1
votes

I am trying to see how XACML can be used with the API Manager for controlling access to some of the resources. I have followed the blog post here,

http://wso2.com/library/articles/2014/02/use-of-wso2-api-manager-to-validate-fine-grained-policy-decisions-using-xacml/

I have also tried following one more post from the following link, http://niranjankaru.blogspot.fr/2014/11/user-role-based-access-to-api-using.html

Also, I have gone through most of the Stack Overflow questions regarding this topic. The following are my questions,

  1. Are the versions of the "XACML (4.2.2)" and "XACML Mediation (4.2.2)" compatible with the API Manager 1.8?
  2. I'm getting an error when I try to create a policy. I'm using the simple policy editor in the "Add New Policy" page and following the same instructions as given in the first blog link.

The error shown in the UI is,

"Error while adding entitlement policy. Invalid Entitlement Policy. Policy is not valid according to XACML schema"

and the log has the following error,

ERROR - EntitlementUtil XACML policy is not valid according to the schema :cvc-complex-type.2.4.a: Invalid content was found starting with element 'Description'. One of '{"urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":Description, "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":PolicyIssuer, "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":PolicyDefaults, "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17":Target}' is expected.

As I am not editing policy by hand and using the Simple Policy Editor and entering all the fields required, I did not expect this error. Any idea if this can be a real error or due to some version mismatch?

1
Can you share your policy? I will be able to validate it with the Axiomatics Policy Server. There have been similar bug reports on the WSO2 IS before so I am not surprised. - David Brossard
I have not written this policy. I'm using a UI within WSO2 management console to create this policy. Also, I'm new to XACML, so I won't be able to provide an XML version of the policy I'm trying to create using the UI. - manoj
The creation of the policy itself is failing, so I'm not finding any reference to the policy it is internally creating and validating. - manoj
Can you use a different authoring tool e.g. the ALFA Plugin for Eclipse? - David Brossard

1 Answer

1
votes

I think you have installed the XACML features in the APIM. The issues must be due to a version mismatch between the OSGi bundles contained in APIM 1.8.0 and the XACML feature that you have installed. I have seen that there are a lot of issues after installing the XACML feature in APIM, because APIM 1.8.0 and IS 5.0.0 were not released at the same time. Therefore there are some version mismatch issues. You can download IS 5.0.0, try to create policies there, and see whether the issues occur.

However, if you are going for a proper deployment, I think what is in the above article is not correct. Normally the XACML engine must be externalized and run as a separate entity. It cannot be within the API Gateway. Therefore it is better to use a different server for running the XACML engine. You can find more details from here. Also, the above article just installs the XACML feature in APIM, but you can call WSO2 IS using the entitlement mediator. You just need to provide the proper URL for it in the mediator configuration. It is suggested to use WSO2 IS and try out the above article. You can find more details about creating XACML policies from here using the WSO2 IS XACML editor.
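
As an added example (not part of the original question, comments or answer): the log line in the question rejects an element named 'Description' while listing a namespace-qualified Description as expected, which is the pattern a schema validator reports when an element's local name is right but its namespace is not. Assuming the generated policy XML can be exported, this Python check lists every element that falls outside the XACML 3.0 namespace; the function names and both sample policies are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace quoted in the schema error from the question's log.
XACML3_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"


def split_tag(tag):
    """Split ElementTree's '{namespace}local' tag into (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def namespace_mismatches(policy_xml):
    """Return (path, namespace) for each element not in the XACML 3.0 namespace."""
    findings = []

    def walk(elem, path):
        ns, local = split_tag(elem.tag)
        here = f"{path}/{local}"
        if ns != XACML3_NS:
            findings.append((here, ns or "(no namespace)"))
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(policy_xml), "")
    return findings


# Constructed sample: default namespace covers every child element.
GOOD = f"""<Policy xmlns="{XACML3_NS}" PolicyId="sample" Version="1.0">
  <Description>sample</Description>
  <Target/>
</Policy>"""

# Constructed sample: the root is prefixed, but Description carries no
# prefix and no default namespace is declared, so it is unqualified.
BAD = f"""<x:Policy xmlns:x="{XACML3_NS}" PolicyId="sample" Version="1.0">
  <Description>sample</Description>
  <x:Target/>
</x:Policy>"""

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, namespace_mismatches(doc) or "all elements in XACML 3.0")
```

An empty result means the namespaces are consistent, so the rejection would have to come from something else, such as element order or the schema version the validator loads.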