[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml] Does the XACML 2.0 and 3.0 Subject have some inconsistenciesin Core and Multi Profile?
Hi Rich,
I think your analysis is correct.
Regarding grouping different subject categories so you don't get
multiple answers, I think this could be covered by the boxcarring which
Hal proposed earlier. We decided to put boxcarring into the multiple
resource profile, but I don't recall anymore who has an action to make a
schema proposal. It might be me.
Best regards,
Erik
Rich.Levinson wrote:
> Hi Erik,
>
> I think I understand this a little better now:
> There does appear to be semantic break with the Subject concept going
> from 2.0 to 3.0 in the multi-resource profile that is now expanded to
> include all categories, however, it may not be as problematic as it
> first appeared to me. The reason that there is a semantic break is the
> following:
>
> * In XACML 2.0 (and 3.0 for that matter), if there are multiple
> Subjects in a Request belonging to different
> Subject@SubjectCategories (or Attributes@Categories in 3.0), they
> are effectively treated as a Subject group, where each member of
> the group is checked accordingly in the Policies. I think this is
> fairly clearly stated in 2.0 section 6.1, lines 2884-2891
> augmented by the requirement in section 2.4 lines 433-438:
> o "...Therefore, XACML recognizes that there may be more than
> one subject relevant to a decision request. An attribute
> called “subject-category” is used to differentiate between
> subjects acting in different capacities."
> * Because the 3.0 multi-profile effectively iterates over each
> Attributes element in a given Category and creates an effective
> "Individual Resource Request" for each possible combination of
> Attributes elements where a combination may only contain on
> Attributes element from each Category.
> * Bottom line is that if multiple "grouped" subjects are put in a
> single request, then the members of the one grouped subject will
> get mixed up with members of other grouped subjects if their
> groups have members with common categories. By breaking up and
> mixing the subject groups, the profile "breaks" the semantics.
>
> All that being said, I think the net effect in these "extreme" cases
> is that you end up with more answers than you want, but at least you
> do get the answers that you do want and would need to distinguish
> between them and the ones that you don't want (the ones where the
> subject groups were mixed).
>
> I think that because most applications are going to only be dealing
> with single category subjects, that the benefit of making that kind of
> request easy for the multiple profile outweighs the possible
> inconvenience of getting extraneous information back for the
> presumably rare case where someone would batch a bunch of
> multi-category subjects in this profile.
>
> Another point in this subject area has to do with the 2.0 "merging"
> (or "collapsing") of multiple subjects within a given SubjectCategory
> to a single Subject element for that one SubjectCategory. (see 2.0
> spec: section 5.38 lines 2633-2634 and section 6.2 lines 2921-2923.)
> This effectively guaranteed in 2.0 that there was at most one Subject
> element within a given SubjectCategory. Therefore, despite all the
> mentions of "multiple subjects" in 2.0, there never was a concept of
> multiple subjects within a given SubjectCategory (although presumably
> one could have multi-valued subject-id attributes within a single
> SubjectCategory element).
>
> Therefore, I think that 3.0 represents a change in this arena since I
> don't believe that there is any notion of "collapsing" multiple
> Attributes elements within a given Category in 3.0.
>
> From that perspective, 3.0 is really adding a new "dimension" to
> Subjects by allowing the multi-profile to process multiple Attributes
> elements within a given subject-category, which was not even
> conceptually possible in 2.0 because of the subject collapsing within
> a SubjectCategory.
>
> Bottom line: I would recommend that it be noted in 3.0 core spec,
> possibly in the appendix for subject categories or maybe preferably in
> the 3.0 multi-profile that:
>
> * the ability to have multiple subject elements in a single subject
> category is new to 3.0.
> * care be recommended when attempting to use the multi-profile for
> multiple multi-category ("grouped") subjects for single decisions,
> because the profile will break up and mix the groups to have
> combinations in addition to the original grouped combination.
>
> Final recommendation for future consideration:
>
> * if grouped subjects (or any other "grouping") is important to be
> cleanly supported in the multi-profile, that we probably need a
> means to give the members of the group an "id", for example an
> Attributes@GroupId attribute and that the multi-profile would be
> directed not to break up the "groups" with a common "GroupId".
