Creating a XACML policy with multiple roles for a single user and the same resource, and how to create a request that hits only one rule for a given role and resource.
Data model: Resource: - company; Role: - …
Here is the policy you are looking for, in ALFA.
```
namespace com.axiomatics.so.pankaj {
    /**
     * Company policy
     */
    policyset company {
        target clause resource == "company"
        apply firstApplicable
        /**
         * Administrators can...
         */
        policy administrator {
            target clause role == "admin"
            apply firstApplicable
            /**
             * Create
             */
            rule create {
                target clause action == "create"
                permit
            }
            /**
             * Delete
             */
            rule delete {
                target clause action == "delete"
                permit
            }
        }
        /**
         * Visitors can...
         */
        policy visitor {
            target clause role == "visitor"
            apply firstApplicable
            /**
             * read
             */
            rule read {
                target clause action == "read"
                permit
            }
        }
        /**
         * Tenants can...
         */
        policy tenant {
            target clause role == "tenant"
            apply firstApplicable
            /**
             * Update
             */
            rule update {
                target clause action == "update"
                permit
            }
        }
    }
}
```
You also need to define the attributes the policy will use:
```
attribute role {
    category = subjectCat
    id = "com.axiomatics.so.role"
    type = string
}
attribute resource {
    category = resourceCat
    id = "com.axiomatics.so.company"
    type = string
}
attribute action {
    category = actionCat
    id = "com.axiomatics.so.action"
    type = string
}
```
This results in the following XACML policy in XML:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!--This file was generated by the ALFA Plugin for Eclipse from Axiomatics AB (http://www.axiomatics.com). -->
<!--Any modification to this file will be lost upon recompilation of the source ALFA file -->
<xacml3:PolicySet PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable"
                  PolicySetId="http://axiomatics.com/alfa/identifier/com.axiomatics.so.pankaj.company"
                  Version="1.0"
                  xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <xacml3:Description>Company policy</xacml3:Description>
  <xacml3:PolicySetDefaults>
    <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
  </xacml3:PolicySetDefaults>
  <xacml3:Target>
    <xacml3:AnyOf>
      <xacml3:AllOf>
        <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">company</xacml3:AttributeValue>
          <xacml3:AttributeDesignator AttributeId="com.axiomatics.so.company"
                                      Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                      DataType="http://www.w3.org/2001/XMLSchema#string"
                                      MustBePresent="false"/>
        </xacml3:Match>
      </xacml3:AllOf>
    </xacml3:AnyOf>
  </xacml3:Target>
  <xacml3:Policy PolicyId="http://axiomatics.com/alfa/identifier/com.axiomatics.so.pankaj.company.administrator"
                 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
                 Version="1.0">
    <xacml3:Description>Administrators can...</xacml3:Description>
    <xacml3:PolicyDefaults>
      <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
    </xacml3:PolicyDefaults>
    <xacml3:Target>
      <xacml3:AnyOf>
        <xacml3:AllOf>
          <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</xacml3:AttributeValue>
            <xacml3:AttributeDesignator AttributeId="com.axiomatics.so.role"
                                        Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                                        DataType="http://www.w3.org/2001/XMLSchema#string"
                                        MustBePresent="false"/>
          </xacml3:Match>
        </xacml3:AllOf>
      </xacml3:AnyOf>
    </xacml3:Target>
    <xacml3:Rule Effect="Permit" RuleId="com.axiomatics.so.pankaj.company.administrator.create">
      <xacml3:Description>Create</xacml3:Description>
      <xacml3:Target>
        <xacml3:AnyOf>
          <xacml3:AllOf>
            <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</xacml3:AttributeValue>
              <xacml3:AttributeDesignator AttributeId="com.axiomatics.so.action"
                                          Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                                          DataType="http://www.w3.org/2001/XMLSchema#string"
                                          MustBePresent="false"/>
            </xacml3:Match>
          </xacml3:AllOf>
        </xacml3:AnyOf>
      </xacml3:Target>
    </xacml3:Rule>
    <xacml3:Rule Effect="Permit" RuleId="com.axiomatics.so.pankaj.company.administrator.delete">
      <xacml3:Description>Delete</xacml3:Description>
      <xacml3:Target>
        <xacml3:AnyOf>
          <xacml3:AllOf>
            <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">delete</xacml3:AttributeValue>
              <xacml3:AttributeDesignator AttributeId="com.axiomatics.so.action"
                                          Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                                          DataType="http://www.w3.org/2001/XMLSchema#string"
                                          MustBePresent="false"/>
            </xacml3:Match>
          </xacml3:AllOf>
        </xacml3:AnyOf>
      </xacml3:Target>
    </xacml3:Rule>
  </xacml3:Policy>
  <xacml3:Policy PolicyId="http://axiomatics.com/alfa/identifier/com.axiomatics.so.pankaj.company.visitor"
                 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
                 Version="1.0">
    <xacml3:Description>Visitors can...</xacml3:Description>
    <xacml3:PolicyDefaults>
      <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
    </xacml3:PolicyDefaults>
    <xacml3:Target>
      <xacml3:AnyOf>
        <xacml3:AllOf>
          <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">visitor</xacml3:AttributeValue>
            <xacml3:AttributeDesignator AttributeId="com.axiomatics.so.role"
                                        Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                                        DataType="http://www.w3.org/2001/XMLSchema#string"
                                        MustBePresent="false"/>
          </xacml3:Match>
        </xacml3:AllOf>
      </xacml3:AnyOf>
    </xacml3:Target>
    <xacml3:Rule Effect="Permit" RuleId="com.axiomatics.so.pankaj.company.visitor.read">
      <xacml3:Description>read</xacml3:Description>
      <xacml3:Target>
        <xacml3:AnyOf>
          <xacml3:AllOf>
            <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</xacml3:AttributeValue>
              <xacml3:AttributeDesignator AttributeId="com.axiomatics.so.action"
                                          Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                                          DataType="http://www.w3.org/2001/XMLSchema#string"
                                          MustBePresent="false"/>
            </xacml3:Match>
          </xacml3:AllOf>
        </xacml3:AnyOf>
      </xacml3:Target>
    </xacml3:Rule>
  </xacml3:Policy>
  <xacml3:Policy PolicyId="http://axiomatics.com/alfa/identifier/com.axiomatics.so.pankaj.company.tenant"
                 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
                 Version="1.0">
    <xacml3:Description>Tenants can...</xacml3:Description>
    <xacml3:PolicyDefaults>
      <xacml3:XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</xacml3:XPathVersion>
    </xacml3:PolicyDefaults>
    <xacml3:Target>
      <xacml3:AnyOf>
        <xacml3:AllOf>
          <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">tenant</xacml3:AttributeValue>
            <xacml3:AttributeDesignator AttributeId="com.axiomatics.so.role"
                                        Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                                        DataType="http://www.w3.org/2001/XMLSchema#string"
                                        MustBePresent="false"/>
          </xacml3:Match>
        </xacml3:AllOf>
      </xacml3:AnyOf>
    </xacml3:Target>
    <xacml3:Rule Effect="Permit" RuleId="com.axiomatics.so.pankaj.company.tenant.update">
      <xacml3:Description>Update</xacml3:Description>
      <xacml3:Target>
        <xacml3:AnyOf>
          <xacml3:AllOf>
            <xacml3:Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <xacml3:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</xacml3:AttributeValue>
              <xacml3:AttributeDesignator AttributeId="com.axiomatics.so.action"
                                          Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                                          DataType="http://www.w3.org/2001/XMLSchema#string"
                                          MustBePresent="false"/>
            </xacml3:Match>
          </xacml3:AllOf>
        </xacml3:AnyOf>
      </xacml3:Target>
    </xacml3:Rule>
  </xacml3:Policy>
</xacml3:PolicySet>
```
```json
{
  "Request": {
    "ReturnPolicyIdList": true,
    "AccessSubject": {
      "Attribute": [
        { "AttributeId": "com.axiomatics.so.role", "Value": "admin" }
      ]
    },
    "Resource": {
      "Attribute": [
        { "AttributeId": "com.axiomatics.so.company", "Value": "company" }
      ]
    },
    "Action": {
      "Attribute": [
        { "AttributeId": "com.axiomatics.so.action", "Value": "create" }
      ]
    },
    "Environment": {
      "Attribute": []
    }
  }
}
```
And the response:
```json
{
  "Response": {
    "Decision": "Permit",
    "Status": {
      "StatusCode": {
        "Value": "urn:oasis:names:tc:xacml:1.0:status:ok",
        "StatusCode": {
          "Value": "urn:oasis:names:tc:xacml:1.0:status:ok"
        }
      }
    },
    "PolicyIdentifierList": {
      "PolicyIdReference": {
        "Id": "http://axiomatics.com/alfa/identifier/com.axiomatics.so.pankaj.company.administrator",
        "Version": "1.0"
      },
      "PolicySetIdReference": {
        "Id": "http://axiomatics.com/alfa/identifier/com.axiomatics.so.pankaj.company",
        "Version": "1.0"
      }
    }
  }
}
```
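As an added example (not part of the answer above and not Axiomatics' code), a small Python evaluator that mirrors how a PDP decides the JSON request against the PolicySet above: it parses a constructed, abridged copy of the generated XML (admin and visitor policies only), applies first-applicable combining at both PolicySet and Policy level, and treats a JSON list of roles as a multi-valued attribute bag, which is what a single user holding several roles comes down to. The `_t`, `request_for` and `decide` helpers are assumptions made here; only string-equal Matches and Permit/Deny Rules are supported, not a full XACML engine.

```python
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML}
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
def _t(attr_id, value):  # one <Target> with a single string-equal <Match>, shaped like the ALFA output
    return (f'<Target><AnyOf><AllOf><Match MatchId="{STRING_EQUAL}"><AttributeValue>{value}'
            f'</AttributeValue><AttributeDesignator AttributeId="{attr_id}" MustBePresent="false"/>'
            '</Match></AllOf></AnyOf></Target>')
# Constructed, abridged copy of the generated PolicySet (first-applicable throughout; tenant omitted).
POLICY_XML = f"""<PolicySet xmlns="{XACML}" PolicySetId="company">
 {_t('com.axiomatics.so.company', 'company')}
 <Policy PolicyId="administrator">{_t('com.axiomatics.so.role', 'admin')}
  <Rule Effect="Permit" RuleId="create">{_t('com.axiomatics.so.action', 'create')}</Rule>
 </Policy>
 <Policy PolicyId="visitor">{_t('com.axiomatics.so.role', 'visitor')}
  <Rule Effect="Permit" RuleId="read">{_t('com.axiomatics.so.action', 'read')}</Rule>
 </Policy>
</PolicySet>"""
def _match(m, attrs):
    # string-equal over a bag: ANY value may equal the literal; a missing attribute is simply no match
    attr_id = m.find("x:AttributeDesignator", NS).get("AttributeId")
    return m.find("x:AttributeValue", NS).text in attrs.get(attr_id, ())
def target_matches(node, attrs):  # AND over AnyOf, OR over AllOf, AND over Match; empty Target matches
    target = node.find("x:Target", NS)
    return target is None or len(target) == 0 or all(
        any(all(_match(m, attrs) for m in allof.findall("x:Match", NS))
            for allof in anyof.findall("x:AllOf", NS))
        for anyof in target.findall("x:AnyOf", NS))
def evaluate(node, attrs):
    """first-applicable: the first child whose decision is not NotApplicable decides."""
    if not target_matches(node, attrs):
        return "NotApplicable"
    tag = node.tag.rsplit("}", 1)[1]
    if tag == "Rule":
        return node.get("Effect")
    kids = node.findall("x:Policy" if tag == "PolicySet" else "x:Rule", NS)
    return next((d for d in (evaluate(k, attrs) for k in kids) if d != "NotApplicable"), "NotApplicable")
def request_for(roles, action, resource="company"):  # JSON request in the answer's shape
    return {"Request": {"ReturnPolicyIdList": True,
        "AccessSubject": {"Attribute": [{"AttributeId": "com.axiomatics.so.role", "Value": roles}]},
        "Resource": {"Attribute": [{"AttributeId": "com.axiomatics.so.company", "Value": resource}]},
        "Action": {"Attribute": [{"AttributeId": "com.axiomatics.so.action", "Value": action}]}}}
def decide(request):  # flatten each category into {AttributeId: bag of values}, then evaluate
    attrs = {}
    for cat in (c for c in request["Request"].values() if isinstance(c, dict)):
        for a in cat["Attribute"]:
            v = a["Value"]  # a JSON list is a multi-valued bag, e.g. a user holding several roles
            attrs.setdefault(a["AttributeId"], set()).update(v if isinstance(v, list) else [v])
    return evaluate(ET.fromstring(POLICY_XML), attrs)
```

A user carrying both `admin` and `visitor` who asks to `read` is first matched by the administrator policy, whose rules do not apply, so first-applicable moves on to the visitor policy and returns Permit; a real PDP would additionally report the matching policy ids as in the response above.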