OASIS eXtensible Access Control Markup Language (XACML) TC

    Posted 05-28-2002 14:52
Michiharu suggested the following outline for such proposals. I think it is excellent, so I will follow it and encourage others to do the same.

- Access request description in English
- XACML Context specification of the above
- Sample J2SE policy in English
- XACML policy specification of the above (not exact one, simplified description is enough)
- How XACML policy specification refers to each attribute in XACML Context
- Desirable final decision
- ...

NOTE: I have specified a complete context and policy below, although my current proposal is addressed to the ContextPrincipal syntax.

EXAMPLE ACCESS REQUEST DESCRIPTION IN ENGLISH

Read access has been requested for the file "/net/saguaro/home/zoe/status.txt". The user executing the thread from which the access request was generated was authenticated as both
  o "cn=Anne,ou=SunLabs,o=Sun,c=US", and as
  o "Anne.Anderson@Sun.COM"
The executing code for the thread that generated the access request was downloaded from "http://java.sun.com/jdk1.4/classes". The code was signed by two certificates with subject names
  o "cn=J2SESigner,ou=JavaSoft,o=Sun,c=US", and
  o "cn=SunSigner,o=Sun,c=US".
PROPOSED XACML CONTEXT SPECIFICATION OF THE ABOVE

<xacml:RequestContext>
  <xacml:ContextPrincipals>
    <xacml:SimplePrincipal PrincipalType="j2se:RequestingUser">
      <xacml:NameIdentifier Format="itu:X500DistinguishedName">
        "cn=Anne,ou=SunLabs,o=Sun,c=US"
      </xacml:NameIdentifier>
    </xacml:SimplePrincipal>
    <xacml:SimplePrincipal PrincipalType="j2se:RequestingUser">
      <xacml:NameIdentifier Format="ietf:RFC822Name">
        "Anne.Anderson@Sun.COM"
      </xacml:NameIdentifier>
    </xacml:SimplePrincipal>
    <xacml:SimplePrincipal PrincipalType="j2se:CodeSource">
      <xacml:NameIdentifier Format="ietf:URL">
        "http://java.sun.com/jdk1.4/classes"
      </xacml:NameIdentifier>
      <xacml:Attribute AttributeName="SignedBy"
                       AttributeFamily="j2se:Policy"
                       Issuer="j2se:com.sun.labs.isrg.ClassLoader"
                       IssueInstant="2002-05-28T00:00:00Z">
        <xacml:AttributeValue>
          "cn=J2SESigner,ou=JavaSoft,o=Sun,c=US"
        </xacml:AttributeValue>
        <xacml:AttributeValue>
          "cn=SunSigner,o=Sun,c=US"
        </xacml:AttributeValue>
      </xacml:Attribute>
    </xacml:SimplePrincipal>
  </xacml:ContextPrincipals>
  <xacml:ContextResource>
    <xacml:ResourceSpecifier ResourceURI="file:/net/saguaro/home/zoe/status.txt"/>
  </xacml:ContextResource>
  <xacml:ContextAction>
    <xacml:Action>
      "read"
    </xacml:Action>
  </xacml:ContextAction>
</xacml:RequestContext>

SAMPLE POLICY IN ENGLISH

Grant read access to resource "file:/net/saguaro/home/zoe/*" if the requesting user is "Zoe@Sun.COM" or if the executing code was signed by "cn=J2SESigner,ou=JavaSoft,o=Sun,c=US".

XACML POLICY SPECIFICATION OF THE ABOVE

The following two rules are included in an xacml:policyStatement where the ruleCombiningAlgId allows access if any rule allows access.
<!-- XPath predicate values use single quotes so that each expression can sit
     inside a double-quoted XML attribute. Element names in the XPath use the
     same case as the request context above (XPath is case-sensitive). -->
<xacml:rule ruleId="sunlabs:rule9" effect="Permit">
  <xacml:target>
    <xacml:subjects>
      <xacml:Attribute AttributeName="RequestContext/ContextPrincipals/SimplePrincipal[@PrincipalType='j2se:RequestingUser']/NameIdentifier[@Format='ietf:RFC822Name']">
        <xacml:AttributeValue>
          "Zoe@Sun.COM"
        </xacml:AttributeValue>
      </xacml:Attribute>
    </xacml:subjects>
    <xacml:resources>
      <xacml:Attribute AttributeName="RequestContext/ContextResource/ResourceSpecifier[@ResourceURI='file:/net/saguaro/home/zoe/*']">
      </xacml:Attribute>
    </xacml:resources>
    <xacml:actions>
      <xacml:Attribute AttributeName="RequestContext/ContextAction/Action">
        <xacml:AttributeValue>
          "read"
        </xacml:AttributeValue>
      </xacml:Attribute>
    </xacml:actions>
  </xacml:target>
</xacml:rule>

<xacml:rule ruleId="sunlabs:rule10" effect="Permit">
  <xacml:target>
    <xacml:subjects>
      <!-- PrincipalType matches the j2se:CodeSource principal in the request context -->
      <xacml:Attribute AttributeName="RequestContext/ContextPrincipals/SimplePrincipal[@PrincipalType='j2se:CodeSource']/Attribute[@AttributeName='SignedBy' and @AttributeFamily='j2se:Policy']">
        <xacml:AttributeValue>
          "cn=J2SESigner,ou=JavaSoft,o=Sun,c=US"
        </xacml:AttributeValue>
      </xacml:Attribute>
    </xacml:subjects>
    <xacml:resources>
      <xacml:Attribute AttributeName="RequestContext/ContextResource/ResourceSpecifier[@ResourceURI='file:/net/saguaro/home/zoe/*']">
      </xacml:Attribute>
    </xacml:resources>
    <xacml:actions>
      <xacml:Attribute AttributeName="RequestContext/ContextAction/Action">
        <xacml:AttributeValue>
          "read"
        </xacml:AttributeValue>
      </xacml:Attribute>
    </xacml:actions>
  </xacml:target>
</xacml:rule>

HOW XACML POLICY SPECIFICATION REFERS TO EACH ATTRIBUTE IN XACML CONTEXT

In the example above, I have used full XPATH expressions (to the best of my ability) starting from RequestContext to refer to attributes in the request context. Under the xacml:rule/target/subjects section of a rule, it should be possible to assume the root is RequestContext/ContextPrincipals, and then use an XPATH expression to navigate from there.
Similarly, it should be possible to assume under xacml:target/resources that the root of the XPATH is RequestContext/ContextResource. In the xacml:rule/conditions sections of a rule, it would be necessary to specify the root explicitly (as I did in my examples), since there is no context to narrow it.

DESIRABLE FINAL DECISION

1. Support multiple SimplePrincipal (or ComplexPrincipal? Not sure we need multiple elements here) elements under ResourceContext.

2. Each SimplePrincipal has an associated xml attribute named "PrincipalType" that is a URI. This is used to indicate the role the SimplePrincipal plays in this particular request (requesting user, delegating user, requesting machine, requesting process ID, requesting code source location, etc.). Communities of users, such as J2SE, would specify the PrincipalTypes that apply to them. Standards groups could specify PrincipalTypes that apply to multiple communities of users.

3. An xacml:Attribute that applies to a particular SimplePrincipal is included as a subelement under the SimplePrincipal to which it applies. This means the Attribute does not need to include Holder, since the Holder will be the xacml:NameIdentifier of the SimplePrincipal.

QUESTION

1. Why can't AttributeName be a URL, and use the namespace identifier to indicate the AttributeFamily? E.g., instead of

<xacml:Attribute AttributeName="SignedBy"
                 AttributeFamily="j2se:Policy"
                 Issuer="j2se:com.sun.labs.isrg.ClassLoader"
                 IssueInstant="2002-05-28T00:00:00Z">

use

<xacml:Attribute AttributeName="j2sePolicy:SignedBy"
                 Issuer="j2se:com.sun.labs.isrg.ClassLoader"
                 IssueInstant="2002-05-28T00:00:00Z">

--
Anne H. Anderson                         Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311               Tel: 781/442-0928
Burlington, MA 01803-0902 USA            Fax: 781/442-1692
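As an added example (not code from the post, nor from the XACML TC or any J2SE implementation), the Python below parses the proposed request context above and evaluates the two sample rules by resolving their XPath expressions relative to RequestContext, then applies the "permit if any rule permits" combining rule. It assumes a placeholder namespace URI (urn:example:xacml-proposal) for the xacml: prefix, which the post never declares; it assumes rule10's PrincipalType is j2se:CodeSource, the same value the context uses; and it goes one step beyond the post by collapsing "." and ".." path segments in the ResourceURI before the glob match, so that a URI under zoe/ cannot be satisfied by a path that climbs back out of that directory. The quoted attribute values, the resource glob and the rule ids are taken from the post; the helper names (text_values, canonical_resource, rule_applies, evaluate) are hypothetical.

```python
"""Toy evaluation of the post's request context against its two rules.

Added example, not the post's or the XACML TC's code. Assumptions:
- the xacml: prefix is bound to the placeholder namespace urn:example:xacml-proposal;
- rule XPaths are relative to RequestContext, as the post proposes;
- rule10's PrincipalType is j2se:CodeSource, matching the context;
- ResourceURI path segments '.' and '..' are collapsed before glob matching.
"""
import fnmatch
import posixpath
import xml.etree.ElementTree as ET

# Placeholder namespace for the xacml: prefix (the post declares none).
NS = {"xacml": "urn:example:xacml-proposal"}

# The request context from the post, with only the xmlns declaration added.
REQUEST_CONTEXT = """<xacml:RequestContext xmlns:xacml="urn:example:xacml-proposal">
  <xacml:ContextPrincipals>
    <xacml:SimplePrincipal PrincipalType="j2se:RequestingUser">
      <xacml:NameIdentifier Format="itu:X500DistinguishedName">"cn=Anne,ou=SunLabs,o=Sun,c=US"</xacml:NameIdentifier>
    </xacml:SimplePrincipal>
    <xacml:SimplePrincipal PrincipalType="j2se:RequestingUser">
      <xacml:NameIdentifier Format="ietf:RFC822Name">"Anne.Anderson@Sun.COM"</xacml:NameIdentifier>
    </xacml:SimplePrincipal>
    <xacml:SimplePrincipal PrincipalType="j2se:CodeSource">
      <xacml:NameIdentifier Format="ietf:URL">"http://java.sun.com/jdk1.4/classes"</xacml:NameIdentifier>
      <xacml:Attribute AttributeName="SignedBy" AttributeFamily="j2se:Policy"
                       Issuer="j2se:com.sun.labs.isrg.ClassLoader" IssueInstant="2002-05-28T00:00:00Z">
        <xacml:AttributeValue>"cn=J2SESigner,ou=JavaSoft,o=Sun,c=US"</xacml:AttributeValue>
        <xacml:AttributeValue>"cn=SunSigner,o=Sun,c=US"</xacml:AttributeValue>
      </xacml:Attribute>
    </xacml:SimplePrincipal>
  </xacml:ContextPrincipals>
  <xacml:ContextResource>
    <xacml:ResourceSpecifier ResourceURI="file:/net/saguaro/home/zoe/status.txt"/>
  </xacml:ContextResource>
  <xacml:ContextAction>
    <xacml:Action>"read"</xacml:Action>
  </xacml:ContextAction>
</xacml:RequestContext>"""

# Each rule: (ruleId, XPath of the subject attribute relative to RequestContext,
#             required subject value, ResourceURI glob, required action).
# Predicate values use single quotes so the XPath can sit in a double-quoted XML attribute.
RULES = [
    ("sunlabs:rule9",
     "xacml:ContextPrincipals/xacml:SimplePrincipal[@PrincipalType='j2se:RequestingUser']"
     "/xacml:NameIdentifier[@Format='ietf:RFC822Name']",
     "Zoe@Sun.COM", "file:/net/saguaro/home/zoe/*", "read"),
    ("sunlabs:rule10",
     "xacml:ContextPrincipals/xacml:SimplePrincipal[@PrincipalType='j2se:CodeSource']"
     "/xacml:Attribute[@AttributeName='SignedBy'][@AttributeFamily='j2se:Policy']/xacml:AttributeValue",
     "cn=J2SESigner,ou=JavaSoft,o=Sun,c=US", "file:/net/saguaro/home/zoe/*", "read"),
]


def text_values(root, path):
    """Text of every element matched by `path`, with the post's surrounding quotes removed."""
    return [el.text.strip().strip('"') for el in root.findall(path, NS) if el.text]


def canonical_resource(uri):
    """Collapse '.' and '..' segments in the path part of the URI (assumed step, not in
    the post) so that '.../zoe/*' is not satisfied by '.../zoe/../alice/secret'."""
    scheme, sep, path = uri.partition(":")
    return scheme + sep + posixpath.normpath(path)


def rule_applies(root, rule):
    """True when the rule's subject, resource and action targets all match the context."""
    _, subject_path, subject_value, resource_glob, action = rule
    subjects = text_values(root, subject_path)
    resources = [canonical_resource(el.get("ResourceURI"))
                 for el in root.findall("xacml:ContextResource/xacml:ResourceSpecifier", NS)
                 if el.get("ResourceURI")]
    actions = text_values(root, "xacml:ContextAction/xacml:Action")
    return (subject_value in subjects
            and any(fnmatch.fnmatchcase(r, resource_glob) for r in resources)
            and action in actions)


def evaluate(context_xml):
    """Permit if any rule applies (the post's combining algorithm), else NotApplicable.
    Returns the decision and the ids of the rules that matched."""
    root = ET.fromstring(context_xml)
    matched = [rule[0] for rule in RULES if rule_applies(root, rule)]
    return ("Permit" if matched else "NotApplicable"), matched


if __name__ == "__main__":
    print(evaluate(REQUEST_CONTEXT))  # ('Permit', ['sunlabs:rule10'])
```

Run as written, the context is permitted by rule10 alone: Anne is not Zoe, so rule9's subject target fails, but the code source carries the J2SESigner SignedBy value, which is exactly the "either the user or the signer" policy the post states in English. Changing the RFC822 identifier to Zoe@Sun.COM makes both rules match, and changing the signer makes neither match.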