Subject: Re: [xacml] URI-match function proposal
Tim Moses wrote:
> Bill - Are you (furthermore) claiming that your proposal addresses my
> use-case (i.e. locating and retrieving applicable policies from an SQL
> database)? If so, I would like to understand how. All the best. Tim.

well, my thinking is this:

[...]
<Resources>
  <Resource>
*   <ResourceMatch MatchId="url-subtree-match">
*     <AttributeValue>www.example.com</AttributeValue>
      <ResourceAttributeDesignator AttributeId="resource-id"/>
    </ResourceMatch>
*   <ResourceMatch MatchId="url-subtree-match">
*     <AttributeValue>\/.*\.cgi</AttributeValue>
      <ResourceAttributeDesignator AttributeId="resource-id"/>
    </ResourceMatch>
  </Resource>
</Resources>
[...]

OR, if we wanted to express the matching of "cgi" files anywhere in the universe:

[...]
<Resources>
  <Resource>
*   <ResourceMatch MatchId="url-subtree-match">
*     <AttributeValue></AttributeValue>
      <ResourceAttributeDesignator AttributeId="resource-id"/>
    </ResourceMatch>
*   <ResourceMatch MatchId="url-subtree-match">
*     <AttributeValue>\/.*\.cgi</AttributeValue>
      <ResourceAttributeDesignator AttributeId="resource-id"/>
    </ResourceMatch>
  </Resource>
</Resources>
[...]

in both cases the first resource attribute refers to the host (uri match) and the second to the host resources (regex match). this would also work for all other url matches without creating another function.

seems straightforward to me (which usually means i am missing something ;o)

does this make sense?

b

as an aside, i would access applicable policies using resource from an RDBMS using something like this:

SELECT * from policies where REGEXP_LIKE (resource, '^[hH][tT][tT][pP]:\/\/[eE][xX][aA][mM][pP][lL][eE]\.[cC][oO][mM]\/.*\.cgi');

assuming you are using oracle. db/2 (with extensions) and mysql can be used similarly. sqlserver requires some creative programming (i think).
anyway, my position is that anything we create with our policy definitions will require some form of mapping to the policy store retrieval language, so precision is highly desirable (all of the SQL LIKE variants i have seen haven't been much prettier than regex ;o). for 3 of the 4 DBMSs listed, the query string mapping is actually fairly trivial since they support POSIX derivatives of regex natively.

now if the idea is to search for policies that themselves contain macro expressions for resources, then the complexity of the description language argument becomes moot, because this would almost have to be an (internal) mnemonic that is managed by the interface between the policy developer and the policy store (the UI in my twisted world). free form definition of macros--particularly if they are non-standard--will not work in my opinion (it is effectively "ANY" on steroids ;o)

ok, i am way out in the weeds here. sorry about that.
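As an added example (not code from Bill's post or from the XACML TC), the following Python evaluates the two-part url-subtree-match the post sketches against candidate resource-id URLs, and derives the case-insensitive REGEXP_LIKE pattern shown in the post from the same two match values. The MatchId and AttributeId names are the post's shorthand rather than real XACML identifiers; the host semantics (case-insensitive exact host, empty value means any host), the URL scheme parameter, and the "any scheme, any host" prefix used for the empty-host case in the SQL mapping are my assumptions; Python's re module stands in for the database's REGEXP_LIKE.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed policy fragment modelled on the post's first example.
# MatchId/AttributeId values are the post's shorthand, not real XACML URIs.
HOST_SCOPED_XML = r"""
<Resources>
  <Resource>
    <ResourceMatch MatchId="url-subtree-match">
      <AttributeValue>www.example.com</AttributeValue>
      <ResourceAttributeDesignator AttributeId="resource-id"/>
    </ResourceMatch>
    <ResourceMatch MatchId="url-subtree-match">
      <AttributeValue>\/.*\.cgi</AttributeValue>
      <ResourceAttributeDesignator AttributeId="resource-id"/>
    </ResourceMatch>
  </Resource>
</Resources>
"""

# The post's second example: an empty host value means "any host".
ANY_HOST_XML = HOST_SCOPED_XML.replace("www.example.com", "")


def resource_match_values(policy_xml):
    """Return the AttributeValue text of each ResourceMatch, in document order."""
    root = ET.fromstring(policy_xml)
    return [rm.findtext("AttributeValue") or "" for rm in root.iter("ResourceMatch")]


def url_subtree_match(host_value, path_regex, resource_id):
    """Assumed semantics of the proposed function: the first value is compared
    case-insensitively against the URL's host (empty = any host); the second is
    a regex applied to the URL's path component from its first character."""
    parts = urlsplit(resource_id)
    host = (parts.hostname or "").lower()
    if host_value and host != host_value.lower():
        return False
    return re.match(path_regex, parts.path or "/") is not None


def resource_applies(policy_xml, resource_id):
    """Evaluate a <Resource> made of exactly the two matches the post pairs up."""
    values = resource_match_values(policy_xml)
    if len(values) != 2:
        raise ValueError("expected one host match followed by one path match")
    host_value, path_regex = values
    return url_subtree_match(host_value, path_regex, resource_id)


def case_insensitive_literal(literal):
    r"""Spell a literal as a POSIX regex that matches regardless of case,
    e.g. 'example.com' -> '[eE][xX][aA][mM][pP][lL][eE]\.[cC][oO][mM]'."""
    escaped = {".": r"\.", "/": r"\/"}
    out = []
    for ch in literal:
        if ch.isalpha():
            out.append(f"[{ch.lower()}{ch.upper()}]")
        else:
            out.append(escaped.get(ch, ch))
    return "".join(out)


def regexp_like_pattern(scheme, host_value, path_regex):
    """Map the two match values to the pattern for REGEXP_LIKE(resource, ...).
    An empty host value becomes 'any scheme, any host' (my assumption)."""
    if host_value:
        prefix = case_insensitive_literal(f"{scheme}://{host_value}")
    else:
        prefix = r"[^:/]+:\/\/[^/]*"
    return "^" + prefix + path_regex


def stored_resource_matches(pattern, resource):
    """Stand-in for the database's REGEXP_LIKE, evaluated with Python's re."""
    return re.match(pattern, resource) is not None


if __name__ == "__main__":
    for url in ("http://www.example.com/cgi-bin/search.cgi",
                "http://www.example.com/index.html",
                "https://other.example.org/cgi-bin/search.cgi"):
        print(url, resource_applies(HOST_SCOPED_XML, url), resource_applies(ANY_HOST_XML, url))
    print(regexp_like_pattern("http", "example.com", r"\/.*\.cgi"))
```

Two things the post's values leave open are worth noting: the path regex `\/.*\.cgi` is not end-anchored, so `/run.cgi.bak` also matches it (appending `$` tightens it), and the XML carries only a host, so the scheme in the generated REGEXP_LIKE pattern has to come from somewhere else.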