Difference between revisions of "GVPolicy"

From GreenVulcano Wiki

Latest revision as of 11:02, 2 January 2015

Description

The GVPolicy element defines the configuration of the GreenVulcano® ESB ACL Policy framework.

An access control list (ACL) defines a set of authorization constraints attached to GreenVulcano® ESB services. When a client invokes a GreenVulcano® ESB service in an ACL-based security model, the ESB first checks the ACL for an applicable entry to decide whether the requested operation is authorized. When you create a service, you can configure its access control list for a specific combination of roles, client subnet or client-specific IP.

GreenVulcano® ESB Configuration

Configuring GVPolicy with Vulcon

The GVPolicy element belongs to GVCore and is displayed in the VulCon® Core View.

The following table shows the GVPolicy attributes:

Attribute   Type     Description
type        fixed    This attribute must assume the value module.
name        fixed    This attribute must assume the value POLICY_MANAGER.

Its subelements are:

* Description
* Roles
* Addresses
* ACLGreenVulcano

Roles

This element defines the Roles to be used in ACL configuration.

Role

Defines a policy role.

Its attributes are:

Attribute   Type       Description
name        required   Role name

Its subelements are:

* Description

Addresses

This element defines the AddressSet to be used in ACL configuration.

AddressSet

Defines a policy list of IP or sub-nets.

Its attributes are:

Attribute   Type       Description
name        required   AddressSet name

Its subelements are:

* Description
* Address

Address

Its attributes are:

Attribute   Type       Description
address     required   IP or sub-net mask

ACLGreenVulcano

ACLGreenVulcano is the implementation that associates an ACL with a resource (e.g. a GreenVulcano® ESB service).

The following table shows its attributes:

Attribute   Type     Description
type        fixed    This attribute must assume the value acl-manager
class       fixed    This attribute must assume the value it.greenvulcano.gvesb.policy.impl.ACLGreenVulcano

Its subelements are:

* DefaultRes
* ServiceRes

DefaultRes

This element defines a default ACL definition, to be applied to all Services.

The following table shows its attributes:

Attribute   Type     Description
type        fixed    "resource"

Its subelements are:

* Description
* ACL

ServiceRes

This element defines a GVCore Group/Service/Operation ACL definition.

The following table shows its attributes:

Attribute   Type       Description
type        fixed      "resource"
group       optional   Group name.
service     optional   Service name.
operation   optional   Operation name.

Its subelements are:

* Description
* ACL

ACL

This element defines a resource/condition ACL (Access Control List).

Its subelements are:

* RoleRef
* AddressSetRef

RoleRef

Defines an ACL role reference. The following table shows its attributes:

Attribute   Type       Description
name        required   Points to a Role definition


AddressSetRef

Defines an ACL address set reference. The following table shows its attributes:

Attribute   Type       Description
name        required   Points to an AddressSet definition
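The following is an added example, not GreenVulcano code, that ties together the elements described on this page (GVPolicy, Roles/Role, Addresses/AddressSet/Address, ACLGreenVulcano, DefaultRes, ServiceRes, ACL, RoleRef, AddressSetRef). The sample XML is constructed from the element and attribute names documented above; the nesting of those elements, the lookup rule (the ServiceRes that sets the most matching attributes wins, otherwise DefaultRes applies) and the rule that a caller must satisfy both a RoleRef and an AddressSetRef when an ACL lists both are assumptions made for the illustration, not documented GreenVulcano behaviour. The code loads the configuration, resolves every RoleRef and AddressSetRef against the declared Roles and AddressSets at load time, and answers an authorization question for a Group/Service/Operation given the caller's roles and IP address.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample configuration. Element/attribute names follow the page;
# the nesting is an assumption of this example, not the GreenVulcano schema.
SAMPLE_CONFIG = """\
<GVPolicy type="module" name="POLICY_MANAGER">
  <Roles>
    <Role name="admin"/>
    <Role name="reader"/>
  </Roles>
  <Addresses>
    <AddressSet name="intranet">
      <Address address="10.0.0.0/8"/>
      <Address address="192.168.1.25"/>
    </AddressSet>
  </Addresses>
  <ACLGreenVulcano type="acl-manager"
                   class="it.greenvulcano.gvesb.policy.impl.ACLGreenVulcano">
    <DefaultRes type="resource">
      <ACL>
        <RoleRef name="admin"/>
      </ACL>
    </DefaultRes>
    <ServiceRes type="resource" group="CRM" service="GetCustomer">
      <ACL>
        <RoleRef name="reader"/>
        <AddressSetRef name="intranet"/>
      </ACL>
    </ServiceRes>
  </ACLGreenVulcano>
</GVPolicy>
"""


class PolicyError(ValueError):
    """Raised when a RoleRef or AddressSetRef points to an undefined name."""


class Policy:
    """Illustrative evaluator for a GVPolicy-style configuration (assumed semantics)."""

    def __init__(self, xml_text):
        root = ET.fromstring(xml_text)
        self.roles = {r.get("name") for r in root.iter("Role")}
        # Each Address is an IP or a sub-net; a bare IP becomes a /32 (or /128) network.
        self.address_sets = {
            aset.get("name"): [ipaddress.ip_network(a.get("address"), strict=False)
                               for a in aset.iter("Address")]
            for aset in root.iter("AddressSet")
        }
        manager = root.find("ACLGreenVulcano")
        self.default_acl = self._parse_acl(manager.find("DefaultRes"))
        self.service_acls = [
            ((res.get("group"), res.get("service"), res.get("operation")), self._parse_acl(res))
            for res in manager.findall("ServiceRes")
        ]

    def _parse_acl(self, res):
        """Return (role_names, address_set_names) for the ACL under res, or None if absent."""
        acl = res.find("ACL") if res is not None else None
        if acl is None:
            return None
        roles = [r.get("name") for r in acl.findall("RoleRef")]
        sets = [s.get("name") for s in acl.findall("AddressSetRef")]
        # Fail closed at load time: a dangling reference must not be discovered per request.
        for name in roles:
            if name not in self.roles:
                raise PolicyError(f"RoleRef {name!r} does not point to a Role")
        for name in sets:
            if name not in self.address_sets:
                raise PolicyError(f"AddressSetRef {name!r} does not point to an AddressSet")
        return roles, sets

    def _select_acl(self, group, service, operation):
        # Assumption: a ServiceRes applies when every attribute it sets equals the
        # request's value; the one setting the most attributes wins; else DefaultRes.
        request = (group, service, operation)
        candidates = [
            (sum(p is not None for p in pattern), acl)
            for pattern, acl in self.service_acls
            if all(p is None or p == r for p, r in zip(pattern, request))
        ]
        return max(candidates, key=lambda c: c[0])[1] if candidates else self.default_acl

    def is_authorized(self, group, service, operation, caller_roles, caller_ip):
        acl = self._select_acl(group, service, operation)
        if acl is None:
            return False  # no applicable entry: deny
        role_refs, set_refs = acl
        if not role_refs and not set_refs:
            return False  # an empty ACL authorizes nobody
        ip = ipaddress.ip_address(caller_ip)
        role_ok = not role_refs or bool(set(caller_roles) & set(role_refs))
        addr_ok = not set_refs or any(ip in net for name in set_refs
                                      for net in self.address_sets[name])
        return role_ok and addr_ok  # assumption: both constraints must hold


if __name__ == "__main__":
    policy = Policy(SAMPLE_CONFIG)
    print(policy.is_authorized("CRM", "GetCustomer", None, ["reader"], "10.1.2.3"))      # True
    print(policy.is_authorized("CRM", "GetCustomer", None, ["reader"], "203.0.113.9"))   # False
    print(policy.is_authorized("Billing", "Invoice", "create", ["admin"], "203.0.113.9"))  # True
```

Resolving references when the policy is loaded, rather than when a request arrives, means a typo in a RoleRef or AddressSetRef is caught at startup instead of silently changing the decision for live traffic; the evaluator otherwise denies whenever no entry applies or an ACL lists nothing.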
