xacml 3.0 new features and standardization status
DESCRIPTION
XACML 3.0 New Features and Standardization Status. Prepared for ITU-T by Hal Lockhart Oracle September 17, 2009. XACML Current Status. XACML 2.0 OASIS Standard – Feb 2005 ITU-T Recommendation X.1142 – Jun 2006 XACML 3.0 In progress Core & base profiles recently completed Public Review - PowerPoint PPT PresentationTRANSCRIPT
XACML 3.0 New Features and Standardization Status
Prepared for ITU-T by
Hal LockhartOracleSeptember 17, 2009
XACML Current Status XACML 2.0 OASIS Standard – Feb 2005 ITU-T Recommendation X.1142 – Jun 2006 XACML 3.0 In progress
Core & base profiles recently completed Public Review Administration/delegation {New} Hierarchical resource {Enhanced} Multiple resource {Enhanced} SAML {Enhanced} Digital Signature, Privacy, RBAC
XSPA Profile submitted for OASIS Standard Additional profiles under development
Obligation families, Export Compliance, Policy Distribution, Metadata, WS-XACML, Intellectual Property Control
Request Context Schema Generalization
Triggered by need to add “delegate” for reduction Eliminate <Subject>, <Environment>, <Resource> &
<Action> Elements Everything carried in <Attributes> Element URNs used to identify categories
XACML 2.0 Subject categories New URNs for Environment, Resource, Action & Delegate
Categories Generally upwardly compatible
Attribute selectors may require manual conversion Policy & Context Schemas combined
XACML 2.0 Request Context
<Request …> <Subject> <Attribute AttributeId=“ … subject-category” …> <AttributeValue> … access-subject</AttributeValue> </Attribute> <Attribute> AttributeId=“ … subject-id” …> <AttributeValue>John Smith</AttributeValue> </Attribute> <Attribute> AttributeId=“ … group” …> <AttributeValue>Engineer</AttributeValue> </Attribute> </Subject> <Resource> <Attribute> AttributeId=“ … resource-id” …> <AttributeValue>http://www.example.com/</AttributeValue> </Attribute> </Resource>…</Request>
XACML 3.0 Request Context
<Request …> <Attributes Category=“ … access-subject”> <Attribute> AttributeId=“ … subject-id” …> <AttributeValue>John Smith</AttributeValue> </Attribute> <Attribute> AttributeId=“ … group” …> <AttributeValue>Engineer</AttributeValue> </Attribute> </Attributes> < Attributes Category=“ … resource”> <Attribute> AttributeId=“ … resource-id” …> <AttributeValue>http://www.example.com/</AttributeValue> </Attribute> </Attributes>…</Request>
XACML 3.0 Administration/Delegation
Two primary use cases “HR-Admins can create policies concerning
the Payroll servers” “Jack can approve expenses while Mary is on
vacation” Backward compatible Defined as an optional Profile Policies can contain Issuer Policies can be Access or Admin Admin policies enable policy creation
Policy Evaluation
1. Select potentially applicable policies by Target matching
2. For each Policy evaluate Rules and combine
Target Match Evaluate condition Return Effect and associated Obligations
3. For each Policy Set combine policy results
4. Return Effect and Obligations
Policy Evaluation with Admin Policies
1. Select potentially applicable policies by Target matching
2. For each Policy evaluate Rules and combine Target Match Evaluate condition Return Effect and associated Obligations
3. For every un-trusted policy Find an applicable Admin policy which authorizes the Issuer Repeat until a chain to a trusted policy is found Discard unauthorized policies
4. For each Policy Set combine policy results
5. Return Effect and Obligations
Fine Points of Reduction
Access and Administrative policies are matched against the situation, not each other
Current vs. Historic attribute mode Indeterminate results must be propagated
for combining Maximum delegation depth Obligations in Administrative policies
apply to access decision
Obligation Families
Allows Obligations to be grouped in families with the same properties
Specific Obligations semantics still undefined Timing – before, after, with access or any Exclusive - Fallback = true or false Sequential
Ordered = true or false Repetitive = true or false Failure Mode = fail fast, continue or atomic
Work in process
New Combining Algorithms
More rational handling of Indeterminate Same algorithms for rule and policy combining Indeterminate are classified by possible effect Example: for deny overrides, if Indeterminate
rule or policy could only result in Permit & there is at least one Permit, result is Permit
New algorithms are mandatory to implement Old algs are present, but not recommended
Other new features
Multiple decisions in a single request, varying any attribute category (just Resource in 2.0)
Advice – like Obligations, but can be ignored if not understood by PEP
New XPath 2.0 functions New time duration functions Policy distribution protocol Decision request protocol based on WS-Trust Metadata profile Authorization API, Attribute Manifest File
Authorization API
XACML 2.0 Specifies Policy language evaluation semantics XML format for policy interchange Abstract format for inputs and outputs,
expressed in XML Protocol for remote requests using XML input
& output format XACML 2.0 does not specify
API for requesting policy decision
Authorization API Benefits
Needed for call to local PDP Local PDP required for low latency
calls Inefficient to serialize data to and from
XML XML form not required by the standard
Also useful to have standard API for remote requests Common code to build message
API General Characteristics Java initially, C++ and perhaps others to
follow Modeled on XACML Request/Response
Contexts Use XACML datatypes – in format natural to
language Mostly to be used by infrastructure
components Occasionally application may need to provide data Infrastructure could be Container, Aspects, tool-
generated code, etc.
Why not Java Authorization/JSR 115?
Java Authorization (with or w/o JSR 115) based on Permissions
Passive enforcement by container is a good idea
Limitations to use of XACML features No convenient, standard way to provide XACML
inputs No method to return outputs, e.g. Obligations,
missing Attributes New Resource type requires definition of new
permissions class (recompile)
API Overview Methods to build (and access) Request
Context Methods to process Response Context “decide” method to invoke PDP
Single or bulk decisions “whatIsAllowed” method to obtain allowed
alternatives Operates in the context of some scope Creates invokes a series of decisions Returns allowed alternatives within scope
Other convenience methods
The Input Attributes Problem
XACML Policies operate on data provided
Only PDP sees/evaluates policies What attributes should be provided? Where can attributes be obtained
from? How can the proper instance value
be obtained?
Attribute Manifest File
File in XML format identifies attributes to be added to Request Context
Name of Attribute, Issuer, datatype, location, access method, other attribute to use as key
Not all fields may be present Three usecases:
PDP advertizes required attributes PIPs are configured to add attributes to Request
Context Policy authoring tools use attribute name &
format
Multiple PIP’s – Enhancing Request Context
LDAP
Application
PEP
PDP
AMF
AMF
AMF
P
I
P
P
I
P
P
I
P
ReqCtx
ReqCtx
ReqCtx
OVD
DB
SAML
Multiple PIP’s – Reacting to Missing Attributes
LDAP
Application
PEP
PDP
AMF
AMF
AMF
P
I
P
P
I
P
P
I
P
RespCtxMiss Attr
OVD
DB
SAML
RespCtxMiss Attr
RespCtxMiss Attr
API and AMF Standardization Approach Contributed to OASIS XACML TC in July 2009
Intent is to standardize Interoperable components Open Source Project started to develop
implementations API
Mate with open source XACML impl Implement remote client Mate with JAAC
AMF Deployment time access methods
More info: http://www.openliberty.org/wiki/index.php/Main_Page#OpenAz
Projected Status - Spring 2010
Only XSPA Profile likely to reach OASIS Standard
Core & 1st set of Profiles will reach Committee Specification Need Implementations
TC may adopt XACML 2.0 Approved Errata