Every time an object is accessed, the ABAC policies are evaluated using the attributes relevant to the requesting session. Each policy is evaluated as a logical expression written in a limited Python syntax. The namespace available to the expression includes the following. Some attributes may be zero-length strings if they are not present in the current session. Some attributes also support the “dictlib.Obj” syntax, where you can write obj.name instead of obj['name']; for performance reasons, this is not available in all cases.

  • re – regular expression library (Python's re module)
  • rx() – shortcut for re.search
  • cert_cn – common name of the client SSL certificate (pending implementation)
  • user_name – the HTTP Basic Auth username (pending implementation)
  • ip – the client IP address (as a string)
  • token_nbr – the internal number of the authorized token
  • token_name – the name of the authorized token
  • http_headers – a dictionary containing the HTTP headers of the current session (dictlib.Obj dot parameter notation is available)
  • groups – a sub dictionary containing all of the available groups of tokens (dictlib.Obj dot parameter notation is available)
  • action – the action being performed (read, write)
  • sensitive – a boolean indicating whether the current access request is for sensitive data (i.e. data that must be decrypted). If a policy of this nature evaluates to false, the data element is not decrypted, but the overall object may still be returned.
  • obj_type – the type of object (config, instance, service, etc.)
  • obj – the object in question
  • pwin(password, group) – true if password matches any of the hashes in the designated group object

There are two data elements that are used to define a complete ABAC scenario for an object:

  • The Policy – where the access expression is defined
  • The Policy Scope – an object that defines how the policy is matched to other objects

The Policy Scope is a separate expression that is used to limit policies to specific data.

Policies should focus on data unique to the session, not the object, whereas Policy Scopes should focus on the object itself. Scope expressions are evaluated whenever an object changes, whereas Policy expressions are evaluated whenever an object is accessed.

Example Policy Expressions:

    token_name == "master"     # the master user (i.e. root)
    rx(r'^10\.0', ip)
    token_name in groups.dev_team
    token_name in groups.dev_team and sensitive == True and rx(r'^10\.0', ip)

Example Scope Expressions:

    obj['name'][:3] == "res"
    obj_type == "config"
    rx("-common-", obj.name)
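The evaluation model described above, as an added example (not the project's own code): a restricted evaluator that builds the documented namespace from a constructed session and object, rejects any syntax outside a small AST allow-list before evaluating, and runs the expression with builtins removed. The `Obj` class is a minimal stand-in for dictlib.Obj, and the sha256 hash format used by `pwin` is an assumption.

```python
import ast
import hashlib
import hmac
import re

class Obj(dict):  # minimal stand-in for dictlib.Obj (assumption): obj.name reads obj['name']
    def __getattr__(self, name):
        return self[name]

ALLOWED_NODES = (  # syntax an expression may use; imports, lambdas, comprehensions are rejected
    ast.Expression, ast.BoolOp, ast.And, ast.Or, ast.UnaryOp, ast.Not, ast.Compare, ast.Eq,
    ast.NotEq, ast.In, ast.NotIn, ast.Lt, ast.LtE, ast.Gt, ast.GtE, ast.Name, ast.Load,
    ast.Constant, ast.Attribute, ast.Subscript, ast.Slice, ast.Call, ast.Tuple, ast.List)

def check_expr(expr):
    """Parse expr and reject anything outside the allowed subset (Python 3.9+ AST shapes)."""
    tree = ast.parse(expr, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            raise ValueError("disallowed syntax: " + type(node).__name__)
        name = getattr(node, "attr", None) or getattr(node, "id", None)
        if name and name.startswith("_"):  # blocks __class__ / __import__ style escapes
            raise ValueError("underscore names are not allowed: " + name)
    return tree

def pwin(password, group):
    """True if sha256(password) matches any hash in the group (hash format is an assumption)."""
    digest = hashlib.sha256(password.encode()).hexdigest()
    return any(hmac.compare_digest(digest, h) for h in group)

def build_namespace(session, obj_type, obj):
    """Assemble the documented namespace; attributes missing from the session become ''."""
    get = lambda key, default="": session.get(key, default)
    return {"re": re, "rx": re.search, "pwin": pwin,
            "cert_cn": get("cert_cn"), "user_name": get("user_name"), "ip": get("ip"),
            "token_nbr": get("token_nbr", 0), "token_name": get("token_name"),
            "http_headers": Obj(get("http_headers", {})), "groups": Obj(get("groups", {})),
            "action": get("action", "read"), "sensitive": get("sensitive", False),
            "obj_type": obj_type, "obj": Obj(obj)}

def evaluate(expr, namespace):
    """Evaluate a policy or scope expression to a bool with all builtins removed."""
    tree = check_expr(expr)
    return bool(eval(compile(tree, "<policy>", "eval"), {"__builtins__": {}}, namespace))

SESSION = {  # constructed sample session matching the example expressions in the docs
    "ip": "10.0.4.7", "token_nbr": 42, "token_name": "alice", "sensitive": True,
    "groups": {"dev_team": ["alice", "bob"], "deploy_pw": [hashlib.sha256(b"s3cret").hexdigest()]}}
NS = build_namespace(SESSION, "config", {"name": "res-common-db"})
```

With this session, the documented policy examples other than `token_name == "master"` evaluate true, and all three scope examples match the constructed object.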
