[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Minutes from Thursday night meeting
I'm attaching the BHSSF Policy Language Model Proposal (item 3 of the meeting
agenda) so that it will be clear for the rest of the submitters team what the
subject of the discussion was.
Konstantin
// BHSSF's proposed changes to rights model of access policy
//
//File: DfResourceAccessControl.idl
//
#ifndef _DF_RESOURCE_ACCESS_CONTROL_IDL_
#define _DF_RESOURCE_ACCESS_CONTROL_IDL_
#include <orb.idl>
#include "Security.idl"
#include "SecurityLevel2.idl"
#include "NamingAuthority.idl"
#pragma prefix "omg.org"
module DfResourceAccessControl
{
interface DynamicAttributeEval; // forward
//*********************************************************
// Basic Types
//*********************************************************
typedef SecurityLevel2::CredentialsList CredentialsList;
typedef Security::AttributeList AttributeList;
typedef Security::SecAttribute SecAttribute;
typedef Security::DelegationState DelegationState ;
//Konstantin's proposal makes this structure obsolete
enum PermissionControlModel {GRANTED_RIGHTS, DENIED_RIGHTS};
typedef sequence<boolean> Booleans;
typedef sequence<octet> ResourceKey;
typedef string ResourceType;
const ResourceType BASECLASS = "BASECLASS"; //
NamingAuthority::QualifiedNameStr
const ResourceType SUBCLASSTYPE = "SUBCLASS";
const ResourceType ATOMICTYPE = "ATOMIC";
struct ResourceNameComponent {
string id;
ResourceType kind;
};
typedef sequence<ResourceNameComponent> ResourceName;
struct DynamicAttrInfo {
DynamicAttributeEval evaluator;
ResourceKey key;
AttributeList dyn_attrs;
};
struct ResourceDef {
ResourceNameComponent local_name; // Name & Kind
//Konstantin's proposal makes control_model extension obsolete
//PermissionControlModel control_model; // Denied or Granted rights
boolean supports_dynattr;
};
//typedef Security::ExtensibleFamily ExtensibleFamily;
//typedef Security::RightsCombinator RightsCombinator;
struct ExtensibleFamily {
unsigned short family_definer;
unsigned short family;
};
enum RightsCombinator {
SecAllRights,
SecAnyRight
};
// extension of Security::Right...
struct Right {
//Konstantin's proposal makes this extension obsolete
//PermissionControlModel control_model;
ExtensibleFamily rights_family;
string right;
};
typedef sequence<Right> RightsList;
typedef TimeBase::IntervalT IntervalT;
typedef sequence<IntervalT> TimeIntervals;
//***************************************************************
// interface ResourceAccessPolicy
//***************************************************************
interface ResourceAccessPolicy{
void add_rights(
in SecAttribute priv_attr,
in DelegationState del_state,
in RightsList rights,
in TimeIntervals deny_times
);
void remove_rights(
in SecAttribute priv_attr,
in DelegationState del_state,
in RightsList rights
);
void replace_rights (
in SecAttribute priv_attr,
in DelegationState del_state,
in RightsList rights,
in TimeIntervals deny_times
);
RightsList get_rights (
in SecAttribute priv_attr,
in DelegationState del_state,
in ExtensibleFamily rights_family
);
};
//******************************************************************
// Start of Konstantin's proposal
//******************************************************************
// This is what we have today:
// ## Security service required rights rules syntax
// <authorization_rule> ::= <combinator> "(" <clause_body>* ")"
//
// <clause_body> ::= <right> {"," <right>}*
//
// <combinator> ::= "any"
// | "all"
//
// ## This is what Konstantin has suggested
// ## proposed HRAC authorization rules syntax
// <authorization_rule> ::= <combinator> "(" <clause_body>* ")"
//
// <clause_body> ::= <element> { "," <element> }*
//
// <element> ::= <complex_element>
// | <simple_element>
//
// <simple_element> ::= "negated" <atomic_element>
// | <atomic_element>
//
// <atomic_element> ::= <right>
// | <privelege_attribute>
// | <time_intervals>
// | <other>
//
// <combinator> ::= "any"
// | "all"
//
// Examples of syntactically valid authorization rules:
//:= "any" (A) //"any" is redundant here but IDL code (below) is simple
//:= "all" ("negated" A) //"all" is redundant here but IDL code is simple
//:= "all" ( "negated" A, B)
//:= "any" ( A, B, "negated" C)
//:= "all" ( "any" (A, B), D, "all" ("negated" E, F))
//
// Real life examples:
// := "any" (right.manage, right.set, right.use)
// full version of the same rule
// := "any" ({element_type=right,rights_family="OMG",right="manage"},
// {element_type=right,rights_family="OMG",right="set"},
// {element_type=right,rights_family="OMG",right="use"})
// Interpretation: Any user with effective rights either "manage", or "set", or "use" are
// authorized
//
//:= "all" (right.get, right.use, not right.set)
// full version of the same rule
//:= "all" ({element_type=right,rights_family="OMG",right="get"},
// {element_type=right,rights_family="OMG",right="use"}, "negated"
// {element_type=right,rights_family="OMG",right="set"})
