(免责声明 - 我为Axiomatics工作,这是 XACML 和 ABAC 的主要实现)
好问题。实际上,我已经组合了一个授权策略生命周期,它引导用户完成收集需求、识别属性和实施策略的过程。
在你的情况下,让我们来看看你的要求
需求收集
您的原始要求
以下任何一项必须为真:
- 用户必须是配方的所有者(编写它的人)。
- 用户必须是创建配方的项目的团队成员。(直接或通过群组成员资格)
- 用户必须是制造配方的组的成员。(他们需要查看制造它的配方。)
- 用户必须是在过去两周内制作配方的组的成员。(即,在完成制造配方的请求后,他们可以继续查看配方两周以纠正任何问题。)
- 用户必须是管理员。
重组要求
我喜欢将需求修改为主语 - 动词 - 宾语,例如用户可以查看食谱...基于此模型,您的原始需求可以改写如下:
- 用户可以查看他/她拥有的食谱。
- 用户可以查看在用户所属项目中创建的配方
- 用户可以查看属于用户所属(制造)组的制造阶段的配方。
- 用户可以查看属于用户所属(制造)组的制造阶段中的配方,如果制造日期在今天日期的 2 周内。
- 管理员可以查看配方。
识别属性
您可以将属性分解为不同的类别(或语法功能)。XACML 本身使用类别,因此这是使用 XACML(或ALFA )实现的自然步骤。
主题属性
- userId:该类别的关键属性。它将用于识别用户,但也检索所有其他派生属性。
- project:用户所属的项目列表
- group:用户所属的组列表
- 角色:用户的角色,例如
资源属性
- objectType:这是一个属性,用于区分要控制访问的不同类型的项目,例如配方、文档或事务
- recipeId:食谱的关键属性。它将用于识别您想要访问哪个特定配方,并且还将用作查找其他属性的键,例如配方所在的状态、它所属的组和项目。
- group:配方所属的组
- project:配方所属的项目
动作属性
在此类别中,从外观上看,您只有:
- 潜在值为 {view, edit, delete...} 的 actionId。
使用属性重写的需求
- 如果 recipe.owner == userId,任何人都可以对 objectType == "recipe" 执行操作 == "view"
- 如果 recipe.project == user.project 任何人都可以对 objectType == "recipe" 执行操作 == "view"
- 如果 recipe.stage == "manufacturing" 和 recipe.group == user.group,任何人都可以对 objectType == "recipe" 执行操作 == "view"
- 如果 recipe.stage == "manufactured" 和 recipe.group == user.group 和 currentDate <= recipe.manufacturedDate + "2 周",任何人都可以对 objectType == "recipe" 执行操作 == "view"。
- 具有角色 ==“管理员”的任何人都可以对 objectType ==“recipe”执行操作 ==“view”。
使用 ALFA 或 XACML 实施策略
下一步是实施您的政策。您可以使用 ALFA(授权缩写语言)。Axiomatics 有一个Eclipse 插件,可以将 ALFA 转换为 XACML 3.0。
让我们创建一个处理配方的策略集。该策略集将包含一个处理操作视图的策略。反过来,该策略将包含满足每个要求的规则。
policyset recipe{
target clause objectType == "recipe"
apply firstApplicable
/**
* View recipes
*/
policy viewRecipe{
target clause actionId == "view"
apply firstApplicable
/**
* Administrators can view all recipes
*/
rule administrator{
target clause user.role == "administrator"
permit
}
/**
* Recipe owners can view their own recipes
*/
rule owner{
permit
condition user.userId == recipe.owner
}
/**
* Users can view recipes in their project
*/
rule sameProject{
permit
condition user.assignedProject == recipe.assignedProject
}
/**
* Users can view recipes in their project
*/
rule sameGroup{
target clause recipe.stage == "manufacturing"
permit
condition user.assignedGroup == recipe.assignedGroup
}
/**
* Users can view recipes in their project
*/
rule sameGroupManufactured{
target clause recipe.stage == "manufacturing"
permit
condition user.assignedGroup == recipe.assignedGroup && currentDate<=dateTimeAddDayTimeDuration(dateTimeOneAndOnly(recipe.manufacturedDate),"P14D":dayTimeDuration)
}
}
}
使用策略信息点
PIP 将如何收集这些信息?直接从数据库?通过对存储此信息的系统的服务调用?
PIP 只是外部属性源的抽象概念。它可以是任何东西。不同的实现将具有不同的 PIP 连接器。例如,Axiomatics Policy Server 为 SQL、LDAP 和 REST 服务提供连接器。这涵盖了客户的大部分需求。
XACML 和 OAuth 2.0
您比较了这两种技术,但它们在某种程度上有些不同。OAuth 2.0 首先关注身份验证。它即将打败密码反模式。然后需要定义权限,或者,正如他们在 OAuth 中所说的,范围。然而,这些范围只是准时的权限。您仍然依赖目标应用程序来发布一组有效范围,并且您仍然无法进行细粒度的访问控制。我的同事就该主题写了一篇由三部分组成的博客,您可以在此处阅读其中的第一部分。
我希望这有帮助。随时向我提出后续问题或发推文。
XACML 输出(奖金)
<?xml version="1.0" encoding="UTF-8"?>
<!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com).
