
Subject: Re: [xacml] Added Issue 41: "evaluate all policies"

I can understand the motivations for this "Request for Enhancement", but 
I think it would be a mistake to try to add such an option.  There are 
other, clean ways to achieve the desired goals.

Here are my objections:

1) Fundamental

What if a policy writer really, explicitly wants evaluation to terminate 
as soon as it is possible to determine the result, and writes a 
combining algorithm to that effect?  Would this "must evaluate all 
children" option have to be supported for that combining algorithm too?

A combining algorithm specifies how a decision is to be reached, 
including the order in which policies are evaluated (if that is 
important), and when evaluation may be terminated.  A policy writer 
chooses a combining algorithm based on how the policy writer wants the 
policy to be evaluated.  If you tell the PDP to do something different 
from what the combining algorithm itself says, then it is not using that 
combining algorithm and it is not doing what the policy writer intended.

We defined new "ordered-*" versions of the standard combining algorithms 
for use where someone really wants to specify the order; we did not add 
a new option to existing combining algorithms.  Likewise, if you want to 
have a consistent set of policies evaluated for every request, then 
define and enforce use in your system of new combining algorithms that 
explicitly require evaluation of all children.

2) Implementation

Every single existing combining algorithm would have to be re-written to 
support this option, and the value for the option would have to be 
conveyed to each invocation of each combining algorithm.  Every new 
combining algorithm would also have to be designed to support it.

3) "What if" case reporting the policies used to make the decision

This doesn't answer any question other than "What if I said all 
applicable policies and rules must be evaluated?".  If the "What if" 
Request Context were actually submitted to the PDP normally, a different 
set of policies might be executed based on the actual semantics of the 
combining algorithms and based on the implementation's use of 
implementation options explicitly allowed by that combining algorithm.

If, for analysis purposes, you want to know all the policies that 
potentially apply to a given Request Context, then perhaps a new option 
for the SAML XACMLPolicyQuery could be designed that says, return not 
just the top-level policies that are applicable to the input 
RequestContext, but also prune their descendants to contain only the 
policies and rules that are applicable.  This then becomes a new 
operation on the policy repository, not an operation performed by the PDP.

4) Consistent set of Obligations

Again, if this is important, write a new combining algorithm that 
requires execution of every applicable descendant.  The existing set of 
combining algorithms were written with specific semantics designed to 
allow performance optimization, and if a policy writer specifies them, 
that is what the policy writer intends.  If, in a particular system, 
different semantics are desired, then define and use different combining 
algorithms in that system.


Hal Lockhart wrote:

> I proposed this back on June 22, but it never made it to the issues
> list.
> Hal
> ----
> In the course of thinking about Issue 13, it occurred to me that it
> might be useful to define some sort of flag which would force the PDP to
> forgo optimization and evaluate every applicable policy and rule, even
> if it can determine the outcome by skipping some of them.
> This would have two primary purposes. To be used in conjunction with a
> "what if" which reported the policies used to make the decision and
> where a consistent set of Obligations is desired for a given set of
> policies, independent of PDP implementation.
> The flag could appear in the Request Context or somewhere else.
> Anne and Seth commented that this would change the semantics of the
> language, but I do not think this is true. With respect to the Effect, the
> result should be the same. Policies should only be skipped when the
> result is certain without evaluating them. With respect to Obligations,
> this might cause more Obligations to be returned, but they would always
> be the set of Obligations returned by all possible evaluation strategies
> and might in fact be returned by other PDPs using different optimization
> strategies. The difficulty of implementation is a different matter.

Anne H. Anderson               Anne.Anderson@sun.com
Sun Microsystems Labs          1-781-442-0928
Burlington, MA USA
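An added illustration of the point argued in this thread (not code from the XACML TC or either author): a deny-overrides combiner in its usual short-circuit form next to a separately named "evaluate every child" algorithm, which is the route Anne suggests instead of a per-request flag. The rules, request attributes and obligation names are constructed for the example; the rule structure is a simplification of XACML rules.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass(frozen=True)
class Rule:
    name: str
    applies: Callable[[Dict[str, str]], bool]  # the rule's Target predicate
    effect: str                                # "Permit" or "Deny"
    obligations: Tuple[str, ...] = ()          # attached to this Effect

def evaluate_rule(rule: Rule, request: Dict[str, str]) -> Tuple[str, List[str]]:
    """A single rule: its Effect and obligations if the Target matches."""
    if rule.applies(request):
        return rule.effect, list(rule.obligations)
    return "NotApplicable", []

def _deny_overrides(rules, request, stop_early):
    """Returns (decision, obligations, names of children actually evaluated)."""
    decision, evaluated = "NotApplicable", []
    by_effect = {"Permit": [], "Deny": []}
    for rule in rules:
        effect, obs = evaluate_rule(rule, request)
        evaluated.append(rule.name)
        if effect == "Deny":
            decision = "Deny"
            by_effect["Deny"].extend(obs)
            if stop_early:
                break                # outcome is certain; skip the rest
        elif effect == "Permit":
            by_effect["Permit"].extend(obs)
            if decision == "NotApplicable":
                decision = "Permit"
    # XACML returns only obligations whose Effect matches the final decision.
    return decision, sorted(by_effect.get(decision, [])), evaluated

def deny_overrides(rules, request):
    """Standard short-circuit form: stops at the first Deny."""
    return _deny_overrides(rules, request, stop_early=True)

def deny_overrides_evaluate_all(rules, request):
    """Distinct algorithm that always evaluates every child."""
    return _deny_overrides(rules, request, stop_early=False)
# Constructed (hypothetical) policy: two Deny rules with different obligations.
RULES = [
    Rule("permit-staff", lambda r: r["role"] == "staff", "Permit", ("log-access",)),
    Rule("deny-after-hours", lambda r: r["time"] == "night", "Deny", ("log-deny",)),
    Rule("deny-guest-write", lambda r: r["role"] == "guest" and r["action"] == "write",
         "Deny", ("alert-admin",)),
]
NIGHT_GUEST_WRITE = {"role": "guest", "action": "write", "time": "night"}
```

For the night-time guest write, both algorithms reach Deny, but the short-circuit form returns only the first Deny rule's obligation while the evaluate-all form also returns the second's, which is exactly the Obligation difference Hal describes and the reason Anne wants it expressed as a separate combining algorithm rather than an option.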
