# Obligations
Obligations are defined using the YAML syntax described below.
## Table of Contents
1. [Common Elements](#common-elements)
   - [Nodes](#nodes)
2. [Obligation](#obligation)
3. [Rule](#rule)
4. [Event Pattern](#event-pattern)
   - [Subject](#subject)
   - [Policy Class](#policy-class)
   - [Operations](#operations)
   - [Target](#target)
5. [Response](#response)
   - [Condition](#condition)
   - [Create Action](#create-action)
   - [Assign Action](#assign-action)
   - [Grant Action](#grant-action)
   - [Deny Action (Prohibition)](#deny-action-prohibition)
   - [Delete Action](#delete-action)
   - [Function as Action](#function-as-action)
6. [Functions](#functions)
   - [Built-in Functions](#built-in-functions)
     - [child_of_assign](#child_of_assign)
     - [parent_of_assign](#parent_of_assign)
     - [create_node](#create_node)
     - [current_process](#current_process)
     - [current_target](#current_target)
     - [current_user](#current_user)
     - [get_children](#get_children)
     - [get_node](#get_node)
     - [get_node_name](#get_node_name)
     - [is_node_contained_in](#is_node_contained_in)
     - [to_props](#to_props)
   - [Custom Functions](#custom-functions)
7. [Built-in PDP events](#built-in-pdp-events)
## Common Elements
### Nodes
A node element refers to a node in the NGAC graph. A node has a name, a type, and properties. A node can also be derived from a function.
```yaml
name:
type:
properties:
  - key: value
```
### Function
A function refers to a previously defined function that is supported by the Policy Machine Event Processing Point (EPP). A list of valid functions, as well as a tutorial on how to add functions, can be found [here](#functions).
_Example_
```yaml
function:
  name:
  args:
    - ""
    - function:
```
A function has a name and a list of arguments. The arguments are a list of string values or other functions.
## Obligation
There is one obligation per yaml file. An obligation can have zero or more rules.
```yaml
label:
rules:
```
- **_label_** *(required)* - A label to give the obligation.
- **_rules_** - Contains a set of zero or more rules.
## Rule
```yaml
label:
event:
response:
```
- **_label_** *(required)* - A label to give the rule. If one is not specified a random value will be used.
- **_event_** - The event pattern for this rule.
- **_response_** - The response to the event.
## Event Pattern
```yaml
event:
  subject:
  policyClass:
  operations:
  target:
```
The Event Pattern specifies an event involving the policy elements of the Policy Machine. An example is a user performing a read operation on an object. This is called an access event, which is the primary focus of obligations as described in the NGAC standard. An access event has four components: the subject, policy class, operations, and target. All of these are optional, but omitting each one has different consequences, which are described in the sections below.
While the Policy Machine focuses on access events, it is possible to extend the functionality of the Event Pattern to other events such as time. The [How to Extend the Event Pattern](#how-to-extend-the-event-pattern) section provides a tutorial on how this is possible with the Policy Machine.
### Subject
```yaml
subject:
  user:
  anyUser:
  process:
```
The subject specification can be a user, any user, any user from a set of users and/or user attributes, or a process. If the subject is omitted, then all events will match this component of an access event.
#### user
A user is identified by its name.
#### anyUser
```yaml
anyUser:
```
The `anyUser` element accepts an array of strings representing user names. If the element is empty then any user will match.
#### process
```yaml
process:
```
The `process` element accepts a number as a process ID.
_Example:_
```yaml
anyUser: # any user
###
anyUser: # u1 or u2
  - "u1"
  - "u2"
process: 12345
```
### Policy Class
```yaml
policyClass:
  anyOf:
  ---
  eachOf:
```
The policy class specification can specify a particular policy class with a given name, any policy class, any policy class from a set, all policy classes from a set, or all policy classes. Only one of `anyOf` and `eachOf` is allowed.
_Example_
```yaml
###
policyClass: # any policy class
###
policyClass: # PC1 or PC2
  anyOf:
    - "PC1"
    - "PC2"
###
policyClass: # PC1 and PC2
  eachOf:
    - "PC1"
    - "PC2"
```
### Operations
```yaml
operations:
  - "op"
```
The operations specification is a string array of operation names. Any event that matches an element of the array will match the operations event pattern.
_Example:_
```yaml
operations:
  - "read"
  - "write"
```
### Target
The target of an event can be one of the following:
- A specific policy element
```yaml
policyElements:
  - name: name
    type: type
```
- Any policy element
```yaml
policyElements:
```
Omitting `policyElements` has the same effect.
- Any policy element that is contained in other policy elements
```yaml
containers:
  - name:
    type:
  - name:
    type:
```
- Any policy element from a set of policy elements
```yaml
policyElements:
  - name: name
    type: type
  - name: name
    type: type
```
The precedence rules are:
- If both `policyElements` and `containers` are omitted, the target is "any policy element in any container".
- If `containers` is present, the target is "any policy element in the containers", regardless of whether `policyElements` is present.
- If only `policyElements` is present, the target is "any policy element from the list provided".
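To make the matching rules of the Subject, Policy Class, Operations and Target sections concrete, here is a small matcher that applies them to an already-parsed event pattern. This is an added example, not code from the project; the event dictionary layout (`user`, `process`, `policyClasses`, `operation`, `target`, `targetContainers`) is assumed, and where `containers` lists several nodes the code assumes that matching any one of them suffices, which the text above does not state.

```python
# Event-pattern matcher for the obligation syntax above (added example, not
# project code). The event dict layout and the "any one container" rule are assumptions.
def _key(node):
    return (node.get("name"), node.get("type"))

def match_subject(spec, ev):
    if not spec:                       # omitted subject matches every event
        return True
    if "user" in spec:
        return ev.get("user") == spec["user"]
    if "anyUser" in spec:              # empty anyUser means any user
        return not spec["anyUser"] or ev.get("user") in spec["anyUser"]
    if "process" in spec:
        return ev.get("process") == spec["process"]
    return True

def match_policy_class(spec, ev):
    if not spec:                       # omitted: any policy class
        return True
    if "anyOf" in spec and "eachOf" in spec:
        raise ValueError("only one of anyOf and eachOf is allowed")
    pcs = set(ev.get("policyClasses", []))
    if spec.get("anyOf"):
        return bool(pcs & set(spec["anyOf"]))
    if spec.get("eachOf"):
        return set(spec["eachOf"]) <= pcs
    return True                        # bare policyClass: any policy class

def match_operations(spec, ev):
    return not spec or ev.get("operation") in spec

def match_target(spec, ev):
    spec = spec or {}
    if spec.get("containers"):         # containers win even if policyElements is present
        wanted = {_key(c) for c in spec["containers"]}
        have = {_key(c) for c in ev.get("targetContainers", [])}
        return bool(wanted & have)     # assumption: any one listed container suffices
    if spec.get("policyElements"):     # any element from the list provided
        return _key(ev["target"]) in {_key(e) for e in spec["policyElements"]}
    return True                        # both omitted: any element in any container

def match_event(pattern, ev):
    return (match_subject(pattern.get("subject"), ev)
            and match_policy_class(pattern.get("policyClass"), ev)
            and match_operations(pattern.get("operations"), ev)
            and match_target(pattern.get("target"), ev))

# Constructed pattern: u1 or u2 reading or writing anything inside container1 under PC1
PATTERN = {"subject": {"anyUser": ["u1", "u2"]}, "policyClass": {"anyOf": ["PC1"]},
           "operations": ["read", "write"],
           "target": {"containers": [{"name": "container1", "type": "OA"}]}}
# Constructed access event: u1 reads object o1, which sits in container1 under PC1
EVENT = {"user": "u1", "policyClasses": ["PC1"], "operation": "read",
         "target": {"name": "o1", "type": "O"},
         "targetContainers": [{"name": "container1", "type": "OA"}]}
```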
## Response
A response is a series of conditional actions. A condition can also be applied to the response itself.
```yaml
response:
  condition:
  condition!:
  actions:
```
The **condition** and **condition!** elements can be used together. The actions are executed only if both are satisfied.
### Condition
A condition is a set of boolean expressions that if all evaluate to true, allow for a response or specific action to be executed.
```yaml
condition:
  - function:
  - function:
```
### Negated Condition
A negated condition is a set of boolean expressions that if all evaluate to false, allow for a response or specific action to be executed.
```yaml
condition!:
  - function:
  - function:
```
### Actions
Each individual action can have conditions that must be met for the action to be executed.
```yaml
actions:
  - condition:
    condition!:
    create:
  - condition:
    assign:
```
### Create Action
A create action creates one of the following:
- a set of rules
- a set of nodes
#### rules
```yaml
create:
  - label:
    event:
    response:
```
#### nodes
Create a single node and assign it to an already existing node in the graph. An array of commands is accepted to create
more than one node. **Functions are not allowed here**.
```yaml
create:
  - what:
      name: node1
      type: UA
    where:
      name: container1
      type: UA
```
### Assign Action
```yaml
assign:
  what:
  where:
```
An assign action takes two nodes, `what` and `where`. The node in `what` is assigned to the node in `where`.
### Grant Action
Associate the node in `subject` with the node in `target`.
```yaml
grant:
  subject:
  operations:
  target:
```
- `subject` is a node that will be the subject of the association.
- `operations` is an array of operations to add to the association.
- `target` is a node that will be the target of the association.
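A complete obligation that combines the elements documented above (event pattern, conditional response, assign and grant actions). This is an added example rather than one shipped with the project; the node names `u1`, `u2`, `PC1`, `project-docs`, `reviewed` and `reviewers` are made up, and the argument order of `is_node_contained_in` and the zero-argument form of `current_target` are assumptions, since their signatures are not documented on this page.

```yaml
# Added example (not project code). Node names are constructed; the
# is_node_contained_in argument order is assumed.
label: reviewer-access
rules:
  - label: on-write-mark-reviewed
    event:                      # u1 or u2 writes to anything inside project-docs under PC1
      subject:
        anyUser:
          - "u1"
          - "u2"
      policyClass:
        anyOf:
          - "PC1"
      operations:
        - "write"
      target:
        containers:
          - name: project-docs
            type: OA
    response:
      condition:                # only fire when the acting user is in the reviewers UA
        - function:
            name: is_node_contained_in
            args:
              - function:
                  name: current_user
              - "reviewers"
      actions:
        - assign:               # move the written object under the reviewed container
            what:
              function:
                name: current_target
            where:
              name: reviewed
              type: OA
        - grant:                # let reviewers read the object that was written
            subject:
              name: reviewers
              type: UA
            operations:
              - "read"
            target:
              function:
                name: current_target
```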
### Deny Action (Prohibition)
Deny a subject a set of operations on a set of target attributes. The subject can be a function, a process, or a node. The operations are an array of strings. The target of the deny can be the intersection of a set of containers, or the complement of the logical evaluation of the containers. Each container is identified by a name and type (properties are optional). If more than one node matches the provided name and type, all of them are taken into account. The complement of an individual container can be taken using the `complement` element. A deny also has a label that can be used to reference it later (e.g. to delete it).