Rule Syntax in TurmericSOA

Posted: November 10, 2011 in Turmeric, XACML

Hi,

Turmeric's next release will provide two new rule patterns for Rate Limiting Policies, which allow limiting calls for any XACML Subject or Subject Group. With them, the flexibility of the rules grows, as does their throughput.

Recalling those years developing a Motohealth protocol, I cleaned the dust off my EBNF writing skills 🙂, so this is how the Rule syntax looks:

rule = opt-ws expression opt-ws | opt-ws expression opt-ws '||' opt-ws expression opt-ws | opt-ws expression opt-ws '&&' opt-ws expression opt-ws
expression = global_hits | subject_hits | count

global_hits = 'HITS' opt-ws comparator opt-ws number
subject_hits = subject ':hits' opt-ws comparator opt-ws number
count = service [':' operation  ['.SubjectGroup' ['.Subject'] ] ] '.count' opt-ws comparator opt-ws number

comparator =  '<'|'>'|'<='|'=<'|'>='|'=>'|'=='
number =  {digit}
digit = '0'|'1'|'2'|'3'|'4'|'5'|'6'|'7'|'8'|'9'
character = lowercase-char | uppercase-char | digit | special-char
lowercase-char = "a" | "b" | "..." | "z"
uppercase-char = "A" | "B" | "..." | "Z"
special-char = '_'|'-'

subject = ip | dev | user | app
ip = range '.' range '.' range '.' range
range = ['0'|'1'|'2'] [digit] digit
dev = word
user = word
app = word

word = lowercase-char  {character | digit} | uppercase-char  {character | digit}

service = word
operation = word
opt-ws = [{' '}]

With this syntax, the following are valid rules:

128.10.10.4:hits>1000: Limit that IP after 1000 calls*
HITS>10000: Limit any call after 10000 calls, regardless of what was called and who made the calls*
MyService:my_operation.count>150: Limit any call to my_operation after 150 calls, regardless of who made them*
MyService.count>100: Limit any call to MyService after 100 calls, regardless of the caller and the operation*

The new ones:
MyService:my_operation.SubjectGroup.count>500: Limit any call to my_operation after 500 calls made by a Subject Group*
MyService:my_operation.SubjectGroup.Subject.count>500: Limit any call to my_operation after 500 calls made by each Subject member of a Subject Group*

(*) The limiting action is taken according to the specified Effect action field.
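To make the grammar concrete, here is an added example (my own code for this post, not part of Turmeric) that parses rules in the syntax above and evaluates them against a snapshot of hit counters, then runs the example rules through it. Everything beyond the grammar itself is an assumption made for the example: the Expr/Rule classes, the layout of the counter keys, the SAMPLE_COUNTERS values, and the idea that the policy engine hands the evaluator the counters already resolved for the current caller's Subject Group and Subject.

```python
"""Parser and evaluator for the Turmeric rate-limiting rule grammar above.

Added example, not Turmeric's code.  Each expression kind of the grammar
(global_hits, subject_hits, count) gets its own regular expression; the
rule level (at most one '||' or '&&') is handled by a split.  Counter keys,
the Expr/Rule classes and SAMPLE_COUNTERS are assumptions for this example.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Terminals of the grammar: comparator, number, word and ip (range.range.range.range,
# where range = ['0'|'1'|'2'] [digit] digit).
COMPARATOR = r"(?P<cmp><=|=<|>=|=>|==|<|>)"
NUMBER = r"(?P<num>\d+)"
WORD = r"[A-Za-z][A-Za-z0-9_-]*"
IP = r"(?:[0-2]?\d{1,2}\.){3}[0-2]?\d{1,2}"

# global_hits = 'HITS' opt-ws comparator opt-ws number
GLOBAL_HITS_RE = re.compile(rf"^HITS\s*{COMPARATOR}\s*{NUMBER}$")
# subject_hits = subject ':hits' opt-ws comparator opt-ws number
SUBJECT_HITS_RE = re.compile(rf"^(?P<subject>{IP}|{WORD}):hits\s*{COMPARATOR}\s*{NUMBER}$")
# count = service [':' operation ['.SubjectGroup' ['.Subject']]] '.count' opt-ws comparator opt-ws number
COUNT_RE = re.compile(
    rf"^(?P<service>{WORD})(?::(?P<operation>{WORD})(?P<scope>\.SubjectGroup(?:\.Subject)?)?)?"
    rf"\.count\s*{COMPARATOR}\s*{NUMBER}$"
)

# '=<' and '=>' are accepted by the grammar as spellings of '<=' and '>='.
_OPS = {
    "<": lambda a, b: a < b,
    ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b, "=<": lambda a, b: a <= b,
    ">=": lambda a, b: a >= b, "=>": lambda a, b: a >= b,
    "==": lambda a, b: a == b,
}


@dataclass(frozen=True)
class Expr:
    key: tuple        # which counter the expression reads (assumed key layout, see below)
    comparator: str
    threshold: int

    def holds(self, counters: dict) -> bool:
        # A counter that was never incremented reads as 0.
        return _OPS[self.comparator](counters.get(self.key, 0), self.threshold)


@dataclass(frozen=True)
class Rule:
    left: Expr
    op: Optional[str] = None       # '||', '&&' or None for a single expression
    right: Optional[Expr] = None

    def holds(self, counters: dict) -> bool:
        if self.op is None:
            return self.left.holds(counters)
        lhs, rhs = self.left.holds(counters), self.right.holds(counters)
        return (lhs or rhs) if self.op == "||" else (lhs and rhs)


def parse_expression(text: str) -> Expr:
    text = text.strip()   # opt-ws around the expression
    m = GLOBAL_HITS_RE.match(text)
    if m:
        return Expr(("HITS",), m["cmp"], int(m["num"]))
    m = SUBJECT_HITS_RE.match(text)
    if m:
        return Expr(("subject", m["subject"]), m["cmp"], int(m["num"]))
    m = COUNT_RE.match(text)
    if m:
        scope = (m["scope"] or "").lstrip(".")   # '', 'SubjectGroup' or 'SubjectGroup.Subject'
        return Expr(("count", m["service"], m["operation"], scope), m["cmp"], int(m["num"]))
    raise ValueError(f"not a valid rate-limit expression: {text!r}")


def parse_rule(text: str) -> Rule:
    parts = re.split(r"(\|\||&&)", text)   # keeps the operator as its own element
    if len(parts) == 1:
        return Rule(parse_expression(parts[0]))
    if len(parts) == 3:
        return Rule(parse_expression(parts[0]), parts[1], parse_expression(parts[2]))
    raise ValueError("the grammar allows at most one '||' or '&&' per rule")


def is_valid_rule(text: str) -> bool:
    try:
        parse_rule(text)
        return True
    except ValueError:
        return False


# Constructed counter snapshot for one incoming request.  Assumption: the engine
# has already resolved the SubjectGroup / Subject counters for the current caller.
SAMPLE_COUNTERS = {
    ("HITS",): 9_500,
    ("subject", "128.10.10.4"): 1_200,
    ("count", "MyService", None, ""): 80,
    ("count", "MyService", "my_operation", ""): 151,
    ("count", "MyService", "my_operation", "SubjectGroup"): 499,
    ("count", "MyService", "my_operation", "SubjectGroup.Subject"): 12,
}


def should_limit(rule_text: str, counters: dict = SAMPLE_COUNTERS) -> bool:
    """True when the rule's condition holds, i.e. the Effect action should be applied."""
    return parse_rule(rule_text).holds(counters)


if __name__ == "__main__":
    for rule in ["128.10.10.4:hits>1000", "HITS>10000", "MyService:my_operation.count>150",
                 "MyService.count>100", "MyService:my_operation.SubjectGroup.count>500",
                 "MyService:my_operation.SubjectGroup.Subject.count>500",
                 "HITS>10000 || MyService.count=>80"]:
        print(f"{rule:55} -> limit={should_limit(rule)}")
```

Because the grammar keeps `||` and `&&` outside every expression and permits only one of them, a split on the operator followed by a per-expression match is enough; a rule with two operators is rejected as the grammar requires, and any text that matches none of the three expression shapes is rejected too, rather than being silently treated as "never limit".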

Don't forget that Subject and SubjectGroup must be targets in the RL Policy definition. (For more information, refer to the Turmeric 1.0.0 wiki.)

c u  soon….
