[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [xacml] Comments on xacml-profile-hierarchical-resources draft
Thank you very much for the comments. We are in general agreement, and I think it would be good for the Hierarchical Resources Profile to be more clear on specifying how to identify the scheme being used. I do have some questions and comments, however. They are inserted in-line below. On 14 July, Michiharu Kudoh writes: [xacml] Comments on xacml-profile-hierarchical-resources draft > The following is my comment on the draft document of hierarchical resource > profile. > > 1) Separation of scheme from actual target resource > > The hierarchical resource profile basically consists of two parts, policy > for XML nodes and policy for for non-XML nodes. I think more explanation > would be needed to clarify the problem domain of hierarchical resources. > > XACML v2 is aiming to provide two ways of writing a policy for hierarchical > resource but it does not necessarily mean that the target resource should > be XML document or non-XML document. I think that a policy writer can write > a policy for non-XML hierarchical resource (e.g. directory access) using > access-to-XML-node scheme (case A). It is also true that s/he can write a > policy for XML resource (like medical record formatted in XML) using > access-to-non-XML-node scheme case B). > > In case A, the target directory hierarchy is converted into XML data which > is inserted into <ResrouceContent>, and the access request is converted > into XPath expression. In case B, access to XML document is represented as > a simple path like /record/patient and the policy would be described using > regular expression (or URI-match function) if the requested resource-id > matches against the policy. > > So what I want to say here is that the two schemes XACML hierarchical > profile provides can be used regardless of the type of the ACTUAL target > resource. The following figure represents my intention. > > Actual target Actual target > resource is XML resource is not XML > (eg XML med rec) (eg directory) > | \ / | > | \ / | > | / \ | > | / \ | > XACML XML XACML non-XML > based scheme based scheme > > XACML 1.0 scheme corresponds to the vertical line on the left. XACML 2.0 > now provides four ways as the above figure dipicts. How to map the actual > target into request context and how to write a policy is outside of the > scope of XACML. I think this means that XACML provides a flexible way to > use XACML but two kinds of the semantics are defined. > I think there are actually six cases for hierarchical resources to consider ("anyUri-match" is whatever we end up defining for matching URIs): 1. An XML document treated as a set of nodes, where each node is a resource, Request: - The <ResourceContent> MUST contain the entire XML document. - The "resource-id" Attribute is an XPath expression that selects all desired nodes out of <ResourceContent>. Results are identical to those obtained if a separate Request for each desired node was submitted. - The "document-id" Attribute is a URI/URL that names the document contained in <ResourceContent> - May use "scope" Attribute. Policy: - Uses xpath-node-match to express policy based on which nodes are requested - Uses anyUri-match/equal to target policy to correct set of XML document(s) - May use an <AttributeSelector> with an XPath expression pointing into <ResourceContent> to express policy based on values of nodes in the XML document as a whole. - May use ":resource-ancestor" and ":resource-parent" Attributes to target policy to correct set of nodes. Note: we do not currently define a way to express policy based on the value of the requested node. I have not seen a use case that requires this, so have not defined it. 2. An XML document treated as a single resource, but where constraints MAY depend on the values of specific nodes in the resource, Request: - The <ResourceContent> MAY contain the entire XML document. - The "resource-id" Attribute is a URI that names the document requested. If <ResourceContent> is present, then it MUST contain this document. The "resource-id" Attribute in this case contains exactly what the "document-id" Attribute contains in case#1. Policy: - Uses anyUri-match/equal to target the policy to correct set of XML document(s). - May use an <AttributeSelector> with an XPath expression pointing into <ResourceContent> to express policy based on values of nodes in the XML document as a whole. If <ResourceContent> is not present, then this will cause the policy to be "Not Applicable" or "Indeterminate", depending on where the <AttributeSelector> is used. The current Hierachical Resources Profile does not support this case. If we do support it, then every policy that protects and XML document will need to express two sets of contraints on the document, one to cover requests for the document as a whole and the other to cover requests for individual nodes in the document. Policy Authorities and PEPs would have to agree on how a given XML document is to be treated. 3. A node subtree of an XML document treated as a single resource, again where constraints may depend on the values of specific nodes in the resource, Example: <ResourceContent> <A> <B> ... </B> <B> ... </B> </A> </ResourceContent> where user wants access to all of the second <B> element as a single resource. We do not support this. Is this OK with you? If user wants any sub-tree in an XML document, the user must request each node in the sub-tree as a separate request as in Case 1. The Multiple Resources Profile defines three ways of making such requests without having to actually submit a separate Request from the PEP for each: - Multiple <Resource> elements in the Request, - A "resource-id" Attribute with DataType "xpath-expression" where the value is the single node at the root of the requested sub-tree and the "scope" Attribute describes the set of requested nodes, - A "resource-id" Attribute with DataType "xpath-expression" where the value is an XPath expression that selects all the desired nodes. A "scope" Attribute must not be present if the XPath expression in the "resource-id" Attribute selects more than one node. 4. A non-XML resource expressed as an XML document and treated as a set of nodes, where each node is a resource, This requires a resource-specific Profile or other out-of-band agreement between the Policy Authority and the PEPs on how the resource will be mapped into XML. It is handled in Requests and Policies exactly as in Case 1. 