Re: [xacml-comment] PIP - comments/questions

[Steven Legg <steven.legg@viewds.com>]

Hi Benedict,

On 1/02/2018 5:30 AM, Benedict Benken wrote:
> Hi,
>
> I've a few comments/questions regarding to XACML. If this is the wrong mailing list, let me know.

This is an appropriate list for your questions.

>  1. The most XACML-Implementations, that I saw, integrated the PIP's into the PDP. I think that is no good solution, but the devs had not choice:
>     On the one hand the meaning of the context handler isn't really described as importent as I guess it is. On the other hand there is no XML/JSON-specification how to request a PIP. So when PDP and PEP/context handler are on two machines, then the PIP has to be on the the PDP machine and cannot be on a third machine (e.g. as microservice).

The only standardized method for a context handler to obtain attributes from a PIP
is the SAML AttributeQuery in the SAML 2.0 Profile of XACML. However, it seems this
method is not widely implemented or used. Implementations have mostly come up with
proprietary ways to get attributes from attribute stores such as SQL databases and
LDAP directories. These typical attribute stores already have standardized ways to
access them so there hasn't been an impetus to use the SAML profile or define a
JSON counterpart to the SAML AttributeQuery.

Whether the PIPs are integrated into the PDP is a matter of perspective. I think
of the SQL database or LDAP directory as being the PIP and the implementation-
specific connector that allows the context handler to fetch the attributes is
part of the context handler. The connectors are necessarily integrated, but the
attribute stores can be anywhere (subject to any limitations in the implementation
of the connector), and the protocols in use between the context handler and PIPs
are implementation defined.

>     Why is there no detailed PIP definition?

In general, the XACML specs avoid being too prescriptive on the architecture to
avoid unnecessarily restricting what implementations can do. AttributeQuery defines
an interface to a PIP, but you are not required to use it.

>  2. It's not really clear defined what's the recommended way to retreive missing attributes in XACML. PIP's or Response Status Detail?

There's no recommendation because either way might be the better choice depending
on the circumstances. For example, a context handler might always obtain subject
attributes from a PIP because all the users are fully described in a centralized
directory, but missing resource attributes might be reported back to the PEP
because the PEP is closer to the specific resource database and in a better
position to obtain the missing values.

If you are talking about the interaction between the PDP and context handler, then
it is just more efficient to obtain missing attributes on-the-fly from a PIP as
the PDP processes XACML expressions. The demarcation between the PDP and context
handler is rather arbitrary in this case.

>  3. I think it would be usefull, if an AttributeDesignator has an optional "expression" and "expressionType" attribute, so PIP's could use them for SQL-queries or Spring Expression Language etc.

That would require the policy writers to be aware of the nature of the PIP
implementation and would make the policies they write less portable and harder
to maintain. In my experience, it is sufficient to make such expressions part of
the implementation or configuration of the relevant connectors.

>  4. Why are VariableDefinitions only for policies and not policySets?

Apparently, variable definitions for policy sets just weren't considered at the
time variables were added to the spec. I for one would find the feature useful.

Regards,
Steven

> thank you and best regards
> Benedict