> (this would mean that when someone submitted a
> multi-grouped-subject request that each "group" of subjects be
> given its own GroupId when added to list.
>
> Thanks,
> Rich
>
>
> Erik Rissanen wrote:
>> Hi Rich,
>>
>> The other categories may be user defined categories (not really
>> recommended, but possible if users insist), the traditional XACML 2.0
>> subject categories (which translate directly into attribute categories
>> in 3.0) or the categories associated with delegation.
>>
>> For a regular XACML request only one element with a given attribute is
>> allowed, anything else is an error. Multiple elements with identical
>> categories are used in the multiple resource profile.
>>
>> Best regards,
>> erik
>>
>> Rich.Levinson wrote:
>>
>>> Hi Erik,
>>>
>>> I see, at least at a high level, the points that were made:
>>> http://lists.oasis-open.org/archives/xacml/200807/msg00002.html
>>>
>>> A couple quick questions that may be related:
>>>
>>> * Does it say anywhere in XACML 3.0 that only one Attributes
>>> element with a specific Category should be allowed in a Request
>>> element?
>>> o I believe this is necessary, because otherwise one could
>>> include 2 Attributes elements w same Category, while at
>>> the same time providing different Content in each, which I
>>> do not think would be workable.
>>> * I am still concerned about the wording of the definition of
>>> Category in 3.0:
>>> o
>>>
>>> Category [Required]
>>>
>>> This attribute indicates which attribute category the
>>> contained attributes belong to. The Category attribute is
>>> used to differentiate between attributes of subject,
>>> resource, action, environment *or other categories*.
>>> * In particular, my concern is the phrase "or other categories".
>>> While I understand that there can be other "sub-categories",
>>> such as we have with variations on subject, I do not believe
>>> that there are any conceptual semantics for defining a category
>>> outside of the 4 main categories: subject, resource, action,
>>> environment. My recommendation is that we introduce the notion
>>> of sub-category, and possibly even require that any new
>>> "categories" that are introduced be prefixed by one of the 4
>>> main categories, i.e. "subject-", "resource-", "action-",
>>> "environment-".
>>> * I also recommend that if you agree with my point about only one
>>> Attributes element with a given category and that there are four
>>> main categories of which new categories must effectively be
>>> sub-categories, that we may want to characterize a Request
>>> element as containing a set of Attributes elements, which each
>>> have a unique Category, which is a sub-category of one of the
>>> four main categories.
>>>
>>> Hopefully, the above points are fairly clear. If there is disagreement
>>> as to whether my conjecture that we restrict categories to falling
>>> within one of the four main categories, then I would appreciate some
>>> explanation as to what kind of "category" outside of the four main
>>> categories that might be a reason that such a restriction would be
>>> undesirable.
>>>
>>> Thanks, Rich
>>>
>>>
>>> Erik Rissanen wrote:
>>>
>>>> Hi Rich,
>>>>
>>>> See responses inline.
>>>>
>>>> Rich.Levinson wrote:
>>>>
>>>>> Hi Erik and TC,
>>>>>
>>>>> Been looking at how the Subject evolved in 2.0 to 3.0 plus a possible
>>>>> problem in 2.0 that may or may not carry over to 3.0.
>>>>>
>>>>> First the possible problem:
>>>>>
>>>>> * XACML 2.0 section 2.4 describes the "intent" of "multiple
>>>>> subjects", which I think can be summed up as saying multiple
>>>>> identified Subject entities can be involved in a single access
>>>>> decision request. If there are multiple Subject elements in a
>>>>> Request then they are all potentially relevant to a single
>>>>> authorization decision and have a subject-category attribute
>>>>> that identifies what their "role" might be in the overall
>>>>> decision context.
>>>>> * Appendix B.2 enumerates 5 possible values of this
>>>>> subject-category attribute, and there may be additional ones
>>>>> defined by "users" (section 2.4).
>>>>> * Of the 5 values in section B.2, 2 of them,
>>>>> "intermediary-subject" and "codebase" have the statement "There
>>>>> may be more than one." in their defn, which I take to mean that
>>>>> a single Request element could have multiple Subject elements
>>>>> that contain one of these two categories.
