Tutorial on XACML

Audumbar


Post on 14-Jan-2016



TRANSCRIPT

Page 1: Tutorial on XACML

Audumbar

Page 2: Access control and privacy

Who can access what, under what conditions, and for what purpose

Page 3: XACML - About

The eXtensible Access Control Markup Language is an OASIS Standard.

The XACML standard provides:

• Policy Language
• Request and Response Language
• Standard data-types, functions, combining algorithms
• Extensibility: Privacy profile, RBAC profile
• An architecture defining the major components in an implementation

Page 4: General terms

• Resource - Data, system component or service
• Subject - An actor who makes a request to access certain Resources
• Action - An operation on a resource
• Environment - The set of attributes that are relevant to an authorization decision and are independent of a particular subject, resource or action
• Attributes - Characteristics of a subject, resource, action or environment
• Target - Defines the conditions that determine whether a policy applies to a request

Page 5: Usage Scenario - Policy Enforcement Point (PEP)

The entity protecting the resource (e.g. a file system). It performs access control by making decision requests and enforcing the authorization decisions it receives.

Page 6: Usage Scenario - Policy Administration Point (PAP)

Creates security policies and stores them in the policy repository.

Page 7: Usage Scenario - Context Handler

A Context is the canonical representation of a decision request and an authorization decision. A Context Handler can be defined to convert requests from their native format into the XACML canonical form, and to convert authorization decisions from the XACML canonical form back into the native format.

Page 8: Usage Scenario - Policy Decision Point (PDP)

• Receives and examines the request
• Retrieves the applicable policies
• Evaluates the applicable policy
• Returns the authorization decision to the PEP

Page 9: Usage Scenario - Policy Information Point (PIP)

Serves as the source of attribute values, i.e. the data required for policy evaluation.

Page 10: How does it work: Data Flow (diagram)

Page 11: XACML Policy Structure (diagram)

Page 12: Policy Language model (diagram)

Page 13: XACML Policy Example

<Policy PolicyId="ExamplePolicy"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
  <Target>
    <Subjects><AnySubject/></Subjects>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://server.example.com/code/docs/developer-guide.html</AttributeValue>
          <ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#anyURI"
                                       AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
        </ResourceMatch>
      </Resource>
    </Resources>
    <Actions><AnyAction/></Actions>
  </Target>
  <Rule RuleId="ReadRule" Effect="Permit">
    …
  </Rule>
</Policy>

The policy's Target restricts it to one resource (the developer guide) for any subject and any action; the rule itself is shown on the next page.

Page 14: Policy Example contd

<Rule RuleId="ReadRule" Effect="Permit">
  <Target>
    <Subjects><AnySubject/></Subjects>
    <Resources><AnyResource/></Resources>
    <Actions>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
          <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                     AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"/>
        </ActionMatch>
      </Action>
    </Actions>
  </Target>
  <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
      <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="group"/>
    </Apply>
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">developers</AttributeValue>
  </Condition>
</Rule>

The rule permits the "read" action when the subject carries exactly one "group" attribute and its value is "developers"; string-one-and-only makes a missing or multi-valued group attribute an evaluation error rather than a match.

Page 15: XACML Request Structure

A Request carries four groups of attributes:

• Subject attributes
• Resource attributes
• Action attributes
• Environment attributes

Page 16: Request Example

<Request>
  <Subject>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
               DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">
      <AttributeValue>[email protected]</AttributeValue>
    </Attribute>
    <Attribute AttributeId="group" DataType="http://www.w3.org/2001/XMLSchema#string" Issuer="[email protected]">
      <AttributeValue>developers</AttributeValue>
    </Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
               DataType="http://www.w3.org/2001/XMLSchema#anyURI">
      <AttributeValue>http://server.example.com/code/docs/developer-guide.html</AttributeValue>
    </Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
               DataType="http://www.w3.org/2001/XMLSchema#string">
      <AttributeValue>read</AttributeValue>
    </Attribute>
  </Action>
</Request>

Page 17: XACML Response Structure

A Response carries:

• Decision
• Status
• Obligations

Page 18: XACML Response Example

<Response>
  <Result>
    <Decision>Permit</Decision>
    <Status>
      <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
    </Status>
  </Result>
</Response>

Decision (the effect reported to the PEP): Permit / Deny / NotApplicable / Indeterminate
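The policy from pages 13-14 evaluated against the request from page 16, as an added example that is not part of the original slides: a minimal Python PDP covering only the constructs those slides use (AnySubject/AnyResource/AnyAction, the *-equal match functions, string-one-and-only, and the permit-overrides rule combiner the policy names). The request is built as a plain dict holding the slide's attribute values; the subject e-mail address is made up.

```python
import xml.etree.ElementTree as ET
# Slide 13-14 policy, namespace-free as on the slides, so plain tag names work with ElementTree.
POLICY = ET.fromstring("""<Policy PolicyId="ExamplePolicy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
<Target><Subjects><AnySubject/></Subjects><Resources><Resource><ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://server.example.com/code/docs/developer-guide.html</AttributeValue>
<ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#anyURI" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/>
</ResourceMatch></Resource></Resources><Actions><AnyAction/></Actions></Target><Rule RuleId="ReadRule" Effect="Permit">
<Target><Subjects><AnySubject/></Subjects><Resources><AnyResource/></Resources><Actions><Action><ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue><ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"/>
</ActionMatch></Action></Actions></Target><Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"><Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
<SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="group"/></Apply><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">developers</AttributeValue></Condition></Rule></Policy>""")
# Constructed request with the slide-16 attributes (the subject-id address is made up): section -> AttributeId -> bag.
REQUEST = {"subject": {"urn:oasis:names:tc:xacml:1.0:subject:subject-id": ["alice@users.example.com"], "group": ["developers"]},
           "resource": {"urn:oasis:names:tc:xacml:1.0:resource:resource-id": ["http://server.example.com/code/docs/developer-guide.html"]},
           "action": {"urn:oasis:names:tc:xacml:1.0:action:action-id": ["read"]}}

def bag(expr, request):
    """Evaluate an expression element to a bag (list) of values; ValueError stands for Indeterminate."""
    if expr.tag == "AttributeValue":
        return [expr.text]
    if expr.tag.endswith("AttributeDesignator"):   # SubjectAttributeDesignator -> request["subject"], etc.
        return request.get(expr.tag[:-len("AttributeDesignator")].lower(), {}).get(expr.get("AttributeId"), [])
    if expr.get("FunctionId", "").endswith(":string-one-and-only"):
        values = bag(expr[0], request)
        if len(values) != 1: raise ValueError("string-one-and-only needs exactly one value, got %d" % len(values))
        return values
    raise ValueError("unsupported function %s" % expr.get("FunctionId"))

def target_matches(target, request):
    for section in target:   # Subjects / Resources / Actions: Any* matches, else one alternative whose *Match elements all hold
        if not section[0].tag.startswith("Any") and not any(
                all(bag(m[0], request)[0] in bag(m[1], request) for m in alt) for alt in section):
            return False
    return True

def evaluate_rule(rule, request):
    if not target_matches(rule.find("Target"), request):
        return "NotApplicable"
    cond = rule.find("Condition")   # only the *-equal(Apply(...), AttributeValue) shape from slide 14 is handled
    try:
        return rule.get("Effect") if cond is None or bag(cond[0], request) == bag(cond[1], request) else "NotApplicable"
    except ValueError:
        return "Indeterminate"

def evaluate_policy(policy, request):
    """Permit-overrides as the RuleCombiningAlgId names it, simplified to Permit > Indeterminate > Deny (exact here, since every rule has Effect="Permit")."""
    if not target_matches(policy.find("Target"), request):
        return "NotApplicable"
    decisions = [evaluate_rule(rule, request) for rule in policy.findall("Rule")]
    return next((d for d in ("Permit", "Indeterminate", "Deny") if d in decisions), "NotApplicable")
```

Changing the request's group to "testers" or its action to "write" yields NotApplicable, while a subject carrying two group values makes string-one-and-only fail and the decision Indeterminate, which is the case a PEP must treat as a non-Permit.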

Page 19: Combining Algorithms

Deny-overrides – if any evaluation returns Deny, then the result must be Deny. If all rules evaluate to Permit, then the result is Permit.

Permit-overrides – if any rule evaluates to Permit, then the result is Permit. If any rule evaluates to Deny and all other rules evaluate to NotApplicable, then the result is Deny. If all rules are found to be NotApplicable, then the result is NotApplicable.

Page 20: Combining Algorithms

First-applicable – rules are evaluated in their listing order. For each rule, if the target matches and the condition evaluates to True, then the result of that rule is the result of the policy (either Permit, Deny, or Indeterminate). Otherwise, the algorithm goes on to the next rule. If no rule applies, then the result is NotApplicable.

Only-one-applicable – for all of the policies in the policy set, if no policy applies, then the result is NotApplicable. If more than one policy applies, then the result is Indeterminate. If only one policy applies, then the result is the result of evaluating that policy.
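The four algorithms from pages 19-20 as executable functions, an added example that is not from the slides. Rule results are passed as (Effect, Decision) pairs so a combiner can tell a failed Deny rule from a failed Permit rule; the Indeterminate handling, which the slides leave out, follows the XACML 1.0 combining-algorithm pseudocode (a rule that errored might still have produced the overriding effect). Policy results for only-one-applicable are (applies, decision) pairs, where applies is the policy's Target match.

```python
# Rule results are (Effect, Decision) pairs: Effect is the rule's declared "Permit" or "Deny",
# Decision is one of "Permit", "Deny", "NotApplicable", "Indeterminate" from evaluating it.

def deny_overrides(results):
    """Page 19: a single Deny decides. A Deny-effect rule that errored could have denied, so
    without an actual Deny the combined result is Indeterminate rather than Permit."""
    decisions = [d for _, d in results]
    if "Deny" in decisions:
        return "Deny"
    if any(eff == "Deny" and d == "Indeterminate" for eff, d in results):
        return "Indeterminate"
    if "Permit" in decisions:
        return "Permit"
    return "Indeterminate" if "Indeterminate" in decisions else "NotApplicable"

def permit_overrides(results):
    """Page 19: mirror image of deny_overrides with Permit as the overriding effect."""
    decisions = [d for _, d in results]
    if "Permit" in decisions:
        return "Permit"
    if any(eff == "Permit" and d == "Indeterminate" for eff, d in results):
        return "Indeterminate"
    if "Deny" in decisions:
        return "Deny"
    return "Indeterminate" if "Indeterminate" in decisions else "NotApplicable"

def first_applicable(results):
    """Page 20: rules in listing order; the first rule that applies (or errors) gives the policy result,
    so reordering the rules can change the decision."""
    for _, d in results:
        if d != "NotApplicable":
            return d
    return "NotApplicable"

def only_one_applicable(policy_results):
    """Page 20, for policy sets. Inputs are (applies, decision) pairs; applies is the policy's Target match,
    so a policy whose Target matched but which evaluated to NotApplicable still counts as applicable."""
    applicable = [d for applies, d in policy_results if applies]
    if len(applicable) > 1:
        return "Indeterminate"
    return applicable[0] if applicable else "NotApplicable"
```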

Page 21: Extensibility

Extensible XML attribute types: the following XML attributes, whose values are URIs, may be extended by the creation of new URIs associated with new semantics for these attributes: AttributeId, DataType, FunctionId, MatchId, ObligationId, PolicyCombiningAlgId, RuleCombiningAlgId, StatusCode, SubjectCategory.

For a given structured data-type, a community of XACML users MAY define new attribute identifiers for each leaf sub-element of the structured data-type that has a type conformant with one of the XACML-defined primitive data-types.

A community of XACML users MAY define a new function that can be used to compare a value of the structured data-type against some other value. This method may only be used by PDPs that support the new function.

Page 22: Privacy profile

This profile defines two attributes:

• "urn:oasis:names:tc:xacml:2.0:resource:purpose" - the purpose for which the data resource was collected
• "urn:oasis:names:tc:xacml:2.0:action:purpose" - the purpose for which access to the data resource is requested

Matching purpose rule (Deny-overrides): access SHALL be denied unless the purpose for which access is requested matches, by regular-expression match, the purpose for which the data resource was collected.
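The matching-purpose rule above as an added Python check, not code from the slides or the profile: the collected purpose values are treated as the regular expressions and the requested purpose as the string matched against them, as a whole-string match; that reading of the slide's wording, the attribute bags, the purpose strings and the deny-overrides wrapper are all this example's own.

```python
import re

RESOURCE_PURPOSE = "urn:oasis:names:tc:xacml:2.0:resource:purpose"
ACTION_PURPOSE = "urn:oasis:names:tc:xacml:2.0:action:purpose"

def matching_purpose_rule(request):
    """Deny-effect rule: Deny unless action:purpose matches one of the resource:purpose patterns.
    request maps "resource"/"action" to {AttributeId: [values]}; a missing or multi-valued
    requested purpose, no collected purpose, or an unusable pattern makes the rule Indeterminate."""
    collected = request.get("resource", {}).get(RESOURCE_PURPOSE, [])
    requested = request.get("action", {}).get(ACTION_PURPOSE, [])
    if len(requested) != 1 or not collected:
        return "Indeterminate"
    try:
        # Assumed: whole-string match, the way XML Schema regular expressions are implicitly anchored.
        if any(re.fullmatch(pattern, requested[0]) for pattern in collected):
            return "NotApplicable"   # condition false, so the Deny rule does not fire
    except re.error:
        return "Indeterminate"
    return "Deny"

# Constructed record: data collected for billing or for any "service-..." purpose.
BILLING_RECORD = {"resource": {RESOURCE_PURPOSE: ["billing", "service-.*"]}}

def purpose_decision(record, requested_purpose, other_rule_decisions=()):
    """Deny-overrides for the whole policy: the purpose rule's Deny (or Indeterminate) wins over any
    Permit the policy's other rules produce; those are passed in as plain decision strings."""
    decisions = [matching_purpose_rule(dict(record, action={ACTION_PURPOSE: [requested_purpose]}))]
    decisions += list(other_rule_decisions)
    for d in ("Deny", "Indeterminate", "Permit"):
        if d in decisions:
            return d
    return "NotApplicable"
```

Because the match is anchored, a requested purpose of "billing-research" does not pass on the strength of the "billing" prefix; a record with no collected purpose at all yields Indeterminate rather than silently permitting.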

Page 23: RBAC profile - Scope

• If a subject has roles R1, R2, ... Rn enabled, can subject X access a given resource using a given action?
• Is subject X allowed to have role Ri enabled?
• If a subject has roles R1, R2, ... Rn enabled, does that mean the subject will have the permissions associated with a given role R'? That is, is role R' either equal to or junior to any of roles R1, R2, ... Rn?

Page 24: RBAC Profile Policies

• Role <PolicySet> - each Role <PolicySet> references a single corresponding Permission <PolicySet>
• Permission <PolicySet> - holds the actual permissions associated with a given role, plus references to the Permission <PolicySet>s associated with other roles that are junior to the given role
• Role Assignment <Policy> or <PolicySet> - defines which roles can be enabled or assigned to which subjects
• HasPrivilegesOfRole <Policy> - a <Policy> in a Permission <PolicySet> that supports requests asking whether a subject has the privileges associated with a given role
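An added example, not from the slides or the RBAC profile, that models the page-24 structure as Python data and answers the three page-23 scope questions over it: Role <PolicySet> entries point at one Permission <PolicySet> each, Permission <PolicySet> entries carry permissions plus references to junior roles' Permission <PolicySet>s, and a Role Assignment table says who may enable which role. The roles, permissions and subjects are made up.

```python
# Constructed Permission <PolicySet>s: own permissions as (action, resource) plus references to the
# Permission <PolicySet>s of junior roles. A lead is senior to a developer, who is senior to an employee.
PERMISSION_PS = {
    "PPS:employee":  {"permissions": {("read", "handbook")}, "junior": []},
    "PPS:developer": {"permissions": {("read", "developer-guide"), ("write", "code")}, "junior": ["PPS:employee"]},
    "PPS:lead":      {"permissions": {("approve", "code")}, "junior": ["PPS:developer"]},
}
# Role <PolicySet>: each role references exactly one Permission <PolicySet>.
ROLE_PS = {"employee": "PPS:employee", "developer": "PPS:developer", "lead": "PPS:lead"}
# Role Assignment <Policy>: which roles each subject may have enabled (constructed subjects).
ROLE_ASSIGNMENT = {"alice": {"lead", "developer", "employee"}, "bob": {"employee"}}

def reachable_permission_sets(pps_id, seen=None):
    """Follow junior-role references transitively; `seen` stops a mis-authored cyclic hierarchy from looping."""
    seen = set() if seen is None else seen
    if pps_id not in seen:
        seen.add(pps_id)
        for junior in PERMISSION_PS[pps_id]["junior"]:
            reachable_permission_sets(junior, seen)
    return seen

def can_enable_role(subject, role):
    """Scope question 2: is subject X allowed to have role Ri enabled?"""
    return role in ROLE_ASSIGNMENT.get(subject, set())

def enabled_roles(subject, requested_roles):
    """Only roles the Role Assignment policy grants become enabled; the rest are dropped, never trusted from the request."""
    return {r for r in requested_roles if can_enable_role(subject, r)}

def access_decision(subject, requested_roles, action, resource):
    """Scope question 1: with the enabled roles, may the subject perform action on resource?
    Permit if any enabled role's Permission <PolicySet>, or one it references, lists the permission."""
    for role in enabled_roles(subject, requested_roles):
        for pps_id in reachable_permission_sets(ROLE_PS[role]):
            if (action, resource) in PERMISSION_PS[pps_id]["permissions"]:
                return "Permit"
    return "NotApplicable"   # no permission policy matched; a PEP must not grant access on this

def has_privileges_of_role(subject, requested_roles, role):
    """Scope question 3 (HasPrivilegesOfRole): is role R' equal to or junior to one of the enabled roles?"""
    return any(ROLE_PS[role] in reachable_permission_sets(ROLE_PS[r]) for r in enabled_roles(subject, requested_roles))
```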

Page 25: XACML implementations

Using the Sun XACML implementation:

• Building a PDP
• Building a PEP
• Creating and encoding policies
• Validating policies and requests
• Supporting attribute selectors

XACMLight - Apache Axis2 Web Service XACML 2.0 PDP/PAP implementation

XACML policy editors

Page 26: Limitations

• XACML is verbose and complex in some ways.
• Interactions involving the PAP, PIP, etc., are not standardized.
• Policy administration, policy versioning, etc., are not standardized.

Page 27: References

OASIS XACML Technical Committee Home Page: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml

Sun's XACML Open Source Implementation: http://sunxacml.sourceforge.net/