我正在使用身份服务器 4.1.0。在编辑策略时,我注意到对正确 XACML 策略的评估总是导致结果“不适用”。这表明服务器无法在策略中找到匹配的目标。
查阅系统日志后,我遇到以下故障: 1. 解析策略时出错 2. 无法从注册表策略查找器模块中检索策略
查看已知问题后,我发现PDP 在负载测试期间可能会返回 NotApplicable。由于我目前是唯一的用户,因此我认为此问题不会导致故障。
我附上了描述。由于我不了解故障的原因,我需要帮助来破译故障描述以解决问题。
1.
TID[-1234] [IS] [2013-05-15 09:29:11,466] ERROR {org.wso2.carbon.identity.entitlement.policy.PolicyReader} - Error while parsing the policy org.wso2.balana.cond.FunctionBase.checkInputsNoBag(FunctionBase.java:419) org.wso2.balana.TargetMatch.getInstance(TargetMatch.java:243) org.wso2.balana.TargetMatch.getInstance(TargetMatch.java:169) org.wso2.balana.xacml3.AllOfSelection.getInstance(AllOfSelection.java:68) org.wso2.balana.xacml3.AnyOfSelection.getInstance(AnyOfSelection.java:79) org.wso2.balana.xacml3.Target.getInstance(Target.java:78) org.wso2.balana.TargetFactory.getTarget(TargetFactory.java:43) org.wso2.balana.Rule.getInstance(Rule.java:232) org.wso2.balana.Policy.(Policy.java:308) org.wso2.balana.Policy.getInstance(Policy.java:389) org.wso2.carbon.identity.entitlement.policy.PolicyReader.handleDocument(PolicyReader.java:163) org.wso2.carbon.identity.entitlement.policy.PolicyReader.getPolicy(PolicyReader.java:124) org.wso2.carbon.identity.entitlement.policy.finder.registry.RegistryPolicyReader.readPolicy(RegistryPolicyReader.java:195) org.wso2.carbon.identity.entitlement.policy.finder.registry.RegistryPolicyReader.readAllPolicies(RegistryPolicyReader.java:111) org.wso2.carbon.identity.entitlement.policy.finder.registry.RegistryPolicyFinderModule.getPolicies(RegistryPolicyFinderModule.java:90) org.wso2.carbon.identity.entitlement.policy.finder.CarbonPolicyFinder.init(CarbonPolicyFinder.java:160) org.wso2.carbon.identity.entitlement.policy.finder.CarbonPolicyFinder.init(CarbonPolicyFinder.java:75) org.wso2.carbon.identity.entitlement.policy.finder.CarbonPolicyFinder.findPolicy(CarbonPolicyFinder.java:203) org.wso2.balana.finder.PolicyFinder.findPolicy(PolicyFinder.java:169) org.wso2.balana.PDP.evaluateContext(PDP.java:243) org.wso2.balana.PDP.evaluate(PDP.java:199) org.wso2.balana.PDP.evaluate(PDP.java:157) org.wso2.balana.PDP.evaluate(PDP.java:119) org.wso2.carbon.identity.entitlement.pdp.EntitlementEngine.evaluate(EntitlementEngine.java:256) org.wso2.carbon.identity.entitlement.EntitlementService.getDecision(EntitlementService.java:54) sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) java.lang.reflect.Method.invoke(Method.java:597) org.apache.axis2.rpc.receivers.RPCUtil.invokeServiceClass(RPCUtil.java:212) org.apache.axis2.rpc.receivers.RPCMessageReceiver.invokeBusinessLogic(RPCMessageReceiver.java:117) org.apache.axis2.receivers.AbstractInOutMessageReceiver.invokeBusinessLogic(AbstractInOutMessageReceiver.java:40) org.apache.axis2.receivers.AbstractMessageReceiver.receive(AbstractMessageReceiver.java:110) org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180) org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172) org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:146) org.wso2.carbon.core.transports.CarbonServlet.doPost(CarbonServlet.java:231) javax.servlet.http.HttpServlet.service(HttpServlet.java:641) javax.servlet.http.HttpServlet.service(HttpServlet.java:722) org.eclipse.equinox.http.servlet.internal.ServletRegistration.handleRequest(ServletRegistration.java:90) org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:111) org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:67) javax.servlet.http.HttpServlet.service(HttpServlet.java:722) org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68) org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305) org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61) org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225) org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123) org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472) org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168) org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98) org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:172) org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:156) org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927) org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:52) org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118) org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407) org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1001) org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:579) org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1653) java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) java.lang.Thread.run(Thread.java:662)
2.
