xacml message



Subject: Re: [xacml] A single tree?


Polar Humenn wrote:
> In 7.2 Base Policy the last paragraph states:
> 
> In the case of a PDP that retrieves policies according to the decision
> request that it is processing, the base policy SHALL contain a <Policy>
> element containing a <Target> element that matches every possible
> decision request and a PolicyCombiningAlgId attribute with the value of
> "Only-one-applicable". In other words, the PDP SHALL return an error if it
> retrieves policies that do not form a single tree.
> 
> I'm pretty sure what I think this is trying to say is that this PDP thingy,
> for which we have no management interfaces and no configurational
> specification, is supposed to operate in such a way that it is forced to
> store its policies in such a way that the PDP is forced to retrieve only a
> single <Policy> or <PolicySet> per any decision request it may come
> across.

I don't have the latest spec in front of me, but I think you're probably 
on the right track. I think the text is trying to say that for a given 
Request, it's an error if more than one "top-level" (or, in this case, 
"base") policy is retrieved and is applicable...though I think this text 
is pretty confusing (yes, I'm planning on sending in comments on the 
spec, I've just been swamped lately...sorry).

> I may or may not choose to implement a PDP in such a fashion, since a PDP
> doesn't have to store or "retrieve" its policies in XML. I may configure
> it differently; say it follows a majority strategy for retrieving several
> applicable policies to the decision request.

I think it should be fine to "retrieve" any number of policies, as long 
as the "base" policy you use for evaluation is exactly one policy (in 
other words, what you've expressed here). I think this is what the text 
is trying to say. At any rate, I support this.

> However, above, in the text, what I think needs to be corrected is that
> this "base" policy should contain a <PolicySet> (not a <Policy>), as the
> PDP is retrieving "policies", which I assume are either <Policy> or
> <PolicySet> items. I assume it's not retrieving rules.

Actually, I think we're really talking about an abstract policy element 
that the PDP uses as the "base" policy in an evaluation. This causes 
problems with the language about a specific combining algorithm. A PDP 
has to behave as if it's using the only-one-applicable alg, but it could 
enforce that through custom logic, careful retrieval algorithms, or by 
actually using a PolicySet with the combining alg...actually, a 
meta-question: is this new text for section 7.2? It doesn't sound 
familiar to me...

> The last statement I don't understand. What is a "single tree"?

I think this means we evaluate against only one policy tree, regardless 
of how that policy tree was constructed.

> I think this statement would be better and more clearly stated as,
> 
> "In other words, the PDP SHALL return an error if it retrieves more than
> one policy for any decision request."

Again, I don't have the spec in front of me, but I think the whole 
paragraph can be clarified. I actually think it's fine for a PDP to 
"retrieve" more than one policy for a given request, as long as a) only 
one policy applies or b) they're combined under a single PolicySet (as 
in the original text). By "retrieve" I mean the act of fetching a 
potentially applicable policy for a given request, not evaluating the 
request against the policy.


seth

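The two readings discussed in this thread (a PDP may "retrieve" any number of candidate policies, but must then behave as if exactly one base policy sits under an only-one-applicable combining algorithm, with more than one applicable policy being an error) are easy to see in code. The following is an added illustration written for this archive page; it is not code from the XACML specification, from either poster, or from any XACML implementation. It models policies as small Python objects with a target predicate instead of XML, uses constructed policies and requests, and simplifies deny-overrides (child Indeterminate results are not modelled); all names in it are hypothetical.

```python
"""Toy model of a PDP whose base policy behaves as only-one-applicable.

Constructed illustration, not XACML-conformant code: targets are Python
predicates over a request dict, and decisions are plain strings.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Union

PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"

Request = Dict[str, str]
Target = Callable[[Request], bool]


@dataclass
class Policy:
    """Stand-in for <Policy>: a fixed decision if the target matches."""
    name: str
    target: Target
    decision: str  # PERMIT or DENY

    def evaluate(self, request: Request) -> str:
        return self.decision if self.target(request) else NOT_APPLICABLE


@dataclass
class PolicySet:
    """Stand-in for <PolicySet>: children combined by a combining algorithm."""
    name: str
    target: Target
    combining_alg: Callable[[List["Node"], Request], str]
    children: List["Node"] = field(default_factory=list)

    def evaluate(self, request: Request) -> str:
        if not self.target(request):
            return NOT_APPLICABLE
        return self.combining_alg(self.children, request)


Node = Union[Policy, PolicySet]


def only_one_applicable(children: List[Node], request: Request) -> str:
    """The 'single tree' rule: exactly one child target may match.

    More than one applicable child is the error case (Indeterminate);
    no applicable child is NotApplicable; otherwise the one child decides.
    """
    applicable = [c for c in children if c.target(request)]
    if len(applicable) > 1:
        return INDETERMINATE
    if not applicable:
        return NOT_APPLICABLE
    return applicable[0].evaluate(request)


def deny_overrides(children: List[Node], request: Request) -> str:
    """Simplified deny-overrides: any Deny wins, else Permit, else NotApplicable."""
    results = [c.evaluate(request) for c in children]
    if DENY in results:
        return DENY
    if PERMIT in results:
        return PERMIT
    return NOT_APPLICABLE


def pdp_decide(retrieved: List[Node], request: Request) -> str:
    """A PDP that 'retrieves' any number of candidates (here: whatever the caller
    hands it) and then evaluates them as if they sat under one base PolicySet
    whose target matches everything and whose algorithm is only-one-applicable."""
    base = PolicySet("base", target=lambda r: True,
                     combining_alg=only_one_applicable, children=retrieved)
    return base.evaluate(request)


# Constructed sample policies (hypothetical names and targets).
EMPLOYEES_READ = Policy("employees-read",
                        lambda r: r["role"] == "employee" and r["action"] == "read",
                        PERMIT)
CONTRACTORS = Policy("contractors", lambda r: r["role"] == "contractor", DENY)
AUDIT_LOGS = Policy("audit-logs", lambda r: r["resource"] == "audit-log", DENY)

# Case (b) from the reply: overlapping policies combined under one PolicySet,
# so the PDP still sees a single applicable tree.
REPORTING_SET = PolicySet("reporting", target=lambda r: True,
                          combining_alg=deny_overrides,
                          children=[EMPLOYEES_READ, AUDIT_LOGS])

REPORT_REQ = {"role": "employee", "action": "read", "resource": "report"}
AUDIT_REQ = {"role": "employee", "action": "read", "resource": "audit-log"}
GUEST_REQ = {"role": "guest", "action": "read", "resource": "report"}

if __name__ == "__main__":
    loose = [EMPLOYEES_READ, CONTRACTORS, AUDIT_LOGS]
    print("one applies  :", pdp_decide(loose, REPORT_REQ))          # Permit
    print("two apply    :", pdp_decide(loose, AUDIT_REQ))           # Indeterminate
    print("combined set :", pdp_decide([REPORTING_SET, CONTRACTORS], AUDIT_REQ))  # Deny
    print("none apply   :", pdp_decide(loose, GUEST_REQ))           # NotApplicable
```

The second case is the one the spec paragraph is guarding against: three policies were retrieved, two of them apply, and the PDP has no sanctioned way to pick between them, so it reports an error rather than guessing. The third case shows the remedy the reply describes: the overlapping policies are placed under a PolicySet with an explicit combining algorithm, that PolicySet is the one applicable tree, and the decision comes out of it deterministically.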