Subject: Re: [xacml] Mon 29th concall - URGENT
I will not be able to join the confcall today because of schedule conflicts. Since I had little time to update the current proposal, I just attach below the same document I sent the other day, and also attach the XACML Context schema and XACML Response Context schema without any modification from the discussion at the F2F in Milan.

Best regards,
Michiharu Kudo
IBM Tokyo Research Laboratory, Internet Technology
Tel. +81 (46) 215-4642  Fax +81 (46) 273-7428

===============================================================

Proposal Draft for XACML Context
April 23, 2002
Author: Michiharu Kudo

This proposal introduces an XACML Context that defines the input parameters to the XACML policy evaluation engine. A primary purpose of the XACML Context is to facilitate attribute expressions that refer to input parameters of XACML.

1. Issues

When the XACML policy evaluation processor tries to retrieve values specified in a SAML Request, it potentially causes the following problems:
- A policy writer needs to add a couple of pieces of information that may not be included in the SAML Request, e.g. the distinction between subject attributes and resource attributes.
- The XACML policy specification greatly depends on SAML Request syntax and semantics that may be updated from time to time.
- Since several assertion specification formats/syntaxes/semantics have been proposed/deployed, a SAML-dependent XACML policy specification may reduce the applicability of the XACML policy specification.

2. XACML Context

We introduce the notion of an XACML Context that functions as an intermediate, assertion-neutral input data structure. The XACML Context is represented by an XML document (logically; it is not necessarily a physical XML instance but a hypothetical XML document) that contains enough information for the XACML processor, such as subject attributes (e.g. role of the requesting principal), resource attributes (e.g. size of the resource), and miscellaneous attributes (e.g. current time).
While we assume that all the input to the XACML Context is retrieved from the corresponding SAML Request, there is a case where the PDP supplies a set of attribute type-value pairs for subjects and resources. It depends on the configuration of the PDP.

2.1 Merits

- The XACML policy specification becomes simpler with respect to attribute references and their expression.
- XPath computation is done only once, when the transformation from the original access request to the XACML Context is performed.
- The XACML processor does not have to compute XPath expressions on the target XML resource, which might cause a performance bottleneck, particularly when the target XML is huge.
- When the target resource is XML, the XACML policy does not have to be aware of the difference between a remote XML instance (referred to by URI) and a local XML instance embedded in the original access request.

2.2 Proposal

1. The XACML policyStatement (and/or policySetStatement) specifies an optional <transforms> element that defines the syntax and the semantics of the XACML Context.
2. <transforms> is described using XSLT syntax.
3. When the <transforms> element is specified in <policyStatement>, the PDP performs a set of transformations against the SAML Request (if the access request is represented in SAML) and the requested XML target resource (if the target is an XML resource).
4. Once the transformation is performed, the input to the XACML processor, including the access request and relevant information, is specified as a potentially simple XML document whose element names are easily referred to by simple XPath expressions (e.g. /context/subject/NameIdentifier) in both the <target> section and the <condition> section.
5. Through the face-to-face discussion by TC members, we decided to define an XML schema for the XACML Context.

The following figure shows the data flow of the XACML Context-based architecture.
(refer to the pdf or word file)

============================================================

XACML Context Schema (temporary result from the F2F discussion, may not be valid)

<?xml version="1.0" encoding="UTF-8"?>
<!-- The unprefixed schema elements need the XSD namespace as the default
     namespace (the draft declared only the xs: prefix). The xacml: prefix is
     used throughout but the draft gives no namespace URI for it, so a labelled
     placeholder is used here. -->
<schema xmlns="http://www.w3.org/2001/XMLSchema"
        xmlns:xacml="urn:PLACEHOLDER:xacml-context-namespace"
        targetNamespace="urn:PLACEHOLDER:xacml-context-namespace"
        elementFormDefault="unqualified" attributeFormDefault="unqualified">

  <!-- Referenced below but not yet declared in this draft: PrincipalSpecifier,
       ActionSpecifier, Parameter, AuthenticationStatement,
       AuthorizationDecisionStatement, AttributeStatement, and the SAML
       elements NameIdentifier and SubjectConfirmation. -->

  <complexType name="ContextType">
    <sequence>
      <element ref="xacml:ContextPrincipal"/>
      <element ref="xacml:ContextResource"/>
      <element ref="xacml:ContextAction"/>
      <element ref="xacml:ContextRequestParameters"/>
      <element ref="xacml:ContextOther"/>
    </sequence>
  </complexType>

  <element name="ContextPrincipal" type="xacml:ContextPrincipalType"/>
  <complexType name="ContextPrincipalType">
    <sequence>
      <element ref="xacml:PrincipalSpecifier" minOccurs="1" maxOccurs="unbounded"/>
      <element ref="xacml:Assertion" minOccurs="0" maxOccurs="unbounded"/>
    </sequence>
  </complexType>

  <complexType name="PrincipalSpecifierAbstractType" abstract="true"/>

  <element name="SimplePrincipalSpecifier" type="xacml:SimplePrincipalSpecifierType"/>
  <complexType name="SimplePrincipalSpecifierType">
    <complexContent>
      <extension base="xacml:PrincipalSpecifierAbstractType">
        <choice>
          <sequence>
            <element ref="NameIdentifier"/>
            <element ref="SubjectConfirmation" minOccurs="0"/>
          </sequence>
          <element ref="SubjectConfirmation"/>
        </choice>
      </extension>
    </complexContent>
  </complexType>

  <element name="ContextResource" type="xacml:ContextResourceType"/>
  <complexType name="ContextResourceType">
    <sequence>
      <element ref="xacml:ResourceSpecifier"/>
      <element ref="xacml:Assertion" minOccurs="0" maxOccurs="unbounded"/>
    </sequence>
  </complexType>

  <element name="ResourceSpecifier" type="xacml:ResourceSpecifierType"/>
  <complexType name="ResourceSpecifierType">
    <sequence>
      <element ref="xacml:Content" minOccurs="0"/>
    </sequence>
    <attribute name="uri" type="anyURI" use="optional"/>
  </complexType>

  <element name="Content" type="anyType"/>

  <element name="ContextAction" type="xacml:ContextActionType"/>
  <complexType name="ContextActionType">
    <sequence>
      <element ref="xacml:ActionSpecifier"/>
    </sequence>
  </complexType>

  <element name="ContextRequestParameters" type="xacml:ContextRequestParametersType"/>
  <complexType name="ContextRequestParametersType">
    <sequence>
      <element ref="xacml:Parameter" minOccurs="0" maxOccurs="unbounded"/>
    </sequence>
  </complexType>

  <element name="ContextOther" type="xacml:ContextOtherType"/>
  <complexType name="ContextOtherType">
    <sequence>
      <element ref="xacml:Assertion" minOccurs="0" maxOccurs="unbounded"/>
    </sequence>
  </complexType>

  <element name="Assertion" type="xacml:AssertionType"/>
  <complexType name="AssertionType">
    <sequence>
      <choice maxOccurs="unbounded">
        <element ref="xacml:AuthenticationStatement"/>
        <element ref="xacml:AuthorizationDecisionStatement"/>
        <element ref="xacml:AttributeStatement"/>
      </choice>
    </sequence>
    <attribute name="Issuer" type="string" use="required"/>
    <attribute name="IssueInstant" type="dateTime" use="optional"/>
  </complexType>

  <complexType name="AbstractStatementType" abstract="true">
    <sequence>
      <element ref="xacml:AssnSubject" minOccurs="0" maxOccurs="1"/>
    </sequence>
  </complexType>

  <element name="AssnSubject" type="xacml:AssnSubjectType"/>
  <!-- Draft: content model of AssnSubjectType not yet defined. -->
  <complexType name="AssnSubjectType">
  </complexType>

  <!-- Draft: the F2F left this complexContent empty; the base type and
       derivation still have to be chosen. -->
  <complexType name="AuthenticationStatementType">
    <complexContent>
    </complexContent>
  </complexType>

</schema>

============================================================

XACML Response Context Schema (temporary result from the F2F discussion, may not be valid!)
<?xml version="1.0" encoding="UTF-8"?>
<!-- As in the Context schema: XSD as the default namespace, and a labelled
     placeholder for the xacml namespace URI, which the draft does not give. -->
<schema xmlns="http://www.w3.org/2001/XMLSchema"
        xmlns:xacml="urn:PLACEHOLDER:xacml-context-namespace"
        targetNamespace="urn:PLACEHOLDER:xacml-context-namespace"
        elementFormDefault="unqualified" attributeFormDefault="unqualified">

  <!-- Referenced below but not yet declared in this draft: Parameter. -->

  <element name="ResponseContext" type="xacml:ResponseContextType"/>
  <complexType name="ResponseContextType">
    <sequence>
      <element ref="xacml:Decision" minOccurs="1" maxOccurs="1"/>
    </sequence>
  </complexType>

  <element name="Decision" type="xacml:DecisionType"/>
  <element name="Permit" type="xacml:EffectDecisionType"/>
  <element name="Deny" type="xacml:EffectDecisionType"/>
  <element name="Indeterminate" type="xacml:IndeterminateDecisionType"/>

  <complexType name="DecisionType" abstract="true"/>

  <complexType name="EffectDecisionType">
    <complexContent>
      <extension base="xacml:DecisionType">
        <sequence>
          <element ref="xacml:Obligations"/>
        </sequence>
      </extension>
    </complexContent>
  </complexType>

  <complexType name="IndeterminateDecisionType">
    <complexContent>
      <extension base="xacml:DecisionType">
        <sequence>
          <element ref="xacml:Advice"/>
        </sequence>
      </extension>
    </complexContent>
  </complexType>

  <element name="Obligations" type="xacml:ObligationsType"/>
  <complexType name="ObligationsType">
    <sequence>
      <element ref="xacml:Obligation" minOccurs="0" maxOccurs="unbounded"/>
    </sequence>
  </complexType>

  <element name="Obligation" type="xacml:ObligationType"/>
  <complexType name="ObligationType">
    <sequence>
      <element ref="xacml:Parameter" minOccurs="0" maxOccurs="unbounded"/>
    </sequence>
    <attribute name="uri" type="anyURI"/>
  </complexType>

  <element name="Advice" type="xacml:AdviceType"/>
  <complexType name="AdviceType">
    <!-- ..... (content model not yet defined in the draft) -->
  </complexType>

</schema>

----------------------------------------------------------------

ernesto damiani <edamiani@crema.unimi.it>
2002/04/29 18:28
Please respond to ernesto damiani

To: Anne.Anderson@Sun.com, XACML TC <xacml@lists.oasis-open.org>
cc:
Subject: [xacml] Mon 29th concall - URGENT

Dear all,

I hope you all had a safe trip back and carry not-too-bad memories of your stay in Italy. As was decided at the F2F, the agenda for today's concall will be:

1. Discussing and hopefully approving Michiharu's (and Simon's) proposal for XACML context that was sent to the list a couple of days ago. Tim's comments would be useful here.

2. As a possible second point, I would also like to remind you that we still do not have a description of our activity on the Web; Michiharu asked for one. Here is my proposal:

"The Schema subcommittee is aimed at:
1. developing the XACML access control model into an XML Schema (and its associated namespace) expressing normative XACML 1.0 syntax;
2. providing examples of policies written in XACML based on real-world use cases;
3. providing general, non-normative guidelines for implementation and conformance tests."

Anyway, points two and three could be deleted if you believe we already have our hands full at the moment.

IMPORTANT: I had a sudden health problem (nothing serious, a terrible toothache, and my face is half swollen). I am waiting for a call from my dentist telling me when I can go, and if it is during concall hours I won't be able to attend. Sorry..
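The data flow of the proposal (section 2.2: transform the incoming request once into an XACML Context, then let the policy refer to the Context alone with simple XPath expressions, and answer with a ResponseContext) as an added, runnable example. This is illustration code written for this page, not code from the proposal, the draft schemas or the XACML TC. The transformation step is XSLT in the proposal; here it is plain Python so the example needs only the standard library. The request format, the element layout (which follows the F2F Context draft only loosely), the policy, the deny-overrides combining rule, the namespace-free element names and the value urn:example:records/patient-42 are all constructed assumptions.

```python
"""Toy PDP following the data flow of the XACML Context proposal.

Added example, not code from the proposal or the XACML TC. The transformer
is the only component that knows the request syntax; rules see the Context
only, so the XPath work is done once, on the Context, never on the request.
"""
import xml.etree.ElementTree as ET

# Constructed sample request, loosely modelled on a SAML Request (not the
# SAML 1.0 schema). Only transform_to_context() ever reads this syntax.
SAMPLE_REQUEST = """<Request>
  <Subject>
    <NameIdentifier>alice@example.org</NameIdentifier>
    <Attribute Name="role">doctor</Attribute>
  </Subject>
  <Resource uri="urn:example:records/patient-42"/>
  <Action>read</Action>
</Request>"""

# Constructed policy: (effect, conditions). Each condition is an XPath
# relative to the Context root plus the text the selected node must carry
# (None = the node must merely exist). Paths are relative because
# ElementTree's find() does not accept absolute paths.
ROLE = "ContextPrincipal/Assertion/AttributeStatement/Attribute[@Name='role']"
POLICY = [
    ("Deny", [("ContextResource/ResourceSpecifier[@uri='urn:example:records/patient-42']", None),
              (ROLE, "intern")]),
    ("Permit", [("ContextAction/ActionSpecifier", "read"), (ROLE, "doctor")]),
]


def transform_to_context(request_xml: str) -> ET.Element:
    """Build the XACML Context once from the request.

    Fails closed: a request lacking a required part raises instead of
    yielding a Context with gaps that rules would silently fail to match.
    """
    req = ET.fromstring(request_xml)
    name = req.findtext("Subject/NameIdentifier")
    resource = req.find("Resource")
    action = req.findtext("Action")
    if not name or resource is None or resource.get("uri") is None or not action:
        raise ValueError("request lacks subject name, resource uri or action")
    ctx = ET.Element("Context")
    principal = ET.SubElement(ctx, "ContextPrincipal")
    spec = ET.SubElement(principal, "SimplePrincipalSpecifier")
    ET.SubElement(spec, "NameIdentifier").text = name
    # Subject attributes travel as an AttributeStatement inside an Assertion,
    # as in the draft ContextPrincipalType (Issuer value is constructed).
    assertion = ET.SubElement(principal, "Assertion", Issuer="urn:example:transformer")
    stmt = ET.SubElement(assertion, "AttributeStatement")
    for attr in req.findall("Subject/Attribute"):
        ET.SubElement(stmt, "Attribute", Name=attr.get("Name", "")).text = attr.text or ""
    res = ET.SubElement(ctx, "ContextResource")
    ET.SubElement(res, "ResourceSpecifier", uri=resource.get("uri"))
    act = ET.SubElement(ctx, "ContextAction")
    ET.SubElement(act, "ActionSpecifier").text = action
    return ctx


def rule_applies(ctx: ET.Element, conditions) -> bool:
    """Every condition of a rule must select a node carrying the expected text."""
    for path, expected in conditions:
        node = ctx.find(path)  # ElementTree's limited XPath subset suffices here
        if node is None:
            return False
        if expected is not None and (node.text or "").strip() != expected:
            return False
    return True


def decide(request_xml: str, policy=POLICY) -> str:
    """Transform once, evaluate every rule against the Context, combine.

    Combining is deny-overrides (an example choice). When no rule applies the
    draft ResponseContext offers only Permit/Deny/Indeterminate, so that case
    is reported as Indeterminate here.
    """
    ctx = transform_to_context(request_xml)
    effects = {effect for effect, conds in policy if rule_applies(ctx, conds)}
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "Indeterminate"


def build_response(decision: str) -> str:
    """Serialise a ResponseContext shaped like the F2F draft response schema."""
    resp = ET.Element("ResponseContext")
    node = ET.SubElement(ET.SubElement(resp, "Decision"), decision)
    if decision == "Indeterminate":
        ET.SubElement(node, "Advice").text = "no applicable rule"
    else:
        ET.SubElement(node, "Obligations")  # empty: this toy policy carries none
    return ET.tostring(resp, encoding="unicode")


if __name__ == "__main__":
    print(build_response(decide(SAMPLE_REQUEST)))
```

Swapping the request format (another assertion language, or attributes supplied by the PDP configuration as section 2 allows) only changes transform_to_context(); POLICY and decide() are untouched, which is the decoupling the proposal argues for. The fail-closed check in the transformer matters for the same reason: a missing subject or resource must surface as an error, not as a Context on which a Deny rule quietly fails to match.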