ETSI TR 118 516 V2.0.0 (2016-09)

oneM2M; Study of Authorization Architecture for Supporting Heterogeneous Access Control Policies (oneM2M TR-0016 version 2.0.0)

TECHNICAL REPORT

Reference: DTR/oneM2M-000016
Keywords: authorization, IoT, M2M

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00   Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Non-profit association registered at the Sous-Préfecture de Grasse (06) N° 7803/88

Important notice

The present document can be downloaded from: http://www.etsi.org/standards-search

The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.

Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx

If you find errors in the present document, please send your comment to one of the following services: https://portal.etsi.org/People/CommiteeSupportStaff.aspx

Copyright Notification

No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2016. All rights reserved.

DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPP™ and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association.

Contents

Intellectual Property Rights
Foreword
1 Scope
2 References
2.1 Normative references
2.2 Informative references
3 Definitions and abbreviations
3.1 Definitions
3.2 Abbreviations
4 Conventions
5 Overview of authorization system
5.1 High level authorization architecture
5.2 Generic authorization procedure
6 Detailed design of authorization architecture
6.1 Self-contained authorization
6.2 Distributed authorization
6.2.1 Distributed authorization use cases
6.2.1.1 M2M gateway make access control decisions on behalf of M2M devices
6.2.2 Proposal 1: Using resource-based approach to implement distributed authorization
6.2.2.1 Introduction
6.2.2.2 Resources
6.2.2.2.1 Resource type authorization
6.2.2.2.2 Resource type policyDecisionPoint
6.2.2.2.3 Resource type policyRetrievalPoint
6.2.2.2.4 Resource type policyInformationPoint
6.2.2.3 Procedures
6.2.2.3.1 Introduction
6.2.2.3.2 Create
6.2.2.3.3 Retrieve
6.2.2.3.4 Update
6.2.2.3.5 Delete
6.2.2.3.6 Retrieve
6.2.2.3.7 Retrieve
6.2.2.3.8 Retrieve
6.3 Message between authorization components
6.3.1 Proposal 1: Extending XACML and SAML for exchanging message between authorization components
6.3.1.1 Messages between PEP and PDP
6.3.1.1.1 Introduction of XACML element and element
6.3.1.1.2 Using XACML element
6.3.1.1.3 Using XACML element
6.3.1.2 Messages between PDP and PIP
6.3.1.2.1 Introduction of SAML
6.3.1.2.2 Using SAML element
6.3.1.2.3 Using SAML element
6.4 Implementing Role Based Access Control
6.4.1 Introduction of Role Based Access Control
6.4.2 General procedure of user-role assignment and role use
6.4.3 Solutions of implementing Role Based Access Control
6.4.3.1 Proposal 1: Solution of supporting Role Based Access Control
6.4.3.1.1 Role Based Access Control architecture
6.4.3.1.2 Role token structure
6.4.3.1.3 Resource type role
6.4.3.1.4 Role Based Access Control procedure without using role tokens
6.4.3.1.5 Role Based Access Control procedure using role tokens
6.5 Implementing Attribute Based Access Control
6.5.1 Introduction of Attribute Based Access Control
6.5.2 General procedure of Attribute Based Access Control
6.5.3 Solutions of implementing Attribute Based Access Control
7 Supporting user specified access control policies
7.1 Issues
7.2 Solutions
7.2.1 Proposal 1: Solution of supporting heterogeneous access control policies
7.2.1.1 Introduction
7.2.1.2 Redefined resource type accessControlPolicy
7.2.1.3 Generic procedure of evaluating heterogeneous access control policies
8 Investigating existing access control policy languages and proposals
8.1 Proposal 1: Using XACML
8.1.1 Introduction
8.1.2 Detailed descriptions
8.1.3 Evaluation
8.2 Evaluation of oneM2M access control rule
8.2.1 Introduction
8.2.2 Application scenario description
8.2.3 Access control rules and evaluation
8.2.4 Conclusion
8.3 Proposal of new access control rule format
8.3.1 Introduction
8.3.2 Rule format
8.3.2.1 Introduction
8.3.2.2 accessControlResources
8.3.2.3 permittedAttributes
8.3.2.4 permittedChildResources
8.3.3 Evaluation of the proposed oneM2M access control rule
8.3.4 Conclusion
9 Privacy protection architecture using Privacy Policy Manager (PPM)
9.1 Introduction
9.2 Relationship between components of PPM and oneM2M
9.3 Privacy Policy Management in oneM2M architecture
9.3.0 Introduction
9.3.1 Actor
9.3.2 Management flow in PPM architecture
9.3.2.1 Join to a M2M platform
9.3.2.2 Subscription to an ASPs service
9.3.2.3 Request for personal data to the M2M platform
10 Conclusions
Annex A: Bibliography
History

Intellectual Property Rights

IPRs essential or potentially essential to the present document may have been declared to
ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https://ipr.etsi.org/).

Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.

Foreword

This Technical Report (TR) has been produced by ETSI Partnership Project oneM2M (oneM2M).

1 Scope

The present document provides technical solutions for the oneM2M authorization architecture, authorization procedures and access control policies, and evaluates the proposed solutions. ETSI TS 118 103 [i.2] only defines a high level authorization architecture that describes its major components and a general authorization procedure. The objective of the present document is to provide candidate security solutions related to authorization architecture, authorization procedures and access control policies. The present document provides security solutions in the following three aspects:

- Detailed design of authorization architecture: this part investigates the interfaces among authorization components (e.g. procedures and parameters), how these components could be distributed across different oneM2M entities (i.e. different CSEs), and how to implement Role Based Access Control (RBAC) and token based access control.

- Supporting user specified access control policies: this part investigates how the oneM2M authorization system could be made extensible so that it supports user-defined access control mechanisms and/or access control policy languages.

- Investigating existing access control policy languages: this part investigates whether some standardized access control policy languages could become oneM2M recommended access control policy description languages.

2 References

2.1 Normative references

References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.

Referenced documents which are not found to be publicly available in the expected location might be found at https://docbox.etsi.org/Reference/.

NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity.

The following referenced documents are necessary for the application of the present document.

Not applicable.

2.2 Informative references

References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.

NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity.

The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area.

[i.1] ETSI TS 118 101: "oneM2M; Functional Architecture (oneM2M TS-0001)".
[i.2] ETSI TS 118 103: "oneM2M; Security Solutions (oneM2M TS-0003)".
[i.3] ANSI INCITS 359-2004: "American National Standard for Information Technology - Role Based Access Control", February 2004.
[i.4] NIST Special Publication 800-162: "Guide to Attribute Based Access Control (ABAC) Definition and Considerations".
[i.5] OASIS Standard: "eXtensible Access Control Markup Language (XACML)", Version 3.0, 22 January 2013.
[i.6] OASIS Standard: "Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML)", V2.0.
[i.7] oneM2M Drafting Rules.
NOTE: Available at http://www.onem2m.org/images/files/oneM2M-Drafting-Rules.pdf.
[i.8] ETSI TS 118 111: "oneM2M; Common Terminology (oneM2M TS-0011)".
[i.9] ETSI TR 118 501: "oneM2M; Use Case collection (oneM2M TR-0001)".

3 Definitions and abbreviations

3.1 Definitions

For the purposes of the present document, the terms and definitions given in ETSI TS 118 111 [i.8] apply.

3.2 Abbreviations

For the purposes of the present document, the abbreviations given in ETSI TS 118 111 [i.8] apply.

4 Conventions

The key words "Shall", "Shall not", "May", "Need not", "Should", "Should not" in the present document are to be interpreted as described in the oneM2M Drafting Rules [i.7].

5 Overview of authorization system

5.1 High level authorization architecture

Figure 5.1-1 provides
a high level overview of a generic authorization architecture. This architecture comprises four subcomponents, described as follows:

- Policy Enforcement Point (PEP): the PEP intercepts resource access requests, makes access control decision requests, and enforces access control decisions. The PEP coexists with the entity that needs authorization services.

- Policy Decision Point (PDP): the PDP interacts with the PRP and the PIP to obtain, respectively, the applicable authorization policies and the attributes needed to evaluate them, and then evaluates the access request against those policies to render an access control decision. The PDP is located in the Authorization service.

- Policy Retrieval Point (PRP): the PRP obtains the authorization policies applicable to an access control decision request. When several policies apply, their individual results have to be combined in order to reach a final access control decision. The PRP is located in the Authorization service.

- Policy Information Point (PIP): the PIP provides attributes that are needed to evaluate authorization policies, for example the IP address of the requester, the creation time of the resource, the current time, or location information of the requester. The PIP is located in the Authorization service.

The Authorization service may comprise any of the subcomponents PDP, PRP and/or PIP. This means that the subcomponents PEP, PRP, PDP and PIP could be distributed across different nodes; for example, the PEP is located in an ASN/MN and the PDP is located in the IN. Release 1 does not support placing the PRP and PIP on a different CSE from the PDP. The generic procedure described below is provided for information and to support further extensions; the authorization mechanisms of the current release are specified in ETSI TS 118 103 [i.2].

Figure 5.1-1: Overview of the authorization architecture

5.2 Generic authorization procedure

The generic authorization procedure is shown in figure 5.2-1.

Figure 5.2-1: Authorization Procedure

Step 001: Mutual authentication (pre-requisite).

Step 002: The Access Requester sends an Access Request to the PEP.

Step 003: The PEP builds an Access Control Decision Request from the requester's Access Request and sends it to the PDP.

Step 004: The PDP sends an Access Control Policy Request, generated from the Access Control Decision Request, to the PRP.

Step 005: The PRP finds all access control policies applicable to the access request and sends them back to the PDP. When multiple access control policies are involved, the PRP also provides a policy combination algorithm for combining the individual evaluation results into one final result.

Step 006: The PDP sends an Attribute Request to the PIP, if any attributes are needed to evaluate these access control policies.

Step 007: The PIP gets the requested attributes and sends them back to the PDP.

Step 008: The PDP evaluates the Access Request using the access control policies. When there are multiple applicable access control policies, the PDP calculates a final Access Control Decision using the policy combination algorithm.

Step 009: PD
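The four subcomponents of clause 5.1 and the step 001 to 008 exchange of clause 5.2, as an added worked example in Python. This is illustration code written for this page; it is not part of the present TR and not code from any oneM2M implementation. The policy fields (originators, operations, a resource prefix, an optional requester network and an optional hour-of-day window), the two combining algorithms (deny-overrides and permit-overrides, borrowed from XACML [i.5]), the fixed clock, and the sample policies and requests are all assumptions made for the example. The PDP fetches applicable policies from the PRP, pulls the requester IP address and current time from the PIP, and combines the per-policy results; the PEP lets a request through only on an explicit Permit.

```python
# Added worked example of the clause 5 PEP/PDP/PRP/PIP exchange. Not oneM2M or ETSI
# code: the policy fields, combining algorithms (XACML-style) and sample data are assumptions.
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple

@dataclass(frozen=True)
class AccessRequest:
    originator: str   # identity established by the mutual authentication of step 001
    operation: str    # oneM2M operation name, e.g. RETRIEVE
    resource: str     # target resource path
    source_ip: str    # observed by the PEP and forwarded as request context

@dataclass(frozen=True)
class Policy:
    policy_id: str
    resource_prefix: str                     # applies to resources below this path
    originators: frozenset
    operations: frozenset
    effect: str = "Permit"                   # "Permit" or "Deny"
    allowed_net: Optional[str] = None        # requester IP must lie in this network (via PIP)
    hours: Optional[Tuple[int, int]] = None  # inclusive hour-of-day window (via PIP)

def deny_overrides(results: List[str]) -> str:
    """Combining algorithm: any Deny wins, then any Permit, else NotApplicable."""
    return "Deny" if "Deny" in results else "Permit" if "Permit" in results else "NotApplicable"

def permit_overrides(results: List[str]) -> str:
    """Combining algorithm: any Permit wins, then any Deny, else NotApplicable."""
    return "Permit" if "Permit" in results else "Deny" if "Deny" in results else "NotApplicable"

class PRP:
    """Step 005: returns the applicable policies and the algorithm that combines their results."""
    def __init__(self, policies: List[Policy], combining: Callable[[List[str]], str]):
        self.policies, self.combining = list(policies), combining

    def applicable(self, req: AccessRequest) -> List[Policy]:
        return [p for p in self.policies if req.resource.startswith(p.resource_prefix)]

class PIP:
    """Steps 006/007: supplies attributes that are not carried in the request itself."""
    def __init__(self, clock: Callable[[], datetime]):
        self.clock = clock

    def attribute(self, name: str, req: AccessRequest):
        if name == "current_time":
            return self.clock()
        if name == "requester_ip":
            return ip_address(req.source_ip)
        raise KeyError(name)

class PDP:
    """Step 008: evaluates every applicable policy, then combines the results."""
    def __init__(self, prp: PRP, pip: PIP):
        self.prp, self.pip = prp, pip

    def evaluate(self, policy: Policy, req: AccessRequest) -> str:
        if req.originator not in policy.originators or req.operation not in policy.operations:
            return "NotApplicable"
        if policy.allowed_net is not None and \
                self.pip.attribute("requester_ip", req) not in ip_network(policy.allowed_net):
            return "NotApplicable"
        if policy.hours is not None and \
                not policy.hours[0] <= self.pip.attribute("current_time", req).hour <= policy.hours[1]:
            return "NotApplicable"
        return policy.effect

    def decide(self, req: AccessRequest) -> str:
        results = [self.evaluate(p, req) for p in self.prp.applicable(req)]  # steps 004 to 008
        return self.prp.combining(results)  # an empty result list combines to NotApplicable

class PEP:
    """Steps 002/003 and enforcement: only an explicit Permit lets the request through."""
    def __init__(self, pdp: PDP):
        self.pdp = pdp

    def allow(self, req: AccessRequest) -> bool:
        return self.pdp.decide(req) == "Permit"  # Deny and NotApplicable both fail closed

# Constructed sample policies: a gateway may read sensor resources from the local
# LAN during working hours; a revoked originator is denied under the whole CSE.
SAMPLE_POLICIES = [
    Policy("acp-1", "/CSE01/sensors", frozenset({"C-gateway"}), frozenset({"RETRIEVE"}),
           allowed_net="10.0.0.0/24", hours=(8, 18)),
    Policy("acp-2", "/CSE01", frozenset({"C-revoked"}), frozenset({"RETRIEVE", "UPDATE"}),
           effect="Deny"),
]

def build_pep(combining=deny_overrides, hour: int = 10, policies=SAMPLE_POLICIES) -> PEP:
    """Wires the four components together with a fixed clock so runs are deterministic."""
    return PEP(PDP(PRP(policies, combining), PIP(lambda: datetime(2016, 9, 1, hour))))

if __name__ == "__main__":
    req = AccessRequest("C-gateway", "RETRIEVE", "/CSE01/sensors/temp", "10.0.0.7")
    print(build_pep().allow(req), build_pep(hour=22).allow(req))
```

Two points of the example carry over to a real deployment. First, the PEP treats anything other than an explicit Permit (Deny, NotApplicable, an unreachable PDP) as a refusal, so a missing or misconfigured policy fails closed. Second, the combining algorithm is part of the PRP's answer, not a PEP setting: the same three policies yield Deny under deny-overrides and Permit under permit-overrides, which is why step 005 has the PRP deliver the algorithm together with the policies.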