[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Subject: Re: [xacml-comment] A002
"John Merrells" <merrells@jiffysoftware.com> wrote: >The test special instructions state that it is the PDP that is >responsible for fetching >the attribute, but your comments above suggests that it is the >responsibiliy of the >context handler to fetch the attribute and supply it to the PDP. I should be more precise in my test special instructions. I was using the term "PDP" for the entire "PDP side" of the access control system, including the Context Handler. In 7.9.2, the PDP is the XACML Evaluation Engine. The "PDP side" of an access control system will necessarily have other functional components: o for receiving, possibly translating, and parsing requests from the PEP, o for fetching policies from repositories, o for fetching attributes from the Request Context and from repositories, o for constructing and possibly translating a Response into the PEP's format, o for transmitting the Response back to the PEP o for logging actions o ... We have not named the functional component that retrieves policies from external repositories or on-line PAPs, but such a component is implied by the semantics of the PolicyIdReference and PolicySetIdReference elements. In our model, the Context Handler is the functional component that handles any translation between the PEP's request format and an internal representation consistent with a Request Context, fetches attributes from the Request Context (or from an internal representation consistent with a Request Context) and from repositories, and handles any translation of the Response into the PEP's expected format. The "signature" of the interface between the PDP and the Context Handler module has two inputs: an AttributeDescriptor or AttributeSelector, and a Boolean "MustBePresent" value. The output from the Context Handler to the PDP is either a bag of values or "Indeterminate" (in the case where an empty bag resulted, but "MustBePresent" is true). "Indeterminate" would also be returned if there were a network error in attempting to contact a configured repository, or some other system error. As the XACML PDP evaluates a policy, it will encounter various AttributeDescriptors and AttributeSelectors. Each time the PDP encounters one, it passes the information in that descriptor or selector to the Context Handler. The Context Handler searches for a match among the attribute objects it has parsed out of the Request Context received from the PEP. If the requested attribute is not there, then the Context Handler queries its configured attribute sources (LDAP directory, SAML attribute assertion repository, file of attributes, on-line AA, etc.) for a matching attribute, passing the AttributeId, Issuer, etc., and the values of any corresponding subject-id, resource-id, or action-id attributes (as appropriate to the type of descriptor). If there is no attribute available from the configured attribute sources, then the Context Handler returns either an empty bag or "Indeterminate" to the XACML PDP, depending on the value of the "MustBePresent" input. If the "MustBePresent" value is true, then the Context Handler returns "Indeterminate". If the "MustBePresent" attribute is false, then the Context Handler returns an empty bag. In the context of a Condition, the XACML PDP passes the returned value to the enclosing function. Most, if not all, standard XACML functions return "Indeterminate" if one of the inputs is "Indeterminate", but extension functions might not. It is up to the definition of the function. Similarly, if the resulting function does not take a bag as its input, but a bag is passed to it, then standard functions return "Indeterminate", but extension functions might not. In the context of a Target, the XACML PDP either passes the "Indeterminate" result to the enclosing function, or else passes one element at a time from the bag result to the enclosing function. Again, the result depends on the definition of the enclosing MatchId function. >But, how does a context handler know which attributes are going to be needed >by the PDP... it'd have to either send everything it has access to in >the PIP... or >do what the PDP would do in order to find out what the PDP is going to need. The XACML PDP queries the Context Handler for an attribute each time it needs one in the process of evaluating a policy. >So, therefore only the PDP knows which attributes are not available to >it within >the request context, so it must issue the request for the attribute, but >the spec >(7.9.2) specifically says that in this case the PDP returns Indeterminate. It does not say this. It says the value of the "MustBePresent" attribute determines whether the result of not finding a requested attribute is an empty bag of "Indeterminate". The default is to return an empty bag. >Does anyone have a PDP that passes A002? I expect that A002 and the two E tests (which require fetching policies and policy sets from external sources) will probably be the most difficult to implement, but the functionality is very important to achieving the goals of XACML. We wanted Policy writers to be able to write policies without worrying about who supplies which attributes, when, and from where. Some attributes may be supplied by the PEP, but others may need to be retrieved from external sources by the PDP side of the access control system. In some systems, attributes will be stored as X.509 Attribute Certificates; in other systems, attributes will be stored as SAML attribute assertions. In some systems, attributes will be stored in an LDAP directory; in other systems, attributes may be stored in a database. In some systems, a PEP is capable of retrieving attributes, but in others the PEP is a relatively dumb beast. A given policy should work with all these types of systems, assuming the Context Handler has been configured appropriately. Anne ------ Anne Anderson Anne.Anderson@Sun.COM Sun Microsystems Laboratories Burlington, MA 781-442-0928
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]
Powered by eList eXpress LLC