OASIS eXtensible Access Control Markup Language (XACML) TC

 View Only

WI#9 Proposal: policies referring to hierarchical resources

  • 1.  WI#9 Proposal: policies referring to hierarchical resources

    Posted 04-07-2004 20:18
     MHonArc v2.5.0b2 -->
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    
    

    xacml message

    [Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


    Subject: WI#9 Proposal: policies referring to hierarchical resources


    Contents
    ========
    Problem statement
    Schema for describing hierarchies
    DataType for describing nodepaths
    Functions for operating on hierarchies
    Issues
    
    Problem statement
    =================
    
    XACML 2.0 Work Item #9 addresses the problem of a policy writer
    who wants to control access to elements in a hierarchical
    resource.  The writer does not want to have to specify access
    conditions on each element in the resource individually.  For
    example, the writer wants to say:
    
      grant read access to any element in the hierarchy below
      /a/b/c"
    
    and not
    
      grant read access to /a/b/c/d
      grant read access to /a/b/c/e
      grant read access to /a/b/c/d/f
      ....
    
    Schema for describing hierarchies
    =================================
    
    Whenever a policy writer uses any of the special functions for
    matching hierarchical resources, the Request Context MUST
    (notionally) contain a "urn:oasis:names:tc:xacml:1.0:recource:resource-content"
    Attribute that contains a Hierarchy element instance.  The schema
    for describing a Hierarchy element follows.
    
    <?xml version="1.0" encoding="UTF-8"?>
    <xs:schema targetNamespace="urn:oasis:names:tc:xacml:2.0:hierarchy-schema" xmlns:xs="http://www.w3.org/2001/XMLSchema";; xmlns:hs="urn:oasis:names:tc:xacml:2.0:hierarchy-schema" elementFormDefault="qualified" attributeFormDefault="unqualified">
      <!-- -->
      <xs:element name="Hierarchy" type="hs:HierarchyType"/>
      <xs:complexType name="HierarchyType">
        <xs:sequence>
          <xs:element ref="hs:Node" minOccurs="0" maxOccurs="unlimited"/>
          <xs:element ref="xacml-context:Attribute" minOccurs="0" maxOccurs="unlimited"/>
        </xs:sequence>
        <xs:attribute name="Root" type="xs:anyURI"/>
      </xs:complexType>
      <!--  -->
      <xs:element name="Node" type="hs:NodeType"/>
      <xs:complexType name="NodeType">
        <xs:sequence>
          <xs:element ref="hs:Node" minOccurs="0" maxOccurs="unlimited"/>
          <xs:element ref="xacml-context:Attribute" minOccurs="0" maxOccurs="unlimited"/>
        </xs:sequence>
        <xs:attribute name="NodeName" type="xs:string"/>
      </xs:complexType>
    </xs:schema>
    
    The RootName and NodeName attribute values MUST not contain a "/"
    character unless it is escaped using "\/".  If a RootName or
    NodeName attribute contains a "\" character, then that character
    MUST be escaped using "\\".
    
    Alternatives considered:
    a. NetBeans Filesystem DTD
         http://www.netbeans.org/dtds/filesystem-1_0.dtd
         http://openide.netbeans.org/nonav/fs/Library.html
       X Has no query syntax associated
    b. XML schema in which each node in the hierarchy is an element
       A Requires a new schema to be constructed for each hierarchy
         instance
    c. WS-ResourceDescriptionFramework
       X Does not help handle recursive hierarchies
         (e.g. root/container/container/container; it handles
         hierarchies in which each element is a unique name, although
         multiple elements may share sub-components).  Also, it is so
         rich that an XACML profile would strip out almost everything
         in the schema.
    
    DataType for describing nodepaths
    =================================
    
    DataType="urn:oasis:names:tc:xacml:2.0:data-type:nodepath"
    
      A "nodepath" is a string representing the path from the root of
      a Hierarchy instance to a particular Node in the Hierarchy
      instance.  A nodepath is constructed by concatenating the value
      of the Hierarchy "RootName" attribute with the value of each
      "Node" element's "NodeName" attribute along the path leading to
      the node being specified.  RootName and NodeNames are separated
      from each other using the "/" character.
    
