[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Policy administration topics
We now have multiple work items that seem very related: 29. Policy Authority Delegation 31. Attribute Issuer as Subject 38. Policies for the Administration of XACML Policies Do we really have one work item here: How does the PDP know if issuer I is trusted to issue policies about a particular combination of subjects, resources, and actions? Use Model: I believe everyone agrees on the use model: The PDP's policy-retriever component tests whether to trust a given candidate policy by sending an XACML request describing the candidate policy to a Policy Administration PDP that is configured with policies describing which candidate policies to trust. Proposal S: (Simon) I believe Simon's proposal is a pull model, where the PDP pulls policies as required from repositories or issuers: When the PDP's policy-retriever component tests whether to trust a given candidate policy, it constructs a Request that includes o Subject: the Issuer of the candidate policy (take the Issuer from the signature on the SAML Assertion encapsulating the candidate policy), o Resource: the actual <Target> element of the candidate policy as the value of a new Resource Attribute "policy-target", o Action: "issue policy" Define a new FunctionId that does an exact byte-for-byte match between normalized values for <Target> elements, and use this in writing policies describing which issuer Subjects can "issue policy" for given Targets. Issue: the model for how the set of applicable policies used by a PDP is constructed is not entirely clear. Some possible models: 1. The PDP is configured with a base PolicySet, and is just validating the components of its subtree as it retrieves them while doing evaluations. 2. The PDP at any one time has a bag of candidate policies. It periodically evaluates which ones to trust using the procedure above. Out of the trusted policies, it then constructs the PolicySet and its subtree by matching up PolicyId#'s and PolicySetId#'s (these are assumed to fit together in some consistent way). 3. The PDP at any one time has a bag of candidate policies. It periodically evaluates which ones to trust as in #2. The PDP is configured with a base PolicySet that has a specified combining algorithm. Prior to evaluating Requests, all validated Policies and PolicySets are plugged into the base PolicySet as top-level components. Proposal A: (Anne) This is a push model: Policy issuers push policies to a new Policy Administration API in the PDP, along with the Id of the Policy or PolicySet that the new pushed policy affects. Each PDP is configured with an initial Access Control PolicySet and an initial Policy Administration PolicySet. The PDP validates each pushed policy by sending it in an XACML Request that is evaluated according to the current Policy Administration PolicySet. If the pushed policy is validated, then the policy-administration component of the PDP makes the appropriate changes to the indicated Access Control PolicySet or Policy Administration PolicySet and their sub-policies. Its two trusted trees of policies are stored in a secure cache. When validating a pushed policy, the Request from the policy-administration component includes: o Subject: the Issuer of the pushed policy (take the issuer from the signature on the SAML Assertion encapsulating the pushed policy). o Resource: - resource-id Attribute contains the PolicyId or PolicySetId of the Policy or PolicySet affected by this request - ResourceContent contains the pushed policy [not needed with delete-policy action] o Action: Possible actions are: - create-sub-policy under PolicyId x [in slot# y] - delete-policy id=x - replace-policy id=x - replace-policy-target id=x - replace-policy-combining-alg id=x Policies can express conditions on candidate policies by using XPath expressions to extract components of the candidate policy from the ResourceContent and place conditions on them using standard XACML functions. A simple form of Condition could use the target-match function defined in Simon's proposal, so the degenerate form of this proposal is quite similar to Proposal S. Sample policy used by Policy Administration PDP: "issuers A and B can create sub-policies under PolicyId 3 so long as the sub-policy Target Resource is "abc". <PolicySet PolicySetId="1" CombiningAlgId="deny-overrides"> <Target>any</Target> <Policy PolicyId="2" CombiningAlgId="deny-overrides"> <Rule> <Target> <Subject>issuer A</Subject> <Subject>issuer B</Subject> <Resource>PolicyId 3</Resource> <Action>create-sub-policy</Action> </Target> <Condition> Resource/ResourceContent/Policy/Target/Resource/resource-id = "abc" </Condition> </Rule> ... Proposal F: (Frank) I believe Frank proposes including the Issuer of a policy as a new classification, alongside the existing Subject, Resource, and Action. When a PDP is trying to decide whether to trust a given policy, it will evaluate the policies that are applicable to that "Issuer". If I understand Frank's proposal correctly, I think it is the same as Proposal S or Proposal A. Proposal P: (Polar) I did not actually see Polar work out his proposal, so I don't know how it differs from S, A, or F. Anne -- Anne H. Anderson Email: Anne.Anderson@Sun.COM Sun Microsystems Laboratories 1 Network Drive,UBUR02-311 Tel: 781/442-0928 Burlington, MA 01803-0902 USA Fax: 781/442-1692
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]