Version: 1.1

Attribute Connectors

Attribute Connectors act as Policy Information Points (PIP) that link to external data sources holding the attribute values a Policy Decision Point (PDP) requires to evaluate policies. Axiomatics provides several standard Attribute Connectors such as LDAP, SQL, Table, HTTP, and Parsers (JWT, JSON, XML), while custom Attribute Connectors can be created to fetch attributes that are not supported by the default ones.

It is possible to have a setup where a policy decision cannot be reached solely on the information provided in the request. Contextual Authorization Query (CAQ) can use Attribute Connectors to connect to external sources, where the information required may be found. For example, certain attributes of a policy may need to get their values from a database or an LDAP directory.

An Attribute Connector configuration contains information about the type of attribute source (for example, LDAP, SQL), the attributes it provides, and how to obtain them.

The Attribute Connector configuration is part of the authorization domain configuration. If an Attribute Connector configuration exists in the authorization domain configuration, that Attribute Connector must be available to CAQ at start-up. The Attribute Connector itself is then used at runtime during policy evaluation.

Standard Attribute Connectors

There are no default Attribute Connectors included with CAQ. Instead, Attribute Connectors for connection to SQL and LDAP data sources must be downloaded and installed separately. Axiomatics currently provides the following standard Attribute Connectors:

  • LDAP Attribute Connector
  • SQL Attribute Connector
  • Table Attribute Connector
  • HTTP Attribute Connector
  • Parser Attribute Connectors

LDAP Attribute Connector

The LDAP Attribute Connector is used for connection to LDAP data sources.

SQL and Table Attribute Connectors

The SQL Attribute Connector and the Table Attribute Connector are both used for connections to SQL data sources.

HTTP Attribute Connector

The HTTP Attribute Connector is used to connect to a web service and retrieve its payload, which it then returns to the PDP.

Parser Attribute Connectors

Parser Attribute Connectors can take a string in a structured format and extract nested values from it in order to evaluate authorization policies. The Parser Attribute Connectors consist of the following:

  • JSON Parser
  • XML Parser
  • JWT Parser

Contact Axiomatics Customer Support for information on the latest versions and available downloads.

note

The standard Attribute Connectors are developed, maintained, and released independently of releases of CAQ. New and updated versions may be released and made available for download at any time.

Custom Attribute Connectors

It is possible to create custom Attribute Connectors, which may be used to fetch attributes that are not supported by the standard Attribute Connectors.

Custom Attribute Connectors, or Attribute Finders, are built for the Java ServiceLoader.

note

When a custom Attribute Finder has been set up in CAQ, the same Attribute Finder package must be made available to ASM as an Attribute Connector so that it shows up in the list of available Attribute Connector types that can be chosen in the ASM GUI.

Download an Attribute Connector

The Attribute Connector is downloaded via AWS CLI. If you have not already done so, install AWS CLI according to the instructions here.

For specific information on how to download each Attribute Connector, follow the respective links below:

Important

Ensure that the SLF4J 2.x JAR is included in the loader path when deploying CAQ with Attribute Connectors to avoid compatibility issues. The CAQ deployment can be executed using the following command:

java -Dloader.path=lib/slf4j.jar,lib -jar caq.jar

Add or update Attribute Connectors

If an Attribute Connector configuration exists in the authorization domain configuration, CAQ must be started with the jar file for that Attribute Connector under the sub-directory lib as described in the Deployment section. The Attribute Connector itself is then used at runtime during policy evaluation.

There are no default Attribute Connectors included with the CAQ jar file download. Instead, standard Attribute Connectors (see above) must be downloaded and installed separately.

Contact Axiomatics Customer Support for information on the latest versions and available downloads.

CAQ supports the use of different Attribute Connectors for different sources, at the same time.

To add an Attribute Connector, download the respective jar file and place it under the lib folder as shown in the structure tree below:

├─ contextual-authorization-query-1.1.0.jar
├─ deployment.yml
├─ lib/
│  ├─ <attribute-connector-1>.jar
│  ├─ <attribute-connector-2>.jar

You must stop the service and restart it to apply any changes.

JDBC drivers

Additional files, such as JDBC drivers (should they be necessary), must be added under the lib folder, in the same way as Attribute Connectors.

note

The JDBC URL must be used for all Attribute Connectors that use databases. JNDI is not supported.
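Every jar placed under lib ends up on the loader path, and Java's ServiceLoader discovers implementations through the META-INF/services/ files inside those jars. The following Python check is an added example, not Axiomatics code: it inventories which providers each jar in lib registers and compares each jar against a pinned SHA-256 before the service is restarted. The jar names, the class names and the com.example.AttributeFinder interface are constructed placeholders; the real Attribute Finder interface name is not given on this page.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

SERVICES = "META-INF/services/"  # ServiceLoader provider-configuration files

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def providers_in_jar(jar_path):
    """Return {service interface: [implementation classes]} declared by a jar.
    Provider files hold one class name per line; '#' starts a comment."""
    found = {}
    with zipfile.ZipFile(jar_path) as jar:
        for name in jar.namelist():
            if name.startswith(SERVICES) and not name.endswith("/"):
                lines = jar.read(name).decode("utf-8").splitlines()
                impls = [line.split("#", 1)[0].strip() for line in lines]
                found[name[len(SERVICES):]] = [i for i in impls if i]
    return found

def audit_lib(lib_dir, pinned):
    """Inventory each jar in lib_dir; pinned maps file name -> expected SHA-256."""
    report = {}
    for jar_path in sorted(Path(lib_dir).glob("*.jar")):
        report[jar_path.name] = {"pinned": pinned.get(jar_path.name) == sha256_of(jar_path),
                                 "providers": providers_in_jar(jar_path)}
    return report

def build_sample_lib(root):
    """Constructed sample data: tiny jars with made-up (hypothetical) class names."""
    lib = Path(root) / "lib"
    lib.mkdir(parents=True, exist_ok=True)
    samples = {
        "custom-finder.jar": ("com.example.AttributeFinder", "# demo\ncom.example.HrFinder\n"),
        "jdbc-driver.jar": ("java.sql.Driver", "com.example.db.Driver\n"),
        "unexpected.jar": ("java.sql.Driver", "org.example.other.Driver\n"),
    }
    for jar_name, (iface, body) in samples.items():
        with zipfile.ZipFile(lib / jar_name, "w") as jar:
            jar.writestr(SERVICES + iface, body)
    return lib

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        lib = build_sample_lib(tmp)
        pins = {n: sha256_of(lib / n) for n in ("custom-finder.jar", "jdbc-driver.jar")}
        for name, info in audit_lib(lib, pins).items():
            print(name, "pinned" if info["pinned"] else "NOT PINNED", info["providers"])
```

A jar that reports as not pinned, or that registers a provider nobody expected, is worth resolving before CAQ is started with that lib folder.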

More information

Refer to the documentation for Axiomatics Services Manager for more information on how to configure and manage Attribute Connectors.

You can download the CVE analysis HTML report for each Attribute Connector.

Downloading the Attribute Connectors' CVE analysis

The following example displays the AWS CLI command to download the LDAP Attribute Connector's CVE report:

aws s3api get-object --bucket axiomatics-customer-artifacts --key releases/com/axiomatics/attribute-connectors/ldap/ldap-attribute-connector/version/ldap-attribute-connector-version-cve.html ldap-attribute-connector-version-cve.html