TID[-1234] [IS] [2013-05-15 09:29:11,467] ERROR {org.wso2.carbon.identity.entitlement.policy.finder.registry.RegistryPolicyFinderModule} - Policies can not be retrieved from registry policy finder module org.wso2.carbon.identity.entitlement.policy.finder.registry.RegistryPolicyReader.readPolicy(RegistryPolicyReader.java:197) org.wso2.carbon.identity.entitlement.policy.finder.registry.RegistryPolicyReader.readAllPolicies(RegistryPolicyReader.java:111) org.wso2.carbon.identity.entitlement.policy.finder.registry.RegistryPolicyFinderModule.getPolicies(RegistryPolicyFinderModule.java:90) org.wso2.carbon.identity.entitlement.policy.finder.CarbonPolicyFinder.init(CarbonPolicyFinder.java:160) org.wso2.carbon.identity.entitlement.policy.finder.CarbonPolicyFinder.init(CarbonPolicyFinder.java:75) org.wso2.carbon.identity.entitlement.policy.finder.CarbonPolicyFinder.findPolicy(CarbonPolicyFinder.java:203) org.wso2.balana.finder.PolicyFinder.findPolicy(PolicyFinder.java:169) org.wso2.balana.PDP.evaluateContext(PDP.java:243) org.wso2.balana.PDP.evaluate(PDP.java:199) org.wso2.balana.PDP.evaluate(PDP.java:157) org.wso2.balana.PDP.evaluate(PDP.java:119) org.wso2.carbon.identity.entitlement.pdp.EntitlementEngine.evaluate(EntitlementEngine.java:256) org.wso2.carbon.identity.entitlement.EntitlementService.getDecision(EntitlementService.java:54) sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) java.lang.reflect.Method.invoke(Method.java:597) org.apache.axis2.rpc.receivers.RPCUtil.invokeServiceClass(RPCUtil.java:212) org.apache.axis2.rpc.receivers.RPCMessageReceiver.invokeBusinessLogic(RPCMessageReceiver.java:117) org.apache.axis2.receivers.AbstractInOutMessageReceiver.invokeBusinessLogic(AbstractInOutMessageReceiver.java:40) org.apache.axis2.receivers.AbstractMessageReceiver.receive(AbstractMessageReceiver.java:110) org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180) org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172) org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:146) org.wso2.carbon.core.transports.CarbonServlet.doPost(CarbonServlet.java:231) javax.servlet.http.HttpServlet.service(HttpServlet.java:641) javax.servlet.http.HttpServlet.service(HttpServlet.java:722) org.eclipse.equinox.http.servlet.internal.ServletRegistration.handleRequest(ServletRegistration.java:90) org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:111) org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:67) javax.servlet.http.HttpServlet.service(HttpServlet.java:722) org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68) org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305) org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61) org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225) org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123) org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472) org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168) org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98) org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:172) org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:156) org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927) org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:52) org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118) org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407) org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1001) org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:579) org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1653) java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) java.lang.Thread.run(Thread.java:662)
编辑 5 月 21 日,添加了活动策略(它们被提升为 PDP)
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="DossierPolicy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides" Version="1.0">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ObjectID_Dossier</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule Effect="Permit" RuleId="EigenaarRules">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DossierEigenaar</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DatasetID_http://www.horecataxonomie.nl/0.92/report/horeca/entrypoints/rpt-hrt-entity.xsd</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<AttributeDesignator AttributeId="null" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</AttributeValue>
<AttributeDesignator AttributeId="null" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">delete</AttributeValue>
<AttributeDesignator AttributeId="null" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
</Target>
</Rule>
</Policy>
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="Basic2" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SomeotherStuff</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule Effect="Permit" RuleId="Rule-1">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SomeotherStuff</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">wsTC</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
</Target>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"></Function>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Architect</AttributeValue>
<AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Apply>
</Condition>
</Rule>
</Policy>
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="Basic" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">RiSourceApp</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule Effect="Permit" RuleId="Rule-1">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">RiSourceApp</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
</Target>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"></Function>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Architect</AttributeValue>
<AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Apply>
</Condition>
</Rule>
</Policy>