[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Behavior of deny-overrides
All,

Olav Bandmann has discovered that a couple of the 2.0 combining algorithms have "weird" effects sometimes. I am not sure if this was already known, or if anything should be done about it. This is a bit difficult to explain, but I will make an attempt.

One can define a soundness criterion for policy combining algorithms: A combining algorithm is sound iff a constituent policy cannot cause a combined decision which the constituent policy would never evaluate to in isolation.

By this definition, the deny-overrides algorithm is not sound. For instance:

P1 has a single rule with a Permit effect. This policy in isolation can never evaluate to a Deny.

PS is a policy set with a number of policies:

      PS
     /|
    / |
   /  |
  P2-Pn

PS uses a deny-overrides policy combining algorithm. Assume that for a request R, PS, as it is, will evaluate to Permit.

Now, insert P1 into PS:

      PS
     /|\
    / | \
   /  |  \
  P2-Pn  P1

Let’s evaluate R against PS again and let’s say that P1 evaluates to indeterminate. This will cause PS to be Deny. P1 made PS into a Deny, although P1 can never evaluate to Deny in isolation!

There is a similar behavior in the only-one-applicable.

So, why is this a problem? Because it makes it harder to understand a complex policy. You cannot look at the parts in isolation. For instance, if several administrators are responsible for parts of a large policy set, then their policies could have effects that they did not intend or anticipate.

One could argue that the algorithms have a well defined behavior, so they are not “wrong” and they behave as intended. That could be said about the only-one-applicable algorithm for instance, or if I for some reason want to define an algorithm which inverts everything, makes its decisions randomly, or whatever. However, in the case of deny-overrides, the algorithm could have been designed so it would have been sound in this respect.
Olav suspects (and so do I) that the motivation for the current design was based on concerns about access being allowed in case of an error: If PS uses deny-overrides and P1 evaluates to indeterminate, then perhaps P1 could have evaluated to Deny if there was no error? So to be safe, we make the whole a Deny. However, it would have been better to make it indeterminate, and then have a Deny-biased PEP instead, if denying access is important in case of uncertainty in policy evaluation.

Is this already known? Is it a concern? To fix it, we could define a new combining algorithm which does not have this behavior and recommend that people use it instead of the old one.

Regards,
Erik
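The scenario in the message above, reproduced as an added Python simulation (example code written for this page, not Erik's or the XACML TC's). Policies are modelled only by the decision they return for request R. `deny_overrides_2_0` follows the XACML 2.0 deny-overrides policy-combining algorithm, in which an Indeterminate constituent yields Deny; `deny_overrides_sound` is a hypothetical variant of the kind the message proposes, in which the error propagates as Indeterminate and a Deny-biased PEP (`deny_biased_pep`) refuses access at enforcement time instead. `violates_soundness` applies the message's soundness criterion mechanically: it reports whether inserting a policy flipped the combined decision to one the inserted policy could never produce on its own. All function names and the sample policy set are assumptions of this example.

```python
"""Soundness of XACML 2.0 deny-overrides policy combining, as an added example.

A policy is represented by the Decision it evaluates to for the request under
test. The constructed scenario follows the post: PS = P2..Pn all Permit for
request R, and P1 is a single-Permit-rule policy that hits an evaluation error.
"""
from enum import Enum


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"


def deny_overrides_2_0(decisions):
    """XACML 2.0 deny-overrides policy-combining algorithm.

    Deny wins outright; an Indeterminate constituent is also turned into Deny
    (this is the step the post objects to); Permit wins over NotApplicable.
    """
    at_least_one_permit = False
    for d in decisions:
        if d is Decision.DENY:
            return Decision.DENY
        if d is Decision.INDETERMINATE:
            return Decision.DENY  # error collapsed into an explicit Deny
        if d is Decision.PERMIT:
            at_least_one_permit = True
    return Decision.PERMIT if at_least_one_permit else Decision.NOT_APPLICABLE


def deny_overrides_sound(decisions):
    """Hypothetical sound variant (assumption of this example, not a spec algorithm).

    Deny still overrides everything, but an error stays Indeterminate instead of
    being rewritten into a decision the erroring policy might never produce.
    """
    saw_permit = False
    saw_indeterminate = False
    for d in decisions:
        if d is Decision.DENY:
            return Decision.DENY
        if d is Decision.INDETERMINATE:
            saw_indeterminate = True
        elif d is Decision.PERMIT:
            saw_permit = True
    if saw_indeterminate:
        return Decision.INDETERMINATE
    return Decision.PERMIT if saw_permit else Decision.NOT_APPLICABLE


def deny_biased_pep(decision):
    """Deny-biased PEP: only an explicit Permit grants access; Indeterminate,
    NotApplicable and Deny are all enforced as a refusal."""
    return decision is Decision.PERMIT


def violates_soundness(algorithm, base, inserted, inserted_range):
    """Apply the post's soundness criterion to one insertion.

    True if adding a policy that evaluates to `inserted` changes the combined
    decision to something outside `inserted_range`, the set of decisions that
    policy could ever evaluate to in isolation.
    """
    before = algorithm(list(base))
    after = algorithm(list(base) + [inserted])
    return after != before and after not in inserted_range


# Constructed scenario (assumption): four Permit policies P2..P5 in PS for R.
PS_WITHOUT_P1 = [Decision.PERMIT] * 4
# P1 has one Permit rule: in isolation it can be Permit, NotApplicable or
# Indeterminate (on error), but never Deny.
P1_RANGE = {Decision.PERMIT, Decision.NOT_APPLICABLE, Decision.INDETERMINATE}


def scenario(algorithm):
    """Combined decision for PS before and after inserting an erroring P1."""
    before = algorithm(PS_WITHOUT_P1)
    after = algorithm(PS_WITHOUT_P1 + [Decision.INDETERMINATE])
    return before, after


if __name__ == "__main__":
    for name, alg in (("deny-overrides (2.0)", deny_overrides_2_0),
                      ("sound variant", deny_overrides_sound)):
        before, after = scenario(alg)
        unsound = violates_soundness(alg, PS_WITHOUT_P1,
                                     Decision.INDETERMINATE, P1_RANGE)
        print(f"{name}: PS={before.value} -> with P1 (Indeterminate) "
              f"PS={after.value}; soundness violated: {unsound}; "
              f"deny-biased PEP grants access: {deny_biased_pep(after)}")
```

Both variants end up refusing access for R once P1 errors, so the "fail closed" motivation is preserved either way. The difference is where the refusal is decided: under the 2.0 algorithm the policy set itself reports Deny, so an administrator reading PS cannot tell that a Permit-only policy was the cause, whereas under the variant the policy set reports Indeterminate and the PEP's bias, a single documented setting, is what turns uncertainty into a refusal.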