5. A non-XML resource with nodes identified using hierarchical URIs. Request: - <ResourceContent> is NOT present. - The "resource-id" Attribute is a URI that names the requested resource and that reflects its hierarchical structure. - May use "scope" attribute. Policy: - Uses anyUri-match/equal to target the policy to correct set of resource nodes. - May use ":resource-parent" or ":resource-ancestor" Attributes with "anyURI-is-in" function to target the policy to the correct set of resource nodes. Except for resources such as files, where a mapping of files and directories to URLs is already defined, this method requires a resource-specific Profile or other out-of-band agreement between Policy Authorities and PEPs on how the resource's nodes will be expressed as URIs. 6. A non-XML resource treated as a hierarchy using a structure the ContextHandler knows, and where ":resource-parent" or ":resource-ancestor" Attributes are used in the policy. Request: - <ResourceContent> is NOT present. - The "resource-id" Attribute is some value that names the requested resource. - May use "scope" Attribute. Policy: - Uses "*-is-in" or other match functions using "resource-id", "resource-ancestor", and "resource-parent" Attributes to target the policy to the correct set of resource nodes. > 2) Procedure to identify the scheme > > Since XACML supports two schemes (XML and non-XML), we need to give a > comprehensive procedure how to validate the request context. The following > is such a procedure. Please correct me if I am wrong. > > 1. If a request context includes the resource-id which data type is > xpath-expression, then the context must include at least one > <ResourceContent> per <Resource> which may or may not have the scope > attribute. It means that this request is XML-based hierarchical resource > access. In this case, policy is written using xpath-node-match function. Agreed. The current Multiple Resources profile says the Request MAY use "scope" in this case, so long as the resource-id XPath expression selects only a single node. Is this OK with you? The current Hierarchical Resources says the Request MAY use "resource-ancestor" and "resource-parent" Attributes in this case. Is this OK with you? > 2. If a request context includes the resource-id which data type is NOT > xpath-expression, then the request is non-XML-based hierarchical resource > access. It must not include <ResourceContent>. It may or may not have the > scope attribute. In this case, policy is written using regexp-string-match > function (or corresponding URI-match function) or string-equal on > resource-parent etc. This is what the current Hierarchical Resources Profile tries to say. Seth pointed out, however, that some users want to access XML documents as whole resources, and not as individual nodes. But the policy might still depend on the value of a node inside the document. For example, the policy might be: "Michiharu can read resource-id "http://www.example.com/patient-records/A" if "//Resource/ResourceContent/A/B/C/text()" == "Michiharu". This is case#2 above. In this case, even though the resource is not requested as a set of nodes in <ResourceContent>, <ResourceContent> must still be present so that <AttributeSelector> predicates can use the values of nodes in the resource. Do we want to support this case, or do we say that any XML document must always be requested as individual nodes? This avoids the need for any resource-specific agreement between Policy Authority and PEP, but it makes requesting entire documents expensive! Anne > Best > Michiharu > > > > > Anne.Anderson@Sun > .com To: xacml@lists.oasis-open.org > cc: > 2004/06/04 02:06 Subject: [xacml] Groups - xacml-profile-hierarchical-resources-1.0-draft-04.pdf > uploaded > > > > > > > The document xacml-profile-hierarchical-resources-1.0-draft-04.pdf has been > submitted by Anne Anderson (Anne.Anderson@Sun.com) to the OASIS eXtensible > Access Control Markup Language TC document repository. > > Document Description: > A profile for the handling of hierarchical resources using XACML. > > Download Document: > http://www.oasis-open.org/apps/org/workgroup/xacml/download.php/7050/xacml-profile-hierarchical-resources-1.0-draft-04.pdf > > > View Document Details: > http://www.oasis-open.org/apps/org/workgroup/xacml/document.php?document_id=7050 > > > > PLEASE NOTE: If the above links do not work for you, your email > application > may be breaking the link into two pieces. You may be able to copy and > paste > the entire link address into the address field of your web browser. > > > > To unsubscribe from this mailing list (and be removed from the roster of > the OASIS TC), go to > http://www.oasis-open.org/apps/org/workgroup/xacml/members/leave_workgroup.php > . > > > > > To unsubscribe from this mailing list (and be removed from the roster of the OASIS TC), go to http://www.oasis-open.org/apps/org/workgroup/xacml/members/leave_workgroup.php. > -- Anne H. Anderson Email: Anne.Anderson@Sun.COM Sun Microsystems Laboratories 1 Network Drive,UBUR02-311 Tel: 781/442-0928 Burlington, MA 01803-0902 USA Fax: 781/442-1692
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]