XACML-MULTIDOMAIN project source code files are made avaialable under the Apache License, Version 2.0 (Apache-2.0), located into the LICENSE file.
This element corresponds to the implementation of the XACML framework. It comprises:
-
Policy Administration Point (PAP) which is responsible for managing the authorisation policies (XACML) of multiple domains which are defined according to a triplet (subject, resource, action). It is made up of two developments:
- a Frontend, that offers a Graphic User Interface (GUI), is in VueJS version (Javascript framework).
- a Backend is in Python version, accessible by the Frontend via an Application Programming Interface (API).
-
Policy Decision Point (PDP), in Python version, responsible for issuing possitive/negative verdicts whenever an authorisation request is received.
This project consist on the next files/folders:
-
XACML_DATA: Contains the data stored by the PAP-Backend (XACML authorisation policies XACML).
-
xacml-pap-frontend: Offers a web environment to manage XACML authorisation policies XACML which are based on subjects, actions and resources and policies (PAP-Frontend).
-
xacml-pap-backend: Offers an API that allows to store the configuration defined by the security administrator (XACML authorisation policies) in the PAP-Frontend (PAP-Backend).
-
XACML_PDP_PYTHON: Offers an endpoint to verify if a subject can perform an action over a specific resource through XACML authorisation policies (PDP). (DEPRECATED - It provides also the endpoint to obtain the attribute list required to define the presentation required in scenarios where a verifier credentials element is present).
Files to deploy the component:
-
docker-compose.yml: To deploy all the components (PAP and PDP).
-
.env: Configuration file for environment variables of PAP and PDP.
-
File to monitor.
- monitor_PAP_Backend.sh: To test if the PAP-Backend component is running or not.
- monitor_PAP_Frontend.sh: To test if the PAP-Frontend component is running or not.
- monitor_PDP_Py.sh: To test if the PDP component (Python) is running or not.
-
File to clean docker logs.
- deleteLogs.sh: To clean logs of the component (registered and used by docker). NOTE: This script remove the logs of all dockerized services present in the machine not only the logs of XACML Framework.
To run this component is neccessary to install the docker-compose tool.
https://docs.docker.com/compose/install/
Review the contain of .env and docker-compose.yml to configure the execution. Focusing on .env file, which contains the environment variables of the different elements:
-
Replace
<rest-api_ip>with theIPwhere the REST API server is deployed in the.envfile. -
Replace
<REST-API_IP>in the PDP.py file with the IP where the REST-API server is deployed.
After the review of the configuration files of the How to deploy section, the next step is to obtain the docker images. To do this:
docker-compose buildFinally, to launch images:
docker-compose up -dXACML-PAP, as mentioned above, it’s a GUI for managing XACML policies (configuration), it’s not interfering in the obtaining authorisation requests verdict.
Before defining attributes and policies, a domain must be created or selected. The domain is free to align with different concepts like host, virtual machine, partner, application, service, etc... it depends on the high-level concept chosen to create different XACML authorization policies. Clicking "Create new domain" will allow you to create and include a new domain in the selector element of the "Domain panel".
For testing the 'fluidos-idm' functionality, create the domain fluidosOpencall
Once the domain is choosen or created, click “Manage Attributes” button (Administration panel) to define the resources, actions and subjects. To save click “Save All Attributes” and “Back”.
For testing the 'fluidos-idm' functionality, create the following attributes:
-
Resource: create the resource
https://<pepproxy_ip>:1027/fluidos/idm/.*on theType Resource Namefield. Do not modify theType Resource IDfield. -
Action: create the action
POSTon theType Action Namefield. Do not modify theType Action IDfield. -
Subject: create the subject
FluidosNodeon theType Subject Namefield. Selecturn:ietf:params:scim:schemas:core:2.0:idon theType Subject IDfield.
Finally, click “Manage Policies” button (Administration panel) to define the policies. Here you can see all attributes defined previously. In this page you must define Policies and into them rules. Each rule can link resources, actions and subjects and establish if this combination is “Permit” or “Deny”.
For testing the 'fluidos-idm' functionality, create the following policy and rule:
- To test if containers are running:
docker ps -asThe system must return that the status of the containers is up.
- To show the XACML-PAP-Backup container logs.
docker-compose logs -f xacml-pap-backend- To show the XACML-PAP-Frontend container logs.
docker-compose logs -f xacml-pap-frontend- To show the PDP (Python) container logs.
docker-compose logs -f xacml-pdpIf the certificates were renovated and "PDP_Protocol"="https", you need to refresh them in PDP service (Python). Once certificate files are ubicated at the corresponding folder following prerequisites indications, access to the project directory and run:
docker-compose restart xacml-pdpTo solve it automatically, you must add something like this in the crontab, to restart the component each 4 hours:
0 0,4,8,12,16,20 * * * cd {{projectFolder}}; docker-compose restart xacml-pdp
RECOMMENDED, monitor each minute, through crontab, if several security components are running:
#To monitor PAP-Backend.
* * * * * cd {{projectFolder}}; ./monitor_PAP_Backend.sh >> nohup_PAP_Backend.out 2>&1
#To monitor PAP-Frontend.
* * * * * cd {{projectFolder}}; ./monitor_PAP_Frontend.sh >> nohup_PAP_Frontend.out 2>&1
#To monitor PDP (Python).
* * * * * cd {{projectFolder}}; ./monitor_PDP_Py.sh >> nohup_PDP_Py.out 2>&1
NOTE: Before configure it, be sure to define:
- {{Protocol}}://{{IP}}
- {{projectPath}}
RECOMMENDED, to prevent PDP (Python) logs from filling up the hard drive include in crontab to clean the logs periodically. --> Logs stored in the container of PDP (Python).
#To remove PDP (Phyton) logs.
0 0 * * 6 cd {{projectFolder}}; cat /dev/null > pdp.log
RECOMMENDED, to prevent XACML logs from filling up the hard drive include in crontab to clean the logs periodically. --> Logs stored by docker technology related to services.
NOTE: This script remove the logs of all dockerized services present in the machine not only the logs of XACML.
# Assign permissions
sudo chmod 755 deleteLogs.sh
# Copy to /usr/bin
sudo su
cd /usr/bin/
cp {{projectFolder}}/deleteLogs.sh ./
# Configure schedule in /etc/crontab
cd /etc
vi crontab
# Add this line
0 0 * * 6 root /usr/bin/deleteLogs.sh
Access to PAP through a web explorer to http://localhost:9091/pap/. You will see the main webpage of the PAP service.