    Alternatives considered:
    a. XPath
       X Operates on paths of node tags, not on paths of node values,
         so would require creations of a separate schema for each new
         hierarchy instance.
    
    Functions for operating on hierarchies
    ======================================
    
    All return "Indeterminate" if arg2 is not a valid nodepath in the
    resource-content Attribute.
       
    - Match any descendant of a given node
    
      Function name: descendant-match
      Arguments:  1. nodepath to be tested against descendants of arg2
                  2. nodepath at root of the subtree in the
                     resource-content Attribute
      Returns:    Boolean: True if arg1 string-equals the nodepath of
                  any descendant of arg2 in the resource-content
                  Attribute
    
      Function name: descendant-or-self-match
      Arguments:  1. nodepath to be tested against descendants of arg2
                  2. nodepath at root of the subtree in the
                     resource-content Attribute
      Returns:    Boolean: True if arg1 string-equals arg2 or the
                  nodepath of any descendant of arg2 in the
                  resource-content Attribute
    
    - Match any ancestor of a given node
    
      Function name: ancestor-match
      Arguments:  1. nodepath to be tested against ancestors of arg2
                  2. nodepath in the resource-content Attribute
      Returns:    Boolean: True if arg1 string-equals the nodepath of
                  any ancestor of arg2 in the resource-content
                  Attribute
    
      Function name: ancestor-or-self-match
      Arguments:  1. nodepath to be tested against ancestors of arg2
                  2. nodepath in the resource-content Attribute
      Returns:    Boolean: True if arg1 string-equals arg2 or the
                  nodepath of any ancestor of arg2 in the
                  resource-content Attribute
    
    
    - Match any specific node
    
      Function name: node-match
      Arguments:  1. nodepath to be tested against arg2
                  2. nodepath in the resource-content Attribute
      Returns:    Boolean: True if arg1 string-equals arg2
    
    - Match attributes of a given node
    
      Function name: node-attribute-match
      Arguments:  1. Attribute or AttributeDesignator
                  2. nodepath in the resource-content Attribute
      Returns:    Boolean: True if arg1 type-equals an Attribute of
                  arg2 in the resource-content Attribute
    
      * This can be used to test that arg 2 has an "owner" Attribute
        that matches a specified value.
    
    - Match attributes of ancestors of a given node
    
      Function name: ancestor-attribute-match
      Arguments:  1. Attribute or AttributeDesignator
                  2. nodepath in the resource-content Attribute
      Returns:    Boolean: True if arg1 type-equals an Attribute of
                  each ancestor of arg2 in the resource-content
                  Attribute
    
      * This can be used to test that arg 2 has a "can execute"
         Attribute that matches the value of the Attribute in Arg1
    
    Issues
    ======
    
    1. This does not directly address the issue of expressing "in
    order to read node x, the subject must have execute rights to
    every ancestor of x."  I think this can be addressed in XACML
    using "deny" rules as described in my previous e-mail.
    
    2. I'm not sure the "ancestor-attribute-match" function buys us
    much.  For example, it requires a notional "can-execute"
    Attribute on each ancestor that contains explicit Subject
    identities in order to be use this to solve the problem in
    Issue#1.
    
    3. Can we possibly be the first group to run up against this
    problem?  Why aren't there suitable XML schemas and functions
    already available in some other standard?  I have Google'd and
    asked, but have not found anything so far.
    
    Anne
    -- 
    Anne H. Anderson             Email: Anne.Anderson@Sun.COM
    Sun Microsystems Laboratories
    1 Network Drive,UBUR02-311     Tel: 781/442-0928
    Burlington, MA 01803-0902 USA  Fax: 781/442-1692
    
    


    [Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]