OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml-comment message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: Re: [xacml-comment] A002

Thanks for the detailed explanation Anne. This is much clearer to me now.
I'll try to describe below why I was unable to glean this meaning from the

Anne Anderson - Sun Microsystems wrote:

>In our model, the Context Handler is the functional component that handles
>any translation between the PEP's request format and an internal representation
>consistent with a Request Context, fetches attributes from the Request Context
>(or from an internal representation consistent with a Request Context)
>and from repositories, and handles any translation of the Response into the
>PEP's expected format.
This was clear to me. Figure 1 and its description show this well.

>The "signature" of the interface between the PDP and the Context Handler
>module has two inputs: an AttributeDescriptor or AttributeSelector, 
This was not clear to me. Firstly, figure 1, which I admit is 
non-normative, does not
show this. It shows the request context going in (arrow 8) and the 
response context
coming out (arrow 9). It does not show a bunch of calls from the PDP to 
the CH
requesting attributes.

Reading 7.9.2 again I see that it is actually saying this, I just didn't 
get it:

"The PDP SHALL request the values of attributes in the request context 
from the
context handler."

I took 'request context' to mean the thing that is passed from the CH to 
the PDP...
in other words the Request element. Perhaps 'request context' should be 
defined in the document to be all attributes within the system, whether 
within or
outside the Request? 'context handler' could also be capitalized.

eg. "The PDP SHALL request attribute values from the Context Handler."

The following assertion in 7.9.2 also caused me problems...

"The PDP SHALL reference the attributes as if they were in a physical 
context document, but the context handler is responsible for obtaining and
supplying the requested values."

What does that mean? The phrase 'the attributes' should probably be 
and the 'but' clause is a repeat of the previous assertion, so we're 
left with...

"The PDP SHALL reference attributes as if they were in a physical request
context document."

I don't get it. Why 'as if''? Does 'reference' mean request? So the PDP will
request all attribute values in the same way, and not have different ways of
requesting different attributes?

>As the XACML PDP evaluates a policy, it will encounter various AttributeDescriptors
>and AttributeSelectors.  Each time the PDP encounters one, it passes the information in that 
>descriptor or selector to the Context Handler.  The Context Handler searches for
>a match among the attribute objects it has parsed out of the Request Context
>received from the PEP.  If the requested attribute is not there, then the Context
>Handler queries its configured attribute sources (LDAP directory, SAML attribute assertion
>repository, file of attributes, on-line AA, etc.) for a matching attribute, passing the
>AttributeId, Issuer, etc., and the values of any corresponding subject-id, resource-id, or action-id
>attributes (as appropriate to the type of descriptor).  If there is no attribute 
>available from the configured attribute sources, then the Context Handler returns 
>either an empty bag or "Indeterminate" to the XACML PDP, depending on the value
>of the "MustBePresent" input.  If the "MustBePresent" value is true, then the Context 
>Handler returns "Indeterminate".  If the "MustBePresent" attribute is false, then the 
>Context Handler returns an empty bag.
>In the context of a Condition, the XACML PDP passes the returned value to the enclosing
>function.  Most, if not all, standard XACML functions return "Indeterminate" if one of 
>the inputs is "Indeterminate", but extension functions might not.  It is up to the definition
>of the function.  Similarly, if the resulting function does not take a bag as its input,
>but a bag is passed to it, then standard functions return "Indeterminate", but extension
>functions might not.
>In the context of a Target, the XACML PDP either passes the "Indeterminate" result to the
>enclosing function, or else passes one element at a time from the
>bag result to the enclosing function.  Again, the result depends on the definition
>of the enclosing MatchId function.
Yeah, I'm fine with all this, thanks for walking through the processing, 
I just didn't see
that the PDP was supposed to ask the CH for the value of attributes that 
were referenced
in a policy, but didn't exist with the request document.

>I expect that A002 and the two E tests (which require fetching policies and
>policy sets from external sources) will probably be the most difficult to
I didn't actually have any problem with policy references... 5.18 and 
5.19 are clear enough.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC