
ABAC

What is the ABAC model?

ABAC stands for Attribute-Based Access Control. It means that access control can be configured using the attributes of the subject, the object, or the action. You have probably heard of XACML, a complex ABAC access control language. Compared with XACML, Casbin's ABAC is very simple: in an ABAC model, you can build the model from struct (or class, depending on the programming language) instances instead of plain strings.

ABAC model example:

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = r.sub == r.obj.Owner

In the matcher, r.obj.Owner is used instead of r.obj. The r.obj passed to the Enforce() function can be a struct (or class) instance rather than a string. Casbin uses reflection to extract the member variables from the obj struct (or class) instance.

Here, the struct (or class) declaration for r.obj is as follows:

type testResource struct {
	Name  string
	Owner string
}

How to use ABAC

In short, using ABAC requires the following two things:

  1. Use the attributes in the matcher expression.
  2. Pass the struct (or class) instance as an argument to Casbin's Enforce() function.
danger

Currently, only request elements like r.sub, r.obj, r.act and so on support ABAC. You cannot use it on policy elements like p.sub, because there is no way to declare a struct (or class) in a Casbin policy.

tip

You can use multiple ABAC attributes in a matcher, for example: m = r.sub.Domain == r.obj.Domain.

tip

If you need to use a comma in a policy, it conflicts with the CSV separator and must be escaped. Because Casbin parses the policy file with a CSV library, you can surround the statement with quotation marks. For example, "keyMatch("bob", r.sub.Role)" will not be split.

Scaling the model for a large number of complex ABAC rules

The ABAC implementation above is very simple at its core, but an authorization system often needs a very large number of complex ABAC rules. Expressing them as above would make the model extremely verbose, so it is wise to put the rules in the policy instead of in the model. This is done by introducing an eval() functional construct. Below is an example of how to manage such ABAC models.

This is the definition of the CONF file used to define the ABAC model:

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub_rule, obj, act

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = eval(p.sub_rule) && r.obj == p.obj && r.act == p.act

Here, p.sub_rule refers to a struct or class (a user-defined type) that carries the attributes the policy needs.

This is the policy used against the model for enforcement. The object instance passed to eval() as a parameter can now be used to define ABAC constraints:

p, r.sub.Age > 18, /data1, read
p, r.sub.Age < 60, /data2, write
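Both mechanics above, reading r.obj.Owner off a struct by reflection and evaluating the p.sub_rule column against r.sub, as an added stand-alone Go illustration; this is not Casbin's own code. It assumes a hypothetical user type with an Age field and a mini enforcer that only understands the "r.sub.<Field> <op> <int>" comparisons shown in the policy rows, whereas Casbin's real eval() handles full expressions.

```go
package main

import (
	"reflect"
	"strconv"
	"strings"
)

// testResource is the page's struct (the matcher reads r.obj.Owner); user is an assumed subject type (r.sub.Age).
type testResource struct{ Name, Owner string }
type user struct{ Age int }
type policy struct{ SubRule, Obj, Act string }

// attr reads an exported struct field by name via reflection, as Casbin resolves r.obj.Owner or r.sub.Age.
func attr(v interface{}, field string) (interface{}, bool) {
	rv := reflect.Indirect(reflect.ValueOf(v))
	if rv.Kind() != reflect.Struct || !rv.FieldByName(field).IsValid() {
		return nil, false // not a struct, or no such field: the attribute is simply absent
	}
	return rv.FieldByName(field).Interface(), true
}

// ownerMatch is the first model's matcher, m = r.sub == r.obj.Owner: a subject only reaches objects it owns.
func ownerMatch(sub string, obj interface{}) bool {
	owner, ok := attr(obj, "Owner")
	return ok && owner == sub
}

// evalSubRule covers the eval(p.sub_rule) shape used on this page, "r.sub.<Field> <op> <int>"; any other shape denies.
func evalSubRule(rule string, sub interface{}) bool {
	p := strings.Fields(rule)
	if len(p) != 3 || !strings.HasPrefix(p[0], "r.sub.") {
		return false
	}
	raw, ok := attr(sub, strings.TrimPrefix(p[0], "r.sub."))
	lhs, isInt := raw.(int)
	rhs, err := strconv.Atoi(p[2])
	return ok && isInt && err == nil &&
		((p[1] == ">" && lhs > rhs) || (p[1] == "<" && lhs < rhs) || (p[1] == "==" && lhs == rhs))
}

// enforce mirrors m = eval(p.sub_rule) && r.obj == p.obj && r.act == p.act under some(where (p.eft == allow)).
func enforce(policies []policy, sub interface{}, obj, act string) bool {
	for _, p := range policies {
		if evalSubRule(p.SubRule, sub) && p.Obj == obj && p.Act == act {
			return true // one allowing row is enough; nothing matched means deny
		}
	}
	return false
}
```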