Multi-Request Response Correlation in AzAPI

What is the problem?
• The XACML 3.0 multiple decision profile (and, to a lesser extent, XACML 2.0 multi-resource) permits multiple decisions in a single request
• AzAPI will also support multi-decision requests (currently only resource-action pairs)
• The two use different mechanisms to correlate requests and responses
• The AzAPI glue layer needs to match them up
When does this matter?
• Case 1: support for a remote PDP. The glue layer needs to parse the XML response and construct the AzAPI Response Context
• Case 2: mating AzAPI with a local XACML 3.0 PDP that uses an internal structure like the XML Response Context
• Not needed for a PDP that can act directly on AzAPI Request and Response Context objects
Assumptions
• This discussion ignores hierarchical multi-decision requests (XML or not) [2.1, 2.2]
• It also ignores the use of multiple attributes of the same category [2.3]
• The PDP always returns multiple individual decisions; any aggregation is done in the AzAPI glue layer
XACML 3.0 Multi-decision Request Context with References
<Request …>
  <Attributes xml:id="S1" Category="… access-subject">
    <Attribute AttributeId="… subject-id">
      <AttributeValue DataType="… #string">Jack</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes xml:id="R1" Category="… resource">
    <Attribute AttributeId="… resource-id">
      <AttributeValue DataType="… #string">… Res1</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes xml:id="R2" Category="… resource">
    <Attribute AttributeId="… resource-id">
      <AttributeValue DataType="… #string">… Res2</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes xml:id="A1" Category="… action">
    <Attribute AttributeId="… action-id">
      <AttributeValue DataType="… #string">read</AttributeValue>
    </Attribute>
  </Attributes>
  <MultiRequests>
    <RequestReference>
      <AttributesReference ReferenceId="S1"/>
      <AttributesReference ReferenceId="R1"/>
      <AttributesReference ReferenceId="A1"/>
    </RequestReference>
    <RequestReference>
      <AttributesReference ReferenceId="S1"/>
      <AttributesReference ReferenceId="R2"/>
      <AttributesReference ReferenceId="A1"/>
    </RequestReference>
  </MultiRequests>
</Request>
XACML 3.0 Correlation
• Any <Attribute> can carry the IncludeInResult="true" XML attribute; the PDP copies such attributes into the <Result> of the individual decision they belonged to
• Attributes can be included which are not used for the decision, but simply for correlation
AzAPI Multi-Request Support
• Currently the Request Context can contain Resource-Action Associations
• Generalize these to Associations of any Category
• Each Response is linked to its Association
Glue Layer Request Implementation
• Generate an <Attributes> element for every category instance, each with a unique Id
• For each Association:
  • Generate a synthetic <Attribute> called something like "AZAPI-decision-id", marked IncludeInResult="true", and assign it the values 1, 2, 3, etc.
  • Generate a <RequestReference> pointing at the Attributes in the Association plus the common Attributes
Glue Layer Response Processing
• For each <Result> (one <Decision> each) in the <Response>, read the value of the echoed decision-id Attribute; do not rely on the order of the Results
• Link the Result to the indicated Association
• Discard the decision-id Attribute
• Perform any requested combining of decisions
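The request-side and response-side procedures of the two slides above, worked through as an added example in Python. This is not AzAPI/OpenAz code. It assumes a hypothetical AttributeId urn:example:azapi:decision-id for the synthetic correlation attribute, puts that attribute in its own environment-category <Attributes> block so shared resource/action blocks stay reusable, builds the sample request data and the PDP response inline (both constructed), and uses deny-overrides as the combining rule because the slide does not say which combining is requested.

```python
# Glue-layer correlation for XACML 3.0 multi-decision requests.
# Added example, not AzAPI/OpenAz code; see the lead-in for assumptions.
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XML_NS = "http://www.w3.org/XML/1998/namespace"
STRING = "http://www.w3.org/2001/XMLSchema#string"
CAT = {"subject": "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject",
       "resource": "urn:oasis:names:tc:xacml:3.0:attribute-category:resource",
       "action": "urn:oasis:names:tc:xacml:3.0:attribute-category:action",
       "environment": "urn:oasis:names:tc:xacml:3.0:attribute-category:environment"}
# Hypothetical AttributeId for the synthetic correlation attribute (the slide
# only says "something like AZAPI-decision-id"); no policy ever references it.
DECISION_ID = "urn:example:azapi:decision-id"
ET.register_namespace("", XACML)


def _attributes(category, xml_id, attrs, include_in_result=False):
    """One <Attributes> block; attrs maps AttributeId -> string value."""
    el = ET.Element(f"{{{XACML}}}Attributes", Category=category)
    el.set(f"{{{XML_NS}}}id", xml_id)
    for attr_id, value in attrs.items():
        a = ET.SubElement(el, f"{{{XACML}}}Attribute", AttributeId=attr_id,
                          IncludeInResult="true" if include_in_result else "false")
        ET.SubElement(a, f"{{{XACML}}}AttributeValue", DataType=STRING).text = value
    return el


def build_multi_request(common, associations):
    """common: {category: {AttributeId: value}} shared by every decision; associations:
    one such dict per decision. Returns (request_xml, decision_ids in association order)."""
    req = ET.Element(f"{{{XACML}}}Request", ReturnPolicyIdList="false",
                     CombinedDecision="false")
    common_ids = []
    for i, (cat, attrs) in enumerate(common.items()):
        req.append(_attributes(CAT[cat], f"C{i}", attrs))
        common_ids.append(f"C{i}")
    refs = []
    for n, assoc in enumerate(associations, start=1):
        ids = list(common_ids)
        for cat, attrs in assoc.items():
            xml_id = f"A{n}{cat[0].upper()}"  # unique per category instance
            req.append(_attributes(CAT[cat], xml_id, attrs))
            ids.append(xml_id)
        # Synthetic decision-id in its own environment block; IncludeInResult="true"
        # makes the PDP echo it back inside the matching <Result>.
        req.append(_attributes(CAT["environment"], f"D{n}", {DECISION_ID: str(n)},
                               include_in_result=True))
        ids.append(f"D{n}")
        refs.append(ids)
    multi = ET.SubElement(req, f"{{{XACML}}}MultiRequests")
    for ids in refs:
        rr = ET.SubElement(multi, f"{{{XACML}}}RequestReference")
        for xml_id in ids:
            ET.SubElement(rr, f"{{{XACML}}}AttributesReference", ReferenceId=xml_id)
    return ET.tostring(req, encoding="unicode"), [str(n) for n in range(1, len(refs) + 1)]


def correlate(response_xml, associations):
    """Map each <Result> back to its association via the echoed decision-id. Returns a
    list aligned with associations, decision-id dropped; raises on missing/duplicate ids."""
    root = ET.fromstring(response_xml)
    by_id = {}
    for result in root.findall(f"{{{XACML}}}Result"):
        did, returned = None, {}
        for attr in result.iterfind(f"{{{XACML}}}Attributes/{{{XACML}}}Attribute"):
            value = attr.findtext(f"{{{XACML}}}AttributeValue")
            if attr.get("AttributeId") == DECISION_ID:
                did = value
            else:
                returned[attr.get("AttributeId")] = value  # other IncludeInResult attrs
        if did is None or did in by_id:
            raise ValueError(f"result with missing or duplicate decision-id: {did!r}")
        by_id[did] = {"decision": result.findtext(f"{{{XACML}}}Decision"),
                      "attributes": returned}
    expected = [str(n) for n in range(1, len(associations) + 1)]
    if sorted(by_id) != sorted(expected):
        raise ValueError(f"results {sorted(by_id)} do not match associations {expected}")
    return [by_id[d] for d in expected]


def combine_deny_overrides(results):
    """Glue-layer aggregation (deny-overrides) of the individual decisions."""
    decisions = [r["decision"] for r in results]
    return next((d for d in ("Deny", "Indeterminate", "Permit") if d in decisions),
                "NotApplicable")


# Constructed sample input (not from the page): Jack reads Res1 and Res2.
COMMON = {"subject": {"urn:oasis:names:tc:xacml:1.0:subject:subject-id": "Jack"}}
ACTION = {"urn:oasis:names:tc:xacml:1.0:action:action-id": "read"}
ASSOCIATIONS = [{"resource": {"urn:oasis:names:tc:xacml:1.0:resource:resource-id": r},
                 "action": ACTION} for r in ("Res1", "Res2")]
# Constructed PDP response (no real PDP). The <Result>s come back in the reverse
# order of the <RequestReference>s, so positional matching would swap the answers.
SAMPLE_RESPONSE = f"""<Response xmlns="{XACML}">
  <Result><Decision>Deny</Decision><Attributes Category="{CAT['environment']}">
    <Attribute AttributeId="{DECISION_ID}" IncludeInResult="true">
      <AttributeValue DataType="{STRING}">2</AttributeValue></Attribute></Attributes></Result>
  <Result><Decision>Permit</Decision><Attributes Category="{CAT['environment']}">
    <Attribute AttributeId="{DECISION_ID}" IncludeInResult="true">
      <AttributeValue DataType="{STRING}">1</AttributeValue></Attribute></Attributes></Result>
</Response>"""
```

Calling build_multi_request(COMMON, ASSOCIATIONS) yields one subject block, two resource blocks, two action blocks, two decision-id blocks and two <RequestReference> elements; correlate(SAMPLE_RESPONSE, ASSOCIATIONS) returns Permit for Res1 and Deny for Res2 even though the PDP listed them the other way round, and combine_deny_overrides on that list gives Deny. A response that repeats or omits a decision-id is rejected rather than silently mis-assigned, which is the failure the glue layer must never let through to the PEP.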