Re: [xacml-comment] A002

[Anne Anderson - Sun Microsystems <Anne.Anderson@Sun.COM>]

"John Merrells" <merrells@jiffysoftware.com> wrote:

>The test special instructions state that it is the PDP that is 
>responsible for fetching
>the attribute, but your comments above suggests that it is the 
>responsibiliy of the
>context handler to fetch the attribute and supply it to the PDP.

I should be more precise in my test special instructions.  I was using the
term "PDP" for the entire "PDP side" of the access control system, including
the Context Handler.

In 7.9.2, the PDP is the XACML Evaluation Engine.

The "PDP side" of an access control system will necessarily have other
functional components: 
 o for receiving, possibly translating, and parsing requests from the PEP,
 o for fetching policies from repositories, 
 o for fetching attributes from the Request Context and from repositories, 
 o for constructing and possibly translating a Response into the PEP's format,
 o for transmitting the Response back to the PEP
 o for logging actions
 o ...

We have not named the functional component that retrieves policies from
external repositories or on-line PAPs, but such a component is implied by
the semantics of the PolicyIdReference and PolicySetIdReference elements.

In our model, the Context Handler is the functional component that handles
any translation between the PEP's request format and an internal representation
consistent with a Request Context, fetches attributes from the Request Context
(or from an internal representation consistent with a Request Context)
and from repositories, and handles any translation of the Response into the
PEP's expected format.

The "signature" of the interface between the PDP and the Context Handler
module has two inputs: an AttributeDescriptor or AttributeSelector, and a Boolean
"MustBePresent" value.  The output from the Context Handler to the PDP is
either a bag of values or "Indeterminate" (in the case where an empty bag
resulted, but "MustBePresent" is true).  "Indeterminate" would also be returned if
there were a network error in attempting to contact a configured repository, or
some other system error.

As the XACML PDP evaluates a policy, it will encounter various AttributeDescriptors
and AttributeSelectors.  Each time the PDP encounters one, it passes the information in that 
descriptor or selector to the Context Handler.  The Context Handler searches for
a match among the attribute objects it has parsed out of the Request Context
received from the PEP.  If the requested attribute is not there, then the Context
Handler queries its configured attribute sources (LDAP directory, SAML attribute assertion
repository, file of attributes, on-line AA, etc.) for a matching attribute, passing the
AttributeId, Issuer, etc., and the values of any corresponding subject-id, resource-id, or action-id
attributes (as appropriate to the type of descriptor).  If there is no attribute 
available from the configured attribute sources, then the Context Handler returns 
either an empty bag or "Indeterminate" to the XACML PDP, depending on the value
of the "MustBePresent" input.  If the "MustBePresent" value is true, then the Context 
Handler returns "Indeterminate".  If the "MustBePresent" attribute is false, then the 
Context Handler returns an empty bag.

In the context of a Condition, the XACML PDP passes the returned value to the enclosing
function.  Most, if not all, standard XACML functions return "Indeterminate" if one of 
the inputs is "Indeterminate", but extension functions might not.  It is up to the definition
of the function.  Similarly, if the resulting function does not take a bag as its input,
but a bag is passed to it, then standard functions return "Indeterminate", but extension
functions might not.

In the context of a Target, the XACML PDP either passes the "Indeterminate" result to the
enclosing function, or else passes one element at a time from the
bag result to the enclosing function.  Again, the result depends on the definition
of the enclosing MatchId function.

>But, how does a context handler know which attributes are going to be needed
>by the PDP... it'd have to either send everything it has access to in 
>the PIP... or
>do what the PDP would do in order to find out what the PDP is going to need.

The XACML PDP queries the Context Handler for an attribute each
time it needs one in the process of evaluating a policy.

>So, therefore only the PDP knows which attributes are not available to 
>it within
>the request context, so it must issue the request for the attribute, but 
>the spec
>(7.9.2) specifically says that in this case the PDP returns Indeterminate.

It does not say this.  It says the value of the "MustBePresent" attribute
determines whether the result of not finding a requested attribute is
an empty bag of "Indeterminate".  The default is to return an empty bag.

>Does anyone have a PDP that passes A002?

I expect that A002 and the two E tests (which require fetching policies and
policy sets from external sources) will probably be the most difficult to
implement, but the functionality is very important to achieving the goals of
XACML.  We wanted Policy writers to be able to write policies without worrying
about who supplies which attributes, when, and from where.  Some attributes may
be supplied by the PEP, but others may need to be retrieved from external sources
by the PDP side of the access control system.  In some systems, attributes will be
stored as X.509 Attribute Certificates; in other systems, attributes will be
stored as SAML attribute assertions.  In some systems, attributes will be stored
in an LDAP directory; in other systems, attributes may be stored in a database.  
In some systems, a PEP is capable of retrieving attributes, but in others the PEP 
is a relatively dumb beast.  A given policy should work with all these types of
systems, assuming the Context Handler has been configured appropriately.

Anne
------
Anne Anderson          Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
Burlington, MA         781-442-0928