Diagrams providing details on the syntax and usage of ACL file components.
Sybase CEP Engine access control ACL files use a simplified version of the eXtensible Access Control Markup Language (XACML). The following diagram illustrates the overall structure of the IP-access ACL file:
The rest of this section discusses in detail the syntax and usage of the components shown in the diagram. The syntax illustrations in the following discussions use several conventions:
Items appearing in italics are stand-in values, which you should replace with the actual information. For example, replace policy-name with the appropriate name for a policy.
Square brackets ([ ]) show optional items.
A pipe character (|) separates members in a list of items, from which you can choose only one item.
The ellipsis marking inside square brackets ([...]) represents an optional repetition of the previous component type. You may repeat these components as many times as you want.
Syntax:
<PolicySet xmlns="http://www.sybase.com/access_control/">
    policy [policy] [...]
</PolicySet>
Description:
The entire contents of the ACL must be contained in the "PolicySet" element, which specifies the CEP Engine access control policy set. The "PolicySet" element contains one or more "Policy" elements.
Syntax:
<Policy PolicyId="policy-name">
    rule [rule] [...]
</Policy>
Description:
The "Policy" element defines a single access policy. An ACL file's "PolicySet" contains one or more "Policy" elements. The "Policy" element requires:
A "PolicyId" property, which specifies a unique name for the policy.
One or more "Rule" elements.
Syntax:
<Rule RuleId="rule-name" Effect="effect">
    target
</Rule>
effect: Permit or Deny
Description:
The "Rule" element defines a single rule for an access policy. A single "Policy" element contains one or more "Rule" elements. The "Rule" element requires:
A "RuleId" property, which specifies a unique name for the rule.
An "Effect" property, which specifies whether to permit or deny certain actions that certain IP addresses, host names, users, or groups try to perform on certain Sybase CEP Engine resources. Note that the "Effect" property specifies only Permit or Deny; the specifics of what the rule permits or denies are given in the "Target" element.
A single "Target" element.
Syntax:
<Target>
    <Subjects>
        <AnySubject/> | restricted-subjects
    </Subjects>
    <Resources>
        resource [resource] [...]
    </Resources>
    <Actions>
        action [action] [...]
    </Actions>
</Target>
restricted-subjects: Restricted subjects come in four varieties, as listed below. You can specify more than one subject.
Restricted Subject Type | Syntax Description
host-subject | May include any of the following: <Hostname>host-name</Hostname>, <IP>ip-address</IP>, <IPRange>ip-range</IPRange>. See the examples under "Subjects" in the description below.
user-subject | <User>user-name</User> where user-name is a case-insensitive POSIX regular expression that matches a defined user name.
group-subject | <Group>group-name</Group> where group-name is a case-sensitive POSIX regular expression that matches a defined user group name.
shared-secret-subject | <SharedSecret/>
resource: Resources can be set to any of the following values. Multiple resources can also be specified.
<AnyResource/>
<Server/>
<Workspace>workspace</Workspace> where workspace is a case-insensitive POSIX regular expression that matches the name of a workspace on Sybase CEP Server.
<Project>project</Project> where project is a case-insensitive POSIX regular expression that matches the name of a project in a workspace, using the workspace-name/project-name format.
<Stream>data-stream</Stream> where data-stream is a case-insensitive POSIX regular expression that matches one or more Sybase C8 streams, using the workspace-name/project-name/[submodule-name][.../]data-stream-name format.
You can get the information used to specify the "Stream" resource in the ACL file from Sybase CEP Studio, where it is displayed in the Properties View when the workspace, project or stream is selected. The CCL URI displayed in Sybase CEP Studio uses the following format:
ccl://host-name:port/Stream/path
The data-stream specification in the "Stream" resource uses the path portion of this URI, for example:
myworkspace/myproject/instream
action: Actions can be set to any of the following values. Multiple actions can be specified.
<AnyAction/>
<Connect/>
<Read/>
<Write/>
<StartStop/>
<CreateDestroy/>
<GetStatus/>
Description:
The "Target" element is contained within the "Rule" element. The "Target" contains three elements, which answer the following questions within the rule:
The "Subjects" element answers the question of which hosts, users and/or user groups are permitted or denied access to a resource.
The "Resources" element answers the question of which resources are being made accessible or inaccessible to the subjects.
The "Actions" element answers the question of which actions pertaining to the resource are permitted or not permitted to the subject.
Specify the "Subjects", "Resources" and "Actions" elements, using the syntax detailed in the syntax section. These settings are further explained in this section:
"Subjects": The empty "AnySubject" element (<AnySubject/>) creates a rule that applies to any host, user, or user group that attempts to perform the specified action on the specified resource. To restrict the rule to certain hosts, users, or user groups, use one or more host-subject, user-subject, and/or group-subject elements instead of "AnySubject".
Specify a special empty shared-secret-subject (specified as <SharedSecret/>) once at the beginning of the ACL file to enable Sybase CEP Server connectivity.
host-subject elements include "Hostname", "IP" and "IPRange" elements. You can specify any number of these in any combination in a single "Target" element.
user-subject elements include the "User" element. You can specify any number of "User" elements in a single "Target" element.
group-subject elements include the "Group" element. You can specify any number of "Group" elements in a single "Target" element.
If you specify multiple subjects in a single "Target", the rule applies to any host, user, or group that meets the criteria for at least one subject specification from each of the included groups. For example, a "Target" that includes a "Hostname" subject, an "IPRange" subject, and two "User" subjects applies to either of the indicated users when the computer from which they try to access the resource either matches the "Hostname" or falls within the "IPRange".
Here are some examples of "Subjects" elements:
<Subjects>
    <AnySubject/>
</Subjects>

<Subjects>
    <Hostname>.*\.sybase\.com</Hostname>
</Subjects>

<Subjects>
    <IP>192.168.10.10</IP>
    <IPRange>192.168.0.12/24</IPRange>
</Subjects>

<Subjects>
    <IP>192.168.10.10</IP>
    <User>jdoe</User>
    <Group>qagroup</Group>
</Subjects>
"Resources": The empty "AnyResource" element (specified as <AnyResource/>) creates a rule that applies to any Sybase CEP Server resource requested by one of the subjects. To restrict the rule to certain resources, use the "Server", "Workspace", "Project", and/or "Stream" elements, in any combination. (The "Server" resource setting is typically used in conjunction with the "Connect" action, to permit or deny access to Sybase CEP Server.)
If you identify multiple resources, the subjects are allowed or denied access to any of the specified resources. For more information about how a resource hierarchy is used to grant or deny access to various resources, see "ACL Policy Set Implementation".
Here is an example of a "Resources" element:
<Resources>
    <Stream>Production/.*/StreamIn</Stream>
    <Stream>Production/.*/StreamOut</Stream>
</Resources>
"Actions": The "AnyAction" element (specified as <AnyAction/>) creates a rule that applies to any action that the subject attempts on the specified resource. To restrict the rule to certain actions, use the "Connect", "Read", "Write", "StartStop", "CreateDestroy", and/or "GetStatus" elements, in any combination. If you identify multiple actions, the subjects are allowed or denied any of the specified actions. All elements contained inside an "Actions" element are empty. Here is an example of an "Actions" element:
<Actions>
    <StartStop/>
</Actions>
Action requests are interrelated. The ability to perform certain actions depends on access to certain other types of actions:
A subject must be allowed to connect to a resource before any other action on that resource can be permitted. Connections can be enabled explicitly with the "Connect" action, or implicitly with the "AnyAction" action. If the connection is not enabled, the subject is not allowed to perform actions on the resource, even if a rule states that those actions are permitted.
To enable "GetStatus" on a status stream, the subject must also be permitted to "Read" from that status stream.
To enable SOAP calls to access a resource, the rule must also enable "GetStatus", "StartStop" or "Read" on that resource.
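The following added example (not part of this documentation or of the Sybase CEP product) evaluates a request against an ACL file written in the syntax above, implementing the "Subjects" combination rule (at least one match in each subject category present), the case rules for "User" and "Group", and the "Resources"/"Actions" matching. The sample ACL and requests are constructed; Python's re module stands in for POSIX regular expressions; the "Hostname" regex treatment, the deny-overrides combining rule and the (kind, path) resource form are assumptions, and the resource hierarchy and the Connect dependency described above are not modelled.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

ACL_XML = """<PolicySet xmlns="http://www.sybase.com/access_control/">
 <Policy PolicyId="qa-policy">
  <Rule RuleId="qa-connect" Effect="Permit"><Target>
   <Subjects><Hostname>.*\\.sybase\\.com</Hostname><IPRange>192.168.0.12/24</IPRange><User>jdoe</User></Subjects>
   <Resources><Server/></Resources><Actions><Connect/></Actions></Target></Rule>
  <Rule RuleId="qa-read" Effect="Permit"><Target><Subjects><Group>qagroup</Group></Subjects>
   <Resources><Stream>Production/.*/StreamIn</Stream></Resources>
   <Actions><Read/><GetStatus/></Actions></Target></Rule>
  <Rule RuleId="no-write" Effect="Deny"><Target><Subjects><AnySubject/></Subjects>
   <Resources><AnyResource/></Resources><Actions><Write/><CreateDestroy/></Actions></Target></Rule>
 </Policy></PolicySet>"""  # constructed sample ACL in this page's syntax, not a shipped file
NS = "{http://www.sybase.com/access_control/}"
FIELD = {"Hostname": "host", "User": "user", "Group": "group"}  # regex-matched subject kinds
tag = lambda el: el.tag[len(NS):]  # element name without the namespace

def subject_matches(el, req):  # one subject element vs a request dict (host, ip, user, group)
    t, pat = tag(el), (el.text or "").strip()
    if t in ("IP", "IPRange"):  # strict=False because the page's example range has host bits set
        return ipaddress.ip_address(req["ip"]) in ipaddress.ip_network(pat, strict=False)
    flags = 0 if t == "Group" else re.IGNORECASE  # only group names are case-sensitive
    return t in FIELD and re.fullmatch(pat, req[FIELD[t]], flags) is not None

def subjects_match(subjects, req):  # at least one match in every subject category the Target lists
    if subjects.find(NS + "AnySubject") is not None:
        return True
    cats = {}
    for el in subjects:  # Hostname, IP and IPRange together form the host-subject category
        cats.setdefault("host" if tag(el) in ("Hostname", "IP", "IPRange") else tag(el), []).append(el)
    return bool(cats) and all(any(subject_matches(e, req) for e in els) for els in cats.values())

def resource_matches(resources, req):  # req["resource"] is (kind, path), e.g. ("Stream", "Production/Build7/StreamIn")
    kind, path = req["resource"]
    return any(tag(el) == "AnyResource" or (tag(el) == kind == "Server") or (tag(el) == kind and
               re.fullmatch((el.text or "").strip(), path, re.IGNORECASE)) for el in resources)

def matching_rules(acl_xml, req):  # [(RuleId, Effect)] for every rule whose Target matches the request
    out = []
    for rule in ET.fromstring(acl_xml).iter(NS + "Rule"):
        t = rule.find(NS + "Target")
        acts = {tag(a) for a in t.find(NS + "Actions")}
        if (subjects_match(t.find(NS + "Subjects"), req) and ("AnyAction" in acts or req["action"] in acts)
                and resource_matches(t.find(NS + "Resources"), req)):
            out.append((rule.get("RuleId"), rule.get("Effect")))
    return out

def decide(acl_xml, req):  # assumed combining rule (the page defers it): any Deny wins, no match means Deny
    effects = [e for _, e in matching_rules(acl_xml, req)]
    return "Permit" if effects and "Deny" not in effects else "Deny"
```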