OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

xacml message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: RE: [xacml] wd-19 indeterminate policy target handling


From: rich levinson [mailto:rich.levinson@oracle.com] 
Sent: Saturday, May 21, 2011 12:06 AM
To: Sinnema, Remon
Cc: xacml@lists.oasis-open.org
Subject: Re: [xacml] wd-19 indeterminate policy target handling

>> That being said, maybe we can rephrase the issue as to what it
means when it says on line 5739:
"The following pseudo-code represents the normative
  specification of this combining algorithm."
The first line of the algorithm that follows appears to be some kind of
interface signature:
Decision denyOverridesCombiningAlgorithm(Decision[] decisions) <<

Yes, but remember this is *pseudo*-code, not actual code. IMHO, the implementation doesn't necessarily need to have the exact same interface, as long as it's conceptually equivalent, IOW, as long as it gives the same results. I think this is what Erik has been saying all along.

>> It sounds to me like what you are saying is that when a software
development organization sees that in the specification,
that said organization will be completely comfortable by implementing
the parameter, Decision[] decisions, by passing in an Iterator to a collection
of Decision objects that have not yet been resolved. <<

Yes, because arrays and iterators are conceptually equivalent in this case, since the random access part of an array (that an iterator doesn't have) isn't needed for implementing any of the combining algorithms.

>> In other words, if a development organization first implements
this algorithm by passing in a precalculated array as represented
by the normative interface signature, and then they complain
that it is too inefficient, that I can tell them to pass in an
Iterator to a collection of unprocessed nodes and just calculate
the Decision objects in the first line of the loop. For example,
I could suggest that the first line of the loop look something
    Decision denyOverridesCombiningAlgorithm(Iterator decisions)
    for ... {
        Decision decision = evaluate(decisions.next())
where Iterator.next() returns a PolicySet, Policy, or Rule, and "evaluate()"
produces the Decision. <<

Well, the iterator should return Decisions, not unprocessed nodes, because that's what the algorithm needs to work on. The implementation of the iterator should do the evaluation when it's next() method is called. The combining algorithms shouldn't need to know anything about evaluating PolicySets, Policies, or Rules.

>> If that is what you are suggesting and people agree, then I am ok with that,
as well, I think, assuming people really believe that this is an acceptable
view of the specification. <<

I'm interested to see if anybody has any objections to this view, since this is actually how I implemented it ;)


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]