
Hi I just want to know how can I match XACML 3.0 Request from the PEP against the Policies stored in policy store using PDP. How I will evaluate particular request against the multiple policies stored in policy store.

David Brossard
Utsav

3 Answers


The XACML request is matched with the "Target" element of the policies that are stored in the PDP policy store. Once the target element is matched for policies, those matched policies (applicable policies) are evaluated (the rules of the policies) according to the policy order, and the results are combined according to the policy combining algorithm of the policy store. If the PEP wants to know which policies are matched for a given XACML request, the PEP can send the XACML request with the "ReturnPolicyIdList" attribute set to "true".

<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="true">

Then the XACML response would return the matched policies.

Rashmi Pandit
Asela
  • So this is the responsibility of the PDP to match the Target element and combine the matched policies' results. But I am not sure how you are doing this in the Balana sample. How are you loading the policies in the PDP to match? Where is the PIP implementation in Balana XACML 3.0? – Utsav Jan 10 '14 at 09:57
  • It is an extension point that can be implemented. Balana has a default implementation as a file-based policy store. In this implementation, it would match all policies in the file store against the request and return the applicable policies (as a policy set) to the Balana engine. Please find the Java code here http://svn.wso2.org/repos/wso2/trunk/commons/balana/modules/balana-core/src/main/java/org/wso2/balana/finder/impl/FileBasedPolicyFinderModule.java – Asela Jan 10 '14 at 10:35
  • So you mean to say that the PIP is part of the PDP itself in the current implementation of Balana. So in the current samples provided by you we are loading all the policies directly from the resource folder on the file system. – Utsav Jan 10 '14 at 11:12
  • Yes.. PIP can be a part of the PDP. It is an extension point.. there can be multiple PIPs that can be plugged into the PDP – Asela Jan 10 '14 at 11:38
  • Then how will it work, meaning how will multiple PDPs communicate with multiple PIPs? As of now in the current implementation the PIP is part of the PDP, so when I am going to host my PDP as a service how will the PIP work? I am not clear about this functionality; can you please describe it in terms of Balana XACML. Is there separate PIP source code provided by you by which the PDP can communicate, or can I hope it will come in a new release? – Utsav Jan 10 '14 at 11:42
  • Basically a PIP is a Java class that you extend. Say your PIP is a JDBC user store. Then, in your PIP Java class, you want to write some code to call the JDBC user store and retrieve user attributes. So if there are multiple PDPs, you want to put this class into all PDPs. You can see a proper sample on writing a PIP here.. http://xacmlinfo.org/2011/12/18/writing-jdbc-pip-module/ But it is for WSO2IS... The same way would work with Balana also.... – Asela Jan 10 '14 at 15:37
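To make the Target matching and result combining described in this answer concrete, here is an added example (Python, not code from Balana or from this thread): the policy store is treated as one PolicySet with no Target, each policy's Target is matched against the request attributes, the applicable policies are evaluated in ranking order, and their results are combined with deny-overrides or first-applicable; policy ids come back only when ReturnPolicyIdList is requested. Targets and rule conditions are simplified to string-equal matches on flat attributes (an assumption of this example, not the XACML schema).

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    rule_id: str
    effect: str                                        # "Permit" or "Deny"
    condition: dict = field(default_factory=dict)      # attribute -> required value

@dataclass
class Policy:
    policy_id: str
    target: dict                 # attribute -> required value; {} matches everything
    rules: list

def target_matches(target, request):
    """Simplified Target: one AllOf of string-equal Matches (assumption)."""
    return all(request.get(attr) == value for attr, value in target.items())

def evaluate_policy(policy, request):
    """Rule combining inside a policy: first-applicable."""
    for rule in policy.rules:
        if target_matches(rule.condition, request):
            return rule.effect
    return "NotApplicable"

def evaluate(policies, request, algorithm="deny-overrides", return_policy_ids=False):
    """The whole store acts as one PolicySet with no Target: match each policy's
    Target, evaluate the applicable ones in ranking order, combine the results."""
    applicable = [p for p in policies if target_matches(p.target, request)]
    decision = "NotApplicable"
    for policy in applicable:
        result = evaluate_policy(policy, request)
        if result == "NotApplicable":
            continue
        if algorithm == "first-applicable" or result == "Deny":
            decision = result        # first hit, or deny-overrides: any Deny wins
            break
        decision = "Permit"          # deny-overrides: Permit unless a later Deny
    response = {"Decision": decision}
    if return_policy_ids:            # ReturnPolicyIdList="true" on the Request
        response["PolicyIdList"] = [p.policy_id for p in applicable]
    return response

# Constructed sample policy store, in ranking order (not a real deployment).
POLICIES = [
    Policy("doc-read", {"resource": "doc"}, [Rule("r1", "Permit", {"action": "read"})]),
    Policy("doc-deny-guest", {"resource": "doc"}, [Rule("r2", "Deny", {"subject": "guest"})]),
    Policy("printer-any", {"resource": "printer"}, [Rule("r3", "Permit")]),
]
```

Two policies with the same Target are both applicable, so the combining algorithm, not the ranking alone, decides the outcome; only first-applicable stops at the first hit.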

In addition to Asela's answer, I'd like to add that a "policy store" is implementation-specific.

The way Asela describes it essentially means that the policy store acts as a policy set with a combining algorithm and no target.

David Brossard
  • The XACML request only contains subject, resource and action values, and the policy will contain a Target element based on which the PDP will automatically evaluate, but what will happen if I have the same Target element defined in each policy? – Utsav Jan 10 '14 at 11:48
  • If you have the same target element, then all policies would be applicable to the request. Then all of them would be evaluated. All policies in the policy store would be taken as one policy set. – Asela Jan 10 '14 at 15:45
  • So if all the policies are evaluated then this is very complex, because if I have 100 or more matching policies it will consume more time to match and this will create a performance issue; not sure, correct me if I am wrong. – Utsav Jan 13 '14 at 07:00

Adding my experience of using WSO2 Identity Server as a PDP.

So you can add multiple policy files in IS. But you have to give a ranking to each policy file.

So what I think is, those policies get validated in the order of ranking which we provide, and whichever policy's target element gets matched first gets evaluated first.

swapy