Subject: Re: [dipal-discuss] all policies are non-functional?
Xinyu,

These thoughts are quite appropriate to post here. Thank you for participating.

By "functional policy" I think you mean the process of policy verification against some object or action that falls within the scope of the policy. You are right that we have done more discussion here of policy and Assertion intersection than of policy and Assertion verification. The policy verification process, at least in the abstract, is fairly well understood from experience with XACML and other policy engines which use the IETF/DMTF model for policy. I don't know if there are publicly available descriptions of how and where policy verification would actually be integrated into a web services implementation. Perhaps other list participants can provide some references.

The "policy monitor" you describe seems to fit the definition used for a "policy enforcement point" (PEP) in the IETF/DMTF model: the abstract entity that requests policy decisions when needed, and enforces them (allows the action, accepts the object, aborts, returns an error, etc.). In a web services implementation, probably when a message is received (at least before it is acted on), the PEP needs to get involved to verify that the message conforms to the agreed-upon policy. It does this by sending the message (or information abstracted from the message) along with a request for policy evaluation to another abstract entity called, as you suggest, a "policy decision point" (PDP) in the IETF/DMTF model. The code for evaluation of a particular Assertion would be called by the PDP when that Assertion is encountered during evaluation of the policy.

PEPs for different parts of a web service policy might need to be implemented at different points in a web services implementation, depending on when the message component or object controlled by the policy is to be used. For example, some parts of the policy might be verified at the point where a message is received or where the service connection binding is done, whereas other parts might be verified once the message has been sent or just prior to being sent to the code implementing the interface being invoked. Other parts might be verified as the message is being handled by the interface implementation. A service that forwards a message to another service, or that invokes another service on behalf of a user, might or might not be able to verify the policy (at least partially) prior to forwarding the message. Being able to at least partially verify a policy that controls activities implemented in another service is one of the advantages of having a domain-independent policy assertion language.

Regards,
Anne

Xinyu Zhou wrote:
> Dear all:
>
> Ever since I joined the list about 1 month ago, I have benefited a lot from the discussion here. Actually, I have spent much time on policy research prior to joining the list.
>
> What's interesting to me is the functional policy. In other words, the "Policy Engine" should have a "policy decision point" or a "policy monitor" to monitor the dynamically changing environment.
>
> So far, I have seen a lot of non-functional policies here. These policies are mainly used to establish the agreement before two (Web Service) endpoints begin to interoperate with each other. However, not too many discussions about the functional policies have been proposed here. One week ago, Anne Anderson mentioned the paper "WS-Policy for Service Monitoring", http://www.elet.polimi.it/upload/baresi/papers/TES2005.pdf
>
> This paper is interesting because the authors claim that they can do both non-functional policy checking and functional policy checking. But, the authors did not show us a functional policy checking as an example.
>
> In my opinion, the functional policy checking mainly relies on the capability of POLICY ENGINE. For example, I figure that the policy engine of WS-Policy framework can only do text-level operation, because the policy engine does not know about the semantic of the policy vocabulary. Maybe all policy engines of domain-independent policy languages are not powerful. That might be a trade-off.
>
> By the way, it would be highly appreciated if somebody can tell me where I can find some materials about implementing policies on globus toolkit. I have interests in this. I only see one project called gridshib http://gridshib.globus.org/
>
> Correct me if I'm wrong. I am not sure if it is appropriate to post my thoughts here.
>
> Regards, xinyu.
>
> -----Original Message-----
> From: Anne Anderson [mailto:Anne.Anderson@sun.com]
> Sent: Monday, January 30, 2006 12:41 PM
> To: Frank McCabe
> Cc: dipal-discuss@lists.oasis-open.org
> Subject: Re: [dipal-discuss] How to move forward
>
> Francis,
>
> WS-PolicyConstraints (http://research.sun.com/projects/xacml/ws-policy-constraints-current.pdf) might be considered an XACML-based example of a "0.7" spec :-). Its scope is consistent with the proposed scope for the DIPAL TC that started this group off:
>
> "The scope envisioned for the proposed OASIS TC is the development of a domain-independent language for expressing policy assertions, along with semantics for verifying such assertions, comparing or intersecting assertions over the same policy item from two different policies, and selecting preferred values from a set of permitted values. The language would provide a generic way of expressing conditions that particular domain-specific policy items must satisfy.
>
> The language would be designed to express policy assertions for use with any Boolean web services policy framework. That is, the language would express assertions over individual policy vocabulary items, but combining these assertions into a policy expressing acceptable combinations and alternatives would be relegated to a framework layer. The development of a policy framework for combining individual policy assertions into policies is not within the proposed scope."
>
> Does Fujitsu have an interest in a different scope?
>
> I would be happy to work with any group of "committed folk" to revise WS-PolicyConstraints or any other base document in preparation for submission to any appropriate standards TC or WG. I think we need to know where we plan to submit the document, however, in order to assess the interest of the target group and to target the revisions appropriately.
>
> Regards,
> Anne
>
>
> Frank McCabe wrote:
>
>> It seems that one route to success is to initially develop a version 0.8 of a spec off-line before submitting it to any standards group. That can be done by a group of committed folk who would not need universal approval. Of course, that requires foresight etc on the part of the sponsoring companies.
>> What do you think would be the scope of an independent DIPAL? The answer to that question would be critical, for example, to Fujitsu's interest in participation.
>> Frank
>>
>> On Jan 30, 2006, at 7:35 AM, Anne Anderson wrote:
>>
>>> Colleagues,
>>>
>>> I would like to start a discussion of the practicalities of moving forward with a standard for a "domain-independent policy assertion language". Here are some possibilities as I see them, with their pluses and minuses.
>>>
>>> 1. Start a new OASIS TC for DIPAL.
>>>
>>> PLUSES: The TC could focus on identifying or developing the best language for the job.
>>>
>>> MINUSES: We have a chicken and egg problem: until one or more domains use DIPAL for expressing their policies, organizations can't justify spending resources to standardize it. But until it is standardized, no domains are able to use it. Most organizations are already strained for resources to cover the various web services standards being developed, so it is not clear that we could get enough people to staff a new OASIS TC even if many organizations would like to see such a standard developed.
>>>
>>> 2. Move DIPAL forward in the OASIS XACML TC.
>>>
>>> PLUSES: if we use WS-PolicyConstraints, or something similar, it is already XACML-based. XACML needs a profile for expressing authorization policies for web services, so the work could be justified. Applications to other domains could be done via white papers, conference papers, etc. XACML TC members already understand the constraint-based approach to policy expression.
>>>
>>> MINUSES: XACML's charter is limited to authorization and access control. Based on earlier votes objecting to the scope of WSPL, a DIPAL spec in the XACML TC could use only authorization and access control examples. This makes it look like a one-domain language and makes it harder to "sell" for other domains. Also, the XACML TC is a small group, and might not have enough bandwidth to take this on without new members to champion the work.
>>>
>>> 3. Include DIPAL as an option in WS-Policy standardization.
>>>
>>> PLUSES: This would make clear how DIPAL is used for multiple domains, and would allow close integration of DIPAL with WS-Policy syntax.
>>>
>>> MINUSES: There has been no official interest in DIPAL from the WS-Policy sponsors. WS-Policy has still not been submitted to a standards group, and this may reflect enough internal conflict among its sponsors that they are unlikely to agree on adding yet another component.
>>>
>>> 4. Include DIPAL as an option in another standard.
>>>
>>> PLUSES: Could fit with WS-Agreement, or could be standardized along with the policy schema for some particular domain.
>>>
>>> MINUSES: As with the XACML TC option, this risks making DIPAL look like a one-domain language. No other standards WG or TC has indicated interest in taking on DIPAL.
>>>
>>> Thoughts? Suggestions?
>>>
>>> Regards,
>>> Anne
>>> --
>>> Anne H. Anderson Anne.Anderson@sun.com
>>> Sun Microsystems Labs 1-781-442-0928
>>> Burlington, MA USA
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: dipal-discuss-unsubscribe@lists.oasis-open.org
>>> For additional commands, e-mail: dipal-discuss-help@lists.oasis-open.org
>>>
>>
>

--
Anne H. Anderson Anne.Anderson@sun.com
Sun Microsystems Labs 1-781-442-0928
Burlington, MA USA
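A toy PEP/PDP split in the IETF/DMTF style described in the reply above, as an added example that is not code from this thread or from any project it names: the PEP abstracts a received message into facts about vocabulary items, the PDP walks a Boolean policy of alternatives and calls the per-type assertion evaluator only when it meets that assertion. Vocabulary item names, the message shape and the sample policy are assumptions.

```python
from typing import Any, Callable, Dict, List

class Assertion:
    """One constraint over a single policy vocabulary item (domain-independent)."""
    def __init__(self, item: str, kind: str, value: Any):
        self.item, self.kind, self.value = item, kind, value

# Evaluator code per assertion type; the PDP invokes it only when it reaches that assertion.
EVALUATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "eq": lambda actual, want: actual == want,
    "range": lambda actual, lo_hi: lo_hi[0] <= actual <= lo_hi[1],
    "one_of": lambda actual, allowed: actual in allowed,
}

class PolicyDecisionPoint:
    """Framework layer: a policy is a list of alternatives, each a conjunction of assertions."""
    def __init__(self, alternatives: List[List[Assertion]]):
        self.alternatives = alternatives

    def evaluate(self, facts: Dict[str, Any]) -> bool:
        return any(all(self._holds(a, facts) for a in alt)
                   for alt in self.alternatives)

    @staticmethod
    def _holds(a: Assertion, facts: Dict[str, Any]) -> bool:
        actual = facts.get(a.item)
        if actual is None:          # item absent from the message: fail closed
            return False
        return EVALUATORS[a.kind](actual, a.value)

class PolicyEnforcementPoint:
    """Sits on the receive path: abstracts the message, asks the PDP, enforces the answer."""
    def __init__(self, pdp: PolicyDecisionPoint):
        self.pdp = pdp

    def handle(self, message: Dict[str, Any]) -> str:
        facts = {"security.token_type": message.get("token_type"),   # assumed item names
                 "transport.tls_version": message.get("tls"),
                 "msg.size_kb": len(message.get("body", "")) // 1024}
        return "accept" if self.pdp.evaluate(facts) else "reject"

# Constructed sample policy: SAML over TLS 1.2 or 1.3, or an X.509/Kerberos token
# with a message no larger than 64 KB.  Item names and values are made up.
PEP = PolicyEnforcementPoint(PolicyDecisionPoint([
    [Assertion("security.token_type", "eq", "saml"),
     Assertion("transport.tls_version", "range", (1.2, 1.3))],
    [Assertion("security.token_type", "one_of", {"x509", "kerberos"}),
     Assertion("msg.size_kb", "range", (0, 64))],
]))
```

Because every assertion is a predicate over one named item, the same evaluator table serves any domain whose policy can be phrased as such items, which is the domain-independence the thread argues for.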