Tuesday, October 13, 2015

Bulk Loading XACML Policies from File System with WSO2 Identity Server 5.1.0

Importing XACML policies from the file system is not a new feature for WSO2 Identity Server, but IS 5.0.0 was only capable of importing XACML policies one at a time from the file system, as shown in the screenshot below.

When migrating an existing server that has many XACML policies, this meant importing the policies one by one into the new system. With the IS 5.1.0 release, there is an option to load a set of XACML policies at server startup. This blog post provides a step by step guide for using the bulk loading feature of IS 5.1.0.

Note that this feature works only when no policies have been added to the Policy Administration Point (PAP) of the server. This is the case for a fresh download started for the first time; for any other server, you have to make sure that the PAP does not already contain any policies before enabling the feature.

As the first step, select all the XACML policies you need to load into the system and copy the policy files to the IS5.1.0_HOME/repository/resources/identity/policies/xacml/ directory.

Here I am copying 3 policy files. You can add as many as you wish.

The IS5.1.0_HOME/repository/resources/identity/policies/xacml/ directory already contains a sub-directory named default, which holds some sample XACML policy files. The two cases behave differently. If you enable this feature and start the server without copying any policy files into the xacml directory, the server adds all the sample policies from the default directory to the PAP, but those policies are not automatically published to the Policy Decision Point (PDP). If you enable this feature and start the server with your policy files copied into the xacml directory, those policies are added to the PAP and automatically published to the PDP as well, which means they are in force for policy evaluation as soon as the server is up. Review what is in that directory before starting the server, because everything in it becomes live policy.

The next step is to enable the feature in the entitlement.properties configuration file located in the IS5.1.0_HOME/repository/conf/identity/ directory.

The following two properties relate to this feature.
PAP.Policy.Add.Start.Enable=true
PAP.Policy.Add.Start.Policy.File.Path=<path to XACML policies here>

To enable the feature, set PAP.Policy.Add.Start.Enable to true. The PAP.Policy.Add.Start.Policy.File.Path property is optional and is commented out by default (with a # in front of the property). If it stays commented out and the feature is enabled, the XACML policies are loaded from the IS5.1.0_HOME/repository/resources/identity/policies/xacml/ directory. If you keep the policy files elsewhere on the file system, uncomment this property and set it to the absolute path of that directory.

After copying the XACML policy files and enabling the feature in the properties file, start the server and log in to the Management Console as admin.

Then go to Main -> Entitlement -> PAP -> Policy Administration, where you can see that the policies we copied to the xacml directory have been added to the PAP.

Then go to Main -> Entitlement -> PDP -> Policy View, where you can see that the policies loaded from the file system are already published to the PDP.
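As an added example, not code from the original post or from WSO2, here is a POSIX shell script that automates the file-system side of the steps above: it checks that each file is an XACML Policy or PolicySet document, refuses a set with a repeated policy id, copies the files into the xacml directory and switches PAP.Policy.Add.Start.Enable to true (optionally setting the file path property as well). The IS_HOME layout is the one given in this post; the sample policies, the entitlement.properties contents and the scratch IS_HOME are constructed here so the script runs offline, and the duplicate-id check is a precaution of my own rather than a documented server behaviour.

```shell
#!/bin/sh
# Added example (not WSO2 code): stage XACML policy files for bulk loading at
# startup and enable the feature in entitlement.properties.
# Assumed layout (from the post): IS_HOME/repository/conf/identity/entitlement.properties
# and IS_HOME/repository/resources/identity/policies/xacml/. The duplicate-id
# check is a precaution added here, not a documented server behaviour.
set -eu

# True if the file is an XACML <Policy> or <PolicySet> document.
is_xacml_policy() {
    grep -Eq '<(Policy|PolicySet)[[:space:]>]' "$1"
}

# First PolicyId / PolicySetId attribute in the file (empty if none).
policy_id() {
    sed -n 's/.*Policy\(Set\)\{0,1\}Id="\([^"]*\)".*/\2/p' "$1" | head -n 1
}

# Copy validated .xml files from $1 into the xacml directory of IS_HOME ($2)
# and print how many were copied. Non-policy files are skipped with a warning;
# a repeated policy id aborts the whole staging run.
stage_policies() {
    src="$1"; is_home="$2"
    dest="$is_home/repository/resources/identity/policies/xacml"
    mkdir -p "$dest"
    seen=" "; n=0
    for f in "$src"/*.xml; do
        [ -e "$f" ] || continue
        if ! is_xacml_policy "$f"; then
            echo "skipping $f: not an XACML policy" >&2
            continue
        fi
        id=$(policy_id "$f")
        [ -n "$id" ] || id=$(basename "$f")
        case "$seen" in
            *" $id "*) echo "duplicate policy id '$id' in $f" >&2; return 1 ;;
        esac
        seen="$seen$id "
        cp "$f" "$dest/"
        n=$((n + 1))
    done
    echo "$n"
}

# Set PAP.Policy.Add.Start.Enable=true and, if $2 is given, the policy file
# path, replacing any existing (possibly commented-out) definition of each.
enable_bulk_load() {
    is_home="$1"; path="${2:-}"
    props="$is_home/repository/conf/identity/entitlement.properties"
    tmp="$props.tmp"
    grep -Ev '^#?PAP\.Policy\.Add\.Start\.Enable=' "$props" > "$tmp" || true
    echo "PAP.Policy.Add.Start.Enable=true" >> "$tmp"
    if [ -n "$path" ]; then
        grep -Ev '^#?PAP\.Policy\.Add\.Start\.Policy\.File\.Path=' "$tmp" > "$tmp.2" || true
        echo "PAP.Policy.Add.Start.Policy.File.Path=$path" >> "$tmp.2"
        mv "$tmp.2" "$tmp"
    fi
    mv "$tmp" "$props"
}

# --- Constructed scratch IS_HOME and sample input so the script runs offline ---
IS_HOME=$(mktemp -d)
SRC=$(mktemp -d)
mkdir -p "$IS_HOME/repository/conf/identity"
printf '%s\n' 'PAP.Policy.Add.Start.Enable=false' \
    '#PAP.Policy.Add.Start.Policy.File.Path=' \
    > "$IS_HOME/repository/conf/identity/entitlement.properties"
NS='urn:oasis:names:tc:xacml:3.0:core:schema:wd-17'
ALG='urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides'
# Minimal constructed XACML 3.0 policy with one rule: write_policy <id> <effect>
write_policy() {
    printf '<Policy xmlns="%s" PolicyId="%s" Version="1.0" RuleCombiningAlgId="%s">\n' \
        "$NS" "$1" "$ALG" > "$SRC/$1.xml"
    printf '<Target/><Rule RuleId="r1" Effect="%s"/></Policy>\n' "$2" >> "$SRC/$1.xml"
}
write_policy allow-admins Permit
write_policy deny-guests Deny
# A request document is XACML but not a policy; it must be skipped.
printf '<Request xmlns="%s" ReturnPolicyIdList="false"/>\n' "$NS" > "$SRC/request.xml"

COPIED=$(stage_policies "$SRC" "$IS_HOME")
enable_bulk_load "$IS_HOME"
echo "staged $COPIED policies and enabled bulk loading under $IS_HOME"
```

To use it against a real installation, point IS_HOME at the server directory instead of the scratch one, with the server stopped and the PAP empty as described above; the server still has to be started afterwards for the load to happen, and everything that lands in the xacml directory becomes live policy once it is published to the PDP.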

If you have a server with some XACML policies already in the PAP and you enable this feature and restart the server, the policies are not loaded from the file system. For the file system load to happen, the PAP must contain no policies. One option is to delete the existing policies from the PAP, then enable the feature and restart the server; since the PAP is now empty, the policies are loaded from the file system. Export or back up the existing policies before deleting them, so that nothing is lost if the load does not go as planned. This feature is most useful in migrations, where you need to load all the existing XACML policies at once into the new system.

Note that this feature can load XACML policies from the file system only into the Super Tenant of the Identity Server, which is currently a limitation.

Tharindu Edirisinghe
Identity Server Team
