OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: RE: [xacml] proposal for #27


All - There is sufficient information here for me to incorporate the change
into an upcoming draft of v2.0.  However, I will wait until the committee
has approved Seth's proposal.  All the best.  Tim.

-----Original Message-----
From: Seth Proctor [mailto:Seth.Proctor@Sun.COM] 
Sent: Monday, December 22, 2003 3:56 PM
To: xacml@lists.oasis-open.org
Subject: [xacml] proposal for #27



Work Item 27 proposes a version string for policies, such that revised
policies can be recognized in a standard way. This will also allow policy
references to specify version constraints, which is especially important if
the referenced policy may change in ways that the referencing policy can't
handle. In brief, the new features are:

  1. Define a new type that describes a dotted version string (eg 1.2.3),
     and a couple of very simple regular expression characters to match
     these version strings: * for a single value, and + for any trailing
     values. For example, both 2.*.4 and 2.+ match 2.3.4. I think that
     using a full-blown regexp syntax is overkill and will make this less
     useful, but since there is already a requirement in XACML to support
     pattern matching, I'm willing to discuss this issue.

  2. Include a new XML attribute in Policy and PolicySet that uses the
     new version type to optionally declare the policy's version. If not
     included, then the version is defined to be "1.0".

  3. Include three new (optional) XML attributes in PolicyIdReference and
     PolicySetIdReference. One attribute defines a single version string
     (or regular expression) that matches a required version or set of
     versions. The other two attributes decribe the earliest and latest
     acceptable versions (or regular expressions). Any combination of
     these attributes may be used. If none of the three is included, then
     any version is acceptable (this is like using "+" in all three
     attributes). In all cases, the most recent version available should 

     be used.

If none of the attributes from items 2 and 3 is used, then policies and
references look and act exactly as they do in 1.0/1.1. I think that this is
the right way to go.

The schema changes might look something like this (note that I haven't run
these through a schema checker, but I think they're about right):

   <xs:element name="PolicySetIdReference" type="xacml:IdReferenceType"/>
   <xs:element name="PolicyIdReference" type="xacml:IdReferenceType"/>
   <xs:complexType name="IdReferenceType">
     <xs:simpleContent>
       <xs:extension base="xs:anyURI">
         <xs:attribute name="Version" type="VersionMatchType"
                       use="optional"/>
         <xs:attribute name="EarliestVersion" type="VersionMatchType"
                       use="optional"/>
         <xs:attribute name="LatestVersion" type="VersionMatchType"
                       use="optional"/>
       </xs:extension>
     </xs:simpleContent>
   </xs:complexType>


   <xs:complexType name="PolicyType">
   ...
     <xs:attribute name="Version" type="VersionType" use="optional"
                   default="1.0"/>
   ...


   <xs:complexType name="PolicySetType">
   ...
     <xs:attribute name="Version" type="VersionType" use="optional"
                   default="1.0"/>
   ...


   <xs:simpleType name="VersionType">
     <xs:restriction base="xs:string">
       <xs:pattern value="(\d+\.)*\d+"/>
     </xs:restriction>
   </xs:simpleType>

   <xs:simpleType name="VersionMatchType">
     <xs:restriction base="xs:string">
       <xs:pattern value="((\d+|\*)\.)*(\d+|\*|\+)"/>
     </xs:restriction>
   </xs:simpleType>


Given this, there is a very simple system for defining the revision number
of a policy, and for ensuring that you're referencing an acceptable version
(if needed). This is also very useful for policy writers and management
tools. Comparison is done using simple equality and greater-than/less-than,
and the regular expressions are fairly trivial to use. Thoughts?

Note that this intentionally doesn't say anything about how policies are 
retrieved. As with the current mechanisms, the version tags can be used 
as hints in indexing policies or in deciding which policies to fetch, 
but only one policy may be presented for evaluation. Also, while it's 
probably best to present the most recent version of a policy, a custom 
retriever may decide to use some other heuristic (eg, the oldest one) 
that makes sense in a given environment.


seth


ps  I'll be (mostly) on vacation until the new year, though I'll try to 
keep up with my email for the next week. Happy holidays all!


To unsubscribe from this mailing list (and be removed from the roster of the
OASIS TC), go to
http://www.oasis-open.org/apps/org/workgroup/xacml/members/leave_workgroup.p
hp.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]