Subject: Re: [xacml] XACML 2.0 Work Items, V1.8


On 21 August, Frank Siebenlist writes: Re: [xacml] XACML 2.0 Work Items, V1.8
 > I'm ok with all the items you added my name to, except #26:
 > 
 > 26. Define policy reduction (partial evaluation) of a policy
 > 
 >     Define a process for reducing a policy based on known
 >     information, leaving only the unresolved predicates.
 > 
 >     STATUS: potential work item.
 >     PROPOSAL:
 >     CHAMPION: Frank Siebenlist?
 > 
 > I'm not sure what it is about .... is this some sort of optimization or is this 
 > related to wspl's policy combination/reduction?

This is related to the Grid requirement for being able to return
a decision along with further conditions, where a PDP is unable
to fully evaluate the policy due to lack of information.  The
"conditions" in this case would be the original policy, with all
resolved predicates factored out, leaving only a small policy
representing the predicates still to be resolved.

This will often be a use case when the initiator's system has
some of the information, and the resource's system has other
information.  The two systems trust each other's policy
evaluations, but neither system is able to access all the
information needed to evaluate the policy.

Quick example: assume the Request contains the following:

     subject-id="Frank"
     resource-id="file:/net/bigsystem/"
     action-id="write"

and the full policy contains:

     <Rule Effect="Permit">
     <Condition FunctionId="and">
       subject-role == "ANL Staff"
       resource-id == "file:/net/bigsystem/"
       action-id == "write"
       timeOfDayRangeAtResource="9am-5pm"
     </Condition>
     </Rule>

The Requester's PDP might be able to determine that "Frank" has
role "ANL Staff", but does not know the time of day at the target
resource.  So the Requester's PDP evaluates as much as it can,
and factors out the predicates that evaluate to "true".

The partially evaluated result is:

     <Rule Effect="Permit">
     <Condition FunctionId="and">
       timeOfDayRangeAtResource="9am-5pm"
     </Condition>
     </Rule>

This "optimized" or "partial policy" would be passed in the
Conditions element of the response, and then forwarded to the
resource manager for "file:/net/bigsystem/", along with the
request.  The resource manager does not know that "Frank" has
role "ANL Staff", so would not have been able to fully evaluate
the original policy, but the resource manager knows its own time
of day.  So that resource manager sends the little policy above
as Conditions on a Request to its own PDP.  Its own PDP evaluates
that Policy and returns "Permit".

[Note that we now have a case where "resource-id" is needed in a
request.  I believe it should be made optional to handle this
case.]

Anne
-- 
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive, UBUR02-311    Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
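The two-step evaluation described in the message, as an added example that is not part of the original post or of any XACML TC artifact. It assumes a plain Python representation of a conjunctive Condition (a list of predicates keyed by attribute-id, not XACML XML), treats the time predicate as a 9am-5pm range on the resource's own clock, and uses an assumed decision name "Conditional" for a result that carries a residual policy.

```python
from dataclasses import dataclass
from datetime import time
from typing import Callable

# Constructed representation (not XACML XML): a rule's Condition is a list of
# predicates, each naming the attribute-id it needs and the test to apply.
@dataclass(frozen=True)
class Predicate:
    attribute: str
    test: Callable[[object], bool]

def equals(attribute, value):
    return Predicate(attribute, lambda v: v == value)

def time_in_range(attribute, start, end):
    return Predicate(attribute, lambda t: start <= t <= end)

def partial_evaluate(condition, known):
    """Evaluate an "and" Condition against the attributes this PDP knows.
    Predicates resolving true are factored out; one resolving false makes the
    rule inapplicable, so nothing is forwarded; predicates whose attribute is
    missing come back as the residual policy ("Conditional" is an assumed name)."""
    residual = []
    for pred in condition:
        if pred.attribute not in known:
            residual.append(pred)           # unresolved: defer to the other side
        elif not pred.test(known[pred.attribute]):
            return "NotApplicable", []      # one false conjunct sinks the whole rule
    return ("Conditional", residual) if residual else ("Permit", [])

# The rule from the message, with the time predicate as a 9am-5pm range.
RULE = [
    equals("subject-role", "ANL Staff"),
    equals("resource-id", "file:/net/bigsystem/"),
    equals("action-id", "write"),
    time_in_range("timeOfDayRangeAtResource", time(9, 0), time(17, 0)),
]

def requester_pdp(subject_role):
    # The requester's side knows the subject's role but not the resource's clock.
    known = {"subject-role": subject_role,
             "resource-id": "file:/net/bigsystem/", "action-id": "write"}
    return partial_evaluate(RULE, known)

def resource_pdp(residual, hour, minute=0):
    # The resource manager evaluates only the forwarded residual with its own clock.
    local_time = time(hour, minute)
    return partial_evaluate(residual, {"timeOfDayRangeAtResource": local_time})
```

Note that a predicate the requester's PDP can resolve to false never produces a residual: the rule is simply inapplicable, so there is no partial policy to send along with the request.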


