Security of Distributed Systems Part II Elisa Bertino CERIAS and CS ECE Departments Purdue University Elisa Bertino Pag 1 Purdue University XACML Topics Goals Approach Examples Summary Elisa Bertino Pag 2 Purdue University Goals Define a core XML schema for representing authorization and entitlement policies Target any object referenced using XML Fine access control grained control Access control based on subject and object attributes Access control based on the object contents if the object is not an XML document the object attributes can be used Consistent with and building upon SAML Elisa Bertino Pag 3 Purdue University XACML Key Aspects General purpose authorization policy model and XML based specification language XACML is independent of SAML specification Triple based policy syntax Object Subject Action Negative authorization is supported Input output to the XACML policy processor is clearly defined as XACML context data structure Input data is referred by XACML specific attribute designator as well as XPath expression Extension points function identifier data type rulecombining algorithm policy combining algorithm etc A policy consists of multiple rules A set of policies is combined by a higher level policy PolicySet element Elisa Bertino Pag 4 Purdue University XACML Protocol Policy Enforcement Point PEP XACML Request Response Policy Decision Point PDP Policy Information Point PIP Policy Access Point PAP Elisa Bertino Pag 5 Purdue University XACML Protocol When a client makes a resource request upon a server the PEP is charged with AC In order to enforce AC policies the PEP will formalize the attributes describing the requester at the PIP and delegate the authorization decision to the PDP Applicable policies are located in a policy store managed by the PAP and evaluated at the PDP which then returns the authorization decision Using this information the PEP can deliver the appropriate response to the client Elisa Bertino Pag 6 Purdue University XACML Protocol 1 The Policy Administration Point PAP creates security policies and stores these policies in the appropriate repository 2 The Policy Enforcement Point PEP performs access control by making decision requests and enforcing authorization decisions 3 The Policy Information Point PIP serves as the source of attribute values or the data required for policy evaluation 4 The Policy Decision Point PDP evaluates the applicable policy and renders an authorization decision Note The PEP and PDP might both be contained within the same application or might be distributed across different servers Elisa Bertino Pag 7 Purdue University XACML Protocol XACML Request Subject Object Action XACML Response Permit Permit with Obligations Deny NotApplicable the PDP cannot locate a policy whose target matches the required resource Indeterminate an error occurred or some required value was missing Elisa Bertino Pag 8 Purdue University Data Flow Model access requester 2 access request PEP 11 obligations obligations service 7 resource resource 3 request 10 response PDP 8 request context 9 response context context handler 4 attribute 6 attribute query 1 policy PIP 5c resource attributes 5b envrionment attributes 5a subject attributes PAP Elisa Bertino subjects Pag 9 environment Purdue University Data Flow Model 1 2 3 4 5 6 7 8 9 PAPs write policies and policy sets and make them available to the PDP These policies or policy sets represent the complete policy for a specified target The access requester sends a request for access to the PEP The PEP sends the request for access to the context handler in its native request format optionally including attributes of the subjects resource action and environment The context handler constructs an XACML request context and send it to the PDP The PDP requests any additional subject resource action and environment attributes from the context handler The context handler requests the attributes from a PIP The PIP obtains the requested attributes The PIP returns the requested attributes to the context handler Optionally the context handler includes the resource in the context Elisa Bertino Pag 10 Purdue University Data Flow Model 10 The context handler sends the requested attributes and optionally the resource to the PDP The PDP evaluates the policy 11 The PDP returns the response context including the authorization decision to the context handler 12 The context handler translates the response context to the native response format of the PEP The context handler returns the response to the PEP 13 The PEP fulfills the obligations 14 Not shown If access is permitted then the PEP permits access to the resource otherwise it denies access Elisa Bertino Pag 11 Purdue University XACML Schemas Request Schema Policy Schema PolicySet Combining Alg Request Subject Resource Action Policy Combining Alg Rule Effect Target Response Schema Response Decision Obligation Subject Resource Action Environment Effect Condition Elisa Bertino Obbligation Pag 12 Purdue University XACML Schemas Request Schema Request Subject Resource Action Policy Schema PolicySet Combining Alg Policy Combining Alg Rule Effect Response Schema Response Decision Obligation Subject Resource Action Condition Obligation Elisa Bertino Pag 13 Purdue University Policies and PolicySet The key top level element is the PolicySet which aggregates other PolicySet elements or Policy elements The Policy element is composed principally of Target RuleSet and Obligation elements and is evaluated at the PDP to yield and access decision Since multiple policies may be found applicable to an access decision and since a single policy can contain multiple Rules Combining Algorithms are used to reconcile multiple outcomes into a single decision The Target element is used to associate a requested resource with an applicable Policy It contains conditions that the requesting Subject Resource or Action must meet for a Policy Set Policy or Rule to be applicable to the resource The Target includes a build in scheme for efficient indexing lookup of Policies Rules provide the conditions which test the relevant attributes within a Policy Any number of Rule elements may be used each of which generates a true or false outcome Combining these outcomes yields a single decision for the Policy which may be Permit Deny Indeterminate or a NotApplicable decision Elisa Bertino Pag 14 Purdue University Policies and Policy Sets Policy Smallest element PDP can evaluate Contains Description Defaults
View Full Document
Unlocking...