I was perusing thru section A.3.12 today, looking at some of the details of the higher order bag functions, and it appears to me that there have been some changes made in 3.0 that do not look right.
For example, let's compare the 2.0 and 3.0 definitions of "any-of". Some of the diffs are subtle, so I have bolded, italicized the points I want to call attention to.
Note: I have tried to line up the paragraphs line by line of the 2 defns. Do not pay too much attention to the line numbers as they are sometimes off by 1 from the original because of quirks in copy and paste.
Here are the points about the 2.0 vs 3.0 definitions:
- Both 2.0 and 3.0 have the same name: xacml:1.0:function:any-of, therefore, one would expect the functions to be identical. I think we will find that they are not only not identical, but have some very strange differences.
- There is a difference in the hi-level defn of the fcns, where 2.0 uses the singular (compares 1 value to bag of values), and 3.0 uses the plural (compares multiple values to one bag of values). It appears that the change to plural is intentional, as will be evidenced in the points below, however, at this stage, it would appear that at the very minimum that the "name" of the 3.0 fcn should be different than the name of the 2.0 fcn.
- The most important change is that the 2nd argument of 2.0, has become "n-1" arguments in 3.0. i.e. the "signature" of "any-of" has changed from 3 arguments to "n+1" arguments, because of the expansion of the 2nd argument. Aside from this change in quantity of arguments, I believe the semantics have also changed, and maybe not in a good way.
- In 2.0, the function was effectively:
    "Does the 2nd argument appear in the bag in the 3rd argument?"
  In 3.0, this function appears to have become:
    "Does the 2nd argument appear in the bag in the last argument?
    Does the 3rd argument appear in the bag in the last argument?
    ...
    Does the nth argument appear in the bag in the last argument?
    If any of the above answers are "yes" then return true, ow false."
  We do not know on a true return which of the 2nd thru nth args matched something in the bag. Maybe all of them matched something, maybe only one, or maybe some number in between.
- Based on prev bullet 4, this new variation on the "any-of" fcn begins to look suspiciously like the "any-of-any" fcn that compares 2 bags looking for anything in bag 1 that matches anything in bag 2. Therefore, it appears to me that the 3.0 defn of "any-of" actually "implements" "any-of-any", which seems pointless.
I think there may be other similar issues in this section, but this one is the only one I have had time to look at in detail.
As usual, I am aware I may be missing something, in which case,
in advance, "Never mind" :).
The text of 2.0 and 3.0 follows:
Thanks,
Rich
First, here is 2.0:
4558 • urn:oasis:names:tc:xacml:1.0:function:any-of
4559 This function applies a Boolean function between a specific primitive value and a bag of
4560 values, and SHALL return "True" if and only if the predicate is "True" for at least one
4561 element of the bag.
4562 This function SHALL take three arguments.
The first argument SHALL be an <xacml:Function> element that names a Boolean function that takes two arguments of primitive types.
The second argument SHALL be a value of a primitive data-type.
The third argument SHALL be a bag of a primitive data-type.
The expression SHALL be evaluated as if the function named in the <xacml:Function> argument were applied to the second argument and each element of the third argument (the bag) and the results are combined with “urn:oasis:names:tc:xacml:1.0:function:or”.
Now, here is 3.0:
4680 urn:oasis:names:tc:xacml:1.0:function:any-of
4681 This function applies a Boolean function between specific primitive values and a bag of
4682 values, and SHALL return "True" if and only if the predicate is "True" for at least one
4683 element of the bag.
This function SHALL take n+1 arguments, where n is one or greater.
The first argument SHALL be an <Function> element that names a Boolean function that takes n arguments of primitive types.
Under the remaining n arguments, n-1 parameters SHALL be values of primitive data-types and one SHALL be a bag of a primitive data-type.
The expression SHALL be evaluated as if the function named in the <Function> argument were applied to the n-1 non-bag arguments and each element of the bag argument and the results are combined with “urn:oasis:names:tc:xacml:1.0:function:or”.
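Added example (not part of the original message or of the XACML specification): the two quoted definitions of any-of written out in Python, next to the per-argument reading described in the message, so the evaluation rules can be run against the same inputs. Assumptions: a bag is modelled as a Python list, each bag element is passed to the named function at the bag's own argument position, and in_range and the sample values are hypothetical.

```python
import operator

def any_of_v2(fn, value, bag):
    # 2.0 text: three arguments; fn(value, element) OR-ed over the bag.
    return any(fn(value, element) for element in bag)

def any_of_v3(fn, *args):
    # 3.0 text: of the n remaining arguments exactly one is a bag; fn takes
    # n arguments. Assumption: each bag element is substituted at the bag's
    # own position, keeping argument order.
    bags = [i for i, a in enumerate(args) if isinstance(a, list)]
    if len(bags) != 1:
        raise ValueError("exactly one argument must be a bag")
    pos = bags[0]
    return any(fn(*args[:pos], e, *args[pos + 1:]) for e in args[pos])

def any_of_per_argument(fn, *args):
    # Reading described in the message: each non-bag argument is compared
    # in turn with the bag in the last argument, using a two-argument fn.
    *values, bag = args
    return any(fn(v, e) for v in values for e in bag)

def in_range(low, high, x):
    # Hypothetical three-argument Boolean function for the n = 3 case.
    return low <= x <= high

def demo():
    roles = ["auditor", "admin"]  # constructed bag
    results = {
        "v2": any_of_v2(operator.eq, "admin", roles),
        "v3_n2": any_of_v3(operator.eq, "admin", roles),
        "v3_n3": any_of_v3(in_range, 10, 20, [5, 15]),
        "per_argument": any_of_per_argument(operator.eq, "guest", "admin", roles),
    }
    try:
        # A two-argument function with n = 3 does not fit the quoted 3.0 arity.
        any_of_v3(operator.eq, "guest", "admin", roles)
    except TypeError:
        results["v3_two_arg_fn_n3"] = "arity mismatch"
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With n = 2 the 3.0 evaluation rule gives the same result as the 2.0 rule; the two readings of the 3.0 text differ only once more than one non-bag argument is supplied.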