/identity-authz-apl

Attribute-based access control (ABAC), also known as policy-based access control, defines an access control paradigm whereby access rights are granted to users through the use of policies which reason over data in attributes. The policies can use any type of attributes (user attributes, resource attributes, object, environment attributes etc.). Read more here - https://en.wikipedia.org/wiki/Attribute-based_access_control ABAC Policy Language is used by ABAC to author policies. A policy consists of rules, which have "when" conditions and "then" actions. Policies are executed in a bounded time, goaled to reach a decision as quickly as possible in deterministic, fast and reliable way. Further light-weight execution consumes minimal resources.

Primary LanguageJavaMIT LicenseMIT

ABAC Policy Language

Build Status Coverage Maven Central

All Contributors

Secure, fast and reliable policies are protecting your resources

Here is a medium article to get you started in 3mins. This example is also part of unit tests - com.intuit.apl.DoctorPatientTest.

Attribute-based access control (ABAC), also known as policy-based access control, defines an access control paradigm whereby access rights are granted to users through the use of policies which combine attributes together. The policies can use any type of attributes (user attributes, resource attributes, object, environment attributes etc.). Read more here - https://en.wikipedia.org/wiki/Attribute-based_access_control

ABAC Policy Language is used by ABAC to author policies. A policy consists of rules, which have "when" conditions and "then" actions. Policies are executed in a bounded time, goaled to reach a decision as quickly as possible in deterministic, fast and reliable way. Further light-weight execution consumes minimal resources.

Hello World

Can a user (Subject) access a report in a given flavour of product?

Let us use ABAC to decide that.

A simple rule allowing admin, standard user or bookkeeper to access the report in a particular flavour of product could be written like this,

rule: CustomDetailedReportQBOPlus #comment ...
description: Allow CustomDetailedReport for QBO Plus
salience: 1
when:
  - containsAnyIgnoreCase({"admin", "user", "bookkeeper"}, sub["role"])
  - env["product"] == "QBO"
  - env["sku"] == "PLUS"
  - res["id"] == "CustomDetailedReport"
then:
  - decision=permit

This rule has multiple parts. It has a name and description. Salience lets it run at priority. Two conditions in "when" check whether suk of the product is PLUS and if resource id is "CustomDetailedReport", i.e. the resource on which access is requested.

When both the conditions are true, rule is said to fire. On firing of rule, action statements in rule are executed. Here action is to set a deny decision. Once a decision is reached APL engine aborts further rule evaluation.

This project demonstrates how the clients can use standalone policy engine.

How to use

Include maven dependency for apl,

    <dependency>
      <groupId>com.intuit.apl</groupId>
      <artifactId>apl-core</artifactId>
      <version>0.23</version>
    </dependency>

The latest release is 0.23.

How to run sample helloworld

cd samples/helloworld

Build it

mvn clean install

Run it

mvn exec:java -Dexec.mainClass=com.sample.apl.HelloWorld

Features

  • Domain Specific Language for policies for ABAC. Conditions are based on attributes, actions can provide decisions and obligations only. No arbitrary logic allowed like network calls, DB access, complex computation.
  • Policies take micro-seconds to give answers and consume less than a kb of heap.
  • Support for functions, attributes
  • Optimized execution, evaluates repeating conditions only once per execution. RETE based algorithm. Stops when a decision is reached.
  • Supports salience in rules. This allows higher priority rules to first get a chance to fire.
  • Ability to explain an execution. You wrote a policy, want to know how a certain decision was made, how a rule got fired, explain can give insights into execution and good troubleshooting information on rules.
  • Quota for policies. Lengthy and slow policies can hog resources. Quota based system ensures that this is not allowed and execution is bounded.
  • Support modularity. Define policies in packages and import them.
  • Supports multiple policy files for a single resource decision making. Easy to combine policies as they are rule based. ABAC allows resource hierarchies where policies for parent resource are also included in decision making.
  • Rules that always evaluate to true or false are detected and highlighted.
  • Inconsistent rules are detected and highlighted.
  • Variables can be used in conditions after values are assigned. Variables are accessed by using $ before a variable.
  • 3 kinds of rules - deny, permit and default rules. Deny rules should have salience higher than permit, which should be higher than default. Also, only one default rule expected. Engine warns on violations.
Drools APL
Type General purpose, feature rich Domain specific for ABAC
Execution time ~1ms ~20 μs
Heap per execution 130 KB <1KB
Jar size >5MB 45KB (+280KB SPEL, +250KB YAML)

Upcoming features

  • Compile the policies for even faster execution.

Details

Sample rule file

Another sample rule file

Source code for main Java class

Explain

APL engine can be asked to explain a policy execution. This explanation provides insights into the policy. Below is a sample explaination.

APL Explain :

Inputs:

     Subject:                role -> admin,        
     Resource:               id -> CustomDetailedReport,        
     Action:                 name -> execute,       
     Environment:            product -> QBO, sku -> BASIC,       


Variables:
   
    Number of varaibles: 16
    
    product
    role
    bookkeeper
    CustomDetailedReport
    admin
    BASIC
    ADVANCED
    2019-05-15
    2019-05-17
    resOwnerId
    yyyy-MM-dd
    id
    sku
    user
    QBO
    PLUS

Stats:

     Rules:                 4
     Rules Fired:           1
     Conditions:            15
     UniqueConditions:      10
     Actions:               6
     ExecutedActions:       2
     HalfBakedRules:        1
     Parsing(µs):           12924
     Execution(µs):         133
     ConditionExecution(µs):109
     RuleExecution(µs):     23


Execution:
EXECUTION STEP CONDITION OUTPUT
0 containsAnyIgnoreCase({"admin", "user", "bookkeeper"}, sub["role"]) T
1 env["product"] == "QBO" T
3 res["id"] == "CustomDetailedReport" T
5 env["sku"] == "BASIC" T
2 env["sku"] == "PLUS" F
4 sub["id"] != null F
    Rules fired:

                             Name : Deny CustomDetailedReport for QBO Basic
                             Description : rule description

    Decision:                DENY


Rules having always false conditions:

                             Half baked rule



    Rules having always true conditions :



    Rete Execute Process:

Contributing

For information on how to contribute to APL, please read through the contributing guidelines.

License

For information on license, please read through the license.

Contributors ✨

All Contributors

Thanks goes to these wonderful people (emoji key):


ravichauhan03

💻

charugarg93

💻

Bala Dutt

💻

Sachin Maheshwari

💻

raghusc

💻

This project follows the all-contributors specification. Contributions of any kind welcome!