Any modification to this file will be lost upon recompilation of the source ALFA file-->
<xacml3:PolicySet xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
PolicySetId="http://axiomatics.com/alfa/identifier/so.recipe"
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable"
Version="1.0">
<xacml3:Description>Control access to recipes</xacml3:Description>
<xacml3:PolicySetDefaults>
<xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
</xacml3:PolicySetDefaults>
<xacml3:Target>
<xacml3:AnyOf>
<xacml3:AllOf>
<xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">recipe</xacml3:AttributeValue>
<xacml3:AttributeDesignator
AttributeId="so.objectType"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
MustBePresent="false"
/>
</xacml3:Match>
</xacml3:AllOf>
</xacml3:AnyOf>
</xacml3:Target>
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
PolicyId="http://axiomatics.com/alfa/identifier/so.recipe.viewRecipe"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
Version="1.0">
<xacml3:Description>View recipes</xacml3:Description>
<xacml3:PolicyDefaults>
<xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
</xacml3:PolicyDefaults>
<xacml3:Target>
<xacml3:AnyOf>
<xacml3:AllOf>
<xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">view</xacml3:AttributeValue>
<xacml3:AttributeDesignator
AttributeId="so.actionId"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
MustBePresent="false"
/>
</xacml3:Match>
</xacml3:AllOf>
</xacml3:AnyOf>
</xacml3:Target>
<xacml3:Rule
Effect="Permit"
RuleId="http://axiomatics.com/alfa/identifier/so.recipe.viewRecipe.administrator">
<xacml3:Description>Administrators can view all recipes</xacml3:Description>
<xacml3:Target>
<xacml3:AnyOf>
<xacml3:AllOf>
<xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">administrator</xacml3:AttributeValue>
<xacml3:AttributeDesignator
AttributeId="so.user.role"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
MustBePresent="false"
/>
</xacml3:Match>
</xacml3:AllOf>
</xacml3:AnyOf>
</xacml3:Target>
</xacml3:Rule>
<xacml3:Rule
Effect="Permit"
RuleId="http://axiomatics.com/alfa/identifier/so.recipe.viewRecipe.owner">
<xacml3:Description>Recipe owners can view their own recipes</xacml3:Description>
<xacml3:Target />
<xacml3:Condition>
<xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
<xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
<xacml3:AttributeDesignator
AttributeId="so.user.userId"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
MustBePresent="false"
/>
<xacml3:AttributeDesignator
AttributeId="so.recipe.owner"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
MustBePresent="false"
/>
</xacml3:Apply>
</xacml3:Condition>
</xacml3:Rule>
<xacml3:Rule
Effect="Permit"
RuleId="http://axiomatics.com/alfa/identifier/so.recipe.viewRecipe.sameProject">
<xacml3:Description>Users can view recipes in their project</xacml3:Description>
<xacml3:Target />
<xacml3:Condition>
<xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
<xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
<xacml3:AttributeDesignator
AttributeId="so.user.assignedProject"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
MustBePresent="false"
/>
<xacml3:AttributeDesignator
AttributeId="so.recipe.assignedProject"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
MustBePresent="false"
/>
</xacml3:Apply>
</xacml3:Condition>
</xacml3:Rule>
<xacml3:Rule
Effect="Permit"
RuleId="http://axiomatics.com/alfa/identifier/so.recipe.viewRecipe.sameGroup">
<xacml3:Description>Users can view recipes in their project</xacml3:Description>
<xacml3:Target>
<xacml3:AnyOf>
<xacml3:AllOf>
<xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">manufacturing</xacml3:AttributeValue>
<xacml3:AttributeDesignator
AttributeId="so.recipe.stage"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
MustBePresent="false"
/>
</xacml3:Match>
</xacml3:AllOf>
</xacml3:AnyOf>
</xacml3:Target>
<xacml3:Condition>
<xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
<xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
<xacml3:AttributeDesignator
AttributeId="so.user.assignedGroup"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
MustBePresent="false"
/>
<xacml3:AttributeDesignator
AttributeId="so.recipe.assignedGroup"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
MustBePresent="false"
/>
</xacml3:Apply>
</xacml3:Condition>
</xacml3:Rule>
<xacml3:Rule
Effect="Permit"
RuleId="http://axiomatics.com/alfa/identifier/so.recipe.viewRecipe.sameGroupManufactured">
<xacml3:Description>Users can view recipes in their project</xacml3:Description>
<xacml3:Target>
<xacml3:AnyOf>
<xacml3:AllOf>
<xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">manufacturing</xacml3:AttributeValue>
<xacml3:AttributeDesignator
AttributeId="so.recipe.stage"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
MustBePresent="false"
/>
</xacml3:Match>
</xacml3:AllOf>
</xacml3:AnyOf>
</xacml3:Target>
<xacml3:Condition>
<xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
<xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
<xacml3:AttributeDesignator
AttributeId="so.user.assignedGroup"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
MustBePresent="false"
/>
<xacml3:AttributeDesignator
AttributeId="so.recipe.assignedGroup"
DataType="http://www.w3.org/2001/XMLSchema#string"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
MustBePresent="false"
/>
</xacml3:Apply>
<xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
<xacml3:Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:dateTime-greater-than-or-equal"/>
<xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:dateTime-add-dayTimeDuration" >
<xacml3:Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:dateTime-one-and-only" >
<xacml3:AttributeDesignator
AttributeId="so.recipe.manufacturedDate"
DataType="http://www.w3.org/2001/XMLSchema#dateTime"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
MustBePresent="false"
/>
</xacml3:Apply>
<xacml3:AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#dayTimeDuration">P14D</xacml3:AttributeValue>
</xacml3:Apply>
<xacml3:AttributeDesignator
AttributeId="currentDate"
DataType="http://www.w3.org/2001/XMLSchema#dateTime"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
MustBePresent="false"
/>
</xacml3:Apply>
</xacml3:Apply>
</xacml3:Condition>
</xacml3:Rule>
</xacml3:Policy>
</xacml3:PolicySet>