[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: AW: [xacml-comment] A suggestion for better handling of multi-valued attributes in conditions
Hi Steven, During my work with XACML I had similar issues and I believe that future versions of xacml 3 should address the iterating through bags of values. If I remember right there was some discussion in a mail thread about a for-construct while working on the new xacml3 version. I think the issue was deferred. Maybe we should (re)start thinking about more complex control structures. In my use case I need to generate multiple ADRs to get context nodes that can be used in <xacml3:contentselectors>. This works but is far from optinal as the context handler needs to generate multiple adrs according the current state of the policy. to avoid the generation of multiple adrs a for-construct would be a very helpful things. I thought about the following construct: ... <Apply FunctionId=”&for-each-Bag-element;”> <Apply FunctionId=”↦”> <Function FunctionId=”&getXPathIdentifikator;”/> <AttributeSelector Category=”&message;” DataType=”&element-node;” Path=”FeatureCollection/FeatureMember/Buidling” /> </Apply> <LoopVariable AttributeId=”&myLoopVar:i;” DataType=”&xpath;” /> ... <!-- example how to use the loop variable --> <AttributeSelector Category=”&message;” DataType=”&string;” ContextSelectorId=”&myLoopVar:i“ Path=”anyNode/.../text()” /> </Apply> ... The first argument of the &for-each-Bag-element function is a Bag. In the example this Bag includes elements of datatype xpath. The Bag is constructed by the ↦ function. The parameters of the map function are the &getXPathIdentifikator; function and a bag with elements of type &element-node;. by applying the &getXPathIdentifikator; function on each element of the &element-node; bag a bag of type &xpath; is condtructed. Back to the for construct: the second argument of the &for-each-Bag-element; function is the definition of the loop variable(it creates a special xacml attribute with attributeId "&myLoopVar:I;". The value of this &myLoopVar:I; attribute will be dynamically assigned in each iteration of the loop. in the example &myLoopVar:I will be instantiated with different xpath values. the question is how far should we go? should xacml become a proper programming language? best regards jan -- Jan Herrmann Dipl.-Inform., Dipl.-Geogr. Scientific Assistant Chair for Applied Informatics / Cooperative Systems Technische Universität München Boltzmannstr. 3 85748 Garching Germany T: +49 89 289 18692 F: +49 89 289 18657 W: www11.in.tum.de > -----Ursprüngliche Nachricht----- > Von: Steven Legg [mailto:steven.legg@enitiatives.com.au] > Gesendet: Dienstag, 25. Januar 2011 03:27 > An: xacml-comment@lists.oasis-open.org > Betreff: [xacml-comment] A suggestion for better handling of multi-valued > attributes in conditions > > > XACML allows attributes to be multi-valued but is rather poor at handling > non-trivial comparisons of multi-valued attributes. > > Suppose I have resources with a multi-valued integer "code" attribute and > I > want to write an expression that is true if and only if at least one of > the > code values is in the range 100 to 200. A naive solution would look like > this: > > <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and"> > <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of"> > <Function > FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-greater-than-or- > equal"/> > <AttributeDesignator > Category="urn:oasis:names:tc:xacml:3.0:attribute- > category:resource" > AttributeId="http://example.com/code" > DataType="http://www.w3.org/2001/XMLSchema#integer" > MustBePresent="false"/> > <AttributeValue > DataType="http://www.w3.org/2001/XMLSchema#integer" > >100</AttributeValue> > </Apply> > <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of"> > <Function > FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-less-than-or- > equal"/> > <AttributeDesignator > Category="urn:oasis:names:tc:xacml:3.0:attribute- > category:resource" > AttributeId="http://example.com/code" > DataType="http://www.w3.org/2001/XMLSchema#integer" > MustBePresent="false"/> > <AttributeValue > DataType="http://www.w3.org/2001/XMLSchema#integer" > >200</AttributeValue> > </Apply> > </Apply> > > However, this doesn't work as desired. Suppose that a particular resource > has > the code values 50 and 250. The expression would evaluate to true for this > resource, though it doesn't have a code value between 100 and 200, because > there is no correlation between the value that satisfies the first part of > the > "and" and the value that satisfies the second part of the "and". In this > case, > both parts are satisfied, but by different values. Unfortunately, XACML > doesn't > provide a way to enforce such a correlation, which is why it is poor at > handling comparisons of multi-valued attributes. > > When iterating through an