Subject: New Topic: Policy Provisioning
Prateek asked:

> Our strategy involves a PDP per device/application/cluster. There may be 100s of PDPs. Is there a framework for PDP provisioning from a central policy repository?
>
> PDP provisioning presents significant challenges:
> - Download only relevant policy to PDP
> - Bulk upload is also needed
> - Some PDPs may operate in disconnected mode
>   - Network outage
>   - Disconnected device
> - With large policy set, prefer to propagate only updates
>
> SAML 2.0 Profile of XACML 2.0: <XacmlPolicyQuery>, <XacmlPolicyStatement> allows PDP to query Policy Repository and obtain policies. Partial solution is available. Should we look outside XACML for missing pieces?

----

The issue of policy provisioning has been discussed in the TC. The issue was first raised in the form of improving the Policy Query to make it more usable for bulk provisioning. Specifically it was proposed that the protocol be enhanced to allow multi-message policy transfers. I resisted this change, because as Prateek notes, this protocol was intended for on-the-fly retrieval of potentially applicable policies in support of a single decision, not policy provisioning. At the time I suggested that we build a profile on top of SPML 2.0. To my knowledge there has been no further work done in this area.

The most pressing requirement is a good set of use cases from which we can derive requirements. It is not clear to me how simple or complex the solution needs to be to satisfy most needs. Is a push model from PAP to PDP sufficient? Is a single-hop protocol sufficient? Is it reasonable to assume the PAP has all the knowledge of what policies are needed by a given PDP, or does the PDP have to participate in some way?

I have taken a further look at SPML and suggest the following might be a reasonable approach.

- Base the implementation on the SPML v2 - XSD Profile.
- Use Policy ID as the PSO Identifier.
- Using SPML-defined operations, the PAP can inquire of a PDP what policies it currently has.
- Using SPML, the PAP can add, modify and delete policies as required.
- Using the SPML Batch capability, the PAP can ensure that a set of updates is applied as a unit, thus avoiding the problem of the PDP making decisions on some inconsistent, interim set of policies.
- SPML also provides other potentially useful features such as error codes, asynchronous operations and capability queries.

The main thing that this proposal requires is people who are willing to contribute to the work and edit the document.

Hal
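The following is an added illustration of the approach sketched in Hal's message; it is not code from the message, from the XACML TC, or from any OASIS SPML deliverable. It models a PAP that asks a PDP which policies it holds, computes the delta against the central repository so that only updates travel, wraps the adds/modifies/deletes in one SPML-style batchRequest, and a PDP that applies the batch as a unit (never exposing an interim policy set) and queues batches while disconnected. The namespace URIs, the element layout of the batch/add/modify/delete requests, and the error-code names are written from memory of SPML 2.0 and should be treated as assumptions; the policy identifiers, versions and the stub <Policy> elements are constructed sample data.

```python
"""Added example (not part of the original message or any OASIS artefact):
PAP-to-PDP policy provisioning modelled on SPML 2.0 batch/add/modify/delete,
with Policy ID used as the PSO identifier, as the message proposes."""
import xml.etree.ElementTree as ET

# Assumed SPML 2.0 core and batch-capability namespaces, and the XACML 2.0 policy namespace.
SPML = "urn:oasis:names:tc:SPML:2:0"
BATCH = "urn:oasis:names:tc:SPML:2:0:batch"
XACML = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
for prefix, uri in (("spml", SPML), ("batch", BATCH), ("xacml", XACML)):
    ET.register_namespace(prefix, uri)


def policy_xml(policy_id: str, version: str) -> str:
    """Constructed stand-in for a real XACML <Policy>; only PolicyId and Version matter here."""
    return (f'<Policy xmlns="{XACML}" PolicyId="{policy_id}" Version="{version}" '
            f'RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"/>')


# Constructed central repository: PolicyId -> (version, policy XML). PolicyId doubles as PSO ID.
REPOSITORY = {
    "urn:example:policy:read-records": ("3", policy_xml("urn:example:policy:read-records", "3")),
    "urn:example:policy:write-records": ("1", policy_xml("urn:example:policy:write-records", "1")),
}


def compute_delta(repo: dict, inventory: dict) -> tuple:
    """Compare the repository with a PDP inventory {PolicyId: version}; return (adds, modifies, deletes)."""
    adds = sorted(pid for pid in repo if pid not in inventory)
    mods = sorted(pid for pid in repo if pid in inventory and inventory[pid] != repo[pid][0])
    dels = sorted(pid for pid in inventory if pid not in repo)
    return adds, mods, dels


def build_batch_request(repo: dict, adds: list, mods: list, dels: list) -> str:
    """Serialise the delta as one batchRequest: sequential processing, stop at the first error."""
    root = ET.Element(f"{{{BATCH}}}batchRequest", processing="sequential", onError="exit")
    for pid in adds:
        req = ET.SubElement(root, f"{{{SPML}}}addRequest")
        ET.SubElement(req, f"{{{SPML}}}psoID", ID=pid)
        ET.SubElement(req, f"{{{SPML}}}data").append(ET.fromstring(repo[pid][1]))
    for pid in mods:
        req = ET.SubElement(root, f"{{{SPML}}}modifyRequest")
        ET.SubElement(req, f"{{{SPML}}}psoID", ID=pid)
        mod = ET.SubElement(req, f"{{{SPML}}}modification", modificationMode="replace")
        ET.SubElement(mod, f"{{{SPML}}}data").append(ET.fromstring(repo[pid][1]))
    for pid in dels:
        req = ET.SubElement(root, f"{{{SPML}}}deleteRequest")
        ET.SubElement(req, f"{{{SPML}}}psoID", ID=pid)
    return ET.tostring(root, encoding="unicode")


class Pdp:
    """PDP policy store. A batch is staged and committed only if every request in it
    succeeds, so decisions are never made on a half-applied set. Batches that arrive
    while the PDP is disconnected are queued and replayed in order on reconnect."""

    def __init__(self):
        self.policies = {}   # PolicyId -> (version, policy XML)
        self.online = True
        self.pending = []

    def inventory(self) -> dict:
        """What the PAP learns when it inquires which policies the PDP currently has."""
        return {pid: ver for pid, (ver, _) in self.policies.items()}

    def receive(self, batch_xml: str) -> bool:
        """Push entry point; True once committed, False if queued because the PDP is offline."""
        if not self.online:
            self.pending.append(batch_xml)
            return False
        self._apply(batch_xml)
        return True

    def reconnect(self) -> int:
        """Replay queued batches after an outage; returns how many were applied."""
        self.online = True
        queued, self.pending = self.pending, []
        for batch in queued:
            self._apply(batch)
        return len(queued)

    def _apply(self, batch_xml: str) -> None:
        staged = dict(self.policies)   # work on a copy; commit only at the end
        for req in ET.fromstring(batch_xml):
            kind = req.tag.rsplit("}", 1)[1]
            pid = req.find(f"{{{SPML}}}psoID").get("ID")
            if kind == "addRequest":
                if pid in staged:
                    raise ValueError(f"alreadyExists: {pid}")     # SPML-style error code
                staged[pid] = self._policy_from(req.find(f"{{{SPML}}}data"))
            elif kind == "modifyRequest":
                if pid not in staged:
                    raise ValueError(f"noSuchIdentifier: {pid}")
                staged[pid] = self._policy_from(req.find(f"{{{SPML}}}modification/{{{SPML}}}data"))
            elif kind == "deleteRequest":
                if pid not in staged:
                    raise ValueError(f"noSuchIdentifier: {pid}")
                del staged[pid]
            else:
                raise ValueError(f"unsupportedOperation: {kind}")
        self.policies = staged   # the whole batch becomes visible at once

    @staticmethod
    def _policy_from(data_el) -> tuple:
        policy = data_el[0]
        return policy.get("Version"), ET.tostring(policy, encoding="unicode")


def provision(pdp: Pdp, repo: dict = REPOSITORY, known_inventory: dict = None) -> tuple:
    """One PAP reconciliation pass. While the PDP is unreachable the PAP falls back to
    its last-known inventory and the batch waits in the PDP's queue."""
    inventory = pdp.inventory() if pdp.online else (known_inventory or {})
    delta = compute_delta(repo, inventory)
    if any(delta):
        pdp.receive(build_batch_request(repo, *delta))
    return delta
```

Calling `provision()` twice against a fresh `Pdp` shows the "propagate only updates" property: the first pass ships both policies, the second ships nothing. Disconnected operation is modelled by clearing `online`, letting the repository change, provisioning against the PAP's last-known inventory, and then calling `reconnect()`; a batch containing a request that fails leaves the PDP's policy set exactly as it was.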