[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: AW: [xacml-comment] A suggestion for better handling of multi-valuedattributes in conditions
Hi Jan,
On 27/01/2011 8:03 AM, Jan Herrmann wrote:
> Hi Steven,
> During my work with XACML I had similar issues and I believe that future
> versions of xacml 3 should address the iterating through bags of values. If
> I remember right there was some discussion in a mail thread about a
> for-construct while working on the new xacml3 version. I think the issue was
> deferred. Maybe we should (re)start thinking about more complex control
> structures.
>
> In my use case I need to generate multiple ADRs to get context nodes that
> can be used in<xacml3:contentselectors>. This works but is far from optinal
> as the context handler needs to generate multiple adrs according the current
> state of the policy. to avoid the generation of multiple adrs a
> for-construct would be a very helpful things.
>
> I thought about the following construct:
> ...
> <Apply FunctionId=”&for-each-Bag-element;”>
> <Apply FunctionId=”↦”>
> <Function FunctionId=”&getXPathIdentifikator;”/>
> <AttributeSelector Category=”&message;” DataType=”&element-node;”
> Path=”FeatureCollection/FeatureMember/Buidling” />
> </Apply>
> <LoopVariable AttributeId=”&myLoopVar:i;” DataType=”&xpath;” />
> ...
> <!-- example how to use the loop variable -->
> <AttributeSelector Category=”&message;” DataType=”&string;”
> ContextSelectorId=”&myLoopVar:i“ Path=”anyNode/.../text()” />
> </Apply>
> ...
>
> The first argument of the&for-each-Bag-element function is a Bag. In the
> example this Bag includes elements of datatype xpath.
>
> The Bag is constructed by the↦ function. The parameters of the map
> function are the&getXPathIdentifikator; function and a bag with elements
> of type&element-node;. by applying the&getXPathIdentifikator; function on
> each element of the&element-node; bag a bag of type&xpath; is condtructed.
>
> Back to the for construct:
> the second argument of the&for-each-Bag-element; function is the definition
> of the loop variable(it creates a special xacml attribute with attributeId
> "&myLoopVar:I;". The value of this&myLoopVar:I; attribute will be
> dynamically assigned in each iteration of the loop. in the example
> &myLoopVar:I will be instantiated with different xpath values.
Rather than creating special attributes on-the-fly and allowing the variable
to be referenced from the values of XML attributes, I think it would be
simpler to define an alternative to AttributeSelector where the Path and
ContextSelectorId were contained expressions instead of XML attributes.
Let me call this alternative DynamicAttributeSelector.
<xs:element name="DynamicAttributeSelector"
type="xacml:DynamicAttributeSelectorType"
substitutionGroup="xacml:Expression"/>
<xs:complexType name="DynamicAttributeSelectorType">
<xs:complexContent>
<xs:extension base="xacml:ExpressionType">
<xs:sequence>
<xs:element name="ContextSelectorId" minOccurs="0">
<xs:complexType>
<xs:sequence>
<xs:element ref="xacml:Expression"/>
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element ref="xacml:Expression"/> <!-- the path -->
</xs:sequence>
<xs:attribute name="Category" type="xs:anyURI" use="required"/>
<xs:attribute name="DataType" type="xs:anyURI" use="required"/>
<xs:attribute name="MustBePresent" type="xs:boolean" use="required"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
Each nested expression must be an expression that evaluates to a value
of the xpathExpression data-type. I would then cast your example into the
following expression:
<ForAny VariableId="context">
<Apply FunctionId=”↦”>
<Function FunctionId=”&getXPathIdentifikator;”/>
<AttributeSelector Category=”&message;” DataType=”&element-node;”
Path=”FeatureCollection/FeatureMember/Building”
MustBePresent="false"/>
</Apply>
<ForAny VariableId="node">
<DynamicAttributeSelector Category=”&message;” DataType=”&string;”
MustBePresent="false">
<ContextSelectorId>
<VariableReference VariableId="context"/>
</ContextSelectorId>
<AttributeValue DataType="&xpathExpression;"
>anyNode/.../text()</AttributeValue>
</Apply>
</DynamicAttributeSelector>
... an expression that does something interesting with a node
</ForAny>
</ForAny>
I can't tell what you intend the result of the &for-each-Bag-element; function
to be. I've assumed that whatever processing you want to do on the result can
just be brought inside the ForAny loops (which could be ForAll instead if that
is appropriate).
