Attribute connectors
It is possible to have a setup where a policy decision cannot be reached solely on the information provided in the request. Access Decision Service can use attribute connectors to connect to external sources, where the information required may be found. For example, certain attributes of a policy may need to get their values from a database or an LDAP directory.
An attribute connector configuration contains information about the type of attribute source (for example, LDAP, SQL), the XACML attributes it provides, and how to obtain them.
The attribute connector configuration is part of the authorization domain configuration. If an attribute connector configuration exists in the authorization domain configuration, that attribute connector must be available to ADS at start-up. The attribute connector itself is then used at runtime during policy evaluation.
Standard attribute connectors
There are no default attribute connectors included with ADS. Instead, attribute connectors for connection to SQL and LDAP data sources must be downloaded and installed separately. Axiomatics currently provides three standard attribute connectors:
- LDAP Attribute Connector
- SQL Attribute Connector
- Table Attribute Connector
The LDAP Attribute Connector is used for connection to LDAP data sources. The SQL Attribute Connector and the Table Attribute Connector are both used for connections to SQL data sources.
The standard attribute connectors are managed in slightly different ways, depending on whether ADS is run in a Docker container or from the command line.
Note: The standard attribute connectors are developed, maintained, and released independently of releases of ADS. New and updated versions may be released and made available for download at any time.
Custom attribute connectors
It is possible to create custom attribute connectors, which may be used to fetch attributes that are not supported by the standard attribute connectors.
Custom attribute connectors, or Attribute Finders, are built for the Java ServiceLoader.
Note: When a custom Attribute Finder has been set up in ADS, the same Attribute Finder package must be made available to ASM as an attribute connector so that it shows up in the list of available Attribute Connector types that can be chosen in the ASM GUI.
Running ADS in a Docker container
ADS can work with different attribute connectors for different sources concurrently. For that reason, the Docker container has been prepared with a set of folders in which to place the attribute connectors.
Adding attribute connectors
Contact Axiomatics Customer Support for information on latest versions and available downloads.
Refer to the documentation accompanying each attribute connector for more information on changes and functional updates in new releases.
- Extract the contents of the downloaded attribute connector distribution file(s) in the file system and locate the attribute connector jar file(s). (See the included documentation for more information.)
- Stop ADS if it is running. (Press
CTRL+Cin the console if ADS is being run in the foreground, or navigate to thedocker/folder and issue the commanddocker-compose down.) - In a second file system window, navigate to
<root path>/docker/resources/attribute.connectors/
There you will find a folder for each of the standard attribute connectors, plus one for custom attribute connectors.
- Copy the attribute connector .jar file(s) to the relevant folder(s). For example, the
sql-attribute-connector-<version>.jarwould go into the<root path>/docker/resources/attribute.connectors/sql-attribute-connectorfolder, etc. - From the
docker/folder, run the commanddocker-compose build --no-cache ads. This will rebuild the Docker image that contains the attribute connectors. - Finally, also from the
docker/folder, run the commanddocker-compose up. This restarts ADS, which will now use the new attribute connector(s).
This concludes the installation.
Updating attribute connectors
To update one or more attribute connectors, the process is in essence the same as when adding attribute connectors. One extra step is necessary:
- Delete the previous version of the attribute connector before restarting ADS. There should be only one attribute connector in any one folder at any one time.
Custom attribute connectors
An Attribute Finder built for the Java ServiceLoader can be plugged into ADS by following these steps:
- Stop ADS if it is running. (Press
CTRL+Cin the console if ADS is being run in the foreground, or navigate to thedocker/folder and issue the commanddocker-compose down.) - Navigate to
<root path>/docker/resources/attribute.connectors/custom-attribute-connectors - Copy the the Attribute Finder (that is, the custom attribute connector .jar file) to this folder.
- From the
docker/folder, run the commanddocker-compose build --no-cache ads. This will rebuild the Docker image that contains the attribute connectors. - Finally, also from the
docker/folder, run the commanddocker-compose up. This restarts ADS, which will now use the custom attribute connector(s).
The custom-attribute-connectors folder may contain several different custom attribute connectors, but not multiple versions of the same custom attribute connector.
Running ADS on the command line
If an attribute connector configuration exists in the authorization domain configuration, ADS must be started with the jar file for that attribute connector in the classpath. The attribute connector itself is then used at runtime during policy evaluation.
There are no default attribute connectors included with the ADS jar file download. Instead, standard attribute connectors (see above) must be downloaded and installed separately.
Contact Axiomatics Customer Support for information on latest versions and available downloads.
Adding or updating attribute connectors
- Download and extract to a suitable location the attribute connectors needed for use.
After that, ADS needs to know how to locate them and all their dependencies, which is done by adding this information to the classpath. The process is the same for both adding and updating attribute connectors, standard or custom.
ADS can work with different attribute connectors for different sources concurrently. Jar files on the classpath are separated with a semi-colon (';') on Windows, and with a colon (':') on other platforms.
On Windows:
java -cp access-decision-service-<version>.jar;<path\to\>sql-attribute-connector-<version>.jar;<path\to\>Dependency1.jar;<path\to\>Dependency2.jar com.axiomatics.ads.App server <path\to\>deployment.yaml
On Linux:
java -cp access-decision-service-<version>.jar:<path/to/>sql-attribute-connector-<version>.jar:<path/to/>Dependency1.jar:<path/to/>Dependency2.jar com.axiomatics.ads.App server <path/to/>deployment.yaml
More information
Refer to the documentation for Axiomatics Services Manager for more information about attribute connectors.