You can easily do this in XACML (and in ALFA, the lighter-weight syntax for XACML). First of all, you say:

"each section will either permit or deny"

To do that, you use one policy per section, each with the deny-unless-permit combining algorithm. This means that the policy grants access if the condition is met and denies access otherwise. You may remember that by default, when the condition is not met, the usual decision is NotApplicable. Using deny-unless-permit prevents that.

"any deny fails the overall policy"

Once you have written each policy with deny-unless-permit, combine them all into a parent policy set that uses the deny-overrides combining algorithm. This means that if there is any Deny decision, that decision trumps all the others.

This gives us the following structure:
```alfa
namespace com.axiomatics {
    /**
     * Resource data labeling to provide access control to data
     */
    policyset dataAccess {
        apply denyOverrides
        /**
         * First check
         */
        policy firstCheck {
            apply denyUnlessPermit
            /**
             * Allow if clearance is sufficient
             */
            rule clearanceCheck {
                permit
                condition com.acme.user.clearance > com.acme.record.classification
            }
            rule otherCheck {
                // Fill in your checks here
                permit
            }
        }
        /**
         * Second check...
         */
        policy secondCheck {
            apply denyUnlessPermit
        }
    }
}
```
The equivalent in XACML:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com). -->
<!-- Any modification to this file will be lost upon recompilation of the source ALFA file -->
<xacml3:PolicySet
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides"
    PolicySetId="http://axiomatics.com/alfa/identifier/com.axiomatics.dataAccess"
    Version="1.0"
    xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml3:Description>Resource data labeling to provide access control to data</xacml3:Description>
  <xacml3:PolicySetDefaults>
    <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
  </xacml3:PolicySetDefaults>
  <xacml3:Target />
  <xacml3:Policy
      PolicyId="http://axiomatics.com/alfa/identifier/com.axiomatics.dataAccess.firstCheck"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit"
      Version="1.0">
    <xacml3:Description>First check</xacml3:Description>
    <xacml3:PolicyDefaults>
      <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
    </xacml3:PolicyDefaults>
    <xacml3:Target />
    <xacml3:Rule Effect="Permit"
        RuleId="com.axiomatics.dataAccess.firstCheck.clearanceCheck">
      <xacml3:Description>Allow if clearance is sufficient</xacml3:Description>
      <xacml3:Target />
      <xacml3:Condition>
        <xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of-any">
          <xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than" />
          <xacml3:AttributeDesignator
              AttributeId="com.acme.user.clearance"
              Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
              DataType="http://www.w3.org/2001/XMLSchema#integer"
              MustBePresent="false" />
          <xacml3:AttributeDesignator
              AttributeId="com.acme.record.classification"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
              DataType="http://www.w3.org/2001/XMLSchema#integer"
              MustBePresent="false" />
        </xacml3:Apply>
      </xacml3:Condition>
    </xacml3:Rule>
    <xacml3:Rule Effect="Permit"
        RuleId="com.axiomatics.dataAccess.firstCheck.otherCheck">
      <xacml3:Description />
      <xacml3:Target />
    </xacml3:Rule>
  </xacml3:Policy>
  <xacml3:Policy
      PolicyId="http://axiomatics.com/alfa/identifier/com.axiomatics.dataAccess.secondCheck"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit"
      Version="1.0">
    <xacml3:Description>Second check...</xacml3:Description>
    <xacml3:PolicyDefaults>
      <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
    </xacml3:PolicyDefaults>
    <xacml3:Target />
  </xacml3:Policy>
</xacml3:PolicySet>
```
Other checks

Apart from your policy structure, you also mention that you will control access based on attributes (e.g. a user can view the documents they own) and on explicit access control (a user can view a document if the user is on that document's list). On top of attribute-based access, you can absolutely implement discretionary access control (DAC) in XACML as well. Here is an example:
```alfa
/**
 * Second check...
 */
policy secondCheck {
    target clause com.acme.action.actionId == "view" and com.acme.object.objectType == "document"
    apply denyUnlessPermit
    /**
     * Users can view documents they own
     */
    rule owner {
        permit
        condition com.acme.record.owner == user.userId
    }
    /**
     * Users in the whitelist can view the document
     */
    rule dac {
        permit
        condition stringAtLeastOneMemberOf(user.userId, com.acme.record.whitelist)
    }
}
```
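The decision flow this answer describes (deny-unless-permit inside each policy, deny-overrides across the policy set, and the target clause on secondCheck), as an added example in Python that is not part of the original answer and is not Axiomatics or ALFA code: a toy evaluator that combines decisions the way a PDP would for the dataAccess structure. The attribute names are the ones used in the ALFA above; the Decision/Rule/Policy classes, the bag() and any_of_any() helpers and the sample requests are constructed for this illustration, the otherCheck placeholder rule is left out, and Indeterminate is folded into a single value (the extended Indeterminate{D}/{P}/{DP} variants of XACML 3.0 are not modelled).

```python
"""Toy model of the XACML combining algorithms used in the answer above.
Added example; the classes, helpers and sample requests are constructed."""
from enum import Enum
from typing import Callable, Dict, List, Optional


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"


Request = Dict[str, object]


def bag(req: Request, attr: str) -> list:
    """Attribute as a XACML bag; a missing attribute is an empty bag (MustBePresent="false")."""
    value = req.get(attr)
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple, set)) else [value]


def any_of_any(left: list, right: list, fn: Callable) -> bool:
    """XACML any-of-any over two bags: false whenever either bag is empty."""
    return any(fn(a, b) for a in left for b in right)


class Rule:
    def __init__(self, name: str, effect: Decision,
                 condition: Optional[Callable[[Request], bool]] = None):
        self.name, self.effect, self.condition = name, effect, condition

    def evaluate(self, req: Request) -> Decision:
        try:
            if self.condition is None or self.condition(req):
                return self.effect
            return Decision.NOT_APPLICABLE   # condition false -> rule does not apply
        except Exception:                    # evaluation error, e.g. a type mismatch
            return Decision.INDETERMINATE


def deny_unless_permit(decisions: List[Decision]) -> Decision:
    """Permit if any child permits, otherwise Deny; NotApplicable never escapes."""
    return Decision.PERMIT if Decision.PERMIT in decisions else Decision.DENY


def deny_overrides(decisions: List[Decision]) -> Decision:
    """Any Deny wins; Indeterminate beats Permit; NotApplicable children are ignored."""
    if Decision.DENY in decisions:
        return Decision.DENY
    if Decision.INDETERMINATE in decisions:
        return Decision.INDETERMINATE
    if Decision.PERMIT in decisions:
        return Decision.PERMIT
    return Decision.NOT_APPLICABLE


class Policy:
    """A Policy (children are rules) or a PolicySet (children are policies)."""

    def __init__(self, name: str, combine: Callable, children: list,
                 target: Optional[Callable[[Request], bool]] = None):
        self.name, self.combine, self.children, self.target = name, combine, children, target

    def evaluate(self, req: Request) -> Decision:
        # The target is evaluated before the combining algorithm: a policy whose
        # target does not match is NotApplicable regardless of its rules.
        if self.target is not None and not self.target(req):
            return Decision.NOT_APPLICABLE
        return self.combine([c.evaluate(req) for c in self.children])


# firstCheck: clearance must exceed classification (integer-greater-than via any-of-any).
first_check = Policy("firstCheck", deny_unless_permit, [
    Rule("clearanceCheck", Decision.PERMIT, lambda r: any_of_any(
        bag(r, "com.acme.user.clearance"), bag(r, "com.acme.record.classification"),
        lambda clearance, classification: clearance > classification)),
])

# secondCheck: the DAC policy with its target clause, owner rule and whitelist rule.
second_check = Policy("secondCheck", deny_unless_permit, [
    Rule("owner", Decision.PERMIT, lambda r: any_of_any(
        bag(r, "com.acme.record.owner"), bag(r, "user.userId"), lambda o, u: o == u)),
    Rule("dac", Decision.PERMIT, lambda r: any(          # stringAtLeastOneMemberOf
        u in bag(r, "com.acme.record.whitelist") for u in bag(r, "user.userId"))),
], target=lambda r: ("view" in bag(r, "com.acme.action.actionId")
                     and "document" in bag(r, "com.acme.object.objectType")))

data_access = Policy("dataAccess", deny_overrides, [first_check, second_check])


def decide(req: Request) -> str:
    return data_access.evaluate(req).value


# Constructed sample requests against one record (classification 2, owned by alice, whitelist [bob]).
VIEW_DOC = {"com.acme.action.actionId": "view", "com.acme.object.objectType": "document",
            "com.acme.record.classification": 2, "com.acme.record.owner": "alice",
            "com.acme.record.whitelist": ["bob"]}
SAMPLES = {
    "alice_views_own_doc": {**VIEW_DOC, "user.userId": "alice", "com.acme.user.clearance": 3},
    "bob_low_clearance": {**VIEW_DOC, "user.userId": "bob", "com.acme.user.clearance": 1},
    "carol_not_listed": {**VIEW_DOC, "user.userId": "carol", "com.acme.user.clearance": 3},
    "alice_no_clearance_attr": {**VIEW_DOC, "user.userId": "alice"},
    "alice_deletes_own_doc": {**VIEW_DOC, "user.userId": "alice", "com.acme.user.clearance": 3,
                              "com.acme.action.actionId": "delete"},
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:24s} -> {decide(req)}")
```

Two outcomes are worth checking against the requirement "any deny fails the overall policy". A request with no clearance attribute at all ends in Deny, because the empty bag makes the condition false, the rule becomes NotApplicable, and deny-unless-permit turns that into Deny. A request whose action is not "view", on the other hand, never reaches the rules of secondCheck: its target clause does not match, the policy is NotApplicable, deny-overrides ignores it, and only firstCheck governs the decision.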
Link to this article: https://www.f2er.com/3142311.html