
I'm new to XACML architecture and would appreciate it if you can help me with the following question.

Is it possible to use multiple PIP in a way that answer extracted from one PIP is used as input parameter for other PIP?

If so can you provide me with simple XML request example?

Thanks in advance

David Brossard
Mark

1 Answer


Yes, it is possible to use multiple PIPs in a way that an attribute resolved by a PIP can be used as an input to another PIP.

Based on XACML architecture, it's up to the PDP to decide how to resolve attributes using PIPs.

How it works on a high level:

  1. Input request (from PEP) to PDP contains an attribute, say Subject-ID=Alice
  2. The PDP evaluates the XACML policy based on the attributes from the input request. E.g., the policy says permit if Action-ID=Read
  3. Since there is no Subject-ID defined in the policy, PDP tries to ask a PIP or PIPs to resolve Action-ID and provides PIPs the value it has, which is Subject-ID (from the input request). E.g., let's say we have 2 PIPs - PIP A can resolve resource-ID from Subject-ID and PIP B can resolve Action-ID from resource-ID
  4. Here, what happens is PDP first resolves resource-ID based on the Subject-ID from input request using PIP A and then uses resource-ID to resolve Action-ID using PIP B, which is then utilized by PDP to evaluate the policy. If PIP B returns Alice, you get a permit decision; else it would be NotApplicable

Note that this depends on how PDP is implemented to resolve attributes using chained PIPs as in your use case.

PDP from a company called Axiomatics is capable of performing a chained PIP lookup.

Disclosure: I work for Axiomatics, where we provide XACML-based access control solutions.

neonidian
  • Thanks I got the idea. – Mark Feb 12 '19 at 17:37
  • I confirm this is definitely implementation-specific, the logic is a bit different in [AuthzForce PDP](https://github.com/authzforce/core), which also supports PIP chaining. Also PDP should be designed to prevent loops in PIP chaining, typically resulting from bad configuration. E.g. PIP1 resolves attribute A based on attribute B, PIP2 resolves B based on C, PIP3 resolves C based on A --> endless loop (assuming neither of A, B or C is in the initial request). This is an edge case, but should be addressed to be safe. – cdan Feb 13 '19 at 23:07
  • @CyrilDangerville In your example, how can PIP1 resolve attribute A from B since you have mentioned - 'assuming neither of A,B or C is in the initial request'. If a PDP is implemented according to the [XACML 3.0 specs](http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html#_Toc325047178), the PDP will assume an empty bag for attribute A from PIP1 as in your example since PIP1 does not have attribute B to resolve attribute A. The same applies for PIP2 and PIP3. Let me know if I misunderstood your example. – neonidian Feb 14 '19 at 10:10
  • Yes, I should clarify that you can have PIP chaining as follows: if a PIP requires/depends on attribute B to get attribute A (like PIP1 previously), it calls back the PDP's *context handler* (using the term from the spec you linked to) requesting B. If B is not in the request *context*, then the *context handler* may request another PIP that can provide B, like PIP2. Again, if PIP2 requires C to get B, it calls back the *context handler*. – cdan Feb 16 '19 at 23:36
  • ... (continued) If C is in the request *context* (e.g. it was in the initial XACML Request, or provided by some PIP previously), then the *context handler* provides it back to PIP2, then PIP2 can get B back to *context handler*, then back to PIP1 which finally gets A and we are done. But if C is not in the request *context* as well, this goes on with another PIP (like PIP3 previously). In short, with such PIP chaining, the PDP can resolve any attribute A for which there is a PIP dependency path (or tree) from A to attributes present in the request. – cdan Feb 16 '19 at 23:36
  • 1
    ... (continued) But PDP or *context handler* should make sure that it does not end up in loop, e.g. if PIP3 requires A to get C, we are back to the beginning. – cdan Feb 16 '19 at 23:40
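The chained lookup described in the answer (PIP A resolves resource-ID from Subject-ID, PIP B resolves Action-ID from resource-ID) and the loop-prevention point raised in the comments (PIP1 needs B for A, PIP2 needs C for B, PIP3 needs A for C) can both be modelled in a small simulated context handler. The code below is an added example written for this page; it is not code from the answer, from Axiomatics, or from AuthzForce. The attribute ids, PIP names, lookup tables and the `PIP`/`ContextHandler` classes are all constructed for illustration. An attribute with no value in the request and no PIP yields an empty bag, as neonidian's comment describes for XACML 3.0 (MustBePresent is not modelled); a PIP dependency cycle is refused with an exception instead of recursing forever.

```python
"""Toy XACML context handler that resolves attributes through chained PIPs.

Constructed example for this Q&A; not code from any real PDP.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class PIP:
    """A Policy Information Point that provides one attribute given another."""
    name: str
    provides: str                        # attribute id this PIP resolves
    requires: str                        # attribute id it needs as input
    lookup: Callable[[str], List[str]]   # maps one input value to a bag of values


class AttributeLoopError(Exception):
    """Raised when PIP dependencies form a cycle (a PIP misconfiguration)."""


class ContextHandler:
    """Resolves attributes from the request context first, then from PIPs.

    A PIP that depends on another attribute calls back into the context
    handler, which may in turn call another PIP (the chaining cdan describes).
    """

    def __init__(self, pips: List[PIP]) -> None:
        # One PIP per attribute id in this toy; real PDPs may register several.
        self._pips: Dict[str, PIP] = {p.provides: p for p in pips}

    def resolve(self, attr_id: str, request: Dict[str, List[str]]) -> List[str]:
        # Copy the request so cached PIP results never leak between requests.
        return self._resolve(attr_id, dict(request), set())

    def _resolve(self, attr_id: str, ctx: Dict[str, List[str]],
                 in_progress: Set[str]) -> List[str]:
        if attr_id in ctx:                      # already in the request context
            return ctx[attr_id]
        if attr_id in in_progress:              # A -> B -> C -> A: refuse to loop
            raise AttributeLoopError(f"PIP dependency cycle at {attr_id}")
        pip = self._pips.get(attr_id)
        if pip is None:                         # no PIP can provide it: empty bag
            return []
        in_progress.add(attr_id)                # attributes on the current path
        inputs = self._resolve(pip.requires, ctx, in_progress)
        in_progress.discard(attr_id)
        bag: List[str] = []
        for value in inputs:
            bag.extend(pip.lookup(value))
        ctx[attr_id] = bag                      # cache for the rest of this request
        return bag


def evaluate(handler: ContextHandler, request: Dict[str, List[str]]) -> str:
    """Toy policy from the answer: Permit if Action-ID is "read", else NotApplicable."""
    action_ids = handler.resolve("action-id", request)
    return "Permit" if "read" in action_ids else "NotApplicable"


# Constructed PIPs mirroring the answer's chain.
PIP_A = PIP("PIP A", provides="resource-id", requires="subject-id",
            lookup=lambda subject: {"Alice": ["doc-42"]}.get(subject, []))
PIP_B = PIP("PIP B", provides="action-id", requires="resource-id",
            lookup=lambda resource: {"doc-42": ["read"]}.get(resource, []))
HANDLER = ContextHandler([PIP_A, PIP_B])

# Constructed PIPs mirroring the comment thread's cyclic configuration.
LOOP_HANDLER = ContextHandler([
    PIP("PIP1", provides="A", requires="B", lookup=lambda v: [v]),
    PIP("PIP2", provides="B", requires="C", lookup=lambda v: [v]),
    PIP("PIP3", provides="C", requires="A", lookup=lambda v: [v]),
])


def loop_is_detected(request: Dict[str, List[str]]) -> bool:
    """True if resolving A on the cyclic configuration is refused rather than looping."""
    try:
        LOOP_HANDLER.resolve("A", request)
        return False
    except AttributeLoopError:
        return True


if __name__ == "__main__":
    print(evaluate(HANDLER, {"subject-id": ["Alice"]}))   # Permit
    print(evaluate(HANDLER, {"subject-id": ["Bob"]}))     # NotApplicable
    print(loop_is_detected({}))                            # True
    print(loop_is_detected({"C": ["seed"]}))               # False: C in the request breaks the cycle
```

The `in_progress` set holds only the attributes on the current resolution path, so the handler still allows a legitimate diamond (two PIPs that both need the same attribute) while rejecting a genuine cycle; as the last call shows, the same "cyclic" PIP configuration resolves fine once any attribute on the cycle is present in the request.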