Hi, I just want to know how an XACML 3.0 request coming from a PEP is matched against the policies stored in the policy store by the PDP. How would I evaluate a particular request against the multiple policies stored in the policy store?
3 Answers
An XACML request is matched against the "Target" element of the policies that are stored in the PDP policy store. Once the Target element is matched for policies, those matched policies (applicable policies) are evaluated (the rules of the policies) according to the policy order, and the results are combined according to the policy combining algorithm of the policy store. If the PEP wants to know which PEP policies are matched for a given XACML request, the PEP can send the XACML request with the "ReturnPolicyIdList" attribute set to "true".
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="true">
Then the XACML response would return the matched policies.
In addition to Asela's answer, I would add that the "policy store" is implementation-specific.
The way Asela describes it essentially means the policy store acts as a PolicySet with a combining algorithm and no Target.
Adding my experience of using WSO2 Identity Server as the PDP:
So, you can add multiple policy files in IS. But you have to give a ranking to each policy file.
So I think these policies are validated in the ranking order we provide, and whichever policy's Target element matches first gets evaluated first.
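To make the mechanism in Asela's answer (Target matching, rule evaluation in policy order, combining algorithm, ReturnPolicyIdList) and the ranking described in the WSO2 answer concrete, here is a toy PDP written as an added example for this page. It is not code from the question, from the answers, or from WSO2 Identity Server, and it simplifies XACML deliberately: a Target is a single AllOf of string-equality matches, there is no Indeterminate decision, and the attribute `urn:example:role` and all policy and request values are constructed sample data. The policy store is modelled exactly as the second answer puts it, as an ordered list of policies with a combining algorithm and no Target.

```python
"""Toy XACML 3.0 PDP (added illustration, not a real PDP): Target matching,
rule evaluation in policy order, combining algorithms and ReturnPolicyIdList."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML_NS}
# Standard XACML category/attribute identifiers; "urn:example:role" is constructed for this example.
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ROLE = "urn:example:role"

def build_request(subject, role, resource, action, return_policy_ids=True):
    """Build a constructed XACML 3.0 <Request> as a PEP would send it (sample data only)."""
    def attr(aid, value):
        return (f'<Attribute AttributeId="{aid}" IncludeInResult="false">'
                f'<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">'
                f'{escape(value)}</AttributeValue></Attribute>')
    return (f'<Request xmlns="{XACML_NS}" CombinedDecision="false" '
            f'ReturnPolicyIdList="{str(return_policy_ids).lower()}">'
            f'<Attributes Category="{SUBJECT}">{attr(SUBJECT_ID, subject)}{attr(ROLE, role)}</Attributes>'
            f'<Attributes Category="{RESOURCE}">{attr(RESOURCE_ID, resource)}</Attributes>'
            f'<Attributes Category="{ACTION}">{attr(ACTION_ID, action)}</Attributes></Request>')

def parse_request(xml_text):
    """Flatten the request to {(category, attribute-id): [values]} plus the ReturnPolicyIdList flag."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attributes in root.findall("x:Attributes", NS):
        category = attributes.get("Category")
        for attribute in attributes.findall("x:Attribute", NS):
            values = [v.text for v in attribute.findall("x:AttributeValue", NS)]
            attrs.setdefault((category, attribute.get("AttributeId")), []).extend(values)
    return attrs, root.get("ReturnPolicyIdList", "false") == "true"

def target_matches(target, attrs):
    """Simplified Target: one AllOf of (category, attribute-id, value) matches; empty matches all."""
    return all(value in attrs.get((category, aid), []) for category, aid, value in target)

def combine(algorithm, decisions):
    """Combine ordered Permit/Deny/NotApplicable decisions (Indeterminate left out for brevity)."""
    applicable = [d for d in decisions if d != "NotApplicable"]
    if not applicable:
        return "NotApplicable"
    if algorithm == "first-applicable":
        return applicable[0]
    if algorithm == "deny-overrides":
        return "Deny" if "Deny" in applicable else "Permit"
    raise ValueError(f"unknown combining algorithm: {algorithm}")

def evaluate_policy(policy, attrs):
    """A policy whose Target does not match is NotApplicable; otherwise its rules run in order."""
    if not target_matches(policy["target"], attrs):
        return "NotApplicable"
    rule_decisions = [rule["effect"] if target_matches(rule["target"], attrs) else "NotApplicable"
                      for rule in policy["rules"]]
    return combine(policy["rule_combining"], rule_decisions)

def evaluate(store, request_xml):
    """The store behaves as a PolicySet with a combining algorithm and no Target of its own."""
    attrs, return_ids = parse_request(request_xml)
    decisions, applicable_ids = [], []
    for policy in store["policies"]:          # list order is the ranking given to each policy
        decision = evaluate_policy(policy, attrs)
        decisions.append(decision)
        if decision != "NotApplicable":
            applicable_ids.append(policy["id"])
            if store["policy_combining"] == "first-applicable":
                break                          # lower-ranked policies are never evaluated
    result = {"Decision": combine(store["policy_combining"], decisions)}
    if return_ids:                             # honour ReturnPolicyIdList="true" from the PEP
        result["PolicyIdList"] = applicable_ids
    return result

# Constructed policy store: ranked policies plus the store's policy-combining algorithm.
STORE = {
    "policy_combining": "first-applicable",
    "policies": [
        {"id": "confidential-reports", "rule_combining": "deny-overrides",
         "target": [(RESOURCE, RESOURCE_ID, "report-42")],
         "rules": [{"id": "managers-may-read", "effect": "Permit",
                    "target": [(SUBJECT, ROLE, "manager"), (ACTION, ACTION_ID, "read")]},
                   {"id": "nobody-writes", "effect": "Deny",
                    "target": [(ACTION, ACTION_ID, "write")]}]},
        {"id": "default-deny", "rule_combining": "first-applicable", "target": [],
         "rules": [{"id": "deny-everything", "effect": "Deny", "target": []}]},
    ],
}

if __name__ == "__main__":
    print(evaluate(STORE, build_request("alice", "manager", "report-42", "read")))
    print(evaluate(STORE, build_request("bob", "intern", "report-42", "delete")))
```

The second request shows why ranking matters: `confidential-reports` matches on its Target but none of its rules apply, so it yields NotApplicable and evaluation falls through to the lower-ranked `default-deny`, which is the only policy id reported back. A request with ReturnPolicyIdList="false" gets the same Decision without the list.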