How do I assign roles/permissions in a plaintext XML
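Posted: 2020-07-15 22:10:33

Question:
I have a school assignment in which we have to generate a set of policies in a plaintext XML document and then write some quick Java code to read that policy document and textualize it. The Java part I can handle, but I am struggling to find any decent tutorials on how to use/write plaintext XML to actually establish/enforce my policies. Below is an outline of my XML document and what I would like each role to be able to do: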
<?xml version="1.0" encoding="UTF-8"?>
<bank>
<assets>
<!--
Vault should have a lock with two keys
Keys are 8 digit combinations unique to the key owners
Keys will be owned by the Bank Owner, Security Manager, and Bank Manager
Vault access requires 2 individuals with proper clearance and their keys and stays open for duration of working day
Vault is used to hold safety deposit boxes, and all cash/goods > $10k during the working day, or all cash/goods outside of working day
Vault closed at end of working day, after all other cash/goods have been deposited from their respective sources (i.e. safes'/tills' contents deposited to vault)
Deposits from safes/tills can occur after working hours (assumed that customer operations stop after working hours, but some internal bank operations may occur outside of customer service hours)
-->
<vault>
</vault>
<!--
Safe should hold cash/goods $2k< x <$10k during working day, nothing outside of working day
Safe access requires an 8 digit combination unique to that safe
Combination is owned by Bank Owner, Bank Manager, and Security Manager
Safe access requires:
Bank Owner
Bank Manager
Security Manager + Bank Owner
Security Manager + Bank Manager
Security Guard + Bank Owner
Security Guard + Bank Manager
-->
<safe>
</safe>
<!--
Till should hold cash/goods < $2k during working day, nothing outside of working day
Till access requires a 6 digit combination unique to that safe
Combination is owned by Bank Owner, Bank Manager, Teller, Security Manager, Security Guard
Safe access required:
Bank Owner
Bank Manager
Teller
Security Manager + Bank Owner
Security Manager + Bank Manager
Security Manager + Teller
Security Guard + Bank Owner
Security Guard + Bank Manager
Security Guard + Teller
-->
<till>
</till>
<!--
Assume each account is strictly a deposit/withdraw account with a single balance/no recurring debt/real-time instant transactions. Customers must deposit/withdraw in store.
Each account should have a random && unique 8 digit identifier
Each account should have a customer name connected to the 8 digit identifier
Each account should have a pin used by the user to access their account
Each account should have a balance (can be positive or negative)
If account balance is negative, customer cannot withdraw
-->
<account>
</account>
</assets>
<people>
<!--
Effectively act as the Admin role
Has access to all assets
Limitations:
Require 2nd person for access to vault
Require customer authentication (PIN) for any account changes outside of view/read only
Can create/modify/delete employee accounts (i.e. Bank Manager(s)/Teller(S))
Can create/modify/delete security accounts (i.e. Security Manager(s)/Security Guard(s))
-->
<bank_owner>
</bank_owner>
<!--
Has access to all assets
Limitations:
Require Bank Manager to be present to access vault
Require customer authentication (PIN) for any account changes outside of view/read only
Can create/modify/delete employee accounts
Create/Delete require Bank Manager sign-off (assume hiring or retiring/firing employee, need to maintain control of access to assets)
-->
<bank_manager>
</bank_manager>
<!--
Has access to Tills
Can create/modify/delete accounts
Deleting accounts requires sign off by Bank Manager or Bank Owner
Require Customer's PIN for modify/delete operations
When creating account, create customer PIN first, then account
-->
<teller>
</teller>
<!--
Has limited access to all assets EXCEPT customer accounts
Requires Bank Owner/Bank Manager/Teller to be present depending on what asset they're trying to access
-->
<security_manager>
</security_manager>
<!--
Has limited access to all assets EXCEPT customer accounts and vault
Requires Bank Owner/Bank Manager/Teller to be present depending on what asset they're trying to access
-->
<security_guard>
</security_guard>
<!--
Has access only to their account to withdraw/deposit
May create/modify/delete account when assisted by Bank Owner/Bank Manager/Teller
-->
<customer>
</customer>
</people>
</bank>
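My idea is to write a Java program with a few constructors to generate users and assign them roles/permissions based on the XML document. So basically, construct a user with certain roles, and then the user + role combination references the XML policy to determine what the user can/cannot do/access.
Specifically, I am using plaintext XML and JDK-11.0.7. I do everything in the Sublime text editor and compile on the command line. I don't have Eclipse or any other JDE, so plugins like ALFA won't work, and I am trying to use only plaintext, so I think(?) XACML is out of reach here too.
The first help I need, though, is just help/guidance/a link to a tutorial on how to actually set up the attributes for each role. I have found plenty of resources explaining what RBAC/ABAC is, or how to enforce your policies, but nothing that actually tells me how to write the policies.
Thanks in advance for your help!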
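Comments:
I posted an article that may help you: medium.com/@agamgupta1988/…

Answer 1:
I realize I'm late in answering your question, so you may already be done, which makes this more of an educational answer.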
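The actual implementation of policies in an ABAC architecture can be done using the standard eXtensible Access Control Markup Language (XACML). It is an XML-based standard.
For a school project, you are unlikely to create a complete software ecosystem to implement ABAC, which would be:
The architecture contains the following components:
Policy Enforcement Point (PEP): this is the component that protects the application you want to protect. The PEP intercepts the flow, analyzes it, and sends an authorization request to the PDP (see below). It then receives a decision (permit/deny), which it enforces.
Policy Decision Point (PDP): receives the authorization request (e.g. can Alice view record #123?) and evaluates it against the set of policies it has been configured with. It eventually reaches a decision, which it sends back to the PEP. During the evaluation process, the PDP may need additional metadata, e.g. the user's job title. To that end, it can turn to Policy Information Points (PIP).
Policy Information Point (PIP): the interface between the PDP and underlying data sources, e.g. an LDAP, a database, or a REST service that contains metadata about users, resources, or other. You can use PIPs to retrieve information the PDP may need at runtime, e.g. a risk score, a record's location, or other.
I would suggest using open-source software such as WSO2 or AuthZForce to get these components.
You can write your policies in XACML and then import them into this software.
This is useful for a school project or even a work project.
Let me know if you have any questions.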
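A minimal sketch of the PEP/PDP split described in this answer, applied to the question's vault and till rules; it is an added example, not code from the original post or from WSO2/AuthZForce. The `<policy>`/`<rule>`/`<allow>` schema, the `PolicyDemo` class and the role strings are assumptions made for illustration (this is not XACML), and it needs only JDK 11.

```java
import java.io.StringReader;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class PolicyDemo {
    // Constructed policy; element and attribute names are assumptions, not XACML.
    static final String POLICY = "<policy>"
        + "<rule asset='vault' action='open'>"   // any two of the three key owners
        + "<allow roles='bank_owner bank_manager'/>"
        + "<allow roles='bank_owner security_manager'/>"
        + "<allow roles='bank_manager security_manager'/></rule>"
        + "<rule asset='till' action='open'><allow roles='bank_owner'/>"
        + "<allow roles='bank_manager'/><allow roles='teller'/></rule></policy>";

    static Document load(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // The policy is security-critical input: refuse DOCTYPE declarations (blocks XXE).
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
    }

    // PDP: permit only if every role of some <allow> set is present; deny otherwise.
    static boolean decide(Document policy, String asset, String action, Set<String> present) {
        NodeList rules = policy.getElementsByTagName("rule");
        for (int i = 0; i < rules.getLength(); i++) {
            Element rule = (Element) rules.item(i);
            if (!asset.equals(rule.getAttribute("asset"))
                    || !action.equals(rule.getAttribute("action"))) continue;
            NodeList allows = rule.getElementsByTagName("allow");
            for (int j = 0; j < allows.getLength(); j++) {
                String roles = ((Element) allows.item(j)).getAttribute("roles").trim();
                // A missing or empty roles attribute yields [""], which never matches.
                if (present.containsAll(Arrays.asList(roles.split("\\s+")))) return true;
            }
        }
        return false; // default deny: unknown asset/action or no satisfied role set
    }

    public static void main(String[] args) throws Exception {
        Document policy = load(POLICY);
        // PEP side: ask the PDP before touching the asset.
        System.out.println(decide(policy, "vault", "open", Set.of("bank_owner")));
        System.out.println(decide(policy, "vault", "open", Set.of("bank_owner", "security_manager")));
        System.out.println(decide(policy, "till", "open", Set.of("security_guard")));
        System.out.println(decide(policy, "safe", "open", Set.of("bank_owner")));
    }
}
```

Compile and run from the command line with `javac PolicyDemo.java` and `java PolicyDemo`.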