// Interpretation: Only users with effective rights "get" and "use" but not "set" are authorized
//
//:= any (PrimaryGroupId.wheel)
// full version of the same rule
//:= "any" (
//{element_type=privelege_attribute,attrbute_family=1,
// attribute_type=PrimaryGroupId,defining_authorty="OMG",value="wheel"} )
// Interpretation: All members of group "wheel" are authorized
//
//:= all ( not AccessId.gates)
// full version of the same rule
//:= "all" ( "negated"
// {element_type=privelege_attribute,attrbute_family=1,attribute_type=AccessId,
// defining_authorty="OMG",value="gates"} )
// Interpretation: Everyone, except user "gates", is authorized
//
//:= all (not AccessId.gates, PrimaryGroupId.wheel)
// full version of the same rule
//:= "all" ("negated"
// {element_type=privelege_attribute,attrbute_family=1,attribute_type=AccessId,
// defining_authorty="OMG",value="gates"},
// {element_type=privelege_attribute,attrbute_family=1,
// attribute_type=PrimaryGroupId,defining_authorty="OMG",value="wheel"})
// Interpretation: everyone in group wheel, except user "gates", is authorized
//
//:= any (PrimaryGroupId.wheel, not time.[Saturday,Sunday], right.manage)
// full version of the same rule
//:= "any"
// ({element_type=privelege_attribute,attrbute_family=1,
// attribute_type=PrimaryGroupId,defining_authorty="OMG",value="wheel"}),
// "negated" {element_type=time_interval,time=[Saturday,Sunday]},
// {element_type=right,rights_family="OMG",right="manage"})
// Interpretation: Any one during the week days or members of group "wheel" or users with
// effective right "manage" are authorized
//
// Where A, B, C, D, E, F are <element>
// Comparison of "required" element A is evaluated to True if A is successfully
// matched with the corresponding "effective" element.
// Explanation of "matching with the corresponding effective element":
// For right -- if principal has the same effective right
// For privilege attribute -- if principal credentials have corresponding
// security attribute with identical values for all members of SecAttribute
// structure
// For time_intervals -- if current time falls between high and low boundaries
// defined in any element of the time_intervals sequence.
//
//******************************************************************
// Actual interfaces defined in bottom top order
//******************************************************************
enum Combinator {
AllElements,
AnyElement
};
enum AtomicElementType {
PrivelegeAttributeType,
RightType,
TimeIntervalsType,
OtherType
};
union AtomicElement switch (AtomicElementType) {
case PrivelegeAttributeType : SecAttribute privelege;
case RightType : Right right;
case TimeIntervalsType : time_intervals;
case OtherType : Any other;
};
struct SimpleElement {
bool negated;
AtomicElement atomic_element;
};
typedef sequence< SimpleElement > SimpleElements;
struct AuthorizationRule {
SimpleElements simple_elements,
sequence< AuthorizationRule > complex_elements;
Combinator combinator,
};
//******************************************************************
// interface ResourceRepository
//*****************************************************************
interface ResourceRepository {
void create_resource_def (
in ResourceDef resource);
void delete_resource_def (
in ResourceDef resource);
void add_subclass (in ResourceName parent,
in ResourceDef child);
void remove_subclass (in ResourceName parent,
in ResourceName child);
void add_dynattribute_support (
in ResourceName name,
in DynamicAttrInfo dynamic_info,
in AttributeList dyn_attrs);
DynamicAttrInfo get_dynattribute_support(
in ResourceName name);
void set_permission_control (
in ResourceName name,
in PermissionControlModel control_model);
void set_resource_key (
in ResourceName name,
in ResourceKey key);
// former set_required_rights
void set_authorization_rule(
in string intent,
in ResourceName resource_name,
in AuthorizationRule rule,
);
// former get_required_rights
void get_authorization_rule(
in string intent,
in ResourceName resource_name,
out AuthorizationRule attributes,
);
};
//******************************************************************
// interface DynamicAttributeEval
//*****************************************************************
interface DynamicAttributeEval {
boolean has_attribute(
in ResourceKey resource_key,
in CredentialsList existing_credentials,
in SecAttribute dynamic_attr);
Booleans has_attributes(
in ResourceKey resource_key,
in CredentialsList existing_credentials,
in AttributeList dynamic_attrs);
};
//******************************************************************
// interface AccessDecision
//*****************************************************************
interface AccessDecision {
struct AccessDef {
string intent;
ResourceName name;
};
typedef sequence<AccessDef> MultipleAccessDef;
boolean access_allowed(
in string intent,
in ResourceName name,
in CredentialsList credentials);
Booleans multiple_access_allowed(
in MultipleAccessDef requested_access,
in CredentialsList credentials);
};
};
#endif // DfResourceAccessControl