Attribute Connectors
Attribute Connectors act as Policy Information Points (PIP) that link to external data sources holding the required attribute values required by a Policy Decision Point (PDP) to evaluate policies. Axiomatics provides several standard Attribute Connectors such as LDAP, SQL, Table, HTTP, and Parsers (JWT, JSON, XML), while custom Attribute Connectors can be created to fetch attributes that are not supported by the default ones.
It is possible to have a setup where a policy decision cannot be reached solely on the information provided in the request. Access Decision Service can use Attribute Connectors to connect to external sources, where the information required may be found. For example, certain attributes of a policy may need to get their values from a database or an LDAP directory.
An Attribute Connector configuration contains information about the type of attribute source (for example, LDAP, SQL), the XACML attributes it provides, and how to obtain them.
The Attribute Connector configuration is part of the authorization domain configuration. If an Attribute Connector configuration exists in the authorization domain configuration, that Attribute Connector must be available to ADS at start-up. The Attribute Connector itself is then used at runtime during policy evaluation.
Standard Attribute Connectors
There are no default Attribute Connectors included with ADS. Instead, Attribute Connectors for connection to SQL and LDAP data sources must be downloaded and installed separately. Axiomatics currently provides the following standard Attribute Connectors:
- LDAP Attribute Connector
- SQL Attribute Connector
- Table Attribute Connector
- HTTP Attribute Connector
- Parser Attribute Connectors
LDAP Attribute Connector
The LDAP Attribute Connector is used for connection to LDAP data sources.
SQL and Table Attribute Connectors
The SQL Attribute Connector and the Table Attribute Connector are both used for connections to SQL data sources.
HTTP Attribute Connector The HTTP Attribute Connector is used to connect to a web service and retrieve its payload which it then returns to the PDP.
Parser Attribute Connectors Parser Attribute Connectors can take a string in a structured format and extract nested values from it in order to evaluate authorization policies. The Parser Attribute Connectors consist of the following:
- JSON Parser
- XML Parser
- JWT Parser
The standard Attribute Connectors are managed in slightly different ways, depending on whether ADS is run in a Docker container or from the command line.
Contact Axiomatics Customer SupportOpens in a new tab for information on latest versions and available downloads.
The standard attribute connectors are developed, maintained, and released independently of releases of ADS. New and updated versions may be released and made available for download at any time.
Custom Attribute Connectors
It is possible to create custom Attribute Connectors, which may be used to fetch attributes that are not supported by the standard Attribute Connectors.
Custom Attribute Connectors, or Attribute Finders, are built for the Java ServiceLoader.
When a custom Attribute Finder has been set up in ADS, the same Attribute Finder package must be made available to ASM as an Attribute Connector so that it shows up in the list of available Attribute Connector types that can be chosen in the ASM GUI.
Download Attribute Connector(s)
If an Attribute Connector configuration exists in the authorization domain configuration, ADS must be started with the jar file for that Attribute Connector in the classpath. The Attribute Connector itself is then used at runtime during policy evaluation.
There are no default Attribute Connectors included with the ADS jar file download. Instead, standard Attribute Connectors (see above) must be downloaded and installed separately.
Contact Axiomatics Customer SupportOpens in a new tab for information on latest versions and available downloads.
For specific information on how to download each Attribute Connector, follow the respective links below:
- Table Attribute Connector
- LDAP Attribute Connector
- SQL Attribute Connector
- HTTP Attribute Connector
- Parser Attribute Connectors
Make sure to include slf4j-api 2.x
jar or the ADS .jar
file at the beginning of your classpath to prevent compatibility issues. For more information refer to the Compatibility for slf4j-api versions section.
Add Attribute Connector(s)
ADS needs to know how to locate the Attribute Connector(s) and all their dependencies, which is done by adding this information to the classpath. The process is the same for both adding and updating Attribute Connectors, standard or custom.
ADS can work with different Attribute Connectors for different sources concurrently. Jar files on the classpath are separated with a semi-colon (';') on Windows, and with a colon (':') on other platforms.
- Windows
- Linux
java -cp access-decision-service-<version>.jar;<path_to_file>/sql-attribute-connector-<version>.jar;<path_to_file>/Dependency1.jar;<path_to_file>/Dependency2.jar com.axiomatics.ads.App server <path_to_file>/deployment.yaml
java -cp access-decision-service-<version>.jar:<path_to_file>\sql-attribute-connector-<version>.jar:<path_to_file>\Dependency1.jar:<path_to_file>\Dependency2.jar com.axiomatics.ads.App server <path_to_file>\deployment.yaml
Update Attribute Connector(s) for Kubernetes deployment
Extract the contents of the downloaded Attribute Connector distribution file(s) in the file system and locate the Attribute Connector
jar
file(s). (See the included documentation for more information.)Copy the new Attribute Connector
.jar
file(s) for the updated version to thedocker/resources/lib
folder to replace the oldjar
file(s) as shown in the structure tree below:├─ docker/resources/lib/
├─ <attribute-connector-1-update>.jar
├─ <attribute-connector-2-update>.jarRebuild and push the Docker image at the corresponding registry:
- Remote registry
- Local registry
Run the following command to build ADS.
docker build --build-arg AWS_BUCKET=axiomatics-customer-artifacts --build-arg AWS_REPO=releases --build-arg ADS_VERSION=1.17.0 . -f Dockerfile -t <aws_account_id>.dkr.ecr.<region>.amazonaws.com/axiomatics/ads:1.17.0
Run the following command to push the image to your registry.
docker push <aws_account_id>.dkr.ecr.<region>.amazonaws.com/axiomatics/ads:1.17.0
Run the following command to build ADS.
docker build --build-arg AWS_BUCKET=axiomatics-customer-artifacts --build-arg AWS_REPO=releases --build-arg ADS_VERSION=1.17.0 . -f Dockerfile -t localhost:5000/ads:1.17.0
Run the following command to push the image to your registry.
docker push localhost:5000/ads:1.17.0
Re-create the ADS pod(s) with the new Docker image as described below.
Navigate to the
kubernetes
directory and update ADS using Helm:helm upgrade -n axiomatics-ads ads -f adscharts/values.yaml adscharts --set imageRegistry=<your_image_registry> --set adsHostname=<your_hostname> --set asmHostname=<your_asm_hostname> --set admDomainName=<your_adm_domain_name> --set asmProjectName=<your_asm_project_name> --set ads.metrics.enabled=true --set ads.pullPolicy=Always
Restart the ADS deployment by running the following command:
kubectl rollout restart deployment/ads -n axiomatics-ads
More information
Refer to the documentation for Axiomatics Services ManagerOpens in a new tab for more information on how to configure and manage Attribute Connectors.