wiki:XACML

Version 2 (modified by pjkersha, 9 years ago)

ndg_xacml

ndg_xacml is a XACML 2.0 implementation for CEDA (the Centre for Environmental Data Archival), STFC Rutherford Appleton Laboratory. It is follow-on work from the NERC (Natural Environment Research Council) DataGrid 3 Project.

XACML (eXtensible Access Control Mark-up Language) is an XML-based language for expressing access control policies.

See: http://www.oasis-open.org/committees/xacml/

Current Status

Version 0.2

The first alpha release was made to PyPI on 28 June 2010.

Only the parts of the specification immediately required for CEDA have been implemented in this initial release:

  • Deny overrides and Permit overrides rule combining algorithms
  • AttributeDesignators
  • various function types: see ndg.xacml.core.functions
  • and attribute types: see ndg.xacml.core.attribute
  • incomplete support for <AttributeSelector>s, <VariableReference>, <VariableDefinition>, <Obligations>
  • an ElementTree-based parser for policies; no support yet for writing out policies or for reading/writing the XML representation of <Request> and <Response>

The software follows a modular structure to allow it to be extended easily to include new parsers, functions and attribute types.

Installation

$ easy_install ndg_xacml

Tests and Examples

See ndg.xacml.test for unit tests and examples.

The first use case for the CEDA access control policy is to restrict access based on resource URIs. Rules match these URIs with regular expressions. Access is permitted to a given subject if they hold at least one of the attributes specified in the rule.

This is the content of the test policy file:

<?xml version="1.0" encoding="UTF-8"?>
<Policy PolicyId="urn:ndg:security:1.0:authz:test:policy"
    xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:cd:04"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:cd:04 http://docs.oasis-open.org/xacml/access_control-xacml-2.0-policy-schema-cd-04.xsd"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
    <Description>
        NDG XACML example for unit tests: allow access for resource URIs 
        matching given regular expressions.  The subject must have at least one
        of a set of named attributes allocated 
    </Description>
    
    <!-- 
        The Policy target(s) define which requests apply to the whole policy
    -->
    <Target>
        <Resources>
            <Resource>
                <!-- Pattern match all request URIs beginning with / -->
                <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
                    <ResourceAttributeDesignator
                        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                        DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/.*$</AttributeValue>
                </ResourceMatch>
            </Resource>
        </Resources>
    </Target>   
    
    <!-- Deny everything by default -->
    <Rule RuleId="urn:ndg:security1.0:authz:test:DenyAllRule" Effect="Deny"/>
    <!-- 
        Following rules punch holes through the deny everything rule above
        because the rule combining algorithm is set to permit overrides - see 
        Policy element above
    -->
    <Rule RuleId="urn:ndgsecurity:secured-uri-rule" Effect="Permit">
        <!-- 
            Rule target(s) define which requests apply to the particular rule
        -->
        <Target>
            <Resources>
                <Resource>
                    <!-- Pattern match the request URI -->
                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
                        <ResourceAttributeDesignator
                            AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/test_securedURI.*$</AttributeValue>
                    </ResourceMatch>
                </Resource>
            </Resources>
        </Target>
        
        <!-- 
            The condition narrows down the constraints laid down in the target to
            something more specific
            
            The user must have at least one of the roles set - in this
            case 'urn:siteA:security:authz:1.0:attr:staff'
        -->
        <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                <SubjectAttributeDesignator 
                    AttributeId="urn:ndg:security:authz:1.0:attr" 
                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">staff</AttributeValue>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">postdoc</AttributeValue>
                </Apply>
            </Apply>
        </Condition>
    </Rule>
    <Rule RuleId="accessDeniedToSecuredURIRule" Effect="Permit">
        <Target>
            <Resources>
                <Resource>
                    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
                        <ResourceAttributeDesignator
                            AttributeId="urn:siteA:security:authz:1.0:attr:resourceURI"
                            DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">^http://localhost/test_accessDeniedToSecuredURI$</AttributeValue>
                    </ResourceMatch>
                </Resource>
            </Resources>
        </Target>
        <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                <SubjectAttributeDesignator 
                    AttributeId="urn:ndg:security:authz:1.0:attr" 
                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">forbidden</AttributeValue>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">keepout</AttributeValue>
                </Apply>
            </Apply>
        </Condition>
    </Rule>
</Policy>

In the above, the first <Target/> element filters out requests which don't apply to the rules which follow: if the URI doesn't start with http://localhost/, the policy is not applicable and the request is ignored. After this a series of rules is specified; the first rule denies access to all requests. However, the top-most <Policy> element sets the so-called rule combining algorithm to permit overrides:

RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"

Any following rule whose target and condition match grants access. For example, the second rule grants access to any URI which begins with http://localhost/test_securedURI, provided the subject (the person or entity requesting access) has at least one of the attributes staff, admin or postdoc.
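As an added illustration (not ndg_xacml's own code) of the evaluation order just described, the following standalone Python sketch parses a constructed, cut-down copy of the test policy and applies permit-overrides: regexp resource targets, the string-at-least-one-member-of condition on the subject's attributes, and the deny-all rule that the Permit rule punches through. The element names and URNs are taken from the policy above; the functions evaluate, target_matches and condition_holds are assumptions of this sketch, not the library's API.

```python
import re
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:2.0:policy:schema:cd:04"}

# Constructed, cut-down copy of the wiki's test policy (not the library's own):
# policy-level Target, a deny-all rule and one Permit rule with a subject condition.
POLICY = """<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:cd:04"
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
 <Target><Resources><Resource><ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
  <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
  <AttributeValue>^http://localhost/.*$</AttributeValue></ResourceMatch></Resource></Resources></Target>
 <Rule RuleId="DenyAll" Effect="Deny"/>
 <Rule RuleId="SecuredURI" Effect="Permit">
  <Target><Resources><Resource><ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
   <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
   <AttributeValue>^http://localhost/test_securedURI.*$</AttributeValue></ResourceMatch></Resource></Resources></Target>
  <Condition><Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
   <SubjectAttributeDesignator AttributeId="urn:ndg:security:authz:1.0:attr"/>
   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
    <AttributeValue>staff</AttributeValue><AttributeValue>admin</AttributeValue><AttributeValue>postdoc</AttributeValue></Apply>
  </Apply></Condition>
 </Rule>
</Policy>"""

def target_matches(target, resource_uri):
    """No <Target> applies to everything; otherwise every <ResourceMatch> regexp must match."""
    matches = [] if target is None else target.findall(".//x:ResourceMatch", NS)
    return all(re.match(m.find("x:AttributeValue", NS).text, resource_uri) for m in matches)

def condition_holds(rule, subject_attrs):
    """string-at-least-one-member-of: the subject's attribute bag must intersect the literal bag."""
    cond = rule.find("x:Condition", NS)
    bag = {v.text for v in cond.findall(".//x:Apply/x:AttributeValue", NS)} if cond is not None else None
    return bag is None or bool(set(subject_attrs) & bag)

def evaluate(policy_xml, resource_uri, subject_attrs):
    """permit-overrides: one applicable Permit wins over any Deny; Deny if only Deny rules apply."""
    policy = ET.fromstring(policy_xml)
    if not target_matches(policy.find("x:Target", NS), resource_uri):
        return "NotApplicable"  # request falls outside the policy's own Target
    decision = "NotApplicable"
    for rule in policy.findall("x:Rule", NS):
        if not (target_matches(rule.find("x:Target", NS), resource_uri)
                and condition_holds(rule, subject_attrs)):
            continue
        if rule.get("Effect") == "Permit":
            return "Permit"  # a matching Permit rule punches through DenyAll
        decision = "Deny"
    return decision
```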

Philip Kershaw, 28 June 2010