Reputation: 9
I am trying to evaluate some requests against the following policy using Authzforce PDP engine (Web API).
<PolicySet xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17 http://docs.oasis-open.org/xacml/3.0/xacml-core-v3-schema-wd-17.xsd" PolicySetId="root" Version="2.0" PolicyCombiningAlgId="identifier:policy-combining-algorithm:deny-overrides">
  <Target/>
  <Policy xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17 http://docs.oasis-open.org/xacml/3.0/xacml-core-v3-schema-wd-17.xsd" PolicyId="urn:oasis:names:tc:xacml:3.0:example:MyPolicy" Version="1.0" RuleCombiningAlgId="identifier:rule-combining-algorithm:deny-overrides">
    <Target/>
    <Rule RuleId="urn:oasis:names:tc:xacml:3.0:example:MyRule" Effect="Permit">
      <Target>
        <AnyOf>
          <AllOf>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Medical record</AttributeValue>
              <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </Match>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Doctor</AttributeValue>
              <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id-qualifier" DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </Match>
          </AllOf>
        </AnyOf>
      </Target>
      <Condition>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
            <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </Apply>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
        </Apply>
      </Condition>
    </Rule>
  </Policy>
</PolicySet>
However, when I want to set this policy as the root policy (to activate this policy), I get the following error.
HTTP/1.1 400 Bad Request
Server: Apache-Coyote/1.1
Date: Wed, 07 Feb 2018 12:40:19 GMT
Content-Type: application/xml
Content-Length: 361
Connection: close
* Closing connection 0
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<error xmlns:ns2="http://authzforce.github.io/core/xmlns/pdp/6.0">
<message>Failed to find a root PolicySet with id = 'root', Version=Optional.empty,EarliestVersion=Optional.empty,LatestVersion=Optional.empty: Matched PolicySet 'root' (version 2.0) is invalid or its content is unavailable</message>
</error>
I think maybe something is wrong with my policy. Would you please let me know what is the problem?
Upvotes: 1
Views: 496
Reputation: 3586
Your PolicySet is not valid XML, as David mentioned, because the xsi namespace is undefined. To fix it, remove the xsi:schemaLocation attribute altogether (unnecessary for AuthzForce).
In general, whenever you work with an XACML document (PolicySet, Request, Response, etc.), make sure it is valid XML and especially that it is valid against the XACML schema. For quick validation, you can use an online XML validator (there are many; the link is just an example), or a command-line XML tool like xmllint. For more thorough validation including XACML-specific semantics (e.g. also making sure you are using correct XACML identifiers, and XACML functions with correct arguments, etc.) and XACML request validation/testing, you can use the AuthzForce CLI.
Ultimately, if AuthzForce Server is still rejecting the policy, you can check the AuthzForce server logs for more details in /var/log/tomcat8/authzforce-ce/error.log.
Upvotes: 4
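The two checks the answer recommends, shown as an added example (not code from the question, the answer, or the AuthzForce project): first a well-formedness check that reproduces the "unbound prefix" failure caused by the undeclared xsi: prefix, then the answer's fix (deleting the xsi:schemaLocation attribute from the raw text, since the document cannot be parsed until that is done), and finally a cheap identifier lint that only tests whether each *Id attribute XACML defines as a URN actually starts with the XACML URN prefix. The sample policy is a constructed, cut-down copy of the PolicySet in the question and keeps its attributes as posted; the lint is a stand-in for real schema validation or the AuthzForce CLI, not a replacement, and a passing prefix check does not prove that an identifier names a real XACML algorithm or function.

```python
"""Offline sanity checks for a XACML 3.0 PolicySet (standard library only).

Added example; not part of AuthzForce. Two checks:
  1. well-formedness: an undeclared prefix such as xsi: makes the document
     invalid XML, so a PDP's parser rejects it before XACML is even considered;
  2. identifier lint: attributes XACML defines as URNs should start with
     "urn:oasis:names:tc:xacml:". Prefix check only; no semantic validation.
"""
import re
import xml.etree.ElementTree as ET

XACML_URN_PREFIX = "urn:oasis:names:tc:xacml:"
# Attributes whose values XACML 3.0 defines as identifiers (URNs).
IDENTIFIER_ATTRS = ("PolicyCombiningAlgId", "RuleCombiningAlgId", "MatchId", "FunctionId")

# Constructed sample: a trimmed copy of the PolicySet from the question, with the
# same defect (xsi: used but never declared) and the same *Id attribute values.
SAMPLE_POLICY = '''<PolicySet xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17 http://docs.oasis-open.org/xacml/3.0/xacml-core-v3-schema-wd-17.xsd" PolicySetId="root" Version="2.0" PolicyCombiningAlgId="identifier:policy-combining-algorithm:deny-overrides">
  <Target/>
  <Policy xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17 http://docs.oasis-open.org/xacml/3.0/xacml-core-v3-schema-wd-17.xsd" PolicyId="urn:oasis:names:tc:xacml:3.0:example:MyPolicy" Version="1.0" RuleCombiningAlgId="identifier:rule-combining-algorithm:deny-overrides">
    <Target/>
    <Rule RuleId="urn:oasis:names:tc:xacml:3.0:example:MyRule" Effect="Permit">
      <Target>
        <AnyOf>
          <AllOf>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Doctor</AttributeValue>
              <AttributeDesignator MustBePresent="false" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id-qualifier" DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </Match>
          </AllOf>
        </AnyOf>
      </Target>
    </Rule>
  </Policy>
</PolicySet>
'''


def is_well_formed(xml_text):
    """Return (True, "") if the text parses as XML, else (False, parser message).

    expat reports an undeclared prefix such as xsi: as "unbound prefix".
    """
    try:
        ET.fromstring(xml_text)
        return True, ""
    except ET.ParseError as exc:
        return False, str(exc)


def strip_schema_location(xml_text):
    """The fix from the answer: delete every xsi:schemaLocation attribute.

    Done on the raw text, because the document cannot be parsed before the fix.
    """
    return re.sub(r'\s+xsi:schemaLocation="[^"]*"', "", xml_text)


def lint_identifiers(xml_text):
    """Flag *Id attributes whose value does not start with the XACML URN prefix.

    Catches obviously made-up identifiers; it does not verify that a URN names
    a real algorithm or function (use schema validation or the AuthzForce CLI).
    """
    problems = []
    for element in ET.fromstring(xml_text).iter():
        local_name = element.tag.rsplit("}", 1)[-1]  # drop a namespace, if any
        for attr in IDENTIFIER_ATTRS:
            value = element.attrib.get(attr)
            if value is not None and not value.startswith(XACML_URN_PREFIX):
                problems.append(f"{local_name}@{attr}={value!r} is not an XACML URN")
    return problems


def check_policy(xml_text):
    """Run both checks, applying the xsi fix first if the text is not XML."""
    ok, message = is_well_formed(xml_text)
    if not ok:
        xml_text = strip_schema_location(xml_text)
        ok, message = is_well_formed(xml_text)
    return {
        "well_formed": ok,
        "parse_error": message,
        "identifier_problems": lint_identifiers(xml_text) if ok else [],
    }


if __name__ == "__main__":
    ok, message = is_well_formed(SAMPLE_POLICY)
    print("as posted:", "OK" if ok else f"not XML ({message})")
    print("after removing xsi:schemaLocation:", check_policy(SAMPLE_POLICY))
```

Run as a script it first reports the parse failure for the policy as posted, then shows that deleting xsi:schemaLocation makes it well-formed while the two combining-algorithm identifiers are still flagged, which is the kind of XACML-level problem the answer says a plain XML check will not catch.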