Subject: Re: [xacml] Request and Response Context Schemas - Take 2



I would really like to get rid of this "multiple" principals concept, and
go with a structured principal. That way the security software can
construct the proper principal.

As for having multiple resources, I disagree. We have to limit the
"request" to something specific, so we aren't doing too much guessing at
the policy end, i.e. at most 1 (structured) principal, 1 resource, 1
action.

-Polar

On Wed, 5 Jun 2002, Michiharu Kudoh wrote:

>
> Hi, Anne
>
> I am not clear on your sentence "If we ever expect to have multiple
> resources, we need to know which actions go with which resource, and this
> makes that association." Does this mean that a PEP can ask the PDP with two
> or more pairs of resource and action (e.g. read a.xml and update b.xml)
> per one access request?
>
> As far as I understand, each <Principal> consists of optional <PrincipalID>
> and any number of <Attribute> that consists of optional <Holder> and one
> <AttributeValue> that can contain anything in it. Is that correct? I am
> wondering whether <PrincipalID> differs from <Holder> or not. Since
> <ContextPrincipals> allows multiple <Principal>s, I thought that each
> <Principal> has different <PrincipalID> specified by <NameIdentifier> that
> is equal to <Holder> (that also consists of <NameIdentifier>) of the
> <Attribute>.  I would like to see XACML Context example based on your
> schema.
>
> Best
> Michiharu
>
>
> IBM Tokyo Research Laboratory, Internet Technology
> Tel. +81 (46) 215-4642   Fax +81 (46) 273-7428
>
> From:    Anne Anderson <Anne.Anderson@Sun.com>
> To:      XACML TC <xacml@lists.oasis-open.org>
> cc:
> Subject: [xacml] Request and Response Context Schemas - Take 2
> Date:    2002/06/05 01:46
> Please respond to Anne.Anderson
>
> I have modified Simon's proposed schemas according to my proposed
> ContextPrincipals definition.  I have also made the following
> further changes based on comments from my group here and from the
> concalls.  This has NOT been run through a validator.
>
> - SimplePrincipal is now just Principal.
> - ContextResource has been expanded to ContextResources,
>   comparable to the expansion of Principal/ContextPrincipal to
>   ContextPrincipals.  I think Michiharu suggested that we may
>   want to allow for multiple resources, and I think it is also a
>   good idea.
> - I added a saml:IDType attribute to the RequestContext and the
>   ResponseContext.  This is so that a response decision can be
>   matched against a specific request.
> - ContextActions is now an element under a Resource.  If we ever
>   expect to have multiple resources, we need to know which
>   actions go with which resource, and this makes that
>   association.
> - AttributeFamily is eliminated, and AttributeName is
>   type="xs:anyURI".
> - Issuer, IssueInstant attributes are made optional.
> - AbstractPrincipal is eliminated.  In its place, a PrincipalID
>   element is defined to hold the ways of identifying a given
>   principal, either in a Principal or in an Attribute.
> - HolderType is eliminated.  It is now PrincipalID.
>
> Polar, I don't think we are ready to define ComplexPrincipalType.
> I left a place-holder for it, but I think it needs a lot more
> discussion.  The sequence of role-identified Principals is an
> attempt to deal with what we know now.
>
> Anne
> --
> Anne H. Anderson             Email: Anne.Anderson@Sun.COM
> Sun Microsystems Laboratories
> 1 Network Drive, UBUR02-311    Tel: 781/442-0928
> Burlington, MA 01803-0902 USA  Fax: 781/442-1692
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!-- Title: Proposed Request and Response Context Schemas -->
> <!-- Version: 1.1, 02/06/04 (yy/mm/dd) -->
> <!-- Author:  Anne Anderson -->
> <!-- Source:  /home/aa74233/docs/XACML/SCCS/s.ReqRespContextSchema.txt -->
> <xs:schema targetNamespace="http://www.oasis-open.org/committees/xacml/docs/draft-xacml-context.xsd"
>     xmlns:xs="http://www.w3.org/2001/XMLSchema"
>     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
>     xmlns:xacml="http://www.oasis-open.org/committees/xacml/docs/draft-xacml-context.xsd"
>     xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
>     elementFormDefault="qualified" attributeFormDefault="unqualified">
>     <!-- The saml prefix used by saml:IDType below was not declared in the
>          draft; the SAML 1.0 assertion namespace is declared and imported
>          here so that the schema is well-formed. -->
>     <xs:import namespace="urn:oasis:names:tc:SAML:1.0:assertion"/>
>     <!-- -->
>     <xs:element name="RequestContext" type="xacml:RequestContextType"/>
>     <xs:complexType name="RequestContextType">
>         <xs:sequence>
>             <xs:element ref="xacml:ContextPrincipals"/>
>             <xs:element ref="xacml:ContextResources"/>
>             <xs:element ref="xacml:ContextOther"/>
>         </xs:sequence>
>         <!-- IDType must be unique identifier -->
>         <xs:attribute name="RequestID" type="saml:IDType" use="required"/>
>     </xs:complexType>
>     <!-- -->
>     <xs:element name="ResponseContext" type="xacml:ResponseContextType"/>
>     <xs:complexType name="ResponseContextType">
>         <xs:choice>
>             <xs:element ref="xacml:Permit"/>
>             <xs:element ref="xacml:Deny"/>
>             <xs:element ref="xacml:Indeterminate"/>
>         </xs:choice>
>         <!-- RequestID must be copied from the request context
>              for which this is the response. -->
>         <xs:attribute name="RequestID" type="saml:IDType" use="required"/>
>     </xs:complexType>
>     <!-- -->
>     <xs:element name="ContextPrincipals" type="xacml:ContextPrincipalsType"/>
>     <xs:complexType name="ContextPrincipalsType">
>         <xs:choice>
>             <!--xs:element ref="xacml:ComplexPrincipal" minOccurs="1" maxOccurs="1"/-->
>             <xs:element ref="xacml:Principal" minOccurs="1" maxOccurs="unbounded"/>
>         </xs:choice>
>     </xs:complexType>
>     <!-- -->
>     <xs:element name="Principal" type="xacml:PrincipalType"/>
>     <xs:complexType name="PrincipalType">
>         <xs:sequence>
>             <xs:element ref="xacml:PrincipalID" minOccurs="0" maxOccurs="1"/>
>             <xs:element ref="xacml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
>         </xs:sequence>
>         <!-- PrincipalType examples: j2se:CodeSource xacml:RequestingUser -->
>         <xs:attribute name="PrincipalType" type="xs:anyURI" use="required"/>
>     </xs:complexType>
>     <!-- -->
>     <!--xs:element name="ComplexPrincipal" type="xacml:ComplexPrincipalType"/-->
>     <!--xs:complexType name="ComplexPrincipalType"-->
>         <!-- Not yet defined: a relational tree structure of Principal -->
>     <!--/xs:complexType-->
>     <!-- -->
>     <xs:element name="PrincipalID" type="xacml:PrincipalIDType"/>
>     <xs:complexType name="PrincipalIDType">
>         <xs:choice>
>             <xs:element ref="xacml:NameIdentifier"/>
>             <!-- did we agree on the 'ds:key' here? -->
>             <!--xs:element ref="ds:KeyInfo"/-->
>         </xs:choice>
>     </xs:complexType>
>     <!-- -->
>     <xs:element name="NameIdentifier" type="xacml:NameIdentifierType"/>
>     <xs:complexType name="NameIdentifierType">
>         <xs:simpleContent>
>             <xs:extension base="xs:string">
>                 <xs:attribute name="Format" type="xs:anyURI" use="required"/>
>                 <xs:attribute name="NameQualifier" type="xs:string" use="optional"/>
>             </xs:extension>
>         </xs:simpleContent>
>     </xs:complexType>
>     <!-- -->
>     <xs:element name="AnyURI" type="xs:anyURI"/>
>     <!-- -->
>     <xs:element name="AttributeDesignator" type="xacml:AttributeDesignatorType"/>
>     <xs:complexType name="AttributeDesignatorType">
>         <xs:sequence>
>             <!-- Holder is the PrincipalID element value when
>                  Attribute is used in a Principal -->
>             <xs:element ref="xacml:Holder" minOccurs="0"/>
>         </xs:sequence>
>         <xs:attribute name="AttributeName" type="xs:anyURI" use="required"/>
>         <xs:attribute name="Issuer" type="xs:anyURI" use="optional"/>
>         <xs:attribute name="IssueInstant" type="xs:dateTime" use="optional"/>
>         <xs:attribute name="AttributeLocator" type="xs:string" use="optional"/>
>     </xs:complexType>
>     <!-- -->
>     <xs:element name="Holder" type="xacml:PrincipalIDType"/>
>     <!-- -->
>     <xs:element name="Attribute" type="xacml:AttributeType"/>
>     <xs:complexType name="AttributeType">
>         <xs:complexContent>
>             <xs:extension base="xacml:AttributeDesignatorType">
>                 <xs:sequence>
>                     <xs:element ref="xacml:AttributeValue"/>
>                 </xs:sequence>
>             </xs:extension>
>         </xs:complexContent>
>     </xs:complexType>
>     <!-- -->
>     <xs:element name="AttributeValue" type="xacml:AttributeValueType"/>
>     <xs:complexType name="AttributeValueType">
>         <xs:sequence>
>             <xs:any maxOccurs="unbounded"/>
>         </xs:sequence>
>     </xs:complexType>
>     <!-- -->
>     <xs:element name="ContextResources" type="xacml:ContextResourcesType"/>
>     <xs:complexType name="ContextResourcesType">
>         <xs:choice>
>             <!--xs:element ref="xacml:ComplexResource" minOccurs="1" maxOccurs="1"/-->
>             <xs:element ref="xacml:Resource" minOccurs="1" maxOccurs="unbounded"/>
>         </xs:choice>
>     </xs:complexType>
>     <!-- -->
>     <xs:element name="Resource" type="xacml:ResourceType"/>
>     <xs:complexType name="ResourceType">
>         <xs:sequence>
>             <xs:element ref="xacml:ResourceSpecifier" maxOccurs="1"/>
>             <xs:element ref="xacml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
>             <xs:element ref="xacml:Action" minOccurs="0" maxOccurs="unbounded"/>
>         </xs:sequence>
>     </xs:complexType>
>     <!-- -->
>     <!--xs:element name="ComplexResource" type="xacml:ComplexResourceType"/-->
>     <!--xs:complexType name="ComplexResourceType"-->
>         <!-- Not yet defined: a relational tree structure of Resource -->
>     <!--/xs:complexType-->
>     <!-- -->
>     <xs:element name="ResourceSpecifier" type="xacml:ResourceSpecifierType"/>
>     <xs:complexType name="ResourceSpecifierType">
>         <xs:sequence>
>             <xs:element ref="xacml:ResourceContent" minOccurs="0"/>
>         </xs:sequence>
>         <xs:attribute name="ResourceURI" type="xs:anyURI" use="optional"/>
>     </xs:complexType>
>     <!-- -->
>     <xs:element name="ResourceContent" type="xacml:ResourceContentType"/>
>     <xs:complexType name="ResourceContentType">
>         <xs:sequence>
>             <xs:any maxOccurs="unbounded"/>
>         </xs:sequence>
>     </xs:complexType>
>     <!-- -->
>     <xs:element name="Action" type="xs:string"/>
>     <!-- -->
>     <xs:element name="ContextOther" type="xacml:ContextOtherType"/>
>     <xs:complexType name="ContextOtherType">
>         <xs:sequence>
>             <xs:element ref="xacml:Attribute" minOccurs="0" maxOccurs="unbounded"/>
>         </xs:sequence>
>     </xs:complexType>
>     <!-- -->
>     <xs:complexType name="DecisionType">
>         <xs:attribute name="ResourceName" type="xs:anyURI"/>
>         <xs:attribute name="Action" type="xs:anyURI"/>
>     </xs:complexType>
>     <!-- -->
>     <xs:element name="Permit" type="xacml:EffectDecisionType"/>
>     <xs:element name="Deny" type="xacml:EffectDecisionType"/>
>     <xs:complexType name="EffectDecisionType">
>         <xs:complexContent>
>             <xs:extension base="xacml:DecisionType">
>                 <xs:sequence>
>                     <xs:element ref="xacml:Obligation" minOccurs="0" maxOccurs="unbounded"/>
>                 </xs:sequence>
>             </xs:extension>
>         </xs:complexContent>
>     </xs:complexType>
>     <!-- -->
>     <xs:element name="Obligation" type="xacml:ObligationType"/>
>     <xs:complexType name="ObligationType">
>         <xs:sequence>
>             <xs:any minOccurs="0" maxOccurs="unbounded"/>
>         </xs:sequence>
>         <xs:attribute name="ObligationName" type="xs:anyURI"/>
>     </xs:complexType>
>     <!-- -->
>     <xs:element name="Indeterminate" type="xacml:IndeterminateType"/>
>     <xs:complexType name="IndeterminateType">
>         <xs:complexContent>
>             <xs:extension base="xacml:DecisionType">
>                 <xs:sequence>
>                     <xs:element ref="xacml:Advice" minOccurs="0" maxOccurs="unbounded"/>
>                 </xs:sequence>
>             </xs:extension>
>         </xs:complexContent>
>     </xs:complexType>
>     <!-- -->
>     <xs:element name="Advice" type="xacml:AdviceType"/>
>     <xs:complexType name="AdviceType">
>         <xs:sequence>
>             <xs:any minOccurs="0" maxOccurs="unbounded"/>
>         </xs:sequence>
>         <xs:attribute name="AdviceName" type="xs:anyURI"/>
>     </xs:complexType>
> </xs:schema>
>
>
> ----------------------------------------------------------------
> To subscribe or unsubscribe from this elist use the subscription
> manager: <http://lists.oasis-open.org/ob/adm.pl>
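As an added example (not code from the thread, the TC, or any of the posters), a constructed RequestContext and ResponseContext instance shaped by Anne's draft schema, together with a PEP-side check that a decision is applied only when its RequestID matches the request it answers. The namespace is the draft's; the principal, resource URIs, actions and request IDs are made up.

```python
import xml.etree.ElementTree as ET

NS = "http://www.oasis-open.org/committees/xacml/docs/draft-xacml-context.xsd"
X = "{" + NS + "}"

# Constructed sample instances (not from the thread): one Principal, and two
# Resources each carrying its own Action list, which is the nesting the draft
# uses to tie actions to a particular resource.
REQUEST = f"""<RequestContext xmlns="{NS}" RequestID="req-0001">
  <ContextPrincipals>
    <Principal PrincipalType="xacml:RequestingUser">
      <PrincipalID>
        <NameIdentifier Format="urn:example:email">alice@example.org</NameIdentifier>
      </PrincipalID>
    </Principal>
  </ContextPrincipals>
  <ContextResources>
    <Resource><ResourceSpecifier ResourceURI="file:///a.xml"/><Action>read</Action></Resource>
    <Resource><ResourceSpecifier ResourceURI="file:///b.xml"/><Action>update</Action></Resource>
  </ContextResources>
  <ContextOther/>
</RequestContext>"""
RESPONSE = f'<ResponseContext xmlns="{NS}" RequestID="req-0001"><Permit/></ResponseContext>'
STALE = f'<ResponseContext xmlns="{NS}" RequestID="req-0000"><Deny/></ResponseContext>'

def resource_actions(request_xml):
    """List (ResourceURI, [Action, ...]) pairs from a RequestContext, i.e. the
    resource/action association Michiharu asked about."""
    root = ET.fromstring(request_xml)
    pairs = []
    for res in root.iter(X + "Resource"):
        spec = res.find(X + "ResourceSpecifier")
        uri = spec.get("ResourceURI") if spec is not None else None
        pairs.append((uri, [a.text for a in res.findall(X + "Action")]))
    return pairs

def accept_decision(request_xml, response_xml):
    """Return the decision element name (Permit/Deny/Indeterminate) only if the
    ResponseContext carries the same RequestID as the request; otherwise None,
    so the PEP never enforces a decision that belongs to another request."""
    req = ET.fromstring(request_xml)
    resp = ET.fromstring(response_xml)
    if req.get("RequestID") is None or req.get("RequestID") != resp.get("RequestID"):
        return None
    names = {X + "Permit", X + "Deny", X + "Indeterminate"}
    decisions = [c.tag[len(X):] for c in resp if c.tag in names]
    return decisions[0] if len(decisions) == 1 else None
```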


