Attribute Connectors

It is possible to have a setup where a policy decision cannot be reached using only the information provided in the request. In such cases, Access Decision Service (ADS) can use Attribute Connectors. These connectors act as Policy Information Points (PIP), connecting to external sources that hold the necessary attribute values. For instance, some policy attributes might need to retrieve their values from a database or an LDAP directory.

Axiomatics provides several standard Attribute Connectors, while custom Attribute Connectors can be created to fetch attributes that are not supported by the default options.

An Attribute Connector configuration contains information specifies the attribute source type, the XACML attributes it provides, and how to obtain them. This configuration is part of the authorization domain configuration. If an Attribute Connector configuration exists in the authorization domain configuration, that specific Attribute Connector must be available to ADS at startup. The Attribute Connector is then utilized at runtime during the policy evaluation process.

Standard Attribute Connectors

The standard Attribute Connectors are managed in slightly different ways, depending on whether ADS runs as a JAR from the command line or is deployed using Kubernetes (K8s). When run from the command line, no default Attribute Connectors are included with ADS, so they must be downloaded and installed separately. However, when deployed with Kubernetes, the ADS image includes the standard Attribute Connectors by default.

Axiomatics currently provides the following standard Attribute Connectors:

• LDAP Attribute Connector

  Used for connection to LDAP data sources.

• SQL and Table Attribute Connectors

  Both used for connections to SQL data sources.

• HTTP Attribute Connector

  Used to connect to a web service and retrieve its payload which it then returns to the PDP.

• Parser Attribute Connectors

  Takes a string in a structured format and extracts nested values from it. Consists of the following:

  • JSON Parser

  • XML Parser

  • JWT Parser

Learn more in the Attribute Connectors documentationOpens in a new tab and contact the Axiomatics Customer SupportOpens in a new tab for information on latest versions and available downloads.

note

The standard attribute connectors are developed, maintained, and released independently of releases of ADS. New and updated versions may be released and made available for download at any time.

Custom Attribute Connectors

You can create custom Attribute Connectors to fetch attributes not supported by the standard ones.

These custom Attribute Connectors, also known as Attribute Finders, are built for the Java ServiceLoader.

note

When you set up a custom Attribute Finder in ADS, you also need to make that same Attribute Finder package available to ASM as an Attribute Connector. This ensures it appears in the list of available Attribute Connector types you can choose from in the ASM GUI.

Manage Attribute Connectors

Management of Attribute Connectors in ADS depends on your deployment type, as described in the relevant sections Deployment using JAR file and Deployment using Kubernetes.

Download Attribute Connectors

For specific information on how to download each Attribute Connector, follow the respective links below:

Table

Table Attribute Connector installationOpens in a new tab

LDAP

LDAP Attribute Connector installationOpens in a new tab

SQL

SQL Attribute Connector installationOpens in a new tab

HTTP

HTTP Attribute Connector installationOpens in a new tab

Parsers

Parser Attribute Connectors installationOpens in a new tab

Update Attribute Connectors

Follow the instructions below to update the Attribute Connectors based on your deployment type:

JAR

1. Download the Attribute Connector(s) as described above.

2. Extract the contents of the downloaded Attribute Connector distribution file(s).

3. Under your deployment's lib directory, replace the old Attribute Connector JAR file(s) with the new ones.

   # ADS file structure - attribute connectors jar files #
   ├─ access-decision-service-2.2.0.jar
   ├─ deployment.yaml
   ├─ lib
       ├─ sql-attribute-connector-<sql_ac_version>.jar
       ├─ jbdc-driver.jar

4. Start the deployment process as described in the Start the application section.

Kubernetes

Updating Attribute Connectors in K8s deployments is possible by building a custom image that will then be pushed to a local or remote Docker registry configured by you.

1. Download the Attribute Connector(s) as described above.

2. Extract the contents of the downloaded Attribute Connector distribution file(s).

3. Under your deployment's docker/resources/lib directory, replace the old Attribute Connector JAR file(s) with the new ones.

   # ADS file structure - attribute connectors jar files #
   ├─ lib
      ├─ <driver-1>.jar
      ├─ <attribute-connector>.jar

4. From the docker folder, use Docker CLI to build and optionally tag your ADS image. For example:

   docker build -t <your_custom_registry>/ads:2.2.0-0 .

5. Push the image to your registry.

   docker push <your_custom_registry>/ads:2.2.0-0

6. Upgrade your Helm chart and make sure the latest image is pulled. For more details, read the Update configuration during runtime section.

More information

Refer to the documentation for Axiomatics Services ManagerOpens in a new tab for more information on how to configure and manage Attribute Connectors.