From: Mei-Xing Z. <Mei...@su...> - 2003-06-14 01:12:34
Hi Farrukh,

Thanks for your reply. Our project code freeze date is next Friday (6/20). Could you fix these bugs and do the new XACML implementation early next week, so we can test our code before our code freeze date? We would really appreciate it if you could do so.

In the meantime, I have more questions about defining the XACML policy file. Both Waikei and I are working on XACML right now. You will see both of us sending emails to you from our discussions.

1. I would like to know how to define the resource access control in the XACML file. For example, if I want to allow the role of ContentOwner to have the permission to create/update/delete ExtrinsicObjects, does the following policy I defined look right to you? I have some specific questions embedded in the following policy:

===================================
<Policy PolicyId="urn:oasis:names:tc:ebxml-regrep:3.0:rim:acp:policy:policyid:permit-owner-all-extrinsic"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
  <Target>
    <Subjects>
      <AnySubject/>
    </Subjects>
    <Resources>
      <AnyResource/>
    </Resources>
    <Actions>
      <AnyAction/>
    </Actions>
  </Target>
  <Rule RuleId="urn:oasis:names:tc:ebxml-regrep:3.0:rim:acp:rule:ruleid:permit-owner-all-extrinsic"
        Effect="Permit">
    <Description>
      A Subject with role of ContentOwner can perform any action on ExtrinsicObjects (resource) owned by them.
    </Description>
    <Target>
      <Subjects>
        <Subject>
          <!-- Question: Is this needed since the condition seems to cover it? -->
          <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
              ContentOwner
            </AttributeValue>
            <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:ebxml-regrep:3.0:rim:acp:subject:role"
                                        DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </SubjectMatch>
        </Subject>
      </Subjects>
      <Resources>
        <Resource>
          <!-- match general ExtrinsicObject -->
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
              ExtrinsicObject
            </AttributeValue>
            <!-- Questions: Is AttributeId specified correctly? Is DataType specified correctly?
                 According to the RIM spec, pg. 78, table 2, if the resource attribute is <attribute>,
                 AttributeId is "urn:oasis:names:tc:xacml:1.0:resource:<attribute>"; specifically here,
                 "urn:oasis:names:tc:xacml:1.0:resource:objectType". Is this correct?
                 The DataType of objectType for a RegistryObject is ObjectRef. It is specified in the
                 RIM spec, pg. 25-26 attribute summary table. Can I use "string" for this case? -->
            <ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                         AttributeId="urn:oasis:names:tc:xacml:1.0:resource:objectType"/>
          </ResourceMatch>
          <!-- match a specific (CPA) ExtrinsicObject -->
          <!-- I have the same questions for the following ResourceMatch block -->
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
              CPA
            </AttributeValue>
            <ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                         AttributeId="urn:oasis:names:tc:xacml:1.0:resource:objectType"/>
          </ResourceMatch>
        </Resource>
      </Resources>
      <Actions>
        <AnyAction/>
      </Actions>
    </Target>
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-one-and-only">
        <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                                    DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
      </Apply>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:anyURI-one-and-only">
        <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:ebxml-regrep:3.0:rim:acp:resource:owner"
                                     DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
      </Apply>
    </Condition>
  </Rule>
</Policy>
=================================

2. Another general question is how to find the owner of a RegistryObject in the database tables. For example, for a ServiceObject, where do I find the owner for this service object in the database tables?

Thanks,
Mei

>Date: Fri, 13 Jun 2003 18:54:20 -0400
>From: Farrukh Najmi <far...@su...>
>User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3) Gecko/20030312
>X-Accept-Language: en-us, en
>MIME-Version: 1.0
>To: Mei-Xing Zhao <Mei...@su...>
>CC: ebx...@li...
>Subject: Re: [Ebxmlrr-tech] XACML basic in ebxmlrr?
>Content-Transfer-Encoding: 7bit
>
>Mei-Xing Zhao wrote:
>
>>Farrukh,
>>I also have a couple of questions:
>>
>>1. From your email below, you said you are going to implement Role Based Access
>>Control (RBAC) in XACML support. What will this implementation exactly cover?
>>
>The impl requires adding logic to process roles in subject attributes
>handling in AuthorizationImpl class.
>
>>
>>2. A few weeks ago, you sent a proposal for fixing the XACML security hole bug.
>>Is the bug fixed already or are you going to fix it next week?
>>
>To remind people, the security hole is that the ability to create new
>roles is not restricted in the current code base. This is not a real
>security issue at present since RBAC is not supported anyway. Once RBAC
>is implemented it would become a real security hole. That is why both
>the RBAC impl and the restriction on who can create roles need to be done.
>
>I am behind on that promise due to JavaOne and related activities.
>
>>
>>3. This refers to 2). There are four things you were planning to fix. Just want
>>to check with you which ones are ready and which ones are still to be done.
>>
>> 1. Define a SubjectRole scheme in createMinDB and populate it with
>> pre-defined roles (required by specs)
>>
>This is done.
>
>>
>> 2. Assign the RegistryOperator user the role of RegistryAdministrator
>>
>I think this is done.
>
>>
>> 3. Put checks in code to only allow RegistryAdministrator role to create
>> new Roles
>>
>Not done.
>
>>
>> 4. Put checks in code to only allow RegistryAdministrator role to assign
>> Roles to users
>>
>Not done.
>
>>
>>Are these fixes all done? I think 1 and 2 are there. I am not sure about 3. and
>>4. Could you let me know?
>>
>Thanks for your patience.
>

********
Mei-Xing Zhao
Enterprise Messaging & Integration, CSSIT
Sun Microsystems, Inc.
(510) 936-3520 x13520 (internal)
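An added example (not ebxmlrr code and not from this thread) that applies XACML 1.0 target semantics to the rule shape in the policy above: the Match elements inside one <Subject> or <Resource> are a conjunction, while <Subjects> and <Resources> are a disjunction over their children, so two objectType matches only read as "ExtrinsicObject or CPA" when each sits in its own <Resource>. The evaluator, the policy strings and the request values (urn:user:mei and friends) are constructed here; the Actions section and DataType checks are left out.

```python
import xml.etree.ElementTree as ET

F = "urn:oasis:names:tc:xacml:1.0:function:"
ROLE = "urn:oasis:names:tc:ebxml-regrep:3.0:rim:acp:subject:role"
OWNER = "urn:oasis:names:tc:ebxml-regrep:3.0:rim:acp:resource:owner"
OBJTYPE = "urn:oasis:names:tc:xacml:1.0:resource:objectType"
SUBJID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"

def rmatch(value):  # one <ResourceMatch> on objectType, shaped like the ones in the mail
    return (f'<ResourceMatch MatchId="{F}string-equal"><AttributeValue>{value}</AttributeValue>'
            f'<ResourceAttributeDesignator AttributeId="{OBJTYPE}"/></ResourceMatch>')

def policy(resources):  # constructed rule: same ContentOwner match and owner condition
    return (f'<Policy><Rule Effect="Permit"><Target><Subjects><Subject>'
            f'<SubjectMatch MatchId="{F}string-equal"><AttributeValue>ContentOwner</AttributeValue>'
            f'<SubjectAttributeDesignator AttributeId="{ROLE}"/></SubjectMatch></Subject></Subjects>'
            f'<Resources>{resources}</Resources><Actions><AnyAction/></Actions></Target>'
            f'<Condition FunctionId="{F}anyURI-equal">'
            f'<Apply><SubjectAttributeDesignator AttributeId="{SUBJID}"/></Apply>'
            f'<Apply><ResourceAttributeDesignator AttributeId="{OWNER}"/></Apply>'
            f'</Condition></Rule></Policy>')

# Both objectType matches inside ONE <Resource>: XACML 1.0 ANDs them, so no object satisfies it.
ONE_RESOURCE = policy(f'<Resource>{rmatch("ExtrinsicObject")}{rmatch("CPA")}</Resource>')
# One match per <Resource>: <Resources> is a disjunction, so either objectType matches.
TWO_RESOURCES = policy(f'<Resource>{rmatch("ExtrinsicObject")}</Resource>'
                       f'<Resource>{rmatch("CPA")}</Resource>')

def section_matches(section, attrs, item):
    """OR over the <Subject>/<Resource> children, AND over the Match elements inside each."""
    if section.find("Any" + item) is not None:
        return True
    return any(all(m.get("MatchId") == F + "string-equal" and
                   attrs.get(m.find(item + "AttributeDesignator").get("AttributeId"))
                   == m.find("AttributeValue").text for m in el.findall(item + "Match"))
               for el in section.findall(item))

def evaluate(policy_xml, subject, resource):
    """Decision for the single Permit rule: 'Permit' or 'NotApplicable'."""
    rule = ET.fromstring(policy_xml).find("Rule")
    target = rule.find("Target")
    if not (section_matches(target.find("Subjects"), subject, "Subject") and
            section_matches(target.find("Resources"), resource, "Resource")):
        return "NotApplicable"
    cond = rule.find("Condition")
    subj_id = subject.get(cond.find("Apply/SubjectAttributeDesignator").get("AttributeId"))
    owner = resource.get(cond.find("Apply/ResourceAttributeDesignator").get("AttributeId"))
    if subj_id is None or subj_id != owner:
        return "NotApplicable"  # a false condition makes the rule NotApplicable, not Deny
    return rule.get("Effect")

# Constructed request: subject urn:user:mei in role ContentOwner, acting on a CPA she owns.
MEI = {ROLE: "ContentOwner", SUBJID: "urn:user:mei"}
MEI_CPA = {OBJTYPE: "CPA", OWNER: "urn:user:mei"}
```

Running `evaluate(TWO_RESOURCES, MEI, MEI_CPA)` yields Permit, while the same request against `ONE_RESOURCE` is NotApplicable because no single objectType value equals both strings.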