
I'm going to secure my Spring Cloud Application with OAuth2 and XACML (using AuthZForce).

I've implemented a simple ABAC solution that can handle the following use case, but I want to switch to XACML. Is that possible?

old domain

I have (in the database):

  • policies (e.g. subject.id == resource.ownerId) that are checked by the enforcement point to make a decision
  • permissions (e.g. DELETE_USER) that have some policies defined
  • roles (e.g. EMPLOYEE) that hold some permissions
  • features (e.g. PREMIUM) that hold some default roles and permissions usable by the company
  • companies that have some features
  • users that are assigned to a company

use-case

Now a user from a company can create a new role ROLE_X. He can assign some permissions to this role.

UPDATE

Because this question originally contained two different questions, I decided to move the second question (AuthZForce for Spring Cloud) into a separate one.

benkuly

1 Answer


Where you store policies is largely irrelevant. It will depend on the engine you use, e.g. AuthZForce (I've pinged the author so he can chip in), SunXACML, WSO2, or Axiomatics.

Disclaimer: I work for Axiomatics. We do use a database to store XACML policies but that does not change the authorization requirements or modelling.

I have a couple of comments on your original post.

  • subject.id == resource.ownerId is what we typically call a condition in XACML. You compare two attributes together to implement a relationship.
  • You mention permissions, e.g. DELETE_USER. In XACML you typically split those up into atomic attributes, e.g. an action (DELETE) on the one hand and an object or resource (USER) on the other. While RBAC is role- and permission-based, ABAC is attribute-based. Ideally those attributes denote a single aspect (being a user, trying to delete...).
  • ROLE still exists in ABAC. It will be the basis for your policies.
  • features and companies are attributes you would use.

With that in mind, you can write policies such as the following (using ALFA notation):

namespace axiomatics{

    namespace user{
        attribute role{
            category = subjectCat
            id = "axiomatics.user.role"
            type = string
        }
        attribute company{
            category = subjectCat
            id = "axiomatics.user.company"
            type = string
        }
        attribute userId{
            category = subjectCat
            id = "axiomatics.user.userId"
            type = string
        }
    }

    namespace action{
        attribute actionId{
            category = actionCat
            id = "axiomatics.action.actionId"
            type = string
        }        
    }

    namespace resource{
        attribute company{
            category = resourceCat
            id = "axiomatics.resource.company"
            type = string
        }
        attribute owner{
            category = resourceCat
            id = "axiomatics.resource.owner"
            type = string
        }
    }

    policyset springapp{
        apply firstApplicable
        policy employees{
            target clause user.role == "employee"
            apply firstApplicable
            /**
             * Employees can create roles in their own company
             */
            rule createRole{
                target clause action.actionId == "create"
                condition user.company == resource.company
                permit
            }
            /**
             * Employees can delete roles they own
             */
            rule allowDelete{
                target clause action.actionId == "delete"
                condition user.userId == resource.owner
                permit
            }
        }
    }
}
David Brossard
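To make the first-applicable evaluation of the ALFA policy above concrete, the following is a small policy decision point written for this page; it is an added example, not code from the answer, from AuthZForce or from Axiomatics. It re-implements just enough XACML semantics (targets, conditions, the first-applicable combining algorithm, NotApplicable and Indeterminate) to evaluate the springapp policy set against a request context. The category strings, the dict-based request layout and the sample users and companies ("acme", "alice", and so on) are assumptions made for the illustration.

```python
# Added example: a tiny first-applicable PDP for the ALFA policy above. Not
# AuthZForce or Axiomatics code; category names, the request layout and the
# sample values are constructed for this illustration.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Union

# Request context: category -> attribute id -> value (single-valued for brevity).
Request = Dict[str, Dict[str, str]]
# A predicate yields True/False, or None when an attribute it needs is absent
# from the request, which XACML reports as Indeterminate rather than as false.
Predicate = Callable[[Request], Optional[bool]]
Selector = Callable[[Request], Optional[str]]

SUBJECT_CAT, ACTION_CAT, RESOURCE_CAT = "subject", "action", "resource"


def attribute(category: str, attribute_id: str) -> Selector:
    """Counterpart of an ALFA `attribute` declaration."""
    return lambda req: req.get(category, {}).get(attribute_id)


def equals(lhs: Union[Selector, str], rhs: Union[Selector, str]) -> Predicate:
    """string-equal between two attributes, or an attribute and a literal.
    user.company == resource.company is the relationship case: two attributes
    compared at decision time instead of a permission stored per resource."""
    def predicate(req: Request) -> Optional[bool]:
        a = lhs(req) if callable(lhs) else lhs
        b = rhs(req) if callable(rhs) else rhs
        return None if a is None or b is None else a == b
    return predicate


@dataclass
class Rule:
    name: str
    target: Predicate
    condition: Predicate
    effect: str  # "Permit" or "Deny"

    def evaluate(self, req: Request) -> str:
        matched = self.target(req)
        if not matched:
            return "Indeterminate" if matched is None else "NotApplicable"
        holds = self.condition(req)
        if holds is None:
            return "Indeterminate"
        return self.effect if holds else "NotApplicable"


@dataclass
class Policy:
    """Policy or policy set combined with first-applicable."""
    name: str
    target: Predicate
    children: List[Union["Policy", Rule]]

    def evaluate(self, req: Request) -> str:
        matched = self.target(req)
        if not matched:
            return "Indeterminate" if matched is None else "NotApplicable"
        for child in self.children:
            decision = child.evaluate(req)
            if decision != "NotApplicable":
                return decision  # first child with a real decision wins
        return "NotApplicable"


# One attribute per aspect, as in the ALFA namespaces: no DELETE_USER blob.
ATTRIBUTES = {
    "role": (SUBJECT_CAT, "axiomatics.user.role"),
    "company": (SUBJECT_CAT, "axiomatics.user.company"),
    "userId": (SUBJECT_CAT, "axiomatics.user.userId"),
    "actionId": (ACTION_CAT, "axiomatics.action.actionId"),
    "resourceCompany": (RESOURCE_CAT, "axiomatics.resource.company"),
    "owner": (RESOURCE_CAT, "axiomatics.resource.owner"),
}
A = {name: attribute(cat, aid) for name, (cat, aid) in ATTRIBUTES.items()}

# policyset springapp > policy employees > rules createRole and allowDelete
SPRINGAPP = Policy("springapp", lambda _: True, [
    Policy("employees", equals(A["role"], "employee"), [
        Rule("createRole", equals(A["actionId"], "create"),
             equals(A["company"], A["resourceCompany"]), "Permit"),
        Rule("allowDelete", equals(A["actionId"], "delete"),
             equals(A["userId"], A["owner"]), "Permit"),
    ]),
])


def make_request(**attrs: str) -> Request:
    """Build a request context from keyword args named as in ATTRIBUTES."""
    req: Request = {}
    for name, value in attrs.items():
        category, attribute_id = ATTRIBUTES[name]
        req.setdefault(category, {})[attribute_id] = value
    return req


def decide(req: Request) -> str:
    return SPRINGAPP.evaluate(req)


def pep_allows(req: Request) -> bool:
    """Enforcement point: NotApplicable and Indeterminate are both refused."""
    return decide(req) == "Permit"
```

Two behaviours worth noting when wiring a real PDP into a Spring application: a request that matches no rule comes back NotApplicable, not Deny, so the enforcement point has to treat anything other than Permit as a refusal; and a request missing an attribute the policy needs (no role claim in the token, no owner on the resource) comes back Indeterminate, which should likewise be refused and logged rather than quietly evaluated as false.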
  • Thank you for the detailed answer. I see that my own solution is similar to XACML and that's perfect, because the migration wouldn't be that hard. But it is important for me to store policies in a database (to change them at runtime). Do you know which free or open source solutions support this? – benkuly Jun 15 '17 at 17:35
  • I would assume all open source engines can read XACML policies from a database. Try AT&T XACML, WSO2, or AuthZForce, the one you mentioned. It is one of the newest and most complete ones in the OSS community. – David Brossard Jun 15 '17 at 19:59
  • Do you know how, or should I start a new question? The problem is that they all have no or sparse documentation, so I don't know which one is the most suitable for database policies. – benkuly Jun 16 '17 at 07:54
  • Hello, as one of the AuthzForce developers, I can help but I need to clarify your requirements first. As far as I understand, you need a XACML PDP that can load XACML policies from a database for evaluation. Any policy storage format in particular? Any datatype type or product in particular? To better address your use case, I invite you to contact us on our mailing list mentioned in the Support section of the [AuthzForce homepage](https://authzforce.ow2.org). Thank you. – cdan Jun 16 '17 at 23:23
  • I also recommend you have a look at the [XACML RBAC profile](http://docs.oasis-open.org/xacml/3.0/rbac/v1.0/xacml-3.0-rbac-v1.0.html) to get examples of role-based policies and understand how to achieve that with XACML. AuthzForce supports this profile. – cdan Jun 16 '17 at 23:30
  • Thank you! Because your answer could be relevant to other people, we should discuss it here :) I updated my question. – benkuly Jun 17 '17 at 10:02
  • Some typo in my first comment. I meant "database type" instead of "datatype type". – cdan Jun 21 '17 at 13:16
  • I decided to move the database question related to AuthZForce into a separate question: https://stackoverflow.com/q/44697729/7226417 – benkuly Jun 22 '17 at 11:19