Why Using XACML as oneM2M Access Control Policy
Group Name: WG4
Source: Wei Zhou, CATT, [email protected]
Date: <2014-09-22>
Agenda Item: <agenda item topic name>
What is XACML
• eXtensible Access Control Markup Language (XACML) is an XML-based access control language defined by the Organization for the Advancement of Structured Information Standards (OASIS). The XACML access control framework follows the Attribute Based Access Control (ABAC) model. (Version 2.0, 2005; Version 3.0, 2013)
• The oneM2M authorization system shall select XACML as its access control policy description language.
XACML <Target> Element Structure
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">physician</AttributeValue>
  <AttributeDesignator MustBePresent="false"
      Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
      AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:role"
      DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Match>
Slide callouts: the <AttributeValue> holds the value in the policy, MatchId names the match function, and the <AttributeDesignator> supplies the value taken from the request.
XACML <Condition> Element Structure
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
    <AttributeDesignator MustBePresent="false"
        Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
        AttributeId="urn:oasis:names:tc:xacml:3.0:example:attribute:physician-id"
        DataType="http://www.w3.org/2001/XMLSchema#string"/>
  </Apply>
  <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
    <AttributeSelector MustBePresent="false"
        Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
        Path="md:record/md:primaryCarePhysician/md:registrationID/text()"
        DataType="http://www.w3.org/2001/XMLSchema#string"/>
  </Apply>
</Apply>
XACML Attribute Categories
• Subject attribute category: Originator, Role, …
• Resource attribute category: Resource URI, Creation time, …
• Action attribute category: Retrieve, Update, …
• Environment attribute category: current time, IP Address, …
• It is extensible
XACML Defines 8 Rule and Policy Combining Algorithms
1. Deny-overrides
2. Ordered-deny-overrides
3. Permit-overrides
4. Ordered-permit-overrides
5. Deny-unless-permit
6. Permit-unless-deny
7. First-applicable
8. Only-one-applicable
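The decision logic behind the eight algorithms on this slide, as an added example (not code from the WG4 contribution or from any XACML implementation). Each function takes the list of results that a policy's rules (or a policy set's policies) returned and produces the combined decision; the algorithms are keyed by the names on the slide rather than by their URN identifiers. XACML 3.0's extended Indeterminate{D}/{P}/{DP} values are collapsed into a single "Indeterminate" here, which is this example's simplification. The last function is a review check a policy author wants: which algorithm turns a missing attribute (Indeterminate) or an empty result into Permit.

```python
"""Added example: combined-decision logic of the eight XACML combining algorithms.
Simplification: XACML 3.0's Indeterminate{D}/{P}/{DP} are collapsed into one value."""

PERMIT, DENY, INDETERMINATE, NOT_APPLICABLE = "Permit", "Deny", "Indeterminate", "NotApplicable"


def deny_overrides(results):
    """Any Deny wins; an Indeterminate then blocks a Permit (it might have been a Deny)."""
    for decision in (DENY, INDETERMINATE, PERMIT):
        if decision in results:
            return decision
    return NOT_APPLICABLE


def permit_overrides(results):
    """Mirror image: any Permit wins, an Indeterminate blocks a Deny."""
    for decision in (PERMIT, INDETERMINATE, DENY):
        if decision in results:
            return decision
    return NOT_APPLICABLE


def first_applicable(results):
    """The first result that is not NotApplicable decides, Indeterminate included."""
    for decision in results:
        if decision != NOT_APPLICABLE:
            return decision
    return NOT_APPLICABLE


def deny_unless_permit(results):
    """Permit only if some rule said Permit; everything else, Indeterminate included, is Deny."""
    return PERMIT if PERMIT in results else DENY


def permit_unless_deny(results):
    """Deny only if some rule said Deny; everything else, Indeterminate included, is Permit."""
    return DENY if DENY in results else PERMIT


def only_one_applicable(policies):
    """Policy combining only: policies is a list of (target_matches, result) pairs, where
    target_matches is True, False or INDETERMINATE. Exactly one matching target decides."""
    if any(t == INDETERMINATE for t, _ in policies):
        return INDETERMINATE
    applicable = [result for t, result in policies if t is True]
    if len(applicable) > 1:
        return INDETERMINATE
    return applicable[0] if applicable else NOT_APPLICABLE


# Keyed by the names on the slide. The ordered variants give the same decision as the
# unordered ones; they only fix the evaluation order (relevant for obligations/advice).
COMBINING_ALGORITHMS = {
    "Deny-overrides": deny_overrides,
    "Ordered-deny-overrides": deny_overrides,
    "Permit-overrides": permit_overrides,
    "Ordered-permit-overrides": permit_overrides,
    "Deny-unless-permit": deny_unless_permit,
    "Permit-unless-deny": permit_unless_deny,
    "First-applicable": first_applicable,
    "Only-one-applicable": only_one_applicable,
}


def combine(algorithm, results):
    """Apply one of the slide's algorithms to a list of rule/policy results."""
    return COMBINING_ALGORITHMS[algorithm](results)


def fail_open_algorithms(results):
    """Names of the algorithms that turn this result list into Permit although no rule
    said Permit. For [Indeterminate] (e.g. a missing attribute) only Permit-unless-deny
    does, so a policy using it needs an explicit Deny rule for every case it must block."""
    return [name for name, fn in COMBINING_ALGORITHMS.items()
            if name != "Only-one-applicable" and PERMIT not in results and fn(results) == PERMIT]
```

Rule-combining algorithms take bare results; Only-one-applicable is defined for policies, so it takes (target matched, result) pairs, which is why it is excluded from the fail-open check.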
XACML Defines a lot of Attribute Identifiers
Identifier M/O (M = mandatory to support, O = optional)
urn:oasis:names:tc:xacml:1.0:subject:authn-locality:dns-name O
urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address O
urn:oasis:names:tc:xacml:1.0:subject:authentication-method O
urn:oasis:names:tc:xacml:1.0:subject:authentication-time O
urn:oasis:names:tc:xacml:1.0:subject:key-info O
urn:oasis:names:tc:xacml:1.0:subject:request-time O
urn:oasis:names:tc:xacml:1.0:subject:session-start-time O
urn:oasis:names:tc:xacml:1.0:subject:subject-id O
urn:oasis:names:tc:xacml:1.0:subject:subject-id-qualifier O
urn:oasis:names:tc:xacml:1.0:subject-category:access-subject M
urn:oasis:names:tc:xacml:1.0:subject-category:codebase O
urn:oasis:names:tc:xacml:1.0:subject-category:intermediary-subject O
urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject O
urn:oasis:names:tc:xacml:1.0:subject-category:requesting-machine O
urn:oasis:names:tc:xacml:1.0:resource:resource-location O
urn:oasis:names:tc:xacml:1.0:resource:resource-id M
urn:oasis:names:tc:xacml:1.0:resource:simple-file-name O
urn:oasis:names:tc:xacml:1.0:action:action-id O
urn:oasis:names:tc:xacml:1.0:action:implied-action O
XACML Defines a lot of Data Types
Data-type M/O (M = mandatory to support, O = optional)
http://www.w3.org/2001/XMLSchema#string M
http://www.w3.org/2001/XMLSchema#boolean M
http://www.w3.org/2001/XMLSchema#integer M
http://www.w3.org/2001/XMLSchema#double M
http://www.w3.org/2001/XMLSchema#time M
http://www.w3.org/2001/XMLSchema#date M
http://www.w3.org/2001/XMLSchema#dateTime M
http://www.w3.org/2001/XMLSchema#dayTimeDuration M
http://www.w3.org/2001/XMLSchema#yearMonthDuration M
http://www.w3.org/2001/XMLSchema#anyURI M
http://www.w3.org/2001/XMLSchema#hexBinary M
http://www.w3.org/2001/XMLSchema#base64Binary M
urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name M
urn:oasis:names:tc:xacml:1.0:data-type:x500Name M
urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression O
urn:oasis:names:tc:xacml:2.0:data-type:ipAddress M
urn:oasis:names:tc:xacml:2.0:data-type:dnsName M
XACML Defines a lot of Functions
Function M/O
urn:oasis:names:tc:xacml:1.0:function:string-equal M
urn:oasis:names:tc:xacml:1.0:function:boolean-equal M
urn:oasis:names:tc:xacml:1.0:function:integer-equal M
urn:oasis:names:tc:xacml:1.0:function:double-equal M
urn:oasis:names:tc:xacml:1.0:function:date-equal M
urn:oasis:names:tc:xacml:1.0:function:time-equal M
urn:oasis:names:tc:xacml:1.0:function:dateTime-equal M
urn:oasis:names:tc:xacml:3.0:function:dayTimeDuration-equal M
urn:oasis:names:tc:xacml:3.0:function:yearMonthDuration-equal M
urn:oasis:names:tc:xacml:3.0:function:string-equal-ignore-case M
urn:oasis:names:tc:xacml:1.0:function:anyURI-equal M
urn:oasis:names:tc:xacml:1.0:function:x500Name-equal M
urn:oasis:names:tc:xacml:1.0:function:rfc822Name-equal M
urn:oasis:names:tc:xacml:1.0:function:hexBinary-equal M
urn:oasis:names:tc:xacml:1.0:function:base64Binary-equal M
urn:oasis:names:tc:xacml:1.0:function:integer-add M
urn:oasis:names:tc:xacml:1.0:function:double-add M
urn:oasis:names:tc:xacml:1.0:function:integer-subtract M
urn:oasis:names:tc:xacml:1.0:function:double-subtract M
urn:oasis:names:tc:xacml:1.0:function:integer-multiply M
urn:oasis:names:tc:xacml:1.0:function:double-multiply M
urn:oasis:names:tc:xacml:1.0:function:integer-divide M
urn:oasis:names:tc:xacml:1.0:function:double-divide M
urn:oasis:names:tc:xacml:1.0:function:integer-mod M
XACML Request and Response Contexts
Attribute categories:
• Subject
• Resource
• Action
• Environment
• Newly defined attribute categories (e.g. Token)
Authorization decision:
• "Permit"
• "Deny"
• "Indeterminate"
• "NotApplicable"
Using XACML in oneM2M Authorization Architecture
[Figure: XACML components in the oneM2M authorization architecture. The Access Requester sends an Access Request to the Policy Enforcement Point (PEP), which mediates Access to the Resource. The PEP passes an XACML Request Context to the Policy Decision Point (PDP) and receives an XACML Response Context. The PDP retrieves the applicable XACML Policy Set from the Policy Retrieval Point (PRP) and exchanges Attribute Request / Attribute Response messages with the Policy Information Point (PIP).]
Mapping oneM2M request parameters to the XACML request context
Columns: Parameter in oneM2M / Description / Attribute Category in XACML / AttributeId in XACML / DataType in XACML

to: URI of target resource
  Category: urn:oasis:names:tc:xacml:3.0:attribute-category:resource
  AttributeId: urn:oasis:names:tc:xacml:1.0:resource:resource-id
  DataType: http://www.w3.org/2001/XMLSchema#anyURI
fr: Identifier representing the originator of the request
  Category: urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
  AttributeId: urn:oasis:names:tc:xacml:1.0:subject:subject-id
  DataType: http://www.w3.org/2001/XMLSchema#string
role: Role of the originator
  Category: urn:oasis:names:tc:xacml:1.0:subject-category:access-subject
  AttributeId: TBD
  DataType: http://www.w3.org/2001/XMLSchema#string
op: Requested operation
  Category: urn:oasis:names:tc:xacml:3.0:attribute-category:action
  AttributeId: urn:oasis:names:tc:xacml:1.0:action:action-id
  DataType: http://www.w3.org/2001/XMLSchema#string
rq_time: Context information
  Category: urn:oasis:names:tc:xacml:3.0:attribute-category:environment
  AttributeId: urn:oasis:names:tc:xacml:1.0:environment:current-time
  DataType: http://www.w3.org/2001/XMLSchema#time
rq_loc: Context information
  Category: urn:oasis:names:tc:xacml:3.0:attribute-category:environment
  AttributeId: TBD
  DataType: TBD
rq_ip: Context information
  Category: urn:oasis:names:tc:xacml:3.0:attribute-category:environment
  AttributeId: urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address
  DataType: urn:oasis:names:tc:xacml:2.0:data-type:ipAddress
fc: Filter criteria
  Category: urn:oasis:names:tc:xacml:3.0:attribute-category:resource
  AttributeId: TBD
  DataType: http://www.onem2m.org/xml/protocols#filterCriteria
Mapping from oneM2M access control decision to XACML authorization decision
Access control decision in oneM2M | Description | Authorization decision in XACML
TRUE or 1 | The requested access is permitted. | "Permit"
FALSE or 0 | The requested access is denied. | "Deny"
XACML is Extensible
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
  <Attribute IncludeInResult="false" AttributeId="urn:onem2m:names:attribute:role" Issuer="onem2m.example.com">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">002-Device Configuration</AttributeValue>
  </Attribute>
  <Attribute IncludeInResult="false" AttributeId="urn:onem2m:names:attribute:token" Issuer="onem2m.example.com">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#base64Binary">TWFuIGlzIGRpc3Rpbmd1aXNoZWQsIG5vdCBvbmx5IGJ5IGhpcyByZWFzb24sIGJ1dCBieSB0aGlzIHNpbmd1bGFyIHBhc3Npb24gZnJvbSBvdGhlciBhbmltYWxzLCB3aGljaCBpcyBhIGx1c3Qgb2YgdGhlIG1pbmQsIHRoYXQgYnkgYSBwZXJzZXZlcmFuY2Ugb2YgZGVsaWdodCBpbiB0aGUgY29udGludWVkIGFuZCBpbmRlZmF0aWdhYmxlIGdlbmVyYXRpb24gb2Yga25vd2xlZGdlLCBleGNlZWRzIHRoZSBzaG9ydCB2ZWhlbWVuY2Ugb2YgYW55IGNhcm5hbCBwbGVhc3VyZS4=</AttributeValue>
  </Attribute>
</Attributes>
Example of adding role and token in XACML request context
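The whole path from a oneM2M request to a oneM2M access control decision, as an added example that is not code from the WG4 contribution or from any XACML implementation. It builds an XACML 3.0 request context from oneM2M parameters with the mapping table above (adding an extensible role attribute as on the last slide), evaluates a rule with the <Target>/<Condition> logic of the earlier slides against it the way a PDP would, and maps the XACML decision back to TRUE/FALSE. Assumptions, also marked in the code: the role AttributeId is the urn:onem2m:names:attribute:role of the last slide (the mapping table says TBD); the slide's XPath AttributeSelector is replaced by a plain resource attribute with a made-up id; rule combining is first-applicable with a catch-all Deny rule; and the Indeterminate and NotApplicable decisions, which the mapping slide does not cover, are treated as FALSE (fail closed). All sample values are constructed.

```python
"""Added example: oneM2M parameters -> XACML request context -> PDP decision -> oneM2M result.
Assumptions are marked inline; sample values are constructed for this example."""
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"   # XACML 3.0 core namespace
XS = "http://www.w3.org/2001/XMLSchema#"
CAT_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
CAT_RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
CAT_ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
CAT_ENV = "urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
ROLE_ID = "urn:onem2m:names:attribute:role"                 # from the extensibility slide
PHYSICIAN_ID = "urn:oasis:names:tc:xacml:3.0:example:attribute:physician-id"  # <Condition> slide
PCP_ID = "urn:example:resource:primary-care-physician-id"   # assumption: stands in for the XPath selector

# oneM2M parameter -> (category, AttributeId, DataType) as in the mapping table; 'role' uses ROLE_ID (assumption).
ONEM2M_TO_XACML = {
    "to":      (CAT_RESOURCE, "urn:oasis:names:tc:xacml:1.0:resource:resource-id", XS + "anyURI"),
    "fr":      (CAT_SUBJECT,  "urn:oasis:names:tc:xacml:1.0:subject:subject-id",   XS + "string"),
    "role":    (CAT_SUBJECT,  ROLE_ID,                                              XS + "string"),
    "op":      (CAT_ACTION,   "urn:oasis:names:tc:xacml:1.0:action:action-id",      XS + "string"),
    "rq_time": (CAT_ENV,      "urn:oasis:names:tc:xacml:1.0:environment:current-time", XS + "time"),
    "rq_ip":   (CAT_ENV,      "urn:oasis:names:tc:xacml:1.0:subject:authn-locality:ip-address",
                              "urn:oasis:names:tc:xacml:2.0:data-type:ipAddress"),
}


def build_request_context(params, extra=()):
    """Return a <Request> element with one <Attributes> child per category. extra holds
    (category, AttributeId, DataType, value) tuples a PIP would contribute."""
    req = ET.Element(f"{{{XACML}}}Request", {"ReturnPolicyIdList": "false", "CombinedDecision": "false"})
    per_category = {}
    rows = [ONEM2M_TO_XACML[name] + (value,) for name, value in params.items()] + list(extra)
    for category, attr_id, dtype, value in rows:
        if category not in per_category:
            per_category[category] = ET.SubElement(req, f"{{{XACML}}}Attributes", {"Category": category})
        attr = ET.SubElement(per_category[category], f"{{{XACML}}}Attribute",
                             {"AttributeId": attr_id, "IncludeInResult": "false"})
        ET.SubElement(attr, f"{{{XACML}}}AttributeValue", {"DataType": dtype}).text = str(value)
    return req


def designator(req, category, attr_id):
    """AttributeDesignator: the bag of values of one attribute (empty bag if absent)."""
    path = (f"{{{XACML}}}Attributes[@Category='{category}']"
            f"/{{{XACML}}}Attribute[@AttributeId='{attr_id}']/{{{XACML}}}AttributeValue")
    return [v.text for v in req.findall(path)]


def one_and_only(bag):
    """string-one-and-only: exactly one value, otherwise the expression is Indeterminate."""
    if len(bag) != 1:
        raise LookupError("Indeterminate")
    return bag[0]


def evaluate_rule(req, rule):
    """Target: every <Match> (string-equal: true if any bag value equals the policy value)
    must hold; then the Condition must be true; the rule's Effect is the result."""
    for category, attr_id, policy_value in rule["target"]:
        if policy_value not in designator(req, category, attr_id):
            return "NotApplicable"
    try:
        if "condition" in rule and not rule["condition"](req):
            return "NotApplicable"
    except LookupError:            # missing attribute inside the Condition
        return "Indeterminate"
    return rule["effect"]


def evaluate_policy(req, rules):
    """first-applicable rule combining: the first rule that is not NotApplicable decides."""
    for rule in rules:
        result = evaluate_rule(req, rule)
        if result != "NotApplicable":
            return result
    return "NotApplicable"


# The slides' physician rule (role == physician, physician-id == record's physician id),
# followed by a catch-all Deny rule so that unmatched requests are refused (assumption).
PHYSICIAN_POLICY = [
    {"effect": "Permit",
     "target": [(CAT_SUBJECT, ROLE_ID, "physician"),
                (CAT_ACTION, "urn:oasis:names:tc:xacml:1.0:action:action-id", "Retrieve")],
     "condition": lambda req: one_and_only(designator(req, CAT_SUBJECT, PHYSICIAN_ID))
                              == one_and_only(designator(req, CAT_RESOURCE, PCP_ID))},
    {"effect": "Deny", "target": []},
]


def onem2m_decision(xacml_decision):
    """Slide mapping: Permit -> TRUE/1, Deny -> FALSE/0. Indeterminate and NotApplicable are
    not on the slide; returning 0 for them (fail closed) is this example's assumption."""
    return 1 if xacml_decision == "Permit" else 0


def decide(params, extra=()):
    """Full path: oneM2M parameters -> request context -> PDP decision -> oneM2M result."""
    xacml_decision = evaluate_policy(build_request_context(params, extra), PHYSICIAN_POLICY)
    return xacml_decision, onem2m_decision(xacml_decision)


# Constructed sample oneM2M request and PIP-supplied facts (values made up for this example).
SAMPLE = {"to": "/CSE01/patient-0042/record", "fr": "C-physician-17", "role": "physician",
          "op": "Retrieve", "rq_time": "09:30:00", "rq_ip": "192.0.2.10"}
PIP_FACTS = [(CAT_SUBJECT, PHYSICIAN_ID, XS + "string", "MD-1234"),
             (CAT_RESOURCE, PCP_ID, XS + "string", "MD-1234")]
```

`ET.tostring(build_request_context(SAMPLE, PIP_FACTS), encoding="unicode")` shows the serialized request context; `decide(SAMPLE, PIP_FACTS)` returns ("Permit", 1), and the same request with the resource-side physician id missing returns ("Indeterminate", 0), which is the case a deployment has to decide on explicitly because the mapping slide only covers Permit and Deny.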