...

The Fedora XACML Policy Finder Module will implement the XACML Policy Finder Module and retrieve the policy that is in scope for a given context node. It will search the tree upward for the closest parent with a policy property and return that XACML policy. It will also resolve internal URI references between policies at the request of the PDP, looking in the policy folder for policies that are referenced by other policies.

Here is an example repository tree:

  • ROOT
    • collection A
      • policy property (REFERENCE to policy A)
    • collection B (inherits default policy set from ROOT)
    • policies
      • default policy set (XACML policy set links to B and C)
      • policy set A (nt:file, referenceable) (XACML policy set XML links to default and D)
      • policy B
      • policy C
      • policy D
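The closest-parent lookup and reference resolution described above, modelled on this example tree as an added illustration (not Fedora code). The repository and policy folder are constructed dicts, and the policy ids, paths and the `refs` lists standing in for the XACML policy set XML are assumptions.

```python
# Constructed model of the repository tree: path -> properties, where the
# "policy" property holds a reference (by id) to a node in the policies folder.
REPO = {
    "/": {"policy": "default"},              # ROOT carries the default policy set
    "/collectionA": {"policy": "policySetA"},
    "/collectionA/item1": {"policy": None},  # inherits from collection A
    "/collectionB": {"policy": None},        # inherits default policy set from ROOT
}

# Constructed contents of the policies folder; "refs" stands in for the
# PolicyIdReference / PolicySetIdReference elements in each policy set's XML.
POLICIES = {
    "default":    {"kind": "PolicySet", "refs": ["policyB", "policyC"]},
    "policySetA": {"kind": "PolicySet", "refs": ["default", "policyD"]},
    "policyB":    {"kind": "Policy", "refs": []},
    "policyC":    {"kind": "Policy", "refs": []},
    "policyD":    {"kind": "Policy", "refs": []},
}


def find_policy(path):
    """Return (node path, policy id) of the closest node at or above `path`
    that carries a policy property, or None if no ancestor has one."""
    while True:
        props = REPO.get(path)
        if props is not None and props["policy"] is not None:
            return path, props["policy"]
        if path == "/":
            return None
        path = path.rsplit("/", 1)[0] or "/"  # step up to the parent


def resolve_reference(policy_id):
    """Look a referenced policy up in the policies folder, as the PDP asks the
    finder module to do; a dangling reference is an error, not a silent miss."""
    policy = POLICIES.get(policy_id)
    if policy is None:
        raise KeyError(f"dangling policy reference: {policy_id!r}")
    return policy


def referenced_policies(policy_id, seen=None):
    """Every policy the PDP will need to evaluate `policy_id`, following
    references depth first; `seen` guards against cycles between policy sets."""
    seen = set() if seen is None else seen
    if policy_id not in seen:
        seen.add(policy_id)
        for ref in resolve_reference(policy_id)["refs"]:
            referenced_policies(ref, seen)
    return seen
```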

...

On a related note, is there any utility in defining policy sets more formally as nodes linked by properties, i.e. without XML? The target section would always be empty, so that the policy set applies to all requests. This would add referential integrity to the graph of policies and could be worth exploring. Such policy set nodes would use properties to link to their constituent policies and to specify the combining algorithm. (They could be converted to XACML by our policy finder module on their way to the PDP.)

How to Map XACML Attributes to Repository Data

...

Once a particular ModeShape property has been found, its data type can be checked against the requested data type; they should match so that literal values in a policy can be compared with the returned values.

Proposed

We build a Resource Attribute Finder Module that is configured with a map of the resource attributes supported in policies. Each attribute has an ID, a data type, an expression, and expression type/grammar. The expressions are interpreted relative to the context node in these grammars:

  • JCR 1.0 XPath
  • RDF Predicate URI (returns the objects of any triples where the context node is the subject)

Issues

Do we need SPARQL? How do we inject the context node path or URI? (help)

Subject Attributes

Policies will want to reference attributes of the subject.

...

We can add the effective access roles to the XACML request, and/or make them available via the attribute finder module.

Proposed

We build a Subject Attribute Finder Module that is configured with a map of the subject attributes supported in policies. Each attribute has an ID, a data type, an expression and expression type/grammar:

  • group, string, header: X-forward-group-name, request-context
  • IP, string, IP, request-context
  • role, string, role, fedora-context (maps to the effective fedora roles for a node)

Issues

There has to be a cleaner way to express these mappings, right? A dotted expression language? (help)

Shall we use the JBoss PicketBox XACML Engine?

...