The ContextSelectorId implies some processing that seems like it could be
done explicitly in the expression for the path. If, for example, there was an
xpathExpression-concatenate function, then a ContextSelectorId wouldn't be
needed in a DynamicAttributeSelector, and your example would look like this
instead:
<ForAny VariableId="context">
<Apply FunctionId=”↦”>
<Function FunctionId=”&getXPathIdentifikator;”/>
<AttributeSelector Category=”&message;” DataType=”&element-node;”
Path=”FeatureCollection/FeatureMember/Building”
MustBePresent="false"/>
</Apply>
<ForAny VariableId="node">
<DynamicAttributeSelector Category=”&message;” DataType=”&string;”
MustBePresent="false">
<Apply FunctionId="&xpathExpression-concatenate;">
<VariableReference VariableId="context"/>
<AttributeValue DataType="&xpathExpression;"
>anyNode/.../text()</AttributeValue>
</Apply>
</DynamicAttributeSelector>
... an expression that does something interesting with a node
</ForAny>
</ForAny>
>
> the question is how far should we go?
It's a balancing act. The ForAny, ForAll, Map and DynamicAttributeSelector
expressions don't add much in the way of implementation complexity (they're
repackaging what's already there after all), but they allow much more
expressive power. I think that's a good way to go.
> should xacml become a proper
> programming language?
I wouldn't want to see that.
Regards,
Steven
>
> best regards
> jan
>
>
> --
> Jan Herrmann
> Dipl.-Inform., Dipl.-Geogr.
> Scientific Assistant
> Chair for Applied Informatics / Cooperative Systems
> Technische Universität München
> Boltzmannstr. 3
> 85748 Garching
> Germany
> T: +49 89 289 18692
> F: +49 89 289 18657
> W: www11.in.tum.de
>
>> -----Ursprüngliche Nachricht-----
>> Von: Steven Legg [mailto:steven.legg@enitiatives.com.au]
>> Gesendet: Dienstag, 25. Januar 2011 03:27
>> An: xacml-comment@lists.oasis-open.org
>> Betreff: [xacml-comment] A suggestion for better handling of multi-valued
>> attributes in conditions
>>
>>
>> XACML allows attributes to be multi-valued but is rather poor at handling
>> non-trivial comparisons of multi-valued attributes.
>>
>> Suppose I have resources with a multi-valued integer "code" attribute and
>> I
>> want to write an expression that is true if and only if at least one of
>> the
>> code values is in the range 100 to 200. A naive solution would look like
>> this:
>>
>> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
>> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
>> <Function
>> FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-
>> equal"/>
>> <AttributeDesignator
>> Category="urn:oasis:names:tc:xacml:3.0:attribute-
>> category:resource"
>> AttributeId="http://example.com/code";
>> DataType="http://www.w3.org/2001/XMLSchema#integer";
>> MustBePresent="false"/>
>> <AttributeValue
>> DataType="http://www.w3.org/2001/XMLSchema#integer";
>> >100</AttributeValue>
>> </Apply>
>> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
>> <Function
>> FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-less-than-or-
>> equal"/>
>> <AttributeDesignator
>> Category="urn:oasis:names:tc:xacml:3.0:attribute-
>> category:resource"
>> AttributeId="http://example.com/code";
>> DataType="http://www.w3.org/2001/XMLSchema#integer";
>> MustBePresent="false"/>
>> <AttributeValue
>> DataType="http://www.w3.org/2001/XMLSchema#integer";
>> >200</AttributeValue>
>> </Apply>
>> </Apply>
>>
>> However, this doesn't work as desired. Suppose that a particular resource
>> has
>> the code values 50 and 250. The expression would evaluate to true for this
>> resource, though it doesn't have a code value between 100 and 200, because
>> there is no correlation between the value that satisfies the first part of
>> the
>> "and" and the value that satisfies the second part of the "and". In this
>> case,
>> both parts are satisfied, but by different values. Unfortunately, XACML
>> doesn't
>> provide a way to enforce such a correlation, which is why it is poor at
>> handling comparisons of multi-valued attributes.
>>
>> When iterating through an attribute's values (with something like the any-
>> of
>> function) it is only possible to apply a function to each value, but what
>> is
>> needed for a case like the example above is the capability to apply an
>> arbitrary expression to each value in turn. This suggests binding the
>> values
>> to a variable that can be referenced throughout the desired expression.
>> There
>> are a number of ways XACML could be extended to provide such a capability,
>> but
>> the neatest I've found is to extend ExpressionType like so:
>>
>> <xs:element name="ForAny" type="xacml:IterativeExpressionType"
>> substitutionGroup="xacml:Expression"/>
>>
>> <xs:element name="ForAll" type="xacml:IterativeExpressionType"
>> substitutionGroup="xacml:Expression"/>
>>
>> <xs:complexType name="IterativeExpressionType">
>> <xs:complexContent>
>> <xs:extension base="xacml:ExpressionType">
>> <xs:sequence>
>> <xs:element ref="xacml:Expression"/> <!-- Must be a bag. -->
>> <xs:element ref="xacml:Expression"/>
>> </xs:sequence>
>> <xs:attribute name="VariableId" type="xs:string"
>> use="required"/>
>> </xs:extension>
>> </xs:complexContent>
>> </xs:complexType>
>>
>> The IterativeExpressionType contains two expressions. The first expression
>> must
>> evaluate to a bag. The VariableId XML attribute names the variable that
>> will
>> iterate over the values of this bag. The variable's data-type is the same
>> as
>> the primitive data-type of the members of the bag.
