Tags: mapreduce, acl, access-control, xacml, abac

change ACL policy to XACML


I'm trying to test a security method in MapReduce and I'm wondering if my approach makes sense. I would like to transform the access control list policy which exists in MapReduce into an XACML policy. To do that I take the file where the ACL is defined, copy the name and value of each property, then put it in a policy following the XACML format.

this is the ACL definition

<property>
  <name>mapreduce.job.acl-modify-job</name>
  <value>user </value>
</property>
<property>
  <name>mapreduce.job.acl-view-job</name>
  <value>user </value>
</property>

this is the policy in XACML

<!-- XACML 2.0 namespace added so the policy parses; the asker's fragment had none -->
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" PolicyId="GeneratedPolicy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:ordered-permit-overrides">
  <Target>
    <Subjects>
      <Subject>
        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">user </AttributeValue>
          <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </SubjectMatch>
      </Subject>
    </Subjects>
    <Resources>
      <!-- was a stray closing tag "</AnyResource>"; the XACML 2.0 element is empty and self-closing -->
      <AnyResource/>
    </Resources>
  </Target>
  <Rule RuleId="rule1" Effect="Permit">
    <Target>
      <Actions>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">mapreduce.job.acl-view-job</AttributeValue>
            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ActionMatch>
        </Action>
      </Actions>
    </Target>
  </Rule>
  <!-- catch-all: no Target, so it applies to every request the first rule did not permit -->
  <Rule RuleId="rule2" Effect="Deny"/>
</Policy>

Is this considered correct?


Solution

  • A couple of comments on your policy:

    • it uses XACML 2.0. That's old! Switch to XACML 3.0
    • You have a whitespace in the value <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">user </AttributeValue>. Get rid of it (unless you really mean to test on 'user ').
    • Your policy contains two rules:
      • the first one grants access if urn:oasis:names:tc:xacml:1.0:action:action-id == mapreduce.job.acl-view-job
      • the second one always denies access. I assume the intent is to deny access if no action matched. That's fine. I often call that a "catch-all" or safety-harness. There is another way of achieving this by using a combining algorithm on the policy called deny-unless-permit. If none of the rules apply, then the policy will yield deny. This only exists in XACML 3.0
    • Your policy uses a combining algorithm called permit-overrides (urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:ordered-permit-overrides). Generally I avoid using it because it means that in the case of a Deny and a Permit, Permit wins. That's too permissive to my liking. Use first-applicable (urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable) instead. You can read up on combining algorithms here.
    • Ultimately, to make your policy scale, you may want to externalize the list of users rather than have a value for each user inside the policy. So rather than comparing your username to Alice or Bob or Carol, you would compare to an attribute called allowedUsers which you'd maintain inside a database for instance.
    • Another tip: you could make your policy easier to understand and more scalable if you split the value mapreduce.job.acl-view-job into its different parts (appName="mapreduce"; objectType="job"; action="job"). That would let you have policies about viewing, editing, deleting jobs more easily.
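The following is an added example, written for this page and not code from the asker or the answerer. It does the transformation the question describes (Hadoop job ACL properties in, XACML policy out) while applying the answer's advice: XACML 3.0 rather than 2.0, attribute values trimmed so "user " does not become a user name, the deny-unless-permit rule-combining algorithm instead of a trailing catch-all Deny rule, and the property name split into app / object type / action attributes. It also handles the two edge cases of the Hadoop ACL format that a literal copy of name and value would get wrong: "*" (everyone) and a blank value (nobody). The attribute ids for app-name, object-type and group membership are made up for illustration (XACML defines no standard ones), and the sample input is constructed from the two properties in the question.

```python
"""Turn Hadoop MapReduce job ACL properties into an XACML 3.0 policy.

Added example (not code from the question or the answer). It applies the
answer's advice: XACML 3.0 instead of 2.0, trimmed attribute values, the
deny-unless-permit rule-combining algorithm instead of a catch-all Deny
rule, and the property name split into app / object type / action.
"""
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
DENY_UNLESS_PERMIT = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit"
CAT_SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
CAT_RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
CAT_ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
# Assumed attribute ids (not XACML standard ones) for the split-out parts and for groups.
APP_ID = "urn:example:hadoop:app-name"
OBJECT_ID = "urn:example:hadoop:object-type"
GROUP_ID = "urn:example:hadoop:group"

# Constructed sample input: the two properties from the question, including the
# trailing space in "user " that the answer warns about.
HADOOP_ACL_XML = """<configuration>
  <property><name>mapreduce.job.acl-modify-job</name><value>user </value></property>
  <property><name>mapreduce.job.acl-view-job</name><value>user </value></property>
</configuration>"""


def parse_hadoop_acl(value):
    """Hadoop ACL syntax: 'u1,u2 g1,g2' (users, one space, groups); '*' = everyone; ' ' = nobody.
    Returns None for the wildcard, else (users, groups). Splits on the first space like
    Hadoop's AccessControlList does, so 'user ' is user 'user' and ' user' is group 'user'."""
    if "*" in value:
        return None
    users_part, _, groups_part = value.partition(" ")
    users = [u.strip() for u in users_part.split(",") if u.strip()]
    groups = [g.strip() for g in groups_part.split(",") if g.strip()]
    return users, groups


def split_acl_name(name):
    """'mapreduce.job.acl-view-job' -> ('mapreduce', 'job', 'view'), the split the answer suggests."""
    app, obj, rest = name.split(".", 2)
    parts = rest.split("-")
    if parts[0] != "acl" or len(parts) < 2:
        raise ValueError(f"not a Hadoop job ACL property: {name}")
    return app, obj, parts[1]


def _match(all_of, category, attr_id, value):
    """One XACML 3.0 <Match>: the request attribute must string-equal `value`."""
    m = ET.SubElement(all_of, "Match", MatchId=STRING_EQUAL)
    ET.SubElement(m, "AttributeValue", DataType=XS_STRING).text = value
    ET.SubElement(m, "AttributeDesignator", Category=category, AttributeId=attr_id,
                  DataType=XS_STRING, MustBePresent="false")


def build_policy(hadoop_xml, policy_id="mapreduce-job-acls"):
    """Return the XACML 3.0 <Policy> element: one Permit rule per ACL that allows someone."""
    policy = ET.Element("Policy", xmlns=XACML_NS, PolicyId=policy_id, Version="1.0",
                        RuleCombiningAlgId=DENY_UNLESS_PERMIT)
    ET.SubElement(policy, "Target")  # empty: the policy applies to every request
    for prop in ET.fromstring(hadoop_xml).findall("property"):
        app, obj, action = split_acl_name(prop.findtext("name", ""))
        acl = parse_hadoop_acl(prop.findtext("value", ""))
        if acl is not None and not acl[0] and not acl[1]:
            continue  # nobody is allowed: no rule, and deny-unless-permit yields Deny
        rule = ET.SubElement(policy, "Rule", RuleId=f"permit-{action}-{obj}", Effect="Permit")
        target = ET.SubElement(rule, "Target")
        # AnyOf elements are ANDed; AllOf elements inside one AnyOf are ORed.
        what = ET.SubElement(ET.SubElement(target, "AnyOf"), "AllOf")
        _match(what, CAT_RESOURCE, APP_ID, app)
        _match(what, CAT_RESOURCE, OBJECT_ID, obj)
        _match(what, CAT_ACTION, ACTION_ID, action)
        if acl is None:
            continue  # wildcard: no subject constraint on this rule
        users, groups = acl
        who = ET.SubElement(target, "AnyOf")
        for user in users:
            _match(ET.SubElement(who, "AllOf"), CAT_SUBJECT, SUBJECT_ID, user)
        for group in groups:
            _match(ET.SubElement(who, "AllOf"), CAT_SUBJECT, GROUP_ID, group)
    return policy


def policy_to_string(policy):
    """Serialise the policy; ET.indent only exists on Python 3.9+."""
    if hasattr(ET, "indent"):
        ET.indent(policy)
    return ET.tostring(policy, encoding="unicode")


if __name__ == "__main__":
    print(policy_to_string(build_policy(HADOOP_ACL_XML)))
```

Running the script prints a policy with two Permit rules (permit-modify-job and permit-view-job), each matching app-name "mapreduce", object-type "job" and the action, and the subject-id "user" without the trailing space. The answer's last scaling tip, keeping the user list outside the policy, is deliberately not done here: the generator still copies each user name into the policy, so in a real deployment you would instead point the subject match at an attribute that a PIP resolves from a user store, and have the PIP also supply the group attribute that GROUP_ID stands in for.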