OASIS Mailing List Archives

xacml message

Subject: New Topic: Policy Provisioning


Prateek asked:

Our strategy involves a PDP per device/application/cluster. There may be
100s of PDPs. Is there a framework for PDP provisioning from a central
policy repository?

PDP provisioning presents significant challenges:

- Download only relevant policy to PDP
- Bulk upload is also needed
- Some PDPs may operate in disconnected mode
  - Network outage
  - Disconnected device
- With large policy set, prefer to propagate only updates

SAML 2.0 Profile of XACML 2.0 <XacmlPolicyQuery>, <XacmlPolicyStatement>
allows PDP to query Policy Repository and obtain policies

Partial solution is available

Should we look outside XACML for missing pieces?
----

The issue of policy provisioning has been discussed in the TC. The issue
was first raised in the form of improving the Policy Query to make it
more usable for bulk provisioning. Specifically it was proposed that the
protocol be enhanced to allow multi-message policy transfers.

I resisted this change, because as Prateek notes, this protocol was
intended for on the fly retrieval of potentially applicable policies in
support of a single decision, not policy provisioning. At the time I
suggested that we build a profile on top of SPML 2.0. To my knowledge
there has been no further work done in this area.

The most pressing requirement is a good set of use cases from which we
can derive requirements. It is not clear to me how simple or complex the
solution needs to be to satisfy most needs. Is a push model from PAP to
PDP sufficient? Is a single hop protocol sufficient? Is it reasonable to
assume the PAP has all the knowledge of what policies are needed by a
given PDP or does the PDP have to participate in some way?

I have taken a further look at SPML and suggest the following might be a
reasonable approach. Base the implementation on the SPML v2 - XSD
Profile. Use Policy ID as the PSO Identifier. Using SPML defined
operations the PAP can inquire of a PDP what policies it currently has.
Using SPML the PAP can add, modify and delete policies as required.
Using the SPML Batch capability, the PAP can ensure that a set of
updates is applied as a unit, thus avoiding the problem of the PDP
making decisions on some inconsistent, interim set of policies. SPML
also provides other potentially useful features such as error codes,
asynchronous operations and capability queries.

The main thing that this proposal requires is people who are willing to
contribute to the work and edit the document.

Hal 
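Added illustration (not part of the original thread, and not an SPML implementation): a small in-process model of the provisioning flow Hal sketches. The PDP plays the SPML target, keyed by Policy ID as the PSO identifier; the PAP asks what the PDP holds, computes only the updates needed, and pushes them as one batch that is applied atomically, so a decision never sees a half-applied mixture. The class and function names (PDP, PAP-side compute_delta and provision, apply_batch), the content-hash versioning, and the sample policy bodies are all assumptions made for this example; there is no SPML wire format or XACML evaluation here.

```python
"""Toy model of SPML-style PDP provisioning (example only, hypothetical API)."""
from __future__ import annotations

import hashlib
import threading
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union


@dataclass(frozen=True)
class Policy:
    policy_id: str   # used as the SPML PSO identifier
    body: str        # the XACML policy document, kept opaque here

    def version(self) -> str:
        # Content hash so the PAP can detect a changed policy by comparison alone.
        return hashlib.sha256(self.body.encode()).hexdigest()[:16]


# ("add" | "modify", Policy) or ("delete", policy_id)
Op = Tuple[str, Union[Policy, str]]


class ProvisioningError(Exception):
    pass


class PDP:
    """PDP acting as the SPML target. Reads see a stable snapshot; a batch
    either replaces the whole snapshot or changes nothing at all."""

    def __init__(self) -> None:
        self._policies: Dict[str, Policy] = {}
        self._lock = threading.Lock()

    def list_policies(self) -> Dict[str, str]:
        """Analogue of an SPML lookup/search: policy_id -> version."""
        with self._lock:
            return {pid: p.version() for pid, p in self._policies.items()}

    def snapshot(self) -> Dict[str, Policy]:
        """What a decision would evaluate against right now (never mutated in place)."""
        with self._lock:
            return self._policies

    def apply_batch(self, ops: List[Op]) -> None:
        """Analogue of an SPML batch: every operation is validated against a
        working copy; only if all succeed is the copy swapped in."""
        with self._lock:
            working = dict(self._policies)
            for op, arg in ops:
                if op in ("add", "modify"):
                    if not isinstance(arg, Policy):
                        raise ProvisioningError(f"{op}: expected a Policy")
                    present = arg.policy_id in working
                    if op == "add" and present:
                        raise ProvisioningError(f"add: {arg.policy_id} already exists")
                    if op == "modify" and not present:
                        raise ProvisioningError(f"modify: {arg.policy_id} not present")
                    working[arg.policy_id] = arg
                elif op == "delete":
                    if arg not in working:
                        raise ProvisioningError(f"delete: {arg} not present")
                    del working[arg]
                else:
                    raise ProvisioningError(f"unknown operation {op!r}")
            self._policies = working   # single atomic swap; no interim state visible


def compute_delta(desired: Dict[str, Policy], held: Dict[str, str]) -> List[Op]:
    """PAP side: turn the PDP's report into the minimal batch of updates."""
    ops: List[Op] = []
    for pid, pol in desired.items():
        if pid not in held:
            ops.append(("add", pol))
        elif held[pid] != pol.version():
            ops.append(("modify", pol))
    for pid in held:
        if pid not in desired:
            ops.append(("delete", pid))
    return ops


def provision(pdp: PDP, desired: Dict[str, Policy]) -> List[Op]:
    """One provisioning round: ask the PDP, diff, push everything as one batch."""
    ops = compute_delta(desired, pdp.list_policies())
    if ops:
        pdp.apply_batch(ops)
    return ops


if __name__ == "__main__":
    # Constructed sample policies; the bodies are placeholders, not real XACML.
    pdp = PDP()
    admin = Policy("urn:example:policy:admin", "<Policy>admin v1</Policy>")
    guest = Policy("urn:example:policy:guest", "<Policy>guest v1</Policy>")
    print(provision(pdp, {admin.policy_id: admin, guest.policy_id: guest}))
    admin2 = Policy(admin.policy_id, "<Policy>admin v2</Policy>")
    print(provision(pdp, {admin2.policy_id: admin2}))   # modify admin, delete guest
    print(pdp.list_policies())
```

The second round above sends only a modify and a delete, which is the "propagate only updates" case; a PDP that was disconnected for several rounds simply reports its current set when it reconnects and receives one catch-up batch. The batch deliberately fails as a whole on the first bad operation, which is what keeps a PDP from deciding on a partially updated set.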

