fiwarefiware-orionxacmlabacauthzforce

Monitoring Orion Context Broker to create new XACML rules


I would like to know if is possible achieve this work environment:

I'm building a secure Orion Context Broker through PEP, PDP, PAP, etc. I would like that, in case of Orion stores an abnormal value for an attribute, an alert was sent (an email, e.g) and, a new XACML rule was created so a role-user can see those values (before this happens he doesn't have to have permission to see it).

Is it possible? If it is, how can I achieve it? Is there any option to do it through jenkins?


Solution

  • in case of Orion stores an abnormal value for an attribute, an alert was sent ( e.g an email)

    The FIWARE component to use to send an eMail in this case would be Complex Event Processing - e.g. Perseo

    You can set up an EPL rule to send an eMail

    Set up an XACML rule to only allow access if an attribute is "abnormal"

    This looks like a standard <Condition> clause, for example, the following:

    <Condition>
       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
             <EnvironmentAttributeSelector DataType="http://www.w3.org/2001/XMLSchema#time"
               AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"/>
          </Apply>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">17:00:00</AttributeValue>
       </Apply>
    </Condition>
    

    will only allow an action after a certain time of day.

    I guess you may be looking at using "urn:oasis:names:tc:xacml:1.0:function:double-greater-than" or urn:oasis:names:tc:xacml:1.0:function:integer-greater-than" in the <Condition> something like:

    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-equal">
       <SubjectAttributeDesignator SubjectCategory="urn:oasis:names:tc:xacml:1.0:subjectcategory:accesssubject" AttributeId="SubjectClassificationRank" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false"></SubjectAttributeDesignator>
       <ResourceAttributeDesignator AttributeId="ResourceClassificationRank" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false"></ResourceAttributeDesignator>
    </Apply>
    

    Now here is the tricky bit, you will need to amend the code of your PEP proxy to ensure you can pass the the value of the "abnormal" attribute so that Authzforce can adjudicate.

    The logic will need to be something like this:

    1. Whenever the PEP Proxy is invoked, within the PEP Proxy make a direct call to Orion to retrieve the current attribute value.
    2. Within your PEP Proxy amend the XML creation function to add the relevant attribute.
    3. Call Authzforce to check if the request is permitted

    The point here is that the standard code of the PEP Proxy won't have the necessary information to allow Authzforce to adjudicate, so you're going to have to add in more information.

    A simpler scenario of the same type occurs within the following Tutorial - here the User's eMail address is added to the request to Authzforce, you'll just have to apply the same principle.