Example of Authorization Requests and Policies¶
The following examples of policies and associated requests are meant to illustrate some of the possible policies, requests, and resulting authorization decisions.
Note, the examples below use the PAP’s simplified policy language to express policies. So please review this syntax, before proceeding, if you are not yet familiar with it.
User Based Authorization¶
In this example one user is permitted, and one is denied, the ability to submit jobs on the CERN CE resource. Each user is identified by a X.509 subject DN. This example also shows how identity-based access control is simply a degenerate case of attribute-based access control.
Authorization Policy¶
resource "http://cern.ch/authz/ce1" {
action "http://cern.ch/authz/actions/ce-submit" {
rule permit {
subject="CN=John Doe,OU=Standard Commercial Certificate,O=Acme,L=Zuerich,ST=Zuerich,C=CH"
}
rule deny {
subject="CN=Jane Smith,OU=Standard Commercial Certificate,O=Acme,L=Zuerich,ST=Zuerich,C=CH"
}
}
}
Requests¶
A request of:
- resource attributes:
- id:
urn:oasis:names:tc:xacml:1.0:resource:resource-id
, value:http://cern.ch/authz/ce1
- any other attributes
- id:
- action attributes:
- id:
urn:oasis:names:tc:xacml:1.0:action:action-id
, value:http://cern.ch/authz/actions/ce-submit
- any other attributes
- id:
- subject attributes:
- id:
urn:oasis:names:tc:xacml:1.0:subject:subject-id
, value:CN=John Doe,OU=Standard Commercial Certificate,O=Acme,L=Zuerich,ST=Zuerich,C=CH
- id:
would result in an authorization decision of permit
because the
given resource and actions IDs match what was given in the policy and
the subject ID DN matches what was given in the permit rule. If the
request contained any other resource, action, or subject attribute these
would be ignored since the policy does not reference them. If the
request had not contained the attributes listed it would have resulted
in an authorization decision of not applicable
since no policy would
have matched the request.
A request of:
- resource attributes:
- id:
urn:oasis:names:tc:xacml:1.0:resource:resource-id
, value:http://cern.ch/authz/ce1
- any other attributes
- id:
- action attributes:
- id:
urn:oasis:names:tc:xacml:1.0:action:action-id
, value:http://cern.ch/authz/actions/ce-submit
- any other attributes
- id:
- subject attributes:
- id:
urn:oasis:names:tc:xacml:1.0:subject:subject-id
, value:CN=Jane Smith,OU=Standard Commercial Certificate,O=Acme,L=Zuerich,ST=Zuerich,C=CH
- id:
would result in an authorization decision of deny
since the resource
and action IDs match and this time the subject ID matches the
requirement for the deny rule.
Note, in the second request, if the subject ID had contained at least
the values
CN=John Doe ,OU=Standard Commercial Certificate,O=Acme,L=Zuerich,ST=Zuerich,C=CH
and
CN=Jane Smith,OU=Standard Commercial Certificate,O=Acme,L=Zuerich,ST=Zuerich,C=CH
the authorization decision would have been permit
since the permit
rule would have been evaluated first and would have returned the result.
Per-VO Pilot Job Authorization Policy¶
This example shows a policy that allows pilot jobs from one VO, atlas, and denies pilot jobs from others. It also demonstrates rules that rely on more than one attribute.
Authorization Policy¶
resource "http://cern.ch/authz/ce1" {
action "http://cern.ch/authz/actions/ce-submit" {
rule permit {
vo="atlas"
pilot-job="true"
}
rule deny {
pilot-job="true"
}
}
}
Requests¶
A request of:
- resource attributes:
- id:
urn:oasis:names:tc:xacml:1.0:resource:resource-id
, value:http://cern.ch/authz/ce1
- any other attributes
- id:
- action attributes:
- id:
urn:oasis:names:tc:xacml:1.0:action:action-id
, value:http://cern.ch/authz/actions/ce-submit
- any other attributes
- id:
- subject attributes:
- id:
http://authz-interop.org/xacml/subject/vo
, value:atlas
- id:
http://example.org/authz/attribute/pilot-job
, value:true
- id:
would result in a decision of permit
since the atlas VO is permitted
to submit pilot jobs. A request where the VO was lhcb
or cms
would result in a decision of deny
since these VOs are not permitted
to submit jobs.
A request of: * resource attributes:
- id:
urn:oasis:names:tc:xacml:1.0:resource:resource-id
, value:http://cern.ch/authz/ce1
- any other attributes * action attributes:
- id:
urn:oasis:names:tc:xacml:1.0:action:action-id
, value:http://cern.ch/authz/actions/ce-submit
- any other attributes * subject attributes:
- id:
http://authz-interop.org/xacml/subject/vo
, value:atlas
would result in a decision of not applicable
since the current
policy indicates that only jobs from the VO atlas that are also pilot
jobs are permitted. Requests without a pilot-job attribute are not
addressed by this policy.