我正在使用Authzforce 8.1.0并且已经根据用户和程序员指南RBAC中给出的示例创建了几个策略场景,但我想创建一个简单的场景。ABAC
作为 XACML 语言的新手,我正在尝试从这里学习一些示例。更具体地说,我正在尝试实施类似于4.1.1 Example policy的策略。
我要创建的政策
假设一家名为 Medi Corp 的公司(由其域名:med.example.com 标识)有一个访问控制策略,该策略用英语声明:
任何在“med.example.com”命名空间中具有电子邮件名称的用户都可以对任何资源执行任何操作。
<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:schema:os
http://docs.oasis-open.org/xacml/FIXME.xsd"
PolicyId="urn:oasis:names:tc:xacml:3.0:example:SimplePolicy1"
Version="1.0"
RuleCombiningAlgId="identifier:rule-combining-algorithm:deny-overrides">
<Description>
Medi Corp access control policy
</Description>
<Target/>
<Rule
RuleId= "urn:oasis:names:tc:xacml:3.0:example:SimpleRule1"
Effect="Permit">
<Description>
Any subject with an e-mail name in the med.example.com domain
can perform any action on any resource.
</Description>
<Target>
<AnyOf>
<AllOf>
<Match
MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">med.example.com</AttributeValue>
<AttributeDesignator
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"/>
</Match>
</AllOf>
</AnyOf>
</Target>
</Rule>
</Policy>
当我尝试执行POST此政策时,{ip}:{port}/authzforce-ce/domains/{domainId}/pap/policies
我收到以下错误
错误
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<error xmlns:ns2="http://authzforce.github.io/core/xmlns/pdp/6.0">
<message>Invalid parameters: cvc-elt.1: Cannot find the declaration of element 'Policy'.</message>
</error>
到目前为止,我在 authzforce 中看到的所有示例都以<PolicySet>声明开头(我们可以在其中声明多个<Policy>块,因此我认为这可能是一个问题,并尝试将策略包含在 apolicySet中,如下所示:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet
xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
PolicySetId="first_policyset_id"
Version="1.0"
PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-unless-deny">
<Description>Policy for Github</Description>
<Target />
<Policy
PolicyId="urn:oasis:names:tc:xacml:3.0:example:SimplePolicy1"
Version="1.0"
RuleCombiningAlgId="identifier:rule-combining-algorithm:deny-overrides">
<Description>
Medi Corp access control policy
</Description>
<Target/>
<Rule
RuleId= "urn:oasis:names:tc:xacml:3.0:example:SimpleRule1"
Effect="Permit">
<Description>
Any subject with an e-mail name in the med.example.com domain
can perform any action on any resource.
</Description>
<Target>
<AnyOf>
<AllOf>
<Match
MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">med.example.com</AttributeValue>
<AttributeDesignator
Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
MustBePresent="false"
DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"/>
</Match>
</AllOf>
</AnyOf>
</Target>
</Rule>
</Policy>
</PolicySet>
但现在我得到以下信息:
回复
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<error xmlns:ns2="http://authzforce.github.io/core/xmlns/pdp/6.0">
<message>Failed to find a root PolicySet with id = 'first_policyset_id', Version=1.0,EarliestVersion=*,LatestVersion=*: Matched PolicySet 'first_policyset_id' (version 1.0) is invalid or its content is unavailable</message>
</error>
制作如此简单的 ABAC 策略场景的 XACML 请求的正确格式是什么?对此政策访问请求的示例也将不胜感激,在此先感谢!