We are using WSO2 Identity Server 5.1.0 .
We have a location hierarchy like Plant1->Area1->unit1. Now if a user is having attribute for the Plant1, he should get access to unit1 as well (all children of the parent in a tree).
Can we specify this in XACML? We have the hierarchy stored in DB. We can provide the list of hierarchical elements as a list of attributes also if so required.
Problem explained in sample :
A user bob has been given access to area2 as shown below :
Plant1
|--Area1
|--Unit1
|--Area2
|--Unit2
We want to specify the Area2 location in XACML policy. Now if the request with area2 or unit2 comes that should be permitted while if the request with plant1, area1 or unit1 comes that should get denied.
I need the structure for XACML policy.
You can implement this with a custom PIP (Policy Information Point, aka Attribute Provider) in XACML implementations like AuthzForce. I don't know WSO2 IS as much but according to the doc, it is also extensible with custom PIPs, so I assume this should do the trick.
The idea is that in the XACML Policy, you use an AttributeDesignator with a custom AttributeId to indicate that the top parent value in the hierarchy of some attribute is requested, e.g. AttributeId = resource-id-parent for the parent value of resource-id attribute value.
What your custom PIP does: when this custom attribute id resource-id-parent is requested, the PIP gets the value of the attribute resource-id from the request, i.e. "area2" or "unit2", then gets the corresponding top value in the hierarchy from your DB (or all the values above if you will) and return it as bag. Then, in the XACML Policy, you can use string-equal in a Match or string-at-least-one-member-of in a Condition to match the AttributeDesignator with "area2" (remember an AttributeDesignator always evaluate to a bag).
Related
I have a simple flow consisting of
GenerateFlowFile ----> PutS3Object ----> Wait
And the generated flow files are getting stored in the bucket correctly.
Now I want to add Metadata to my flow file.
If I add a property "Test1" to PutS3Object, it shows up as "X-Amz-Meta-Test1" in the metadata of the object.
But if I add a property "Test2" in GenerateFlowFile it doesn't show up in metadata.
I tried adding "Test2" as s3.usermetadata.Test2 but it still didn't work.
Is there a way to pass all the flow files attributes as metadata without explicitly adding properties in the PutS3Object.
PutS3Object only inserts metadata values that you have set as Dynamic Properties on the PutS3Object processor itself. Please see the docs link and look at the Dynamic Properties section.
PutS3Object does not just stick any Attribute you set as metadata, otherwise you would end up with potentially hundreds of metadata entries that you aren't interested in. The only Attribute it reads by default is filename - please see the Reads Attributes section of the docs.
If you have an existing Attibute, and you want to push the value of this Attribute into the metadata, you must add a Dynamic Property to PutS3Object and reference the value of the Attribute.
E.g. you have an Attribute called file_author with a value Steve and you want the S3 object to have the metadata field author with the value Steve:
You would add a Dynamic Property to PutS3Object with a name of author and a value of ${file_author}.
Edit:
You could fork PutS3Object into a custom processor to add the dynamic functionality you want, but I would recommend just using the standard PutS3Object config and manually configuring the Attributes you want.
How do I update the LDAP value using LDAP Output Step in Spoon?
I couldn't find any documentation on Pentaho's website. I am trying to update the group name of a particular user in Active Directory.
Until now, I was able to connect with the AD. But I can't make any changes to LDAP.
In General -> Settings, my operation is updated.
And in Fields -> Search Base, I defined the DC attributes. Eg: dc=xyz,dc=com.
And in Attributes, I defined the OU along with the value it should be changed too.
Is this how it should work?
I am getting an error saying "can not find DN(Distinguished Name) in the input stream!"
My guess is that you are using the values you want to inject instead of the fields containing those values. This step heavily relies upon fields coming in from previous steps.
In the image below you will see I am passing in the 'dn' field which is used in Settings > 'Dn fieldname' to lookup the field I want to alter.
Then under Fields I am mapping the incoming 'new_name' field to the property 'givenName' on the LDAP object identified by the DN.