attribute's values (with something like the any- > of > function) it is only possible to apply a function to each value, but what > is > needed for a case like the example above is the capability to apply an > arbitrary expression to each value in turn. This suggests binding the > values > to a variable that can be referenced throughout the desired expression. > There > are a number of ways XACML could be extended to provide such a capability, > but > the neatest I've found is to extend ExpressionType like so: > > <xs:element name="ForAny" type="xacml:IterativeExpressionType" > substitutionGroup="xacml:Expression"/> > > <xs:element name="ForAll" type="xacml:IterativeExpressionType" > substitutionGroup="xacml:Expression"/> > > <xs:complexType name="IterativeExpressionType"> > <xs:complexContent> > <xs:extension base="xacml:ExpressionType"> > <xs:sequence> > <xs:element ref="xacml:Expression"/> <!-- Must be a bag. --> > <xs:element ref="xacml:Expression"/> > </xs:sequence> > <xs:attribute name="VariableId" type="xs:string" > use="required"/> > </xs:extension> > </xs:complexContent> > </xs:complexType> > > The IterativeExpressionType contains two expressions. The first expression > must > evaluate to a bag. The VariableId XML attribute names the variable that > will > iterate over the values of this bag. The variable's data-type is the same > as > the primitive data-type of the members of the bag. > > The second expression is an arbitrary expression that evaluates to a > Boolean > value. The second expression would normally contain one or more references > to > the named variable. > > A ForAny expression is evaluated by repeatedly evaluating the second > expression > with the variable bound to each value of the bag in turn. The overall > Boolean > result of the ForAny expression is obtained by combining the results of > evaluating the second expression according to the "or" function. The > ForAll > expression is evaluated in the same way except that the results of > evaluating > the second expression are combined according to the "and" function. > > Using the ForAny expression it is now possible to write an expression that > evaluates to true if and only if the code attribute has at least one value > in > the range 100 to 200: > > <ForAny VariableId="code"> > <AttributeDesignator > Category="urn:oasis:names:tc:xacml:3.0:attribute- > category:resource" > AttributeId="http://example.com/code" > DataType="http://www.w3.org/2001/XMLSchema#integer" > MustBePresent="false"/> > <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and"> > <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer- > greater-than-or-equal"> > <VariableReference VariableId="code"/> > <AttributeValue > DataType="http://www.w3.org/2001/XMLSchema#integer" > >100</AttributeValue> > </Apply> > <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer- > less-than-or-equal"> > <VariableReference VariableId="code"/> > <AttributeValue > DataType="http://www.w3.org/2001/XMLSchema#integer" > >200</AttributeValue> > </Apply> > </Apply> > </ForAny> > > Now, some value of the code attribute has to satisfy both parts of the > "and" > for the overall expression to evaluate to true. > > Although I was only trying to find a way to sensibly handle multi-valued > attributes, I have hit upon a generalization for the bag handling > functions. > For example, this expression using the any-of-any function: > > <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any"> > <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string- > equal"/> > <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string- > bag"> > <AttributeValue > DataType="http://www.w3.org/2001/XMLSchema#string" > >Ringo</AttributeValue> > <AttributeValue > DataType="http://www.w3.org/2001/XMLSchema#string" > >Mary</AttributeValue> > </Apply> > <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string- > bag"> > <AttributeValue > DataType="http://www.w3.org/2001/XMLSchema#string" > >John</AttributeValue> > <AttributeValue > DataType="http://www.w3.org/2001/XMLSchema#string" > >Paul</AttributeValue> > <AttributeValue > DataType="http://www.w3.org/2001/XMLSchema#string" > >George</AttributeValue> > <AttributeValue > DataType="http://www.w3.org/2001/XMLSchema#string" > >Ringo</AttributeValue> > </Apply> > </Apply> > > can also be expressed with ForAny: > > <ForAny VariableId="somebody"> > <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string- > bag"> > <AttributeValue > DataType="http://www.w3.org/2001/XMLSchema#string" > >Ringo</AttributeValue> > <AttributeValue > DataType="http://www.w3.org/2001/XMLSchema#string" > >Mary</AttributeValue> > </Apply> > <ForAny VariableId="beatle"> > <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string- > bag"> > <AttributeValue > DataType="http://www.w3.org/2001/XMLSchema#string" > >John</AttributeValue> > <AttributeValue > DataType="http://www.w3.org/2001/XMLSchema#string" > >Paul</AttributeValue> > <AttributeValue > DataType="http://www.w3.org/2001/XMLSchema#string" > >George</AttributeValue> > <AttributeValue > DataType="http://www.w3.org/2001/XMLSchema#string" > >Ringo</AttributeValue> > </Apply> > <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string- > equal"> > <VariableReference VariableId="somebody"/> > <VariableReference VariableId="beatle"/> > </Apply> > </ForAny> > </ForAny> > > In fact, all of these functions have an equivalent representation using > ForAny > and/or ForAll: > > time-in-range > type-is-in > type-at-least-one-member-of > type-subset > type-set-equals > any-of > all-of > any-of-any > all-of-any > any-of-all > all-of-all > > The advantage of the ForAny and ForAll expressions is that they can also > apply an arbitrarily complex expression to the members of a bag whereas > the > higher-order bag functions can only apply a function. > > In a previous email I indicated four reasonable combinations of any-of and > all-of for a higher-order bag function of two bag arguments, though only > two > such functions have been defined: > > (1) x_of_x f [] ys = True > x_of_x f (x:xs) ys = (any_of f x ys) && (x_of_x f xs ys) > > (2) x_of_x f xs [] = False > x_of_x f xs (y:ys) = (all_of f xs y) || (x_of_x f xs ys) > > (3) x_of_x f xs [] = True > x_of_x f xs (y:ys) = (any_of f xs y) && (x_of_x f xs ys) > > (4) x_of_x f [] ys = False > x_of_x f (x:xs) ys = (all_of f x ys) || (x_of_x f xs ys) > > Each of these combinations can be expressed using ForAny and ForAll, which > would remove any need to define the two missing functions. > > (1) <ForAll VariableId="x"> > ... an expression evaluating to a bag of the primitive data-type > of the first argument of function "f" > <ForAny VariableId="y"> > ... an expression evaluating to a bag of the primitive data-type > of the second argument of function "f" > <Apply FunctionId="f"> > <VariableReference VariableId="x"/> > <VariableReference VariableId="y"/> > </Apply> > </ForAny> > </ForAll> > > (2) <ForAny VariableId="y"> > ... an expression evaluating to a bag of the primitive data-type > of the second argument of function "f" > <ForAll VariableId="x"> > ... an expression evaluating to a bag of the primitive data-type > of the first argument of function "f" > <Apply FunctionId="f"> > <VariableReference VariableId="x"/> > <VariableReference VariableId="y"/> > </Apply> > </ForAll> > </ForAny> > > (3) <ForAll VariableId="y"> > ... an expression evaluating to a bag of the primitive data-type > of the second argument of function "f" > <ForAny VariableId="x"> > ... an expression evaluating to a bag of the primitive data-type > of the first argument of function "f" > <Apply FunctionId="f"> > <VariableReference VariableId="x"/> > <VariableReference VariableId="y"/> > </Apply> > </ForAny> > </ForAll> > > (4) <ForAny VariableId="x"> > ... an expression evaluating to a bag of the primitive data-type > of the first argument of function "f" > <ForAll VariableId="y"> > ... an expression evaluating to a bag of the primitive data-type > of the second argument of function "f" > <Apply FunctionId="f"> > <VariableReference VariableId="x"/> > <VariableReference VariableId="y"/> > </Apply> > </ForAll> > </ForAny> > > The map function could also be generalized to allow an arbitrary > expression to > transform a bag of values, instead of just a function: > > <xs:element name="Map" type="xacml:IterativeExpressionType" > substitutionGroup="xacml:Expression"/> > > In this case the second contained expression is an arbitrary expression > that > evaluates to some primitive data-type. A Map expression is evaluated by > repeatedly evaluating the second expression with the variable bound to > each > value of the bag from the first contained expression. The overall result > of the > Map expression is a bag containing the results of evaluating the second > expression. > > There you have it - a suggestion for extending and generalizing XACML to > properly handle non-trivial comparisons of multi-valued attributes. > > Regards, > Steven > > > -- > This publicly archived list offers a means to provide input to the > OASIS eXtensible Access Control Markup Language (XACML) TC. > > In order to verify user consent to the Feedback License terms and > to minimize spam in the list archive, subscription is required > before posting. > > Subscribe: xacml-comment-subscribe@lists.oasis-open.org > Unsubscribe: xacml-comment-unsubscribe@lists.oasis-open.org > List help: xacml-comment-help@lists.oasis-open.org > List archive: http://lists.oasis-open.org/archives/xacml-comment/ > Feedback License: http://www.oasis-open.org/who/ipr/feedback_license.pdf > List Guidelines: http://www.oasis-open.org/maillists/guidelines.php > Committee: http://www.oasis- > open.org/committees/tc_home.php?wg_abbrev=xacml
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]