I am using XACML 3.0. I just want to know what the best practices are for separating the PEP and PDP instances. I have three scenarios here; which one is best as per the cloud way of implementation?

  1. I have one instance of PEP which will communicate to multiple PDP instances.
  2. I have multiple PEP and multiple PDP instances which will communicate to each other.
  3. I have multiple PEP instances which will communicate to one PDP instance.

Solution

The typical deployment I see is one or more enforcement points (PEP) talking to a load balancer that sits in front of multiple PDPs that are all equally configured.

That's true of any version of XACML.

PDPs rarely communicate with each other, though you could imagine you'd have a PDP talking to another via a PIP connector.

--- EDIT --- Here's an architecture diagram:

[Figure: Load balancing the PDP]
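
An added example, not part of the original answer: a simulation of the deployment described above, in which a PEP sends requests through a round-robin load balancer to identically configured PDP replicas. The class and function names, the constructed policy, the simplified request dictionary (not the XACML request format) and the deny-on-failure PEP behaviour are assumptions of this example.

```python
import itertools

# Constructed policy shared by every replica (assumption for this example).
POLICY = {("doctor", "read", "medical-record"), ("nurse", "read", "schedule")}

class PDP:
    """Stateless decision point; replicas are interchangeable because they share POLICY."""
    def __init__(self, name, up=True):
        self.name, self.up = name, up

    def evaluate(self, request):
        if not self.up:
            raise ConnectionError(f"{self.name} unreachable")
        key = (request["subject_role"], request["action"], request["resource_type"])
        return "Permit" if key in POLICY else "NotApplicable"

class LoadBalancer:
    """Round-robin across replicas, moving on to the next one when a replica is down."""
    def __init__(self, pdps):
        self.pdps = pdps
        self._order = itertools.cycle(range(len(pdps)))

    def evaluate(self, request):
        for _ in range(len(self.pdps)):
            pdp = self.pdps[next(self._order)]
            try:
                return pdp.name, pdp.evaluate(request)
            except ConnectionError:
                continue
        raise ConnectionError("no PDP replica available")

def pep_allows(balancer, role, action, resource_type):
    """PEP that grants access only on an explicit Permit (deny on anything else)."""
    request = {"subject_role": role, "action": action, "resource_type": resource_type}
    try:
        _, decision = balancer.evaluate(request)
    except ConnectionError:
        return False  # no replica answered: fail closed
    return decision == "Permit"

def served_by(balancer, n):
    """Return which replica answered each of n identical requests."""
    req = {"subject_role": "doctor", "action": "read", "resource_type": "medical-record"}
    return [balancer.evaluate(req)[0] for _ in range(n)]

if __name__ == "__main__":
    lb = LoadBalancer([PDP("pdp-1"), PDP("pdp-2", up=False), PDP("pdp-3")])
    print(served_by(lb, 4))
    print(pep_allows(lb, "nurse", "read", "medical-record"))
```

Because every replica evaluates the same policy, the PEP gets the same decision regardless of which PDP the balancer picks, and an outage of all replicas results in denial rather than access.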

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow