OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]


Subject: AW: [xacml-comment] A suggestion for better handling of multi-valued attributes in conditions


Hi Steven,
During my work with XACML I had similar issues and I believe that future
versions of xacml 3 should address the iterating through bags of values. If
I remember right there was some discussion in a mail thread about a
for-construct while working on the new xacml3 version. I think the issue was
deferred. Maybe we should (re)start thinking about more complex control
structures. 

In my use case I need to generate multiple ADRs to get context nodes that
can be used in <xacml3:contentselectors>. This works but is far from optinal
as the context handler needs to generate multiple adrs according the current
state of the policy. to avoid the generation of multiple adrs a
for-construct would be a very helpful things.

I thought about the following construct:
...
<Apply FunctionId=”&for-each-Bag-element;”>
  <Apply FunctionId=”&map;”>
    <Function FunctionId=”&getXPathIdentifikator;”/>
    <AttributeSelector Category=”&message;” DataType=”&element-node;”
Path=”FeatureCollection/FeatureMember/Buidling” />
  </Apply>
  <LoopVariable AttributeId=”&myLoopVar:i;” DataType=”&xpath;” />
...
  <!-- example how to use the loop variable -->
  <AttributeSelector Category=”&message;” DataType=”&string;”
ContextSelectorId=”&myLoopVar:i“ Path=”anyNode/.../text()” />
</Apply>
...

The first argument of the &for-each-Bag-element function is a Bag. In the
example this Bag includes elements of datatype xpath. 

The Bag is constructed by the &map; function. The parameters of the map
function are the &getXPathIdentifikator;  function and a bag with elements
of type &element-node;. by applying the &getXPathIdentifikator; function on
each element of the &element-node; bag a bag of type &xpath; is condtructed.

Back to the for construct: 
the second argument of the &for-each-Bag-element; function is the definition
of the loop variable(it creates a special xacml attribute with attributeId
"&myLoopVar:I;". The value of this &myLoopVar:I; attribute will be
dynamically assigned in each iteration of the loop. in the example
&myLoopVar:I will be instantiated with different xpath values.

the question is how far should we go? should xacml become a proper
programming language?

best regards
jan


--
Jan Herrmann
Dipl.-Inform., Dipl.-Geogr.
Scientific Assistant
Chair for Applied Informatics / Cooperative Systems
Technische Universität München
Boltzmannstr. 3
85748 Garching
Germany
T: +49 89 289 18692
F: +49 89 289 18657
W: www11.in.tum.de

> -----Ursprüngliche Nachricht-----
> Von: Steven Legg [mailto:steven.legg@enitiatives.com.au]
> Gesendet: Dienstag, 25. Januar 2011 03:27
> An: xacml-comment@lists.oasis-open.org
> Betreff: [xacml-comment] A suggestion for better handling of multi-valued
> attributes in conditions
> 
> 
> XACML allows attributes to be multi-valued but is rather poor at handling
> non-trivial comparisons of multi-valued attributes.
> 
> Suppose I have resources with a multi-valued integer "code" attribute and
> I
> want to write an expression that is true if and only if at least one of
> the
> code values is in the range 100 to 200. A naive solution would look like
> this:
> 
>      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
>        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
>          <Function
> FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or-
> equal"/>
>          <AttributeDesignator
>            Category="urn:oasis:names:tc:xacml:3.0:attribute-
> category:resource"
>            AttributeId="http://example.com/code";
>            DataType="http://www.w3.org/2001/XMLSchema#integer";
>            MustBePresent="false"/>
>          <AttributeValue
> DataType="http://www.w3.org/2001/XMLSchema#integer";
>            >100</AttributeValue>
>        </Apply>
>        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
>          <Function
> FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-less-than-or-
> equal"/>
>          <AttributeDesignator
>            Category="urn:oasis:names:tc:xacml:3.0:attribute-
> category:resource"
>            AttributeId="http://example.com/code";
>            DataType="http://www.w3.org/2001/XMLSchema#integer";
>            MustBePresent="false"/>
>          <AttributeValue
> DataType="http://www.w3.org/2001/XMLSchema#integer";
>            >200</AttributeValue>
>        </Apply>
>      </Apply>
> 
> However, this doesn't work as desired. Suppose that a particular resource
> has
> the code values 50 and 250. The expression would evaluate to true for this
> resource, though it doesn't have a code value between 100 and 200, because
> there is no correlation between the value that satisfies the first part of
> the
> "and" and the value that satisfies the second part of the "and". In this
> case,
> both parts are satisfied, but by different values. Unfortunately, XACML
> doesn't
> provide a way to enforce such a correlation, which is why it is poor at
> handling comparisons of multi-valued attributes.
> 
> When iterating through an attribute's values (with something like the any-
> of
> function) it is only possible to apply a function to each value, but what
> is
> needed for a case like the example above is the capability to apply an
> arbitrary expression to each value in turn. This suggests binding the
> values
> to a variable that can be referenced throughout the desired expression.
> There
> are a number of ways XACML could be extended to provide such a capability,
> but
> the neatest I've found is to extend ExpressionType like so:
> 
>      <xs:element name="ForAny" type="xacml:IterativeExpressionType"
>                  substitutionGroup="xacml:Expression"/>
> 
>      <xs:element name="ForAll" type="xacml:IterativeExpressionType"
>                  substitutionGroup="xacml:Expression"/>
> 
>      <xs:complexType name="IterativeExpressionType">
>        <xs:complexContent>
>          <xs:extension base="xacml:ExpressionType">
>            <xs:sequence>
>              <xs:element ref="xacml:Expression"/>  <!-- Must be a bag. -->
>              <xs:element ref="xacml:Expression"/>
>            </xs:sequence>
>            <xs:attribute name="VariableId" type="xs:string"
> use="required"/>
>          </xs:extension>
>        </xs:complexContent>
>      </xs:complexType>
> 
> The IterativeExpressionType contains two expressions. The first expression
> must
> evaluate to a bag. The VariableId XML attribute names the variable that
> will
> iterate over the values of this bag. The variable's data-type is the same
> as
> the primitive data-type of the members of the bag.
> 
> The second expression is an arbitrary expression that evaluates to a
> Boolean
> value. The second expression would normally contain one or more references
> to
> the named variable.
> 
> A ForAny expression is evaluated by repeatedly evaluating the second
> expression
> with the variable bound to each value of the bag in turn. The overall
> Boolean
> result of the ForAny expression is obtained by combining the results of
> evaluating the second expression according to the "or" function. The
> ForAll
> expression is evaluated in the same way except that the results of
> evaluating
> the second expression are combined according to the "and" function.
> 
> Using the ForAny expression it is now possible to write an expression that
> evaluates to true if and only if the code attribute has at least one value
> in
> the range 100 to 200:
> 
>      <ForAny VariableId="code">
>        <AttributeDesignator
>          Category="urn:oasis:names:tc:xacml:3.0:attribute-
> category:resource"
>          AttributeId="http://example.com/code";
>          DataType="http://www.w3.org/2001/XMLSchema#integer";
>          MustBePresent="false"/>
>        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
>          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-
> greater-than-or-equal">
>            <VariableReference VariableId="code"/>
>            <AttributeValue
> DataType="http://www.w3.org/2001/XMLSchema#integer";
>              >100</AttributeValue>
>          </Apply>
>          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-
> less-than-or-equal">
>            <VariableReference VariableId="code"/>
>            <AttributeValue
> DataType="http://www.w3.org/2001/XMLSchema#integer";
>              >200</AttributeValue>
>          </Apply>
>        </Apply>
>      </ForAny>
> 
> Now, some value of the code attribute has to satisfy both parts of the
> "and"
> for the overall expression to evaluate to true.
> 
> Although I was only trying to find a way to sensibly handle multi-valued
> attributes, I have hit upon a generalization for the bag handling
> functions.
> For example, this expression using the any-of-any function:
> 
>      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
>        <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-
> equal"/>
>        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-
> bag">
>          <AttributeValue
> DataType="http://www.w3.org/2001/XMLSchema#string";
>            >Ringo</AttributeValue>
>          <AttributeValue
> DataType="http://www.w3.org/2001/XMLSchema#string";
>            >Mary</AttributeValue>
>        </Apply>
>        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-
> bag">
>          <AttributeValue
> DataType="http://www.w3.org/2001/XMLSchema#string";
>            >John</AttributeValue>
>          <AttributeValue
> DataType="http://www.w3.org/2001/XMLSchema#string";
>            >Paul</AttributeValue>
>          <AttributeValue
> DataType="http://www.w3.org/2001/XMLSchema#string";
>            >George</AttributeValue>
>          <AttributeValue
> DataType="http://www.w3.org/2001/XMLSchema#string";
>            >Ringo</AttributeValue>
>        </Apply>
>      </Apply>
> 
> can also be expressed with ForAny:
> 
>      <ForAny VariableId="somebody">
>        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-
> bag">
>          <AttributeValue
> DataType="http://www.w3.org/2001/XMLSchema#string";
>            >Ringo</AttributeValue>
>          <AttributeValue
> DataType="http://www.w3.org/2001/XMLSchema#string";
>            >Mary</AttributeValue>
>        </Apply>
>        <ForAny VariableId="beatle">
>          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-
> bag">
>            <AttributeValue
> DataType="http://www.w3.org/2001/XMLSchema#string";
>              >John</AttributeValue>
>            <AttributeValue
> DataType="http://www.w3.org/2001/XMLSchema#string";
>              >Paul</AttributeValue>
>            <AttributeValue
> DataType="http://www.w3.org/2001/XMLSchema#string";
>              >George</AttributeValue>
>            <AttributeValue
> DataType="http://www.w3.org/2001/XMLSchema#string";
>              >Ringo</AttributeValue>
>          </Apply>
>          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-
> equal">
>            <VariableReference VariableId="somebody"/>
>            <VariableReference VariableId="beatle"/>
>          </Apply>
>        </ForAny>
>      </ForAny>
> 
> In fact, all of these functions have an equivalent representation using
> ForAny
> and/or ForAll:
> 
>      time-in-range
>      type-is-in
>      type-at-least-one-member-of
>      type-subset
>      type-set-equals
>      any-of
>      all-of
>      any-of-any
>      all-of-any
>      any-of-all
>      all-of-all
> 
> The advantage of the ForAny and ForAll expressions is that they can also
> apply an arbitrarily complex expression to the members of a bag whereas
> the
> higher-order bag functions can only apply a function.
> 
> In a previous email I indicated four reasonable combinations of any-of and
> all-of for a higher-order bag function of two bag arguments, though only
> two
> such functions have been defined:
> 
> (1) x_of_x f [] ys = True
>      x_of_x f (x:xs) ys = (any_of f x ys) && (x_of_x f xs ys)
> 
> (2) x_of_x f xs [] = False
>      x_of_x f xs (y:ys) = (all_of f xs y) || (x_of_x f xs ys)
> 
> (3) x_of_x f xs [] = True
>      x_of_x f xs (y:ys) = (any_of f xs y) && (x_of_x f xs ys)
> 
> (4) x_of_x f [] ys = False
>      x_of_x f (x:xs) ys = (all_of f x ys) || (x_of_x f xs ys)
> 
> Each of these combinations can be expressed using ForAny and ForAll, which
> would remove any need to define the two missing functions.
> 
> (1) <ForAll VariableId="x">
>        ... an expression evaluating to a bag of the primitive data-type
>            of the first argument of function "f"
>        <ForAny VariableId="y">
>          ... an expression evaluating to a bag of the primitive data-type
>              of the second argument of function "f"
>          <Apply FunctionId="f">
>            <VariableReference VariableId="x"/>
>            <VariableReference VariableId="y"/>
>          </Apply>
>        </ForAny>
>      </ForAll>
> 
> (2) <ForAny VariableId="y">
>        ... an expression evaluating to a bag of the primitive data-type
>            of the second argument of function "f"
>        <ForAll VariableId="x">
>          ... an expression evaluating to a bag of the primitive data-type
>              of the first argument of function "f"
>          <Apply FunctionId="f">
>            <VariableReference VariableId="x"/>
>            <VariableReference VariableId="y"/>
>          </Apply>
>        </ForAll>
>      </ForAny>
> 
> (3) <ForAll VariableId="y">
>        ... an expression evaluating to a bag of the primitive data-type
>            of the second argument of function "f"
>        <ForAny VariableId="x">
>          ... an expression evaluating to a bag of the primitive data-type
>              of the first argument of function "f"
>          <Apply FunctionId="f">
>            <VariableReference VariableId="x"/>
>            <VariableReference VariableId="y"/>
>          </Apply>
>        </ForAny>
>      </ForAll>
> 
> (4) <ForAny VariableId="x">
>        ... an expression evaluating to a bag of the primitive data-type
>            of the first argument of function "f"
>        <ForAll VariableId="y">
>          ... an expression evaluating to a bag of the primitive data-type
>              of the second argument of function "f"
>          <Apply FunctionId="f">
>            <VariableReference VariableId="x"/>
>            <VariableReference VariableId="y"/>
>          </Apply>
>        </ForAll>
>      </ForAny>
> 
> The map function could also be generalized to allow an arbitrary
> expression to
> transform a bag of values, instead of just a function:
> 
>      <xs:element name="Map" type="xacml:IterativeExpressionType"
>                  substitutionGroup="xacml:Expression"/>
> 
> In this case the second contained expression is an arbitrary expression
> that
> evaluates to some primitive data-type. A Map expression is evaluated by
> repeatedly evaluating the second expression with the variable bound to
> each
> value of the bag from the first contained expression. The overall result
> of the
> Map expression is a bag containing the results of evaluating the second
> expression.
> 
> There you have it - a suggestion for extending and generalizing XACML to
> properly handle non-trivial comparisons of multi-valued attributes.
> 
> Regards,
> Steven
> 
> 
> --
> This publicly archived list offers a means to provide input to the
> OASIS eXtensible Access Control Markup Language (XACML) TC.
> 
> In order to verify user consent to the Feedback License terms and
> to minimize spam in the list archive, subscription is required
> before posting.
> 
> Subscribe: xacml-comment-subscribe@lists.oasis-open.org
> Unsubscribe: xacml-comment-unsubscribe@lists.oasis-open.org
> List help: xacml-comment-help@lists.oasis-open.org
> List archive: http://lists.oasis-open.org/archives/xacml-comment/
> Feedback License: http://www.oasis-open.org/who/ipr/feedback_license.pdf
> List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
> Committee: http://www.oasis-
> open.org/committees/tc_home.php?wg_abbrev=xacml



[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]