>>
>> The second expression is an arbitrary expression that evaluates to a
>> Boolean
>> value. The second expression would normally contain one or more references
>> to
>> the named variable.
>>
>> A ForAny expression is evaluated by repeatedly evaluating the second
>> expression
>> with the variable bound to each value of the bag in turn. The overall
>> Boolean
>> result of the ForAny expression is obtained by combining the results of
>> evaluating the second expression according to the "or" function. The
>> ForAll
>> expression is evaluated in the same way except that the results of
>> evaluating
>> the second expression are combined according to the "and" function.
>>
>> Using the ForAny expression it is now possible to write an expression that
>> evaluates to true if and only if the code attribute has at least one value
>> in
>> the range 100 to 200:
>>
>> <ForAny VariableId="code">
>> <AttributeDesignator
>> Category="urn:oasis:names:tc:xacml:3.0:attribute-
>> category:resource"
>> AttributeId="http://example.com/code";
>> DataType="http://www.w3.org/2001/XMLSchema#integer";
>> MustBePresent="false"/>
>> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
>> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-
>> greater-than-or-equal">
>> <VariableReference VariableId="code"/>
>> <AttributeValue
>> DataType="http://www.w3.org/2001/XMLSchema#integer";
>> >100</AttributeValue>
>> </Apply>
>> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-
>> less-than-or-equal">
>> <VariableReference VariableId="code"/>
>> <AttributeValue
>> DataType="http://www.w3.org/2001/XMLSchema#integer";
>> >200</AttributeValue>
>> </Apply>
>> </Apply>
>> </ForAny>
>>
>> Now, some value of the code attribute has to satisfy both parts of the
>> "and"
>> for the overall expression to evaluate to true.
>>
>> Although I was only trying to find a way to sensibly handle multi-valued
>> attributes, I have hit upon a generalization for the bag handling
>> functions.
>> For example, this expression using the any-of-any function:
>>
>> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
>> <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-
>> equal"/>
>> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-
>> bag">
>> <AttributeValue
>> DataType="http://www.w3.org/2001/XMLSchema#string";
>> >Ringo</AttributeValue>
>> <AttributeValue
>> DataType="http://www.w3.org/2001/XMLSchema#string";
>> >Mary</AttributeValue>
>> </Apply>
>> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-
>> bag">
>> <AttributeValue
>> DataType="http://www.w3.org/2001/XMLSchema#string";
>> >John</AttributeValue>
>> <AttributeValue
>> DataType="http://www.w3.org/2001/XMLSchema#string";
>> >Paul</AttributeValue>
>> <AttributeValue
>> DataType="http://www.w3.org/2001/XMLSchema#string";
>> >George</AttributeValue>
>> <AttributeValue
>> DataType="http://www.w3.org/2001/XMLSchema#string";
>> >Ringo</AttributeValue>
>> </Apply>
>> </Apply>
>>
>> can also be expressed with ForAny:
>>
>> <ForAny VariableId="somebody">
>> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-
>> bag">
>> <AttributeValue
>> DataType="http://www.w3.org/2001/XMLSchema#string";
>> >Ringo</AttributeValue>
>> <AttributeValue
>> DataType="http://www.w3.org/2001/XMLSchema#string";
>> >Mary</AttributeValue>
>> </Apply>
>> <ForAny VariableId="beatle">
>> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-
>> bag">
>> <AttributeValue
>> DataType="http://www.w3.org/2001/XMLSchema#string";
>> >John</AttributeValue>
>> <AttributeValue
>> DataType="http://www.w3.org/2001/XMLSchema#string";
>> >Paul</AttributeValue>
>> <AttributeValue
>> DataType="http://www.w3.org/2001/XMLSchema#string";
>> >George</AttributeValue>
>> <AttributeValue
>> DataType="http://www.w3.org/2001/XMLSchema#string";
>> >Ringo</AttributeValue>
>> </Apply>
>> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-
>> equal">
>> <VariableReference VariableId="somebody"/>
>> <VariableReference VariableId="beatle"/>
>> </Apply>
>> </ForAny>
>> </ForAny>
>>
>> In fact, all of these functions have an equivalent representation using
>> ForAny
>> and/or ForAll:
>>
>> time-in-range
>> type-is-in
>> type-at-least-one-member-of
>> type-subset
>> type-set-equals
>> any-of
>> all-of
>> any-of-any
>> all-of-any
>> any-of-all
>> all-of-all
>>
>> The advantage of the ForAny and ForAll expressions is that they can also
>> apply an arbitrarily complex expression to the members of a bag whereas
>> the
>> higher-order bag functions can only apply a function.
