You can easily do this in XACML (and in ALFA, the lighter-weight syntax for XACML). First, you say:

> Each section will permit or deny

To achieve that, you will use one policy per section, each using the deny-unless-permit combining algorithm. This means the policy will grant access if its condition is met, and deny access otherwise. You may recall that by default, if a condition is not met, the usual decision is NotApplicable. Using deny-unless-permit prevents that.

> Any deny would fail the overall policy

Once you have written each policy with deny-unless-permit, you combine them all in a parent policy set that uses the deny-overrides combining algorithm. This means that if there is any Deny decision, that decision trumps all the others.

This gives us the following structure:
ALFA

```alfa
namespace com.axiomatics{
    /**
     * Resource data labeling to provide access control to data
     */
    policyset dataAccess{
        apply denyOverrides
        /**
         * First check
         */
        policy firstCheck{
            apply denyUnlessPermit
            /**
             * Allow if clearance is sufficient
             */
            rule clearanceCheck{
                permit
                condition com.acme.user.clearance > com.acme.record.classification
            }
            rule otherCheck{
                // Fill in your checks here
                permit
            }
        }
        /**
         * Second check...
         */
        policy secondCheck{
            apply denyUnlessPermit
        }
    }
}
```
The equivalent in XACML

```xml
<?xml version="1.0" encoding="UTF-8"?><!--This file was generated by the
ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com). --><!--Any modification to this file will
be lost upon recompilation of the source ALFA file -->
<xacml3:PolicySet
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides"
    PolicySetId="http://axiomatics.com/alfa/identifier/com.axiomatics.dataAccess"
    Version="1.0"
    xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml3:Description>Resource data labeling to provide access control to
    data</xacml3:Description>
  <xacml3:PolicySetDefaults>
    <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116
    </xacml3:XPathVersion>
  </xacml3:PolicySetDefaults>
  <xacml3:Target />
  <xacml3:Policy
      PolicyId="http://axiomatics.com/alfa/identifier/com.axiomatics.dataAccess.firstCheck"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit"
      Version="1.0">
    <xacml3:Description>First check</xacml3:Description>
    <xacml3:PolicyDefaults>
      <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116
      </xacml3:XPathVersion>
    </xacml3:PolicyDefaults>
    <xacml3:Target />
    <xacml3:Rule Effect="Permit"
        RuleId="com.axiomatics.dataAccess.firstCheck.clearanceCheck">
      <xacml3:Description>Allow if clearance is sufficient
      </xacml3:Description>
      <xacml3:Target />
      <xacml3:Condition>
        <xacml3:Apply
            FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of-any">
          <xacml3:Function
              FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than" />
          <xacml3:AttributeDesignator
              AttributeId="com.acme.user.clearance"
              Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
              DataType="http://www.w3.org/2001/XMLSchema#integer"
              MustBePresent="false" />
          <xacml3:AttributeDesignator
              AttributeId="com.acme.record.classification"
              Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
              DataType="http://www.w3.org/2001/XMLSchema#integer"
              MustBePresent="false" />
        </xacml3:Apply>
      </xacml3:Condition>
    </xacml3:Rule>
    <xacml3:Rule Effect="Permit"
        RuleId="com.axiomatics.dataAccess.firstCheck.otherCheck">
      <xacml3:Description />
      <xacml3:Target />
    </xacml3:Rule>
  </xacml3:Policy>
  <xacml3:Policy
      PolicyId="http://axiomatics.com/alfa/identifier/com.axiomatics.dataAccess.secondCheck"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit"
      Version="1.0">
    <xacml3:Description>Second check...</xacml3:Description>
    <xacml3:PolicyDefaults>
      <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116
      </xacml3:XPathVersion>
    </xacml3:PolicyDefaults>
    <xacml3:Target />
  </xacml3:Policy>
</xacml3:PolicySet>
```
Other checks

Beyond your policy structure, you also mention that you will control access based on attributes (e.g. a user can view the documents they own) as well as on explicit access control (a user can view a document if the user is on a list for that file). You can definitely implement discretionary access control (DAC) in XACML alongside attribute-based access. Here is an example:

```alfa
/**
 * Second check...
 */
policy secondCheck{
    target clause com.acme.action.actionId == "view" and com.acme.object.objectType == "document"
    apply denyUnlessPermit
    /**
     * Users can view documents they own
     */
    rule owner{
        permit
        condition com.acme.record.owner==user.userId
    }
    /**
     * Users in the whitelist can view the document
     */
    rule dac{
        permit
        condition stringAtLeastOneMemberOf(user.userId, com.acme.record.whitelist)
    }
}
```
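To see why the answer pairs deny-unless-permit inside each policy with deny-overrides in the parent policy set, here is a small Python model of those two XACML 3.0 combining algorithms applied to the dataAccess structure above. This is an added illustration, not code from the answer or from any XACML engine: it models only Permit, Deny and NotApplicable (no Indeterminate, obligations or advice), reuses the attribute ids from the answer's ALFA, and evaluates a constructed sample request. It also shows the one caveat worth knowing: a policy whose target does not match is NotApplicable no matter which rule-combining algorithm it uses, so deny-unless-permit only kicks in once the target matches.

```python
"""Minimal model of XACML 3.0 combining algorithms for the dataAccess structure.

Added example: not an XACML engine, and not part of the original answer.
Indeterminate, obligations and advice are deliberately not modelled.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# A request is a flat attribute bag keyed by attribute id (constructed sample data).
Request = Dict[str, object]


@dataclass
class Rule:
    rule_id: str
    effect: str                                      # "Permit" or "Deny"
    condition: Callable[[Request], bool] = lambda r: True

    def evaluate(self, req: Request) -> str:
        # A rule whose condition is false is NotApplicable, not the opposite effect.
        return self.effect if self.condition(req) else NOT_APPLICABLE


@dataclass
class Policy:
    policy_id: str
    rule_combining: str                              # "deny-unless-permit" or "deny-overrides"
    rules: List[Rule]
    target: Callable[[Request], bool] = lambda r: True

    def evaluate(self, req: Request) -> str:
        # XACML: a policy whose target does not match is NotApplicable,
        # regardless of the rule-combining algorithm chosen inside it.
        if not self.target(req):
            return NOT_APPLICABLE
        return combine(self.rule_combining, [rule.evaluate(req) for rule in self.rules])


@dataclass
class PolicySet:
    set_id: str
    policy_combining: str
    policies: List[Policy]

    def evaluate(self, req: Request) -> str:
        return combine(self.policy_combining, [p.evaluate(req) for p in self.policies])


def combine(algorithm: str, decisions: List[str]) -> str:
    """Subset of the XACML 3.0 combining algorithms (Indeterminate not modelled)."""
    if algorithm == "deny-unless-permit":
        # What the answer relies on: no Permit means Deny, never NotApplicable.
        return PERMIT if PERMIT in decisions else DENY
    if algorithm == "deny-overrides":
        if DENY in decisions:
            return DENY
        if PERMIT in decisions:
            return PERMIT
        return NOT_APPLICABLE
    raise ValueError(f"unsupported combining algorithm: {algorithm}")


def build_data_access(rule_combining: str = "deny-unless-permit") -> PolicySet:
    """The dataAccess policy set from the answer; the rule-combining algorithm
    is a parameter so the deny-unless-permit and deny-overrides variants can be compared."""
    first_check = Policy(
        "firstCheck", rule_combining,
        rules=[Rule("clearanceCheck", PERMIT,
                    lambda r: r["com.acme.user.clearance"] > r["com.acme.record.classification"])],
    )
    second_check = Policy(
        "secondCheck", rule_combining,
        target=lambda r: (r["com.acme.action.actionId"] == "view"
                          and r["com.acme.object.objectType"] == "document"),
        rules=[
            Rule("owner", PERMIT, lambda r: r["com.acme.record.owner"] == r["user.userId"]),
            Rule("dac", PERMIT, lambda r: r["user.userId"] in r["com.acme.record.whitelist"]),
        ],
    )
    return PolicySet("dataAccess", "deny-overrides", [first_check, second_check])


# Constructed sample request (not from the original answer).
BASE_REQUEST: Request = {
    "user.userId": "alice",
    "com.acme.user.clearance": 3,
    "com.acme.record.classification": 2,
    "com.acme.record.owner": "bob",
    "com.acme.record.whitelist": ["alice", "carol"],
    "com.acme.action.actionId": "view",
    "com.acme.object.objectType": "document",
}


def decide(**overrides) -> str:
    """Decision of the answer's structure for BASE_REQUEST with some attributes overridden."""
    return build_data_access().evaluate({**BASE_REQUEST, **overrides})


def decide_without_deny_unless_permit(**overrides) -> str:
    """Same structure, but rules combined with deny-overrides, showing the NotApplicable
    outcome the answer's choice of deny-unless-permit avoids."""
    return build_data_access("deny-overrides").evaluate({**BASE_REQUEST, **overrides})


if __name__ == "__main__":
    print(decide())                                           # Permit: cleared and whitelisted
    print(decide(**{"com.acme.record.whitelist": []}))        # Deny: secondCheck has no Permit
    print(decide(**{"com.acme.user.clearance": 1}))           # Deny: clearance fails, deny-overrides wins
    print(decide(**{"com.acme.action.actionId": "edit"}))     # Permit: secondCheck target misses -> NotApplicable
    print(decide_without_deny_unless_permit(
        **{"com.acme.user.clearance": 1, "com.acme.record.whitelist": []}))  # NotApplicable
```

The last two cases are the ones to keep in mind when reviewing such a policy set: an "edit" request never enters secondCheck at all, so its DAC rules cannot deny it, and without deny-unless-permit a request that matches no rule leaves the whole set at NotApplicable, which the PEP then has to treat as a denial itself.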