11 | | privilege or payment based |
12 | | tbd |
| 11 | Access control in SENSEI can be done on the basis of the user's privileges, or on the basis of payment. This choice is made by the resource provider. If the access control should be performed based on payment, the REP should be registered with a payment based AAA service. Instructions for this can be found [[wiki:PrivacyAndBilling|here]]. |
| 12 | If the access control should be performed based on privileges, the REP should be registered with a privilege based AAA service. Instructions for this can be found below. |
| 13 | ==== Defining an access policy ==== |
| 14 | First a set of policies must be defined to specify the access rules which should apply. These are specified in a text file with the .drl extension. |
| 15 | For the enthusiasts, a full description of the rules language can be found [[http://downloads.jboss.com/drools/docs/5.1.1.34858.FINAL/drools-expert/html/ch04.html|here]]. We would recommend keeping things simple, and therefore provide an example below. |
| 16 | {{{ |
| 17 | package com.thalesresearch.sensei.aaa |
| 18 | |
| 19 | import com.thalesresearch.sensei.aaa.service.authorisation.decisionmaker.policybased.AuthorisationPolicyEngine.AuthorisationRequest; |
14 | | === Defining an access policy === |
15 | | needs to refer to the STS role list |
16 | | tbd |
17 | | === Registering the policy === |
18 | | selection of AAA block |
19 | | registration of policy |
20 | | changing / removing the policy |
21 | | tbd |
22 | | === Enforcing the AAA decision === |
23 | | switching on the right bits in the REP |
24 | | tbd |
| 21 | // the default is to grant. so rules only need to specify the deny conditions |
| 22 | |
| 23 | rule "Only USER can access https://sensei-dev1.grid.pub.ro:8443/rep-sensors" |
| 24 | @url ("https://sensei-dev1.grid.pub.ro:8443/rep-sensors") |
| 25 | @allowed ("USER") |
| 26 | @denied ("All except USER") |
| 27 | @comment ("Role based rule for sensor resources") |
| 28 | when |
| 29 | a : AuthorisationRequest( url == "https://sensei-dev1.grid.pub.ro:8443/rep-sensors" && role != "USER" ) |
| 30 | then |
| 31 | System.out.println( a.getRole() + " not allowed to access https://sensei-dev1.grid.pub.ro:8443/rep-sensors" ); |
| 32 | a.setIsGranted(false); |
| 33 | end |
| 34 | |
| 35 | rule "Only ADMIN can access https://sensei-dev1.grid.pub.ro:8443/rep-accounting" |
| 36 | @url ("https://sensei-dev1.grid.pub.ro:8443/rep-accounting") |
| 37 | @allowed ("ADMIN") |
| 38 | @denied ("All except ADMIN") |
| 39 | @comment ("Role based rule for accounting resources") |
| 40 | when |
| 41 | a : AuthorisationRequest( url == "https://sensei-dev1.grid.pub.ro:8443/rep-accounting" && role != "ADMIN" ) |
| 42 | then |
| 43 | System.out.println( a.getRole() + " not allowed to access https://sensei-dev1.grid.pub.ro:8443/rep-accounting" ); |
| 44 | a.setIsGranted(false); |
| 45 | end |
| 46 | }}} |
| 47 | This shows 2 rules, which will be evaluated sequentially top to bottom. Each rule follows the pattern: |
| 48 | * rule "name", which can be anything |
| 49 | * @field ("content"), these are rule metadata used for logging. |
| 50 | * when<CR>a: AuthorisationRequest(condition) : the condition to be evaluated, which in these cases is the REP URL being access controlled and the role of the requester |
| 51 | * then: whether access should be granted or not. |
| 52 | |
| 53 | The roles which are evaluated in these rules are the roles contained in the tokens issued by the [wiki:Aaa|STS]. |
| 54 | ==== Registering the policy ==== |
| 55 | There may be multiple AAA services running in the domain, and the resource provider must choose which to use (in a real life deployment they may differ in terms of SLAs, or service cost etc). |
| 56 | |
| 57 | The AAA service implementation is provided as a WAR file deployed in a servelet container (see [wiki:Aaa|here]), and the policy files should be placed in the "WEB-INF/classes/authorisation-policies" folder of the WAR file, and the AAA service restarted. |
| 58 | |
| 59 | Adding, modifying or removing policies is done by changing the content of the "WEB-INF/classes/authorisation-policies" folder. |
| 60 | ==== Enforcing the AAA decision ==== |
| 61 | The REP must request an access control decision from the AAA service each time a client tries to access a service. To do this, the REP must know the URL of the |
| 62 | |