Access Controls and Policies
Attribute names can be used to define policies and policies can be used to define access controls:
Policies are expressions involving attribute names, which can be evaluated to
true
orfalse
given an environment containing attribute values.Access controls were discussed earlier. They restrict the messages which can be received or sent by a worker.
Policies
Policies are boolean expressions constructed using attribute names. For example:
In the expression above:
and
,=
,member?
are operators.resource.version
,subject.name
,resource.admins
are identifiers.1
,"John"
are values.
Values can have the 5 following types:
String
Int
Float
Bool
Seq
: a sequence of values
This table lists all the available operators:
and
>= 2
Produce the logical conjunction of n expressions
or
>= 2
Produce the logical disjunction of n expressions
not
1
Produce the negation of an expression
if
3
Evaluate the first expression to select either the second expression or the third one
<
2
Return true if the first value is less than the second one
>
2
Return true if the second value is less than the first one
=
2
Return true if the two values are equal
!=
2
Return true if the two values are different
member?
2
Return true if the first value is present in the second expression, which must be a sequence Seq
of values
exists?
>= 1
Return true if all the expressions are identifiers with values present in the environment
We evaluate a policy by doing the following:
Each attribute
attribute_name/attribute_value
is added to the environment as an identifiersubject.attribute_name
associated to the valueattribute_value
(always as aString
). In the example of a policy given above the identifiersubject.name
means that we are expecting an attributename
associated to the identity which sent a message.The top-level expression of the policy is recursively evaluated by evaluating each operator and taking values from the environment when an expression is referencing an identifier.
The end result of a policy evaluation is simply a boolean saying if the policy succeeded or not.
Access controls
The library offers two types of access controls using policies:
AbacAccessControl
.PolicyAccessControl
.
AbacAccessControl
AbacAccessControl
This access control type is used as an IncomingAccessControl
(so it restricts incoming messages).
We define an AbacAccessControl
with the following:
A
Policy
which specifies which attributes are required for a given identity.An
IdentityRepository
which stores a list of the known authenticated attributes for a given identity.
When a LocalMessage
arrives to a worker using such an incoming access control, we do the following:
If an identity is not associated to this message (as
LocalInfo
), the message is rejected.Otherwise the attributes for this identity are retrieved from the repository.
The attributes are used to populate the policy environment.
The policy expression is evaluated. If it returns
true
the message is accepted.
PolicyAccessControl
PolicyAccessControl
This access control type is used as an IncomingAccessControl
(so it restricts incoming messages).
We define a PolicyAccessControl
with the following:
A
PolicyRepository
which stores a list of policies.A
Resource
and anAction
. They represent the access which we want to restrict.An
IdentityRepository
which stores a list of the known authenticated attributes for a given identity.
When a LocalMessage
arrives to a worker using this type of incoming access control, we do the following:
If an identity is not associated to this message (as
LocalInfo
), the message is rejected.Otherwise the attributes for this identity are retrieved from the repository.
The most recent policy for the resource and the action is retrieved from the policy repository.
The attributes are used to populate the policy environment.
The policy expression is evaluated. If it returns
true
the message is accepted.
The two major differences between this policy and the previous one are:
The
PolicyAccessControl
models aResource/Action
pair.Policies for that resource and action can be modified even if the worker they are attached to is already started.
Last updated