Question
The following rule says subjects with role "acme_manager" can perform any action on the resource "/acme/widgets":
<Rule Effect="Permit" RuleId="PermitRule">
  <Condition>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/acme/widgets</AttributeValue>
        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
      </Apply>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">acme_manager</AttributeValue>
        <AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
      </Apply>
    </Apply>
  </Condition>
</Rule>
Would it be possible to create a more dynamic rule that says something like: "subjects with the role X_manager can perform any action on the resource /Y/widgets, if X equals Y"?
So I could use the same policy to enforce:
- foo_manager ... /foo/widgets
- bar_manager ... /bar/widgets
- baz_manager ... /baz/widgets
- etc.
without creating multiple, similar policies.
Answer 1:
Yes, of course; this is in fact one of the key benefits of XACML over other authorization frameworks, and definitely over RBAC.
In XACML, there are 2 elements you can use to define the applicability of the authorization. These are:
- XACML targets
  - targets exist in Policy Set elements, Policy elements, and Rule elements.
  - targets are for simple matching between an attribute and a value, e.g. role=="manager"
- XACML conditions
  - conditions exist in Rule elements only.
  - conditions are for any type of matching, including the one you are looking for. With conditions, you can compare any number of attributes, e.g. userDepartment==resourceDepartment.
I recommend you use ALFA to write your policies. It's much easier than plain old XACML. ALFA is a free tool developed by Axiomatics (disclaimer: I work for Axiomatics). It is also in the process of being standardized at the OASIS XACML Technical Committee.
Answer 2:
I think there are 2 ways to do this:
1. Define two "VariableDefinition"s in your policy: one to get the part before the underscore character, the other to get the part between the last two slash characters. [I wonder if XACML's core spec has defined such a function.] Then you can use the two "VariableDefinition"s under the "Rule", and use a standard string-equal function to compare them.
2. Just define a new function of your own, and add it to the FunctionFactory that your PDP uses.
These two approaches are the same: you need to apply a specific function on some attribute instead of using the raw AttributeValue directly.
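A policy in the shape the question asks for, as an added example rather than code from either answer: it combines the VariableDefinition mechanism from the second answer with the attribute-to-attribute comparison from the first, using only core XACML 3.0 functions. It assumes a hypothetical resource attribute urn:example:resource:tenant that carries the Y of /Y/widgets, since the core function set offers no way to cut that segment out of resource-id itself.

```xml
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="TenantManagerPolicy" Version="1.0"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
  <Target/>
  <!-- Assumption: a PIP (or the PEP) supplies the resource's tenant name, e.g. "foo" for
       /foo/widgets, under the hypothetical attribute id urn:example:resource:tenant. The core
       function set has no index-of or substring-before, so the policy cannot derive it itself. -->
  <VariableDefinition VariableId="tenant">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
      <AttributeDesignator AttributeId="urn:example:resource:tenant"
                           Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                           DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
    </Apply>
  </VariableDefinition>
  <Rule Effect="Permit" RuleId="PermitTenantManager">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
        <!-- resource-id must be exactly "/" + tenant + "/widgets" -->
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
          <Apply FunctionId="urn:oasis:names:tc:xacml:2.0:function:string-concatenate">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/</AttributeValue>
            <VariableReference VariableId="tenant"/>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/widgets</AttributeValue>
          </Apply>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                               Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                               DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        </Apply>
        <!-- the subject's role bag must contain tenant + "_manager" -->
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
          <Apply FunctionId="urn:oasis:names:tc:xacml:2.0:function:string-concatenate">
            <VariableReference VariableId="tenant"/>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">_manager</AttributeValue>
          </Apply>
          <AttributeDesignator AttributeId="http://wso2.org/claims/role"
                               Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                               DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>
```

Because every designator is MustBePresent="true", a request that lacks the tenant, resource-id or role attribute evaluates to Indeterminate rather than silently falling through to a Permit, so a misconfigured PIP fails closed. The resource-id check is an exact string match, as in the original rule, so /foo/widgets/archive does not match and needs its own rule or a prefix-based condition.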
Source: https://stackoverflow.com/questions/22262647/is-it-possible-to-compare-attributes-in-a-xacml-policy