OASIS eXtensible Access Control Markup Language (XACML) TC

  • 1.  Re: [xacml]

    Posted 05-28-2002 13:25


    Subject: Re: [xacml] <ContextPrincipal>/<AttributeDesignator> proposal


    since i expect that these documents will take on something of a life of 
    their own, i would like to suggest a section that lists the version and 
    name of any external standard relied upon. for example:
    
    EXTERNAL REFERENCE
    
    the descriptions herein are based upon the definitions listed below:
    
    J2SE v1.40
    http://java.sun.com/j2se/1.4/index.html
    
    XPATH v1.0
    http://www.w3.org/TR/1999/REC-xpath-19991116
    
    [...]
    
    or some such. thoughts?
    
    b
    
    Anne Anderson wrote:
    > Michiharu suggested the following outline for such proposals.
    > I think it is excellent, so I will follow it and encourage others
    > to do the same.
    > 
    > - Access request description in English
    > - XACML Context specification of the above
    > - Sample J2SE policy in English
    > - XACML policy specification of the above
    >              (not an exact one; a simplified description is enough)
    > - How XACML policy specification refers to each attribute in XACML Context
    > - Desirable final decision
    > - ...
    > 
    > NOTE: I have specified a complete context and policy below,
    > although my current proposal is addressed to the ContextPrincipal
    > syntax.
    > 
    > EXAMPLE ACCESS REQUEST DESCRIPTION IN ENGLISH
    > 
    > Read access has been requested for the file
    > "/net/saguaro/home/zoe/status.txt".
    > 
    > The user executing the thread from which the access request was
    > generated was authenticated as both
    >   o "cn=Anne,ou=SunLabs,o=Sun,c=US", and as
    >   o "Anne.Anderson@Sun.COM"
    > 
    > The executing code for the thread that generated the access
    > request was downloaded from "http://java.sun.com/jdk1.4/classes".
    > 
    > The code was signed by two certificates with subject names
    >   o "cn=J2SESigner,ou=JavaSoft,o=Sun,c=US", and
    >   o "cn=SunSigner,o=Sun,c=US".
    > 
    > PROPOSED XACML CONTEXT SPECIFICATION OF THE ABOVE
    > 
    > <xacml:RequestContext>
    >     <xacml:ContextPrincipals>
    >         <xacml:SimplePrincipal PrincipalType="j2se:RequestingUser">
    >             <xacml:NameIdentifier Format="itu:X500DistinguishedName">
    >                 "cn=Anne,ou=SunLabs,o=Sun,c=US"
    >             </xacml:NameIdentifier>
    >         </xacml:SimplePrincipal>
    >         <xacml:SimplePrincipal PrincipalType="j2se:RequestingUser">
    >             <xacml:NameIdentifier Format="ietf:RFC822Name">
    >                 "Anne.Anderson@Sun.COM"
    >             </xacml:NameIdentifier>
    >         </xacml:SimplePrincipal>
    >         <xacml:SimplePrincipal PrincipalType="j2se:CodeSource">
    >             <xacml:NameIdentifier Format="ietf:URL">
    >                 "http://java.sun.com/jdk1.4/classes"
    >             </xacml:NameIdentifier>
    >             <xacml:Attribute AttributeName="SignedBy"
    >                              AttributeFamily="j2se:Policy"
    >                              Issuer="j2se:com.sun.labs.isrg.ClassLoader"
    >                              IssueInstant="2002-05-28T00:00:00Z">
    >                 <xacml:AttributeValue>
    >                     "cn=J2SESigner,ou=JavaSoft,o=Sun,c=US"
    >                 </xacml:AttributeValue>
    >                 <xacml:AttributeValue>
    >                     "cn=SunSigner,o=Sun,c=US"
    >                 </xacml:AttributeValue>
    >             </xacml:Attribute>
    >         </xacml:SimplePrincipal>
    >     </xacml:ContextPrincipals>
    >     <xacml:ContextResource>
    >         <xacml:ResourceSpecifier ResourceURI="file:/net/saguaro/home/zoe/status.txt"/>
    >     </xacml:ContextResource>
    >     <xacml:ContextAction>
    >         <xacml:Action>
    >             "read"
    >         </xacml:Action>
    >     </xacml:ContextAction>
    > </xacml:RequestContext>
    > 
    > SAMPLE POLICY IN ENGLISH
    > 
    > Grant read access to resource "file:/net/saguaro/home/zoe/*" if
    > the requesting user is "Zoe@Sun.COM" or if the executing code
    > was signed by "cn=J2SESigner,ou=JavaSoft,o=Sun,c=US".
    > 
    > XACML POLICY SPECIFICATION OF THE ABOVE
    > 
    > The following two rules are included in an xacml:policyStatement
    > where the ruleCombiningAlgId allows access if any rule allows
    > access.
    > 
    > <xacml:rule ruleId="sunlabs:rule9" effect="Permit">
    >     <xacml:target>
    >         <xacml:subjects>
    >             <xacml:Attribute AttributeName=
    >                    "RequestContext/ContextPrincipals
    >                    /SimplePrincipal[@PrincipalType='j2se:RequestingUser']
    >                    /NameIdentifier[@Format='ietf:RFC822Name']">
    >                 <xacml:AttributeValue>
    >                     "Zoe@Sun.COM"
    >                 </xacml:AttributeValue>
    >             </xacml:Attribute>
    >         </xacml:subjects>
    >         <xacml:resources>
    >             <xacml:Attribute AttributeName=
    >                    "RequestContext/ContextResource
    >                    /ResourceSpecifier[@ResourceURI='file:/net/saguaro/home/zoe/*']">
    >             </xacml:Attribute>
    >         </xacml:resources>
    >         <xacml:actions>
    >             <xacml:Attribute AttributeName=
    >                    "RequestContext/ContextAction/Action">
    >                 <xacml:AttributeValue>
    >                    "read"
    >                 </xacml:AttributeValue>
    >             </xacml:Attribute>
    >         </xacml:actions>
    >     </xacml:target>
    > </xacml:rule>
    > 
    > <xacml:rule ruleId="sunlabs:rule10" effect="Permit">
    >     <xacml:target>
    >         <xacml:subjects>
    >             <xacml:Attribute AttributeName=
    >                    "RequestContext/ContextPrincipals
    >                    /SimplePrincipal[@PrincipalType='j2se:CodeSource']
    >                    /Attribute[@AttributeName='SignedBy' and
    >                              @AttributeFamily='j2se:Policy']">
    >                 <xacml:AttributeValue>
    >                     "cn=J2SESigner,ou=JavaSoft,o=Sun,c=US"
    >                 </xacml:AttributeValue>
    >             </xacml:Attribute>
    >         </xacml:subjects>
    >         <xacml:resources>
    >             <xacml:Attribute AttributeName=
    >                    "RequestContext/ContextResource
    >                    /ResourceSpecifier[@ResourceURI='file:/net/saguaro/home/zoe/*']">
    >             </xacml:Attribute>
    >         </xacml:resources>
    >         <xacml:actions>
    >             <xacml:Attribute AttributeName=
    >                    "RequestContext/ContextAction/Action">
    >                 <xacml:AttributeValue>
    >                    "read"
    >                 </xacml:AttributeValue>
    >             </xacml:Attribute>
    >         </xacml:actions>
    >     </xacml:target>
    > </xacml:rule>
    > 
    > HOW XACML POLICY SPECIFICATION REFERS TO EACH ATTRIBUTE IN XACML CONTEXT
    > 
    > In the example above, I have used full XPATH expressions (to the
    > best of my ability) starting from RequestContext to refer to
    > attributes in the request context.
    > 
    > Under the xacml:rule/target/subjects section of a rule, it should be
    > possible to assume the root is RequestContext/ContextPrincipals,
    > and then use an XPATH expression to navigate from there.
    > Similarly, it should be possible to assume under
    > xacml:target/resources that the root of the XPATH is
    > RequestContext/ContextResource.
    > 
    > In the xacml:rule/conditions sections of a rule, it would be
    > necessary to specify the root explicitly (as I did in my
    > examples), since there is no context to narrow it.
    > 
    > DESIRABLE FINAL DECISION
    > 
    > 1. Support multiple SimplePrincipal (or ComplexPrincipal? Not
    >    sure we need multiple elements here) elements under
    >    ResourceContext.
    > 2. Each SimplePrincipal has an associated xml attribute named
    >    "PrincipalType" that is a URI.  This is used to indicate the
    >    role the SimplePrincipal plays in this particular request
    >    (requesting user, delegating user, requesting machine,
    >    requesting process ID, requesting code source location, etc.).
    >    Communities of users, such as J2SE, would specify the
    >    PrincipalTypes that apply to them.  Standards groups could
    >    specify PrincipalTypes that apply to multiple communities of
    >    users.
    > 3. An xacml:Attribute that applies to a particular
    >    SimplePrincipal is included as a subelement under the
    >    SimplePrincipal to which it applies.  This means the Attribute
    >    does not need to include Holder, since the Holder will be the
    >    xacml:NameIdentifier of the SimplePrincipal.
    > 
    > QUESTION
    > 
    > 1. Why can't AttributeName be a URL, and use the namespace
    >    identifier to indicate the AttributeFamily?  E.g., instead of
    >      <xacml:Attribute AttributeName="SignedBy"
    >                       AttributeFamily="j2se:Policy"
    >                       Issuer="j2se:com.sun.labs.isrg.ClassLoader"
    >                       IssueInstant="2002-05-28T00:00:00Z">
    >    use
    >      <xacml:Attribute AttributeName="j2sePolicy:SignedBy"
    >                       Issuer="j2se:com.sun.labs.isrg.ClassLoader"
    >                       IssueInstant="2002-05-28T00:00:00Z">
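The evaluation that the quoted proposal describes in prose (two Permit rules, combined so that access is allowed if any rule allows it, matching subject, resource and action against the request context), worked through as an added example. This is illustration code written for this page, not code from the XACML TC or from the proposal's author. The element names, PrincipalType URIs, attribute names and literal values are transcribed from the quoted context and rules; the namespace URI, the rule representation, exact-string comparison of names, and glob matching of the resource URI are assumptions made here. Attribute lookups are scoped to the SimplePrincipal they are nested under, which is the "Holder is implied by nesting" point of item 3 in the proposal; the test also swaps in a PrincipalType that does not occur in the context ("j2se:CodeBase" instead of "j2se:CodeSource") to show that a designator naming the wrong principal type silently fails to match rather than erroring.

```python
"""Evaluate the proposed XACML rules against the proposed request context.

Added illustration for this thread; not code from the XACML TC. Only the
standard library is used. Evaluator semantics are an assumption about how a
PDP would read the proposed syntax.
"""
import fnmatch
import xml.etree.ElementTree as ET

# Placeholder namespace URI for the "xacml:" prefix; the proposal gives none.
NS = {"xacml": "urn:example:xacml-context-proposal"}

# Request context transcribed from the quoted proposal. The quoted string
# values are kept exactly as written there; _text() strips the quotes.
REQUEST_CONTEXT = """\
<xacml:RequestContext xmlns:xacml="urn:example:xacml-context-proposal">
  <xacml:ContextPrincipals>
    <xacml:SimplePrincipal PrincipalType="j2se:RequestingUser">
      <xacml:NameIdentifier Format="itu:X500DistinguishedName">"cn=Anne,ou=SunLabs,o=Sun,c=US"</xacml:NameIdentifier>
    </xacml:SimplePrincipal>
    <xacml:SimplePrincipal PrincipalType="j2se:RequestingUser">
      <xacml:NameIdentifier Format="ietf:RFC822Name">"Anne.Anderson@Sun.COM"</xacml:NameIdentifier>
    </xacml:SimplePrincipal>
    <xacml:SimplePrincipal PrincipalType="j2se:CodeSource">
      <xacml:NameIdentifier Format="ietf:URL">"http://java.sun.com/jdk1.4/classes"</xacml:NameIdentifier>
      <xacml:Attribute AttributeName="SignedBy" AttributeFamily="j2se:Policy"
                       Issuer="j2se:com.sun.labs.isrg.ClassLoader" IssueInstant="2002-05-28T00:00:00Z">
        <xacml:AttributeValue>"cn=J2SESigner,ou=JavaSoft,o=Sun,c=US"</xacml:AttributeValue>
        <xacml:AttributeValue>"cn=SunSigner,o=Sun,c=US"</xacml:AttributeValue>
      </xacml:Attribute>
    </xacml:SimplePrincipal>
  </xacml:ContextPrincipals>
  <xacml:ContextResource>
    <xacml:ResourceSpecifier ResourceURI="file:/net/saguaro/home/zoe/status.txt"/>
  </xacml:ContextResource>
  <xacml:ContextAction>
    <xacml:Action>"read"</xacml:Action>
  </xacml:ContextAction>
</xacml:RequestContext>
"""

# The two rules from the proposal, as plain dicts (representation assumed here).
# "subject" names the principal type and either a NameIdentifier Format or an
# Attribute (name + family) under that principal, plus the value to match.
RULES = [
    {"id": "sunlabs:rule9", "effect": "Permit",
     "subject": {"principal_type": "j2se:RequestingUser",
                 "fmt": "ietf:RFC822Name", "value": "Zoe@Sun.COM"},
     "resource": "file:/net/saguaro/home/zoe/*", "action": "read"},
    {"id": "sunlabs:rule10", "effect": "Permit",
     "subject": {"principal_type": "j2se:CodeSource", "attr_name": "SignedBy",
                 "family": "j2se:Policy",
                 "value": "cn=J2SESigner,ou=JavaSoft,o=Sun,c=US"},
     "resource": "file:/net/saguaro/home/zoe/*", "action": "read"},
]


def _text(el):
    """Element text with surrounding whitespace and the proposal's quotes removed."""
    return (el.text or "").strip().strip('"')


def principal_values(ctx, principal_type, fmt=None, attr_name=None, family=None):
    """Values found under SimplePrincipal elements of the given PrincipalType.

    Without attr_name: the NameIdentifier texts (filtered by Format if given).
    With attr_name: the AttributeValue texts of that Attribute. The Attribute
    is only looked up under the matching principal, so the holder is implied
    by nesting, as item 3 of the proposal intends.
    """
    vals = []
    for p in ctx.findall("xacml:ContextPrincipals/xacml:SimplePrincipal", NS):
        if p.get("PrincipalType") != principal_type:
            continue
        if attr_name is None:
            for n in p.findall("xacml:NameIdentifier", NS):
                if fmt is None or n.get("Format") == fmt:
                    vals.append(_text(n))
        else:
            for a in p.findall("xacml:Attribute", NS):
                if a.get("AttributeName") == attr_name and \
                        (family is None or a.get("AttributeFamily") == family):
                    vals.extend(_text(v) for v in a.findall("xacml:AttributeValue", NS))
    return vals


def rule_applies(rule, ctx):
    """True when subject, resource and action of the rule's target all match."""
    s = rule["subject"]
    found = principal_values(ctx, s["principal_type"], s.get("fmt"),
                             s.get("attr_name"), s.get("family"))
    if s["value"] not in found:
        return False
    res = ctx.find("xacml:ContextResource/xacml:ResourceSpecifier", NS)
    if res is None or not fnmatch.fnmatchcase(res.get("ResourceURI", ""), rule["resource"]):
        return False
    act = ctx.find("xacml:ContextAction/xacml:Action", NS)
    return act is not None and _text(act) == rule["action"]


def evaluate(rules, context_xml):
    """Permit-overrides combining: Permit if any applicable rule permits,
    Deny if any applicable rule denies, otherwise NotApplicable."""
    ctx = ET.fromstring(context_xml)
    applicable = [r for r in rules if rule_applies(r, ctx)]
    effects = {r["effect"] for r in applicable}
    decision = "Permit" if "Permit" in effects else "Deny" if "Deny" in effects else "NotApplicable"
    return decision, [r["id"] for r in applicable]


if __name__ == "__main__":
    print(evaluate(RULES, REQUEST_CONTEXT))
```

Rule 9 does not apply because the RFC822Name principal in the context is Anne, not Zoe; rule 10 applies because the SignedBy attribute nested under the CodeSource principal carries the J2SESigner DN, so the combined decision is Permit. Exact string comparison of distinguished names and URIs is a simplification; a real PDP would normalize them before comparing.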