Subject: Re: [xacml] <ContextPrincipal>/<AttributeDesignator> proposal
since i expect that these documents will take on something of a life of
their own, i would like to suggest a section that lists the version and
name of any external standard relied upon. for example:
EXTERNAL REFERENCE
the descriptions herein are based upon the definitions listed below:
J2SE v1.40
http://java.sun.com/j2se/1.4/index.html
XPATH v1.0
http://www.w3.org/TR/1999/REC-xpath-19991116
[...]
or some such. thoughts?
b
Anne Anderson wrote:
> Michiharu suggested the following outline for such proposals.
> I think it is excellent, so I will follow it and encourage others
> to do the same.
>
> - Access request description in English
> - XACML Context specification of the above
> - Sample J2SE policy in English
> - XACML policy specification of the above
> (not exact one, simplified description is enough)
> - How XACML policy specification refers to each attribute in XACML Context
> - Desirable final decision
> - ...
>
> NOTE: I have specified a complete context and policy below,
> although my current proposal is addressed to the ContextPrincipal
> syntax.
>
> EXAMPLE ACCESS REQUEST DESCRIPTION IN ENGLISH
>
> Read access has been requested for the file
> "/net/saguaro/home/zoe/status.txt".
>
> The user executing the thread from which the access request was
> generated was authenticated as both
> o "cn=Anne,ou=SunLabs,o=Sun,c=US", and as
> o "Anne.Anderson@Sun.COM"
>
> The executing code for the thread that generated the access
> request was downloaded from "http://java.sun.com/jdk1.4/classes".
>
> The code was signed by two certificates with subject names
> o "cn=J2SESigner,ou=JavaSoft,o=Sun,c=US", and
> o "cn=SunSigner,o=Sun,c=US".
>
> PROPOSED XACML CONTEXT SPECIFICATION OF THE ABOVE
>
> <xacml:RequestContext>
>   <xacml:ContextPrincipals>
>     <xacml:SimplePrincipal PrincipalType="j2se:RequestingUser">
>       <xacml:NameIdentifier Format="itu:X500DistinguishedName">
>         "cn=Anne,ou=SunLabs,o=Sun,c=US"
>       </xacml:NameIdentifier>
>     </xacml:SimplePrincipal>
>     <xacml:SimplePrincipal PrincipalType="j2se:RequestingUser">
>       <xacml:NameIdentifier Format="ietf:RFC822Name">
>         "Anne.Anderson@Sun.COM"
>       </xacml:NameIdentifier>
>     </xacml:SimplePrincipal>
>     <xacml:SimplePrincipal PrincipalType="j2se:CodeSource">
>       <xacml:NameIdentifier Format="ietf:URL">
>         "http://java.sun.com/jdk1.4/classes"
>       </xacml:NameIdentifier>
>       <xacml:Attribute AttributeName="SignedBy"
>                        AttributeFamily="j2se:Policy"
>                        Issuer="j2se:com.sun.labs.isrg.ClassLoader"
>                        IssueInstant="2002-05-28T00:00:00Z">
>         <xacml:AttributeValue>
>           "cn=J2SESigner,ou=JavaSoft,o=Sun,c=US"
>         </xacml:AttributeValue>
>         <xacml:AttributeValue>
>           "cn=SunSigner,o=Sun,c=US"
>         </xacml:AttributeValue>
>       </xacml:Attribute>
>     </xacml:SimplePrincipal>
>   </xacml:ContextPrincipals>
>   <xacml:ContextResource>
>     <xacml:ResourceSpecifier ResourceURI="file:/net/saguaro/home/zoe/status.txt"/>
>   </xacml:ContextResource>
>   <xacml:ContextAction>
>     <xacml:Action>
>       "read"
>     </xacml:Action>
>   </xacml:ContextAction>
> </xacml:RequestContext>
>
> SAMPLE POLICY IN ENGLISH
>
> Grant read access to resource "file:/net/saguaro/home/zoe/*" if
> the requesting user is "Zoe@Sun.COM" or if the executing code
> was signed by "cn=J2SESigner,ou=JavaSoft,o=Sun,c=US".
>
> XACML POLICY SPECIFICATION OF THE ABOVE
>
> The following two rules are included in an xacml:policyStatement
> where the ruleCombiningAlgId allows access if any rule allows
> access.
>
> <xacml:rule ruleId="sunlabs:rule9" effect="Permit">
>   <xacml:target>
>     <xacml:subjects>
>       <!-- predicate values use single quotes so the XPath is a valid XML attribute value -->
>       <xacml:Attribute AttributeName=
>         "RequestContext/ContextPrincipals
>          /SimplePrincipal[@PrincipalType='j2se:RequestingUser']
>          /NameIdentifier[@Format='ietf:RFC822Name']">
>         <xacml:AttributeValue>
>           "Zoe@Sun.COM"
>         </xacml:AttributeValue>
>       </xacml:Attribute>
>     </xacml:subjects>
>     <xacml:resources>
>       <xacml:Attribute AttributeName=
>         "RequestContext/ContextResource
>          /ResourceSpecifier[@ResourceURI='file:/net/saguaro/home/zoe/*']">
>       </xacml:Attribute>
>     </xacml:resources>
>     <xacml:actions>
>       <xacml:Attribute AttributeName=
>         "RequestContext/ContextAction/Action">
>         <xacml:AttributeValue>
>           "read"
>         </xacml:AttributeValue>
>       </xacml:Attribute>
>     </xacml:actions>
>   </xacml:target>
> </xacml:rule>
>
> <xacml:rule ruleId="sunlabs:rule10" effect="Permit">
>   <xacml:target>
>     <xacml:subjects>
>       <!-- PrincipalType must match the context above (j2se:CodeSource), or the rule never applies -->
>       <xacml:Attribute AttributeName=
>         "RequestContext/ContextPrincipals
>          /SimplePrincipal[@PrincipalType='j2se:CodeSource']
>          /Attribute[@AttributeName='SignedBy' and
>                     @AttributeFamily='j2se:Policy']">
>         <xacml:AttributeValue>
>           "cn=J2SESigner,ou=JavaSoft,o=Sun,c=US"
>         </xacml:AttributeValue>
>       </xacml:Attribute>
>     </xacml:subjects>
>     <xacml:resources>
>       <xacml:Attribute AttributeName=
>         "RequestContext/ContextResource
>          /ResourceSpecifier[@ResourceURI='file:/net/saguaro/home/zoe/*']">
>       </xacml:Attribute>
>     </xacml:resources>
>     <xacml:actions>
>       <xacml:Attribute AttributeName=
>         "RequestContext/ContextAction/Action">
>         <xacml:AttributeValue>
>           "read"
>         </xacml:AttributeValue>
>       </xacml:Attribute>
>     </xacml:actions>
>   </xacml:target>
> </xacml:rule>
>
> HOW XACML POLICY SPECIFICATION REFERS TO EACH ATTRIBUTE IN XACML CONTEXT
>
> In the example above, I have used full XPATH expressions (to the
> best of my ability) starting from RequestContext to refer to
> attributes in the request context.
>
> Under the xacml:rule/target/subjects section of a rule, it should be
> possible to assume the root is RequestContext/ContextPrincipals,
> and then use an XPATH expression to navigate from there.
> Similarly, it should be possible to assume under
> xacml:target/resources that the root of the XPATH is
> RequestContext/ContextResource.
>
> In the xacml:rule/conditions sections of a rule, it would be
> necessary to specify the root explicitly (as I did in my
> examples), since there is no context to narrow it.
>
> DESIRABLE FINAL DECISION
>
> 1. Support multiple SimplePrincipal (or ComplexPrincipal? Not
> sure we need multiple elements here) elements under
> ResourceContext.
> 2. Each SimplePrincipal has an associated xml attribute named
> "PrincipalType" that is a URI. This is used to indicate the
> role the SimplePrincipal plays in this particular request
> (requesting user, delegating user, requesting machine,
> requesting process ID, requesting code source location, etc.).
> Communities of users, such as J2SE, would specify the
> PrincipalTypes that apply to them. Standards groups could
> specify PrincipalTypes that apply to multiple communities of
> users.
> 3. An xacml:Attribute that applies to a particular
> SimplePrincipal is included as a subelement under the
> SimplePrincipal to which it applies. This means the Attribute
> does not need to include Holder, since the Holder will be the
> xacml:NameIdentifier of the SimplePrincipal.
>
> QUESTION
>
> 1. Why can't AttributeName be a URL, and use the namespace
> identifier to indicate the AttributeFamily? E.g., instead of
> <xacml:Attribute AttributeName="SignedBy"
> AttributeFamily="j2se:Policy"
> Issuer="j2se:com.sun.labs.isrg.ClassLoader"
> IssueInstant="2002-05-28T00:00:00Z">
> use
> <xacml:Attribute AttributeName="j2sePolicy:SignedBy"
> Issuer="j2se:com.sun.labs.isrg.ClassLoader"
> IssueInstant="2002-05-28T00:00:00Z">
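The evaluation the quoted proposal describes, as an added example that is not part of the original message or of any XACML implementation: a minimal interpreter that applies rule9 and rule10 to the quoted RequestContext, with the subject XPath rooted at ContextPrincipals as Anne suggests, the resource wildcard matched as a glob, and permit-overrides combining. The xacml namespace URI is an assumed placeholder and the context is a constructed copy of the quoted one.

```python
# Added example (not XACML reference code). Namespace URI is an assumed placeholder.
import fnmatch
import xml.etree.ElementTree as ET

NS = {"xacml": "urn:example:xacml-draft"}  # assumed placeholder namespace

# Constructed copy of the quoted RequestContext (surrounding quotes on values dropped).
REQUEST = """<xacml:RequestContext xmlns:xacml="urn:example:xacml-draft">
 <xacml:ContextPrincipals>
  <xacml:SimplePrincipal PrincipalType="j2se:RequestingUser">
   <xacml:NameIdentifier Format="itu:X500DistinguishedName">cn=Anne,ou=SunLabs,o=Sun,c=US</xacml:NameIdentifier>
  </xacml:SimplePrincipal>
  <xacml:SimplePrincipal PrincipalType="j2se:RequestingUser">
   <xacml:NameIdentifier Format="ietf:RFC822Name">Anne.Anderson@Sun.COM</xacml:NameIdentifier>
  </xacml:SimplePrincipal>
  <xacml:SimplePrincipal PrincipalType="j2se:CodeSource">
   <xacml:NameIdentifier Format="ietf:URL">http://java.sun.com/jdk1.4/classes</xacml:NameIdentifier>
   <xacml:Attribute AttributeName="SignedBy" AttributeFamily="j2se:Policy">
    <xacml:AttributeValue>cn=J2SESigner,ou=JavaSoft,o=Sun,c=US</xacml:AttributeValue>
    <xacml:AttributeValue>cn=SunSigner,o=Sun,c=US</xacml:AttributeValue>
   </xacml:Attribute>
  </xacml:SimplePrincipal>
 </xacml:ContextPrincipals>
 <xacml:ContextResource><xacml:ResourceSpecifier ResourceURI="file:/net/saguaro/home/zoe/status.txt"/></xacml:ContextResource>
 <xacml:ContextAction><xacml:Action>read</xacml:Action></xacml:ContextAction>
</xacml:RequestContext>"""

# (ruleId, subject XPath rooted at ContextPrincipals, required value, resource glob);
# both quoted rules target the "read" action, which rule_applies checks directly.
RULES = [
    ("sunlabs:rule9", "xacml:SimplePrincipal[@PrincipalType='j2se:RequestingUser']"
     "/xacml:NameIdentifier[@Format='ietf:RFC822Name']", "Zoe@Sun.COM", "file:/net/saguaro/home/zoe/*"),
    ("sunlabs:rule10", "xacml:SimplePrincipal[@PrincipalType='j2se:CodeSource']"
     "/xacml:Attribute[@AttributeName='SignedBy']/xacml:AttributeValue",
     "cn=J2SESigner,ou=JavaSoft,o=Sun,c=US", "file:/net/saguaro/home/zoe/*"),
]

def rule_applies(ctx, subject_path, value, resource_glob):
    principals = ctx.find("xacml:ContextPrincipals", NS)  # implicit root for the subjects XPath
    subject_ok = any((n.text or "").strip() == value for n in principals.findall(subject_path, NS))
    uri = ctx.find("xacml:ContextResource/xacml:ResourceSpecifier", NS).get("ResourceURI")
    resource_ok = fnmatch.fnmatchcase(uri, resource_glob)  # wildcard in the policy's ResourceURI
    action_ok = ctx.find("xacml:ContextAction/xacml:Action", NS).text.strip() == "read"
    return subject_ok and resource_ok and action_ok

def decide(xml_text, rules=RULES):
    ctx = ET.fromstring(xml_text)
    fired = [rid for rid, path, val, glob in rules if rule_applies(ctx, path, val, glob)]
    # Permit-overrides: any applicable Permit rule grants access; none applicable -> NotApplicable.
    return ("Permit" if fired else "NotApplicable"), fired
```

A PrincipalType in the policy that does not match the context (for instance CodeBase where the context says CodeSource) silently makes the rule inapplicable, so the test below also checks that case.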