[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml] Summary of the 3 proposed syntaxes for Policy Template
Jean-Paul, On 17/10/2012 7:52 PM, Jean-Paul Buu-Sao wrote:
Erik The core specification says that “The <AttributeDesignator> element retrieves a bag of values for a named attribute from the request context”. Hence the scope for the resolution of the named attributes cannot be limited to the scope of the container <Policy> element alone, but is the one of the whole request context. It follows that you cannot compose a <PolicySet> with multiple parameterized <Policy>, in the case of name conflicts, unless there is some kind of naming convention introduced. For example, the <PolicySet> below contains two <Policy> that are parameterized. There is a name-clash in the named parameters “Organizations”: <PolicySet PolicyId="urn:example:set1" … > <Policy PolicyId="urn:example:template1" … > ... <Condition> ... <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="Organizations" MustBePresent="true"> <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="http://schemas.tscp.org/2012-03/claims/OrganizationID"; MustBePresent="true"/> </Apply> ... </Condition> ... </Policy> <Policy PolicyId="urn:example:template1" … > ... <Condition> ... <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="Organizations" MustBePresent="true"> <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" AttributeId="http://schemas.tscp.org/2012-03/claims/OrganizationID"; MustBePresent="true"/> </Apply> ... </Condition> ... </Policy> </PolicySet> One must introduce a naming convention on the named parameters to establish the correct scope, such as:
Yes, if you are considering the case where there is only one policy template
data set for each policy template and normal PDP processing is being used
to evaluate the template. In this case we are not really talking about
templating at all. In the more general case where there can be any number of
policy template data sets for each policy template we have either a policy
template engine or dynamic template reduction (which is not normal PDP
processing). There is no conflict in this case because the policy template
data sets are bound to specific templates via the template's identifier.
The policy template engine uses the parameter values from the policy template
data sets bound to the template it is currently processing.
Also, globally unique names for parameters isn't enough to legitimize the use of
attribute designators for parameters. Consider this excerpt from section 7.3.5
of the latest core specification:
"Regardless of any dynamic modifications of the request context during
policy evaluation, the PDP SHALL behave as if each bag of attribute
values is fully populated in the context before it is first tested,
and is thereafter immutable during evaluation. (That is, every subsequent
test of that attribute shall use the same bag of values that was initially
tested.)"
If there is more than one policy template data set for the same policy template,
then this rule will be broken. That's not a showstopper because parameters are a
different beasty to attribute designators, even if the syntax is the same, but
it is ugly to be saying that there is a particular use of the syntax for a
new purpose that violates some of the rules of its original purpose.
If the parameter names are globally unique, then consider that a template may
contain a parameter that belongs to a policy template data set that is bound
to an entirely different policy template. That has some interesting implications,
which I can discuss if you want to go there. I can also imagine several different
ways to reduce your example with two embedded policy templates.
Regards,
Steven
<PolicySet PolicyId="urn:example:set1">
<Policy PolicyId="urn:example:template1">
...
<Condition>
...
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
<AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
AttributeId="urn:example:template1:Organizations" MustBePresent="true">
<AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
AttributeId="http://schemas.tscp.org/2012-03/claims/OrganizationID"; MustBePresent="true"/>
</Apply>
...
</Condition>
...
</Policy>
<Policy PolicyId="urn:example:template2">
...
<Condition>
...
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
<AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
AttributeId="urn:example:template2:Organizations" MustBePresent="true">
<AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
AttributeId="http://schemas.tscp.org/2012-03/claims/OrganizationID"; MustBePresent="true"/>
</Apply>
...
</Condition>
...
</Policy>
</PolicySet>
Would you confirm this analysis?
Thanks,
Jean-Paul
*From:*xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] *On Behalf Of *Erik Rissanen
*Sent:* Friday, October 12, 2012 10:02
*To:* xacml@lists.oasis-open.org
*Subject:* Re: [xacml] Summary of the 3 proposed syntaxes for Policy Template
Jean-Paul,
Thanks for the summary. I might add that for the AttributeDesignator approach, I did not intend to do
substitution in target <Match> elements. My point is to stay within the current XACML 3.0 core schema, and
avoid any extra processin steps. Thus it would be a "con" to this approach that any targets need to be
rewritten into conditions using the on-permit-apply-second algorithm.
Best regards,
Erik
On 2012-10-11 15:39, Jean-Paul Buu-Sao wrote:
Greetings
There has been an intense and healthy discussion around the syntax for Policy Templates recently, thanks
to Danny Steven and Erik. I thought that I should summarize the various proposals on the Wiki:
https://wiki.oasis-open.org/xacml/Policy%20Template%20Syntactic%20Options
Danny, Steven, Erik, please apologize if I missed on of your points. I still have to double check that
OOI have not forgotten anything against the email thread (I fact I have, but will correct before today
close of business).
Thanks,
Jean-Paul
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]