>>>>> * The "problem" that I see is that section 6.2 lines 2921-2923
>>>>> say
>>>>> that if there is more than one Subject element with the same
>>>>> SubjectCategory, they will be treated as if they were in the
>>>>> same Subject element
>>>>> o This appears to be a problem because, for example, if
>>>>> there are more than one "intermediary-subjects", then the
>>>>> attributes describing each will be mixed up together and
>>>>> one will not be able to tell which attribute in the
>>>>> Subject element pertains to which intermediary.
>>>>>
>>>>>
>>>> This has already been discussed on the list and there is an issue
>>>> number
>>>> for it on the issues list. The issue was closed with no action since
>>>> "fixing" it introduces a huge amount of complexity since everything
>>>> retrieved from the request context then would become bags of bags of
>>>> attributes. You can find the discussion on the list. (Try to look for
>>>> emails around the date when the issue was closed.)
>>>>
>>>>
>>>>> The above "problem" may or may not go away in 3.0. It appears that
>>>>> the
>>>>> semantics of section 6.2 from 2.0 are "lost" in 3.0, because all the
>>>>> "categories are now Attributes and the designators for Subject,
>>>>> Resource, Action, Environment no longer exist, except as they are
>>>>> buried in identifiers, and as 3.0 refers to them as "RECOMMENDED" in
>>>>> XACML 3.0 section B.2.
>>>>>
>>>>> Assuming that is ok (although I am becoming increasingly uneasy the
>>>>> generalizing "Subject, Resource, Action, Environment" to
>>>>> "Attributes",
>>>>> and allowing "Attributes" to go beyond those four conceptual
>>>>> entities,
>>>>> may cause us to lose a lot of implicit semantics carried by the XACML
>>>>> 2.0 designations of these four entities), I noticed what might be
>>>>> considered to be "creeping functionality" in the XACML 3.0 Multiple
>>>>> Resource Profile. In particular:
>>>>>
>>>>> * The following sentence was removed from the 2.0 Multi-Profile
>>>>> from section 2.3.3 lines 232-234:
>>>>> o "Note that the semantics for multiple <Resource> elements
>>>>> are very different from the semantics for multiple
>>>>> <Subject> elements in a request context as described in
>>>>> the XACML core specification [XACML]."
>>>>> * In addition, the following sentence introducing section 2.3 in
>>>>> the 2.0 Profile:
>>>>> o "This Section describes use of multiple <Resource>
>>>>> elements in a request context to specify a request for
>>>>> access to multiple resources."
>>>>> * has been changed in the 3.0 Multi Profile to be:
>>>>> o "This Section describes use of multiple <Attributes>
>>>>> elements with the same category in a request context to
>>>>> specify a request for access to multiple resources *or
>>>>> requests for access by multiple subjects*."
>>>>>
>>>>>
>>>>> The bottom line is that I don't think the access by multiple subjects
>>>>> will work in the 3.0 profile, at least because there will now be no
>>>>> way to determine which members of one subject-category are associated
>>>>> with the members of the other subject-categories.
>>>>>
>>>> This was a decision made by the TC some time ago, to generalize the
>>>> multiple resource profile so it works the same way with other
>>>> attribute
>>>> categories than the resource.
>>>>
>>>>
>>>>> My recommendation is that at the very least, we pull back the
>>>>> multiple
>>>>> subject notion from the multi-resource profile for now.
>>>>>
>>>> I think we can keep it. It's perhaps not as useful as the multiple
>>>> resource case, but we won't be able to do the "distinct subjects"
>>>> functionality anyway.
>>>>
>>>>
>>>>> Also, I suggest that we put an errata in for 2.0 removing the lines
>>>>> 2921-2923 as they seem to contradict the intentions specified
>>>>> elsewhere in the 2.0 document, which have also been carried
>>>>> forward to
>>>>> 3.0.
>>>>>
>>>>> Thanks,
>>>>> Rich
>>>>>
>>>>>
>>>>
>>
>>
>
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail. Follow this link to all your TCs in OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]