I'd like to declare some policies likes:
some one can visit anything under the img path, but img folders are scattered everwhere, so the attributevalue in the xacml policy may seem like this: "/rootpath/**XPATH_PART**/img/*".
how to write policy of this kind.
I looked through the "XACML3.0 core spec", "Multiple Profile", they says
Each Individual Decision Request SHALL be identical to the original request context with two exceptions: the “multiple:content-selector” attribute SHALL NOT be present and an added “content-selector” attribute value SHALL be an XPath expression that evaluates to a single node in the <Content> element
I think this means that in the policy file, i cann't use XPath in the AttributeValue to refer to multiple resources like i said in the first place, right? because the request is resolved to individual request each asking for a resource with a specified attribute id.
Is there something in the specification i missed out or misunderstood? or can anyone suggest a better way to do what i want?
Now i'm wondering if using regular expression in the resource can do that. The corresponding function is
urn:oasis:names:tc:xacml:1.0:function:string-regexp-match.
P.S.: I'm trying to setup a authorization server for my company, XACML seems a good place to start with. But nobody around me knows about it. I would be appreciated if any one can give me any suggestion about setting up the access control system.
I chatted with some of my colleagues at Axiomatics and the conclusion is that you do not need XPath but rather regular expressions. XACML provides a regular expression function that works on URI data types. It is called anyURIRegexpMatch and it takes in a string (the regular expression) and the XACML attribute to which to apply the regular expression. It returns either true or false.
Your rule target would look as follows in ALFA (Axiomatics Language for Authorization):
policy matchResources{
apply firstApplicable
rule allow{
target clause anyURIRegexpMatch("^https?://(?:[a-z\\-]+\\.)+[a-z]{2,6}(?:/[^/#?]+)+\\.(?:jpg|gif|png)$", resourceId)
permit
}
}
See also this other example (XACML 2.0): How do I apply XACML rules to every child URI?
Related
I'm a beginner looking for some clarity on how to create configuration files for the DDS Recording Service in two areas.
If you are looking to record a set of specific topics from a domain how do you set up the topic group? Can you list the topics as individual <topic_expr> i.e.
<topic_group name="SomeTopics">
<topics>
<topic_expr>topic2</topic_expr>
<topic_expr>topic8</topic_expr>
</topics>
<field_expr>*</field_expr>
</topic_group>
When I tried something like this not all the listed topics would be recorded. Is there something I am overlooking?
Secondly, when you use -deserialize to you need to make any changes to the configuration file you used to record the database? As I sometimes get errors about how "rti dds failed to find" followed by something like X::Y::Z. Thanks.
The XSD schema for the configuration file does not expect you to use multiple <topic_expr> tags, but a single tag with a comma-separated list of Topic names. The RTI Recording Service User's Manual explains it as follows:
<topic_expr>POSIX fn expression</topic_expr>
Required.
A comma-separated list of POSIX expressions that specify the names of Topics to be included in the TopicGroup.
The syntax and semantics are the same as for Partition matching.
Default: Null
Note: Keep in mind that spaces are valid first characters in topic names, thus they can affect the matching process. For example, this will match both Triangle and Square topics (notice there is no space before Square):
<topic_expr>Triangle,Square</topic_expr>
However the following will only match Triangle topics (because there is a space before Square):
<topic_expr>Triangle, Square</topic_expr>
With regard to the -deserialize option, this is not applicable to the Recording Service but to the Converter tool (rtirecconv). If you want to record deserialized, you will have to indicate that in the Recording Service configuration, via the tag <deserialize_mode>. Again, see the User's Manual for details.
We are using WSO2 Identity Server 5.1.0 .
We have a location hierarchy like Plant1->Area1->unit1. Now if a user is having attribute for the Plant1, he should get access to unit1 as well (all children of the parent in a tree).
Can we specify this in XACML? We have the hierarchy stored in DB. We can provide the list of hierarchical elements as a list of attributes also if so required.
Problem explained in sample :
A user bob has been given access to area2 as shown below :
Plant1
|--Area1
|--Unit1
|--Area2
|--Unit2
We want to specify the Area2 location in XACML policy. Now if the request with area2 or unit2 comes that should be permitted while if the request with plant1, area1 or unit1 comes that should get denied.
I need the structure for XACML policy.
You can implement this with a custom PIP (Policy Information Point, aka Attribute Provider) in XACML implementations like AuthzForce. I don't know WSO2 IS as much but according to the doc, it is also extensible with custom PIPs, so I assume this should do the trick.
The idea is that in the XACML Policy, you use an AttributeDesignator with a custom AttributeId to indicate that the top parent value in the hierarchy of some attribute is requested, e.g. AttributeId = resource-id-parent for the parent value of resource-id attribute value.