So my DN to lookup and the value to set the field to are coming from my transformation stream. I only statically identify the Attribute on the LDAP object to be mapped.
the dn is not right. dn is cn + ou-structure like ou + domain-structure like dc.
If you dont know the cn, you cant define the dn. You must take a LDAP-Input with query like your uid for getting dn.
With this dn you can update attributes with LDAP-Output, if you have rights for writing.
How to access the corresponding FieldDefinition, if I have only the jcr property name at hand.
Is there any desired functionality,like find a field definition by a jcr property name ? If not, how would I access configured field definitions in java code ?
Scenario : I need to determine, if a given jcr property name was configured to be an i18n-capable field in definition ?
The answer is you can never be sure if property was configured to be i18n-able (or have any other trait) at the time it was last edited as definition might have changes since.
However to achieve what you want (obtain the definition), what you need to do is:
get a parent node of the property in question,
get value of it's mgnl:template property. That's your templateId,
use the templateId to obtain template from the registry,
read value of dialog property of the template, that's your dialogId
use the dialogId to obtain dialog from the registry
scan tabs in the dialog to find property definition with name of the jcr property you have started with
I'd like to declare some policies likes:
some one can visit anything under the img path, but img folders are scattered everwhere, so the attributevalue in the xacml policy may seem like this: "/rootpath/**XPATH_PART**/img/*".
how to write policy of this kind.
I looked through the "XACML3.0 core spec", "Multiple Profile", they says
Each Individual Decision Request SHALL be identical to the original request context with two exceptions: the “multiple:content-selector” attribute SHALL NOT be present and an added “content-selector” attribute value SHALL be an XPath expression that evaluates to a single node in the <Content> element
I think this means that in the policy file, i cann't use XPath in the AttributeValue to refer to multiple resources like i said in the first place, right? because the request is resolved to individual request each asking for a resource with a specified attribute id.
Is there something in the specification i missed out or misunderstood? or can anyone suggest a better way to do what i want?
Now i'm wondering if using regular expression in the resource can do that. The corresponding function is
urn:oasis:names:tc:xacml:1.0:function:string-regexp-match.
P.S.: I'm trying to setup a authorization server for my company, XACML seems a good place to start with. But nobody around me knows about it. I would be appreciated if any one can give me any suggestion about setting up the access control system.
I chatted with some of my colleagues at Axiomatics and the conclusion is that you do not need XPath but rather regular expressions. XACML provides a regular expression function that works on URI data types. It is called anyURIRegexpMatch and it takes in a string (the regular expression) and the XACML attribute to which to apply the regular expression. It returns either true or false.
Your rule target would look as follows in ALFA (Axiomatics Language for Authorization):
policy matchResources{
apply firstApplicable
rule allow{
target clause anyURIRegexpMatch("^https?://(?:[a-z\\-]+\\.)+[a-z]{2,6}(?:/[^/#?]+)+\\.(?:jpg|gif|png)$", resourceId)
permit
}
}
See also this other example (XACML 2.0): How do I apply XACML rules to every child URI?
If I have an API
https://api.example.org/api/v1/resources
and there is access to a resource with id
https://api.example.org/api/v1/resources/:id
How can I write a XACML policy where the resource is an URL with a resource id (the second URL from above)?
How can I put a placeholder/variable there so that I can write a rule for it?
Are you saying that you need to write separate policies for various possible id? E.g.
P1 that handles access to resource https://api.example.org/api/v1/resources/:1 and
P2 that handles access to resource https://api.example.org/api/v1/resources/:2 etc.
If so, the idea would be to use an attribute id, say the resource-id attribute, to capture the value of the id in the URL at the PEP side and pass it to the PDP and to write policies where the target is specified as string-equals(resource-id,1) for P1 and string-equals(resource-id,2) for P2 etc.
(edit)
Based on the clarification, provided, you can do it as follows:
The reasoning in such a case will be similar. You write a Policy that handles all rules for resources and specify its target as string-equals(resource-type,"resources") and in that policy specify rules for each resource-id. At the rule level the target would be string-equals(resource-id,"1"), string-equals(resource-id,"2") etc.