>>
>> In a previous email I indicated four reasonable combinations of any-of and
>> all-of for a higher-order bag function of two bag arguments, though only
>> two
>> such functions have been defined:
>>
>> (1) x_of_x f [] ys = True
>> x_of_x f (x:xs) ys = (any_of f x ys)&& (x_of_x f xs ys)
>>
>> (2) x_of_x f xs [] = False
>> x_of_x f xs (y:ys) = (all_of f xs y) || (x_of_x f xs ys)
>>
>> (3) x_of_x f xs [] = True
>> x_of_x f xs (y:ys) = (any_of f xs y)&& (x_of_x f xs ys)
>>
>> (4) x_of_x f [] ys = False
>> x_of_x f (x:xs) ys = (all_of f x ys) || (x_of_x f xs ys)
>>
>> Each of these combinations can be expressed using ForAny and ForAll, which
>> would remove any need to define the two missing functions.
>>
>> (1)<ForAll VariableId="x">
>> ... an expression evaluating to a bag of the primitive data-type
>> of the first argument of function "f"
>> <ForAny VariableId="y">
>> ... an expression evaluating to a bag of the primitive data-type
>> of the second argument of function "f"
>> <Apply FunctionId="f">
>> <VariableReference VariableId="x"/>
>> <VariableReference VariableId="y"/>
>> </Apply>
>> </ForAny>
>> </ForAll>
>>
>> (2)<ForAny VariableId="y">
>> ... an expression evaluating to a bag of the primitive data-type
>> of the second argument of function "f"
>> <ForAll VariableId="x">
>> ... an expression evaluating to a bag of the primitive data-type
>> of the first argument of function "f"
>> <Apply FunctionId="f">
>> <VariableReference VariableId="x"/>
>> <VariableReference VariableId="y"/>
>> </Apply>
>> </ForAll>
>> </ForAny>
>>
>> (3)<ForAll VariableId="y">
>> ... an expression evaluating to a bag of the primitive data-type
>> of the second argument of function "f"
>> <ForAny VariableId="x">
>> ... an expression evaluating to a bag of the primitive data-type
>> of the first argument of function "f"
>> <Apply FunctionId="f">
>> <VariableReference VariableId="x"/>
>> <VariableReference VariableId="y"/>
>> </Apply>
>> </ForAny>
>> </ForAll>
>>
>> (4)<ForAny VariableId="x">
>> ... an expression evaluating to a bag of the primitive data-type
>> of the first argument of function "f"
>> <ForAll VariableId="y">
>> ... an expression evaluating to a bag of the primitive data-type
>> of the second argument of function "f"
>> <Apply FunctionId="f">
>> <VariableReference VariableId="x"/>
>> <VariableReference VariableId="y"/>
>> </Apply>
>> </ForAll>
>> </ForAny>
>>
>> The map function could also be generalized to allow an arbitrary
>> expression to
>> transform a bag of values, instead of just a function:
>>
>> <xs:element name="Map" type="xacml:IterativeExpressionType"
>> substitutionGroup="xacml:Expression"/>
>>
>> In this case the second contained expression is an arbitrary expression
>> that
>> evaluates to some primitive data-type. A Map expression is evaluated by
>> repeatedly evaluating the second expression with the variable bound to
>> each
>> value of the bag from the first contained expression. The overall result
>> of the
>> Map expression is a bag containing the results of evaluating the second
>> expression.
>>
>> There you have it - a suggestion for extending and generalizing XACML to
>> properly handle non-trivial comparisons of multi-valued attributes.
>>
>> Regards,
>> Steven
>>
>>
>> --
>> This publicly archived list offers a means to provide input to the
>> OASIS eXtensible Access Control Markup Language (XACML) TC.
>>
>> In order to verify user consent to the Feedback License terms and
>> to minimize spam in the list archive, subscription is required
>> before posting.
>>
>> Subscribe: xacml-comment-subscribe@lists.oasis-open.org
>> Unsubscribe: xacml-comment-unsubscribe@lists.oasis-open.org
>> List help: xacml-comment-help@lists.oasis-open.org
>> List archive: http://lists.oasis-open.org/archives/xacml-comment/
>> Feedback License: http://www.oasis-open.org/who/ipr/feedback_license.pdf
>> List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
>> Committee: http://www.oasis-
>> open.org/committees/tc_home.php?wg_abbrev=xacml
>
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]