Difference between revisions of "GVPolicy"

From GreenVulcano Wiki
Jump to: navigation, search
(Description)
 
(3 intermediate revisions by 2 users not shown)
Line 3: Line 3:
 
GVPolicy element defines the configuration of the {{GVESB}} ACL Policy framework.
 
GVPolicy element defines the configuration of the {{GVESB}} ACL Policy framework.
  
An access control list (ACL),in {{GVESB}}, define a set of authorizations attached to a {{GVESB}} services.
+
An access control list (ACL) defines a set of authorization constraints attached to a {{GVESB}} services.
When a subject requests an invocation of {{GVESB}} service in an ACL-based security model, {{GVESB}} first checks the ACL for an applicable entry to decide whether the requested operation is authorized. When you create a service, you can configure your service access control list for a specific role, a subnet or a specific ip.
+
When a client invoke a {{GVESB}} service in an ACL-based security model, the ESB first checks the ACL for an  
 +
applicable entry to decide whether the requested operation is authorized.
 +
When you create a service, you can configure its access control list for a specific combination of roles, client subnet  
 +
or client specific IP.
  
 
=={{GVESB}} Configuration==
 
=={{GVESB}} Configuration==
Line 22: Line 25:
 
* [[Description]]
 
* [[Description]]
 
* [[#Roles|Roles]]
 
* [[#Roles|Roles]]
 +
* [[#Addresses|Addresses]]
 
* [[#ACLGreenVulcano|ACLGreenVulcano]]
 
* [[#ACLGreenVulcano|ACLGreenVulcano]]
  
 
===Roles===
 
===Roles===
  
This element defines the roles to be used in ACL configuration.
+
This element defines the [[#Role|Roles]] to be used in ACL configuration.  
Might contain more [[#Role|Role]] elements.
 
  
 
====Role====
 
====Role====
 +
Defines a policy role.
  
 
Its attributes are:
 
Its attributes are:
Line 36: Line 40:
 
|-
 
|-
 
| name || required || Role name
 
| name || required || Role name
 +
|}
 +
 +
Its subelements are:
 +
* [[Description]]
 +
 +
===Addresses===
 +
 +
This element defines the [[#AddressSet|AddressSet]] to be used in ACL configuration.
 +
 +
====AddressSet====
 +
Defines a policy list of IP or sub-nets.
 +
 +
Its attributes are:
 +
{|class="gvtable"
 +
! Attribute !! Type !! Description
 +
|-
 +
| name || required || AddressSet name
 +
|}
 +
 +
Its subelements are:
 +
* [[Description]]
 +
* [[#Address|Address]]
 +
 +
=====Address=====
 +
 +
Its attributes are:
 +
{|class="gvtable"
 +
! Attribute !! Type !! Description
 +
|-
 +
| address || required || IP or sub-net mask
 
|}
 
|}
  
Line 58: Line 92:
 
====DefaultRes====
 
====DefaultRes====
  
This element defines a default ACL definition.
+
This element defines a default ACL definition, to be applied to all Services.
  
 
The following table shows its attributes:
 
The following table shows its attributes:
Line 69: Line 103:
 
Its subelements are:
 
Its subelements are:
 
* [[Description]]
 
* [[Description]]
* [[IdentityCondition#ACL|ACL]]
+
* [[#ACL|ACL]]
  
 
====ServiceRes====
 
====ServiceRes====
  
This elements defines a GVCore group/service/operation ACL definition.
+
This elements defines a GVCore Group/Service/Operation ACL definition.
  
 
The following table shows its attributes:
 
The following table shows its attributes:
Line 81: Line 115:
 
| type || fixed || "resource"
 
| type || fixed || "resource"
 
|-
 
|-
| group || required || Group name.
+
| group || required|optional || Group name.
 
|-
 
|-
| service || required || Service name.
+
| service || required|optional || Service name.
 
|-
 
|-
| operation || required || Operation name.
+
| operation || required|optional || Operation name.
 
|}
 
|}
  
 
Its subelements are:
 
Its subelements are:
 
* [[Description]]
 
* [[Description]]
* [[IdentityCondition#ACL|ACL]]
+
* [[#ACL|ACL]]
 +
 
 +
===ACL===
 +
This element defines a resource/condition [http://en.wikipedia.org/wiki/Access_control_list ACL] (Access Control List).
 +
 
 +
Its subelements are:
 +
* [[#RoleRef|RoleRef]]
 +
* [[#AddressSetRef|AddressSetRef]]
 +
 
 +
====RoleRef====
 +
Defines an ACL role reference.
 +
The following table shows its attributes:
 +
{|class="gvtable"
 +
! Attribute !! Type !! Description
 +
|-
 +
| name || required || Point to a [[#Role|Role]] definition
 +
|}
 +
 
 +
 
 +
====AddressSetRef====
 +
Defines an ACL address set reference.
 +
The following table shows its attributes:
 +
{|class="gvtable"
 +
! Attribute !! Type !! Description
 +
|-
 +
| name || required || Point to a [[#AddressSet|AddressSet]] definition
 +
|}
 +
 
  
 
{{VOTE}}
 
{{VOTE}}

Latest revision as of 11:02, 2 January 2015

Description

GVPolicy element defines the configuration of the GreenVulcano® ESB ACL Policy framework.

An access control list (ACL) defines a set of authorization constraints attached to a GreenVulcano® ESB services. When a client invoke a GreenVulcano® ESB service in an ACL-based security model, the ESB first checks the ACL for an applicable entry to decide whether the requested operation is authorized. When you create a service, you can configure its access control list for a specific combination of roles, client subnet or client specific IP.

GreenVulcano® ESB Configuration

Configuring GVPolicy with Vulcon

Element GVPolicy belongs to GVCore and it is visualized from the VulCon® Core View.

The following table shows the GVPolicy attributes:

Attribute Type Description
type fixed This attribute must assume the value module.
name fixed This attribute must assume the value POLICY_MANAGER.

Its subelements are:

Roles

This element defines the Roles to be used in ACL configuration.

Role

Defines a policy role.

Its attributes are:

Attribute Type Description
name required Role name

Its subelements are:

Addresses

This element defines the AddressSet to be used in ACL configuration.

AddressSet

Defines a policy list of IP or sub-nets.

Its attributes are:

Attribute Type Description
name required AddressSet name

Its subelements are:

Address

Its attributes are:

Attribute Type Description
address required IP or sub-net mask

ACLGreenVulcano

ACLGreenVulcano is the implementation that associates an ACL to a resource (ex. a GreenVulcano® ESB service)

The following table shows its attributes:

Attribute Type Description
type fixed This attribute must assume the value acl-manager
class fixed This attribute must assume the value it.greenvulcano.gvesb.policy.impl.ACLGreenVulcano

Its subelements are:

DefaultRes

This element defines a default ACL definition, to be applied to all Services.

The following table shows its attributes:

Attribute Type Description
type fixed "resource"

Its subelements are:

ServiceRes

This elements defines a GVCore Group/Service/Operation ACL definition.

The following table shows its attributes:

Attribute Type Description
type fixed "resource"
group optional Group name.
service optional Service name.
operation optional Operation name.

Its subelements are:

ACL

This element defines a resource/condition ACL (Access Control List).

Its subelements are:

RoleRef

Defines an ACL role reference. The following table shows its attributes:

Attribute Type Description
name required Point to a Role definition


AddressSetRef

Defines an ACL address set reference. The following table shows its attributes:

Attribute Type Description
name required Point to a AddressSet definition


{{#w4grb_rate:}} <w4grb_ratinglist latestvotes items="5" nosort/>