What your custom PIP does: when this custom attribute id resource-id-parent is requested, the PIP gets the value of the attribute resource-id from the request, i.e. "area2" or "unit2", then gets the corresponding top value in the hierarchy from your DB (or all the values above if you will) and return it as bag. Then, in the XACML Policy, you can use string-equal in a Match or string-at-least-one-member-of in a Condition to match the AttributeDesignator with "area2" (remember an AttributeDesignator always evaluate to a bag).
Owl-s ontology describe an programing language for web services (like [bpel]).
What is the way to use the process binding in a perform to tell the ordering of the parameters in an Owl-s Process ?
example:
Considere this call :
myProcess(myFirstParameter, mySecondParameter)
In owl-s we get something like this :
Perform(MyProcess,hasDataFrom(Binding(TheParam(myFirParameter), TheParam(MySecondParameter) )))
What are the axiom(s) to add to the ontology to tell the process that the correct call is
is:
myProcess(myFirstParameter, mySecondParameter)
and not:
myProcess(mySecondParameter, myFirstParameter)
?
The section 5.5 Specifying Data Flow and Parameter Bindings of the w3c submission give very little information about this. And I can't find an example of an non atomic process using more than one parameters or not relying on the WSDL binding. Can someone show me an example of parameters binding that work ?
Context of the question :
WSDL is not an option because the services to perfome can be : human,
rest, kqml ... (and also wsdl but not all).
Right now, my ontology is encoded as java class(one class
per-concept), so I am using an ArrayList for the parameter ordering.
But tomorow I have to export it.
If I have an API
https://api.example.org/api/v1/resources
and there is access to a resource with id
https://api.example.org/api/v1/resources/:id
How can I write a XACML policy where the resource is an URL with a resource id (the second URL from above)?
How can I put a placeholder/variable there so that I can write a rule for it?
Are you saying that you need to write separate policies for various possible id? E.g.
P1 that handles access to resource https://api.example.org/api/v1/resources/:1 and
P2 that handles access to resource https://api.example.org/api/v1/resources/:2 etc.
If so, the idea would be to use an attribute id, say the resource-id attribute, to capture the value of the id in the URL at the PEP side and pass it to the PDP and to write policies where the target is specified as string-equals(resource-id,1) for P1 and string-equals(resource-id,2) for P2 etc.
(edit)
Based on the clarification, provided, you can do it as follows:
The reasoning in such a case will be similar. You write a Policy that handles all rules for resources and specify its target as string-equals(resource-type,"resources") and in that policy specify rules for each resource-id. At the rule level the target would be string-equals(resource-id,"1"), string-equals(resource-id,"2") etc.
So I have this .rdf that I have loaded onto Stardog and then I am using Pubby running over Jetty, to browse the triple store.
In my rdf file, I have several blank nodes which is given a blank node identifier by stardog. So this is a snippet of the rdf file.
<kbp:ORG rdf:about="http://somehostname/resource/res1">
<kbp:canonical_mention>
<rdf:Description>
<kbp:mentionStart rdf:datatype="http://www.w3.org/2001/XMLSchema#integer">1234</kbp:mentionStart>
<kbp:mentionEnd rdf:datatype="http://www.w3.org/2001/XMLSchema#integer">1239</kbp:mentionEnd>
</rdf:Description>
</kbp:canonical_mention>
So basically I have some resource "res1" which has links to blank node which has a mention start and mention end offset value.
The snippet of the config.ttl file for Pubby is shown below.
conf:dataset [
# SPARQL endpoint URL of the dataset
conf:sparqlEndpoint <http://localhost:5822/xxx/query>;
#conf:sparqlEndpoint <http://localhost:5822/foaf/query>;
# Default graph name to query (not necessary for most endpoints)
conf:sparqlDefaultGraph <http://dbpedia.org>;
# Common URI prefix of all resource URIs in the SPARQL dataset
conf:datasetBase <http://somehostname/>;
...
...
So the key thing is the datasetBase which maps URIs to URL.
When I try to map this, there is an "Anonymous node" link but upon clicking, nothing is displayed. My guess is, this is because the blank node has some identifier like _:bnode1234 which is not mapped by Pubby.
I wanted to know if anyone out there knows how to map these blank nodes.
(Note: If I load this rdf as a static rdf file directly onto Pubby, it works fine. But when I use stardog as a triple store, this mapping doesn't quite work)
It probably works in Pubby because they are keeping the BNode id's available; generally, the SPARQL spec does not guarantee or require that BNode identifiers are persistent. That is, you can issue the same query multiple times, which brings back the same result set (including bnodes) and the identifiers can be different each time. Similarly, a bnode identifier in a query is treated like a variable, it does not mean you are querying for that specific bnode.
Thus, Pubby is probably being helpful and making that work which is why using it directly works as opposed to a third party database.
Stardog does support the Jena/ARQ trick of putting a bnode identifier in angle brackets, that is, <_:bnode1234> which is taken to mean, the bnode with the identifier "bnode1234". If you can get Pubby to use that syntax in queries for bnodes, it will probably work.
But generally, I think this is something you will have to take up with the Pubby developers.