I am using Authzforce 8.1.0 and I have already created a couple of RBAC policy scenarios based on the examples given in the Users' and Programmers' Guide, but I would like to create a simple ABAC scenario.
As a newbie to the XACML language, I am trying to follow some examples from here. More specifically, I am trying to implement a policy similar to 4.1.1 Example policy.
Policy I want to create
Assume that a corporation named Medi Corp (identified by its domain name: med.example.com) has an access control policy that states, in English:
Any user with an e-mail name in the "med.example.com" namespace is allowed to perform any action on any resource.
<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:schema:os"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:schema:os
                            http://docs.oasis-open.org/xacml/FIXME.xsd"
        PolicyId="urn:oasis:names:tc:xacml:3.0:example:SimplePolicy1"
        Version="1.0"
        RuleCombiningAlgId="identifier:rule-combining-algorithm:deny-overrides">
  <Description>
    Medi Corp access control policy
  </Description>
  <Target/>
  <Rule
      RuleId="urn:oasis:names:tc:xacml:3.0:example:SimpleRule1"
      Effect="Permit">
    <Description>
      Any subject with an e-mail name in the med.example.com domain
      can perform any action on any resource.
    </Description>
    <Target>
      <AnyOf>
        <AllOf>
          <Match
              MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">med.example.com</AttributeValue>
            <AttributeDesignator
                Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
  </Rule>
</Policy>
When I am trying to POST this policy on {ip}:{port}/authzforce-ce/domains/{domainId}/pap/policies I am getting the following error:
Error
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<error xmlns:ns2="http://authzforce.github.io/core/xmlns/pdp/6.0">
<message>Invalid parameters: cvc-elt.1: Cannot find the declaration of element 'Policy'.</message>
</error>
All the examples I have seen in authzforce so far start with a <PolicySet> declaration (in which we can declare multiple <Policy> blocks), so I thought that this may be a problem and tried to include the policy in a PolicySet as shown below:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet
    xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicySetId="first_policyset_id"
    Version="1.0"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-unless-deny">
  <Description>Policy for Github</Description>
  <Target />
  <Policy
      PolicyId="urn:oasis:names:tc:xacml:3.0:example:SimplePolicy1"
      Version="1.0"
      RuleCombiningAlgId="identifier:rule-combining-algorithm:deny-overrides">
    <Description>
      Medi Corp access control policy
    </Description>
    <Target/>
    <Rule
        RuleId="urn:oasis:names:tc:xacml:3.0:example:SimpleRule1"
        Effect="Permit">
      <Description>
        Any subject with an e-mail name in the med.example.com domain
        can perform any action on any resource.
      </Description>
      <Target>
        <AnyOf>
          <AllOf>
            <Match
                MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">med.example.com</AttributeValue>
              <AttributeDesignator
                  Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                  AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                  MustBePresent="false"
                  DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"/>
            </Match>
          </AllOf>
        </AnyOf>
      </Target>
    </Rule>
  </Policy>
</PolicySet>
but now I am getting the following:
Response
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<error xmlns:ns2="http://authzforce.github.io/core/xmlns/pdp/6.0">
<message>Failed to find a root PolicySet with id = 'first_policyset_id', Version=1.0,EarliestVersion=*,LatestVersion=*: Matched PolicySet 'first_policyset_id' (version 1.0) is invalid or its content is unavailable</message>
</error>
Which is the right format of a XACML request to make such a simple ABAC policy scenario? An example of a policy access request on this would be also greatly appreciated, thanks in advance!
This example from section 4.1.1 has known issues, unfortunately; some of them I've reported on the xacml-comment mailing list. It should be fixed in the next version of the XACML spec. In the meantime, you need to fix these:
1. Remove xsi:schemaLocation altogether, because the location http://docs.oasis-open.org/xacml/FIXME.xsd is wrong and AuthzForce uses its own location for the XACML schema already.
2. identifier:rule-combining-algorithm:deny-overrides is wrong. Replace with urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides.
I also confirm that AuthzForce Server's REST API accepts only PolicySets as input on the /pap/policies endpoint, so you have to wrap your Policy in a PolicySet, as you did. But you should change the PolicyCombiningAlgId to urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:only-one-applicable if you want the result of the PolicySet to be equivalent to the Policy.
--EDIT 2020-04-06--
So the fixed PolicySet is this:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PolicySet
    xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicySetId="PolicySet_1"
    Version="1.0"
    PolicyCombiningAlgId="urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:only-one-applicable">
  <Description>Sample PolicySet</Description>
  <Target />
  <Policy
      PolicyId="urn:oasis:names:tc:xacml:3.0:example:SimplePolicy1"
      Version="1.0"
      RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
    <Description>Medi Corp access control policy</Description>
    <Target/>
    <Rule
        RuleId="urn:oasis:names:tc:xacml:3.0:example:SimpleRule1"
        Effect="Permit">
      <Description>Any subject with an e-mail name in the med.example.com domain can perform any action on any resource.</Description>
      <Target>
        <AnyOf>
          <AllOf>
            <Match
                MatchId="urn:oasis:names:tc:xacml:1.0:function:rfc822Name-match">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">med.example.com</AttributeValue>
              <AttributeDesignator
                  Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                  AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                  DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"
                  MustBePresent="true"/>
            </Match>
          </AllOf>
        </AnyOf>
      </Target>
    </Rule>
  </Policy>
</PolicySet>
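An added example (not part of the original answer, and not AuthzForce code): it builds a XACML 3.0 request for the fixed PolicySet above and evaluates it with a small local model of the policy's single rule, including rfc822Name-match as the XACML 3.0 core specification defines it. The function names and sample addresses are made up for illustration, and the model covers only this one-rule policy.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RFC822 = "urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name"

def build_request(email, data_type=RFC822):
    """XACML 3.0 <Request> carrying the subject-id attribute the rule's designator reads."""
    return (f'<Request xmlns="{XACML}" CombinedDecision="false" ReturnPolicyIdList="false">'
            f'<Attributes Category="{SUBJECT_CAT}">'
            f'<Attribute AttributeId="{SUBJECT_ID}" IncludeInResult="false">'
            f'<AttributeValue DataType="{data_type}">{escape(email)}</AttributeValue>'
            f'</Attribute></Attributes></Request>')

def rfc822name_match(pattern, address):
    """Local model of rfc822Name-match: the domain part is compared case-insensitively."""
    local, _, domain = address.rpartition("@")
    domain, pattern_l = domain.lower(), pattern.lower()
    if "@" in pattern:                 # full address: local part is case-sensitive
        p_local, _, p_domain = pattern.rpartition("@")
        return local == p_local and domain == p_domain.lower()
    if pattern.startswith("."):        # ".d": hosts under d (the spec's example also lists d itself)
        return domain == pattern_l[1:] or domain.endswith(pattern_l)
    return domain == pattern_l         # "d": exactly d, sub-domains do not match

def evaluate(request_xml, pattern="med.example.com", must_be_present=True):
    """Decision of the one-rule policy: a Permit rule whose Target is the Match above."""
    ns = {"x": XACML}
    root = ET.fromstring(request_xml)
    # The designator only collects values whose DataType is rfc822Name.
    values = [v.text or "" for v in root.findall(
        f"x:Attributes[@Category='{SUBJECT_CAT}']/x:Attribute[@AttributeId='{SUBJECT_ID}']"
        f"/x:AttributeValue[@DataType='{RFC822}']", ns)]
    if not values:                     # empty bag: attribute missing or sent with another DataType
        return "Indeterminate" if must_be_present else "NotApplicable"
    if any(rfc822name_match(pattern, v) for v in values):
        return "Permit"
    return "NotApplicable"             # the policy has no Deny rule, so nothing applies

if __name__ == "__main__":
    for addr in ("bs@med.example.com", "bs@lab.med.example.com"):  # constructed samples
        print(addr, "->", evaluate(build_request(addr)))
```

A request that sends subject-id with DataType string leaves the rfc822Name designator with an empty bag: the answer's MustBePresent="true" surfaces that as Indeterminate, while the question's MustBePresent="false" gives NotApplicable. A PEP in front of this policy should grant access only on an explicit Permit.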