Add to collection(s) Add to saved
  1. No category

Multi-Request_Response_Correlation_in_AzAPI

advertisement 
Multi-Request Response
Correlation in AzAPI
What is the problem?
• XACML 3.0 multi-decision profile (and to a lesser
extent XACML 2.0 multi-resource) permits
multiple decisions in a single request
• AzAPI also will support multi-decision requests
(currently only resource-action pairs)
• Different mechanisms are used to correlate
requests and responses
• AzAPI glue layer needs to match them up
When does this matter
• Case 1: Support for remote PDP
– Glue layer needs to parse XML response, construct
AzAPI Response Context
• Case 2: When mating AzAPI with local XACML
3.0 PDP that uses internal structure like the XML
Response Context
• Not needed for PDP that can act directly on AzAPI
Request and Response Context Objects
Assumptions
• Discussion ignores hierarchical multidecision requests (XML or not) [2.1, 2.2]
• Also ignores use of multiple attributes of
same category [2.3]
• PDP always returns multiple individual
decisions, any aggregation is done in
AZAPI glue layer
XACML 3.0 Multi-decision
Request Context with References
<Request …
<Attributes Id=”S1” Category="… access-subject">
<Attribute AttributeId="… subject-id"
<AttributeValue DataType="… #string">Jack</AttributeValue>
</Attribute>
</Attributes>
<Attributes Id=”R1” Category="… resource">
<Attribute AttributeId="… resource-id" >
<AttributeValue DataType="… #string"> … Res1</AttributeValue>
</Attribute>
</Attributes>
<Attributes Id=”R2” Category="… resource">
<Attribute AttributeId="… resource-id" >
<AttributeValue DataType="… #string"> … Res2</AttributeValue>
</Attribute>
</Attributes>
continued
XACML 3.0 Multi-decision
Request Context with References
<Attributes Id=”A1” Category="… action">
<Attribute AttributeId="… action-id" >
<AttributeValue DataType="… #string">read</AttributeValue>
</Attribute>
</Attributes>
<MultiRequests>
<RequestReference>
<AttributesReference #S1 </AttributesReference>
<AttributesReference #R1 </AttributesReference>
<AttributesReference #A1 </AttributesReference>
</RequestReference>
<RequestReference>
<AttributesReference #S1 </AttributesReference>
<AttributesReference #R2 </AttributesReference>
<AttributesReference #A1 </AttributesReference>
</RequestReference>
</MultiRequests>
</Request>
XACML 3.0 Correlation
• Any <Attribute> can include the
IncludeInResult=“True” XML Attribute
• Attributes can be included which are not
used for decision, but simply for
correlation
AzAPI Multi-Request Support
• Currently Request Context can contain
Resource-Action Associations
• Generalize these to Associations of any
Category
• Response is linked to Association
Glue Layer Request
Implementation
• Generate <Attributes> for every category
instance with unique Id
• For each Association
– Generate synthetic <Attribute> called
something like “AZAPI-decision-id” assign
values 1,2,3 etc.
– Generate <RequestReference> to Attributes in
Association and common Attributes
Glue Layer Response Processing
• For each <Decision> in <Response> check
value of decision-id
• Link Response to indicated Association
• Discard decision-id Attribute
• Perform any requested combining of
decisions
Related documents
PotentialPresentation
PotentialPresentation
Using XACML Policies to Express OAuth Scope
Using XACML Policies to Express OAuth Scope
XACML and the Cloud
XACML and the Cloud
Ravindra Karanjekar - Successful Models in Healthcare
Ravindra Karanjekar - Successful Models in Healthcare
Pedigreed Attribute eLicitation Method (PALM)
Pedigreed Attribute eLicitation Method (PALM)
4_Software_Metrics
4_Software_Metrics
Understanding Work Teams Chapter TEN
Understanding Work Teams Chapter TEN
Questions October 4
Questions October 4
Open Source GIS: Web Maps, Desktop GIS and GeoDatabases
Open Source GIS: Web Maps, Desktop GIS and GeoDatabases
Attributed Graphs
Attributed Graphs
Brief 5-E Presentation
Brief 5-E Presentation
ISA 662 Information System Security
ISA 662 Information System Security
Download
advertisement