Subject: Re: [xacml] Issue#39:number of policies to return is too large



Well, if you bring that up, it begs the question, "What if the client of 
the PAP (it is the PAP, not the PDP, right?) cannot handle all the 
policies that may be returned?"

How are you going to maintain state between the consecutive requests?
"Implementation dependent"? Is that fair? Then why have a standard?

For functionality, you are probably better off with a separate 
Request/Reply structure that handles the whole problem.

In CORBA systems, a pattern has developed for such things. We call them 
"iterators". (Java people should be familiar with these as well). However, 
we have the luxury of a request/reply protocol with object references to 
maintain state. Without explaining IDL, most people can get the idea.

     interface PAP
     {
        PolicyIterator getPolicies(PolicyCriteria crt);
     };

     interface PolicyIterator
     {
          long how_many();

          XACMLPolicyList get_next_n(long n)
               raises (NoneLeft,TooMany);

          void destroy();
     };

You are probably better off doing something along those lines in the XML 
to cover all the bases coherently.

But then again, this problem, since it came up, still begs another 
question, "What is the acceptable unit of capacity?"

For instance, I know I can generate one single PolicySet consisting of 
30,000 Policies containing 50GB of XML ASCII characters. :^)

Just my 29,334.85 Turkish Lira,
-Polar


On Wed, 6 Sep 2006, Anne Anderson - Sun Microsystems wrote:

> Problem: What if an XACMLPolicyQuery matches more policies than the PDP is 
> able to return in a single XACMLPolicyStatement?
>
> Proposal:
>
> Define a new optional, implementation-dependent element that MAY be included 
> in an XACMLPolicyQueryType or an XACMLPolicyStatementType.
>
> <element name="PolicyQueryContinuation" 
> type="xacml-saml:PolicyQueryContinuationType" />
> <complexType name="PolicyQueryContinuationType">
>    <xs:sequence>
>      <xs:any namespace="##any" processContents="lax" minOccurs="0"
>                     maxOccurs="unbounded"/>
>    </xs:sequence>
> </complexType>
>
> An instance of this element MAY be returned in an "XACMLPolicyStatementType", 
> along with Policy and/or PolicySet instances.  If present, it indicates that 
> the XACMLPolicyStatement does not contain all policies that match the query, 
> and that the PDP supports a continuation of the response.
>
> The request MAY then send another XACMLPolicyQuery containing the instance of 
> the PolicyQueryContinuation element to obtain more policies that match the 
> original query.
>
> The content and interpretation of the PolicyQueryContinuation element is 
> completely implementation-dependent.  Support for it is optional.
>
> Regards,
> Anne
>
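
An added example, not part of either message and not taken from the XACML specification: one way a PAP could answer the "how do you maintain state" question without server-side sessions, by making the continuation a self-contained, HMAC-protected cursor bound to the original query, while capping each response by both policy count and bytes. The key, the caps, the policy store, the `prefix` criteria format and the token layout are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"  # assumption: secret known only to the PAP
MAX_POLICIES = 2               # assumed cap on policies per response
MAX_BYTES = 4096               # assumed cap on policy bytes per response

# Constructed policy store (id -> XML text); not real XACML policies.
STORE = {f"policy-{i}": f"<Policy PolicyId='policy-{i}'/>" for i in range(5)}

def _digest(criteria):
    """Hash of the query, so a token cannot be replayed against another query."""
    return hashlib.sha256(json.dumps(criteria, sort_keys=True).encode()).hexdigest()

def _seal(state):
    """Encode the cursor and append an HMAC tag the client cannot forge."""
    body = base64.urlsafe_b64encode(json.dumps(state, sort_keys=True).encode())
    tag = hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()
    return (body + b"." + tag).decode()

def _open(token, criteria):
    """Verify the tag before parsing, then check the query binding."""
    body, _, tag = token.encode().rpartition(b".")
    good = hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, good):
        raise ValueError("continuation failed integrity check")
    state = json.loads(base64.urlsafe_b64decode(body))
    if state["q"] != _digest(criteria):
        raise ValueError("continuation belongs to a different query")
    return state

def query_policies(criteria, continuation=None):
    """Return (policies, continuation or None) for one bounded response."""
    after = _open(continuation, criteria)["after"] if continuation else ""
    page, size = [], 0
    for pid in sorted(STORE):
        if not pid.startswith(criteria["prefix"]) or pid <= after:
            continue
        xml = STORE[pid]
        if len(xml) > MAX_BYTES:
            # One oversized policy defeats paging by count alone.
            raise ValueError(f"{pid} exceeds the per-response byte cap")
        if len(page) == MAX_POLICIES or size + len(xml) > MAX_BYTES:
            return page, _seal({"q": _digest(criteria), "after": page[-1][0]})
        page.append((pid, xml))
        size += len(xml)
    return page, None  # no continuation: the result set is complete
```

Because the cursor is keyed on the last policy id rather than an offset, the PAP holds no per-client state; policies added or removed between requests can still change what later pages contain.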

