Versions Compared

...

  • Authoring XACML policies is an involved technical process, with behavior hinging upon the total policy set. For this reason policies/sets will be centralized, named and reused as much as possible. (Less is more)
  • Administrators may choose to enforce a different set of XACML policies at any point within the repository tree.
  • Metadata, such as ACLs or rights statements, can be used to avoid authoring more XACML.
    • Node properties can determine the relevant policy within a set and the outcome from within that policy.
    • Policies may depend upon an access role attribute.
    • Policies may reference any value obtained via a SPARQL query, relative to the content node, but the query must be mapped to a XACML attribute in configuration.
  • Policies (and/or sets of them) must be stored in the repository.
  • Policies must be enforced on externally managed content, i.e. projected nodes within a federated node (including the filesystem connector).
  • Must be able to authorize based on the requesting IP address.
  • Must be able to authorize based on resource mixin types.
  • Must be able to authorize based on the Hydra rightsMetadata datastream.
  • Must be able to authorize based on resource mimetype.

Decisions Needed

How to Map to XACML Policies

This includes how policies are stored in the repository and how they are linked with content objects.

...

Attempting to address all of these issues through the Sequencer approach to policy references (see above). This would map the XACML policy tree into the repository without sacrificing any of the expressiveness of XACML and without having to create a more robust translation layer.

...

Finding Attributes of Repository Resources and Users

Policies will need to refer to resource, subject and environment attributes to evaluate requests. How will the PDP resolve the referenced attributes? What is the most straightforward way to create an extensible mapping of XACML attribute to contextual repository data, given a node path?

When a property is not set, the attribute finder needs to return an empty set rather than an error. (This is true for all attribute finding.)

Resource Attributes

Use cases mention enforcement scenarios based on resource attributes, namely mimetype and mixin types.

...

There has to be a cleaner way to express these mappings, right? A dotted expression language? (help) Resolving this by creating a number of standard subject attributes, while leaving the door open for mapping new ones from HTTP headers or request attributes.

...

JBoss PicketBox XACML Engine

...

PicketLink and PicketBox projects use the same XACML PDP, which is the Sun XACML implementation repackaged by JBoss. (PicketLink is a larger umbrella project of security services.)

...

We still need to implement the interfaces and JBoss documentation is an issue. However, JBoss source includes several examples of attribute/policy locators, which are our main extension points.

Local

...

PDP

...

Is this better implemented as a remote or a local PDP service? The PDP can be used as a bean without the webapp runtime, or it can be configured as a separate service (SOAP). The trade-offs are identified in the table below.

...

Local. This presents fewer obstacles in the short term, and we have no use cases yet which dictate that a remote XACML PDP is needed. A local PDP makes this authz delegate easier to configure, since no Fedora, ModeShape or SOAP XACML clients need to be set up between separately running services. If we ever need the PDP to be remote, we can do the extra plumbing to make it so.

...

Cascading

...

Deletes

When ModeShape checks for permission to remove a node and the authz delegate returns true, there are no follow-up checks for removal of the child nodes. The children, their children, etc. are deleted along with the parent, but the authz delegate gets no permission callback for them.

...

This is helpful reading for writing a finder:
http://sunxacml.sourceforge.net/guide.html#extending-finder

Note: When an attribute has no value, the attribute finder needs to return an empty set rather than an error. (This is true for all attribute finding.)
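The two contracts above, the attribute finder returning an empty set for an unset property (noted here and under "Finding Attributes") and the cascading-delete gap described under "Deletes", as an added Python model. This is example code, not the project's authz delegate and not the Sun XACML/PicketBox API; the repository tree, the attribute ids (`urn:example:...`), the node property names and the three rules are all constructed for illustration. The counter-example `strict_finder` shows why the empty-set rule matters: a finder that fails on a missing property turns the whole evaluation Indeterminate, whereas an empty bag simply lets the rules fall through. `can_remove_subtree` shows the check a delegate has to do itself, since the container asks about the parent only.

```python
from dataclasses import dataclass, field
from typing import Callable, FrozenSet

# Hypothetical XACML attribute ids (assumption; not the project's configured ids).
ATTR_MIMETYPE = "urn:example:resource:mimetype"
ATTR_MIXINS = "urn:example:resource:mixin-types"

# attribute id -> (node property name, multi-valued?)
ATTR_MAP = {
    ATTR_MIMETYPE: ("jcr:mimeType", False),
    ATTR_MIXINS: ("jcr:mixinTypes", True),
}

@dataclass
class Node:
    path: str
    props: dict = field(default_factory=dict)

# Constructed repository tree, keyed by path.
REPO = {
    "/": Node("/"),
    "/coll": Node("/coll", {"jcr:mixinTypes": ["fedora:object"]}),
    "/coll/a": Node("/coll/a", {"jcr:mimeType": "image/tiff",
                               "jcr:mixinTypes": ["fedora:datastream", "ex:archival"]}),
    "/coll/b": Node("/coll/b", {"jcr:mimeType": "text/plain"}),
}

Bag = FrozenSet[str]

def lenient_finder(node: Node, attr_id: str) -> Bag:
    """Resolve a resource attribute id to a bag of property values.
    Unmapped id or unset property -> EMPTY bag, never an error."""
    mapping = ATTR_MAP.get(attr_id)
    if mapping is None:
        return frozenset()
    prop, multi = mapping
    value = node.props.get(prop)
    if value is None:
        return frozenset()
    return frozenset(value) if multi else frozenset([value])

def strict_finder(node: Node, attr_id: str) -> Bag:
    """Counter-example: a finder that fails when the property is unset."""
    prop, multi = ATTR_MAP[attr_id]   # KeyError if the id is unmapped
    value = node.props[prop]          # KeyError if the property is unset
    return frozenset(value) if multi else frozenset([value])

def evaluate(action: str, node: Node, env: dict,
             finder: Callable[[Node, str], Bag] = lenient_finder) -> str:
    """Toy deny-overrides PDP with constructed rules.
    Returns 'Permit', 'Deny', 'NotApplicable' or 'Indeterminate'."""
    try:
        mixins = finder(node, ATTR_MIXINS)
        mimetype = finder(node, ATTR_MIMETYPE)
    except KeyError:
        return "Indeterminate"        # a failing finder poisons the whole decision
    client_ip: Bag = frozenset([env["client-ip"]]) if "client-ip" in env else frozenset()
    # Rule 1 (Deny): resources carrying the archival mixin may not be removed.
    if action == "remove" and "ex:archival" in mixins:
        return "Deny"
    # Rule 2 (Deny): TIFF content may only be read from the 10.0.0.0/8 site range.
    if action == "read" and "image/tiff" in mimetype \
            and not any(ip.startswith("10.") for ip in client_ip):
        return "Deny"
    # Rule 3 (Permit): requests that carry a client address are otherwise permitted.
    if client_ip:
        return "Permit"
    return "NotApplicable"            # empty bags just fail to match; nothing errors

def descendants(path: str) -> list:
    """All nodes strictly below `path`, in path order."""
    prefix = path.rstrip("/") + "/"
    return [n for p, n in sorted(REPO.items()) if p != path and p.startswith(prefix)]

def can_remove_subtree(path: str, env: dict) -> tuple:
    """The container asks the delegate about the parent only, so evaluate 'remove'
    for the parent AND every descendant; anything but Permit blocks the cascade."""
    blocked = [(n.path, d) for n in [REPO[path]] + descendants(path)
               if (d := evaluate("remove", n, env)) != "Permit"]
    return (not blocked, blocked)

if __name__ == "__main__":
    site = {"client-ip": "10.1.1.5"}
    print(evaluate("read", REPO["/coll/b"], site))                    # Permit
    print(evaluate("read", REPO["/coll/b"], {}))                      # NotApplicable
    print(evaluate("remove", REPO["/coll/b"], site, strict_finder))   # Indeterminate
    print(can_remove_subtree("/coll", site))                          # (False, [('/coll/a', 'Deny')])
```

Note that `/coll/b` has no mixin property at all: with `lenient_finder` it is evaluated normally, with `strict_finder` every request for it becomes Indeterminate, which under deny-overrides is as good as a denial for the whole policy set. The subtree check deliberately treats NotApplicable the same as Deny, i.e. deny by default when no rule claims the node.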

PolicyFinderModule (w/PolicyLocator for JBossPDP configuration)

...