Subject: RE: [xacml] New issue: XACML 3.0 higher order bag functions may have significant problems
Rich, you’ve got it mostly right, except:

In any-of, there is no constraint on where the bag appears. The parameters are given to FunctionName in the order they appear, with the variation occurring at the position where the bag appears.

In any-of-any, individual (non-bag) parameters are also allowed, which are simply used as constant values of FunctionName arguments (also positionally-determined).

The TC recently decided to remove the Haskell definition because it isn’t generally understood and we thought these functions could be explained by text and examples.

Regards,
--Paul

From: rich levinson [mailto:rich.levinson@oracle.com]

Hi Paul, Jan, and Erik,

Really, what we are interested in is applying varying sets of
boolean b = anyOf("FunctionName", p1, ... pn-1, Bag(pn(1->m))
where anyOf is provided with:
anyOf will then evaluate "Function(p1, ..., pn-1, pnm)" m times,
So, with this in mind, I am satisfied that the any-of text in 3.0 appears to be correct,
This appears to me now to be a "simple" generalization of "any-of",
boolean b = anyOfAny("FunctionName",
A final note of clarification is that there is no real restriction on the
FunctionName(p1, p2, ... pn-1, pn) can have any primitive data types that it needs to do its job.

Here’s an example showing what the 3.0 definition of any-of can do but the 2.0 couldn’t. To test whether any of a bag of time values is within a certain range, we can say:

any-of(‘time-in-range’, {05:00, 06:00, 07:00}, 06:30, 14:30)

There are 4 arguments to ‘any-of’:
The function name, ‘time-in-range’
A bag of time values
A single time value marking the beginning of the time range.
A single time value marking the end of the time range.

This will be evaluated as 3 calls to ‘time-in-range’:

time-in-range(05:00,06:30,14:30)
time-in-range(06:00,06:30,14:30)
time-in-range(07:00,06:30,14:30)

The last of these will return ‘true’, so the any-of function will return true.

Time-in-range is the only built-in Boolean function of more than 2 arguments, but Jan could probably supply more examples from GeoXACML.

The extended functionality is not everything you would want if you were used to Lisp or some similar language, but I think it is a useful extension. However, the 3.0 function needs to be re-identified so 1.0 processors can remain compliant.

Regards,
--Paul

From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of rich levinson

Hi Jan,

"3257 There SHALL be no notion of a bag containing bags,
Given this restriction, I do not see the value of providing a list of
For example, if I have a bag of "apples", then it makes sense
Is "apple-01" in this bag?
It also makes sense to ask:
Is at least one of "apple-01", "apple-02", "apple-03" in this bag?
any-of(fcn-id, apple-id1, appleid2, appleid3, apple-bag)
It sounds to me like the multi-data type suggestion would be like this:
any-of(fcn-id, "apple-01", "orange-02", "lemon-03", apple-bag)
This does not seem to make a lot of sense to me.
Even though you can't
I do think having a single apple vs an apple-bag is useful, because everyone

Hi Rich,
see inline.
Best regards
Jan

Hi Erik,

I expected that there was background material that provided the motivation, however, looking at the result, it seems to me that the "any-of" fcn has been expanded in an unnecessary way, since it appears to me that the change of the 2nd parameter in 2.0 to be n-1 parameters in 3.0, really is providing individual elements in separate parameters that could just as well be provided in a bag as they already are in the "any-of-any" fcn.

Aggregating the arguments of n-ary functions in a bag of datatype-xy only works if they all have the same datatype which is in general not the case (e.g. is-within-distance(polygonA, polygonB, 500meters)).

Also, the "any-of" is ref'd in some of the other fcns, presumably as being an "atomic" one element 2nd parameter fcn. That ref'ing I expect becomes less meaningful as the 2nd parameter expands to effectively be a bag implemented as multiple parameters.

It looks to me as if what might have seemed like a good idea at the time may have emerged as being duplication of existing functionality by effectively providing a less usable alternative to a bag as an n-1 list of individual parameters.

I think in the email you ref'd when you said:
"With this definition the any-of function actually becomes a special case of any-of-any, with one primitive type argument and one bag argument."
that you and I are possibly in technical agreement, although we may have different perspectives on it.

Unless there has been some real functionality added w this n-1 construct, my recommendation would be to fall back to the 2.0 impl and remove the n-1 parameter construct in 3.0.

Due to the limitation mentioned above I disagree and would recommend to keep the more flexible definition as it is now.

Thanks,
Rich

On 1/11/2012 11:49 PM, Erik Rissanen wrote:

Hi Rich,

Please see this post:
http://lists.oasis-open.org/archives/xacml/200912/msg00087.html
(And other discussion on this issue.)

Best regards,
Erik

On 2012-01-12 00:19, rich levinson wrote:

I was perusing thru section A.3.12 today, looking at some of the details of the higher order bag functions, and it appears to me that there have been some changes made in 3.0 that do not look right.

For example, let's compare the 2.0 and 3.0 definitions of "any-of". Some of the diffs are subtle, so I have bolded, italicized the points I want to call attention to.

Note: I have tried to line up the paragraphs line by line of the 2 defns. Do not pay too much attention to the line numbers as they are sometimes off by 1 from the original because of quirks in copy and paste.

Here are the points about the 2.0 vs 3.0 definitions:

1. Both 2.0 and 3.0 have the same name: /*xacml:1.0:function:any-of,*/ therefore, one would expect the functions to be identical. I think we will find that they are not only not identical, but have some very strange differences.

2. There is a difference in the hi-level defn of the fcns, where 2.0 uses the singular (compares 1 value to bag of values), and 3.0 uses the plural (compares multiple values to one bag of values). It appears that the change to plural is intentional, as will be evidenced in the points below, however, at this stage, it would appear that at the very minimum that the "name" of the 3.0 fcn should be different than the name of the 2.0 fcn.

3. The most important change is that the 2nd argument of 2.0, has become "n-1" arguments in 3.0. i.e. the "signature" of "any-of" has changed from 3 arguments to "n+1" arguments, because of the expansion of the 2nd argument. Aside from this change in quantity of arguments, I believe the semantics have also changed, and maybe not in a good way.

4. In 2.0, the function was effectively:
"Does the 2nd argument appear in the bag in the 3rd argument?"
In 3.0, this function appears to have become:
"Does the 2nd argument appear in the bag in the last argument?
Does the 3rd argument appear in the bag in the last argument?
...
Does the nth argument appear in the bag in the last argument?
If any of the above answers are "yes" then return true, ow false."
We do not know on a true return which of the 2nd thru nth args matched something in the bag. Maybe all of them matched something, maybe only one, or maybe some number in between.

5. Based on prev bullet 4, this new variation on the "any-of" fcn begins to look suspiciously like the "any-of-any" fcn that compares 2 bags looking for anything in bag 1 that matches anything in bag 2. Therefore, it appears to me that the 3.0 defn of "any-of" actually "implements" "any-of-any", which seems pointless.

I think there may be other similar issues in this section, but this one is the only I have had time to look at in detail.

As usual, I am aware I may be missing something, in which case, in advance, "Never mind" :).

The text of 2.0 and 3.0 follows:

Thanks,
Rich

First, here is *2.0*:

4558 • urn:oasis:names:tc:/*xacml:1.0:function:any-of*/
4559 This function applies a Boolean function between /*a specific primitive value*/ and a bag of
4560 values, and SHALL return "True" if and only if the predicate is "True" for at least one
4561 element of the bag.
4562 This function SHALL take three arguments.
The first argument SHALL be an <xacml:Function> element that names a Boolean function that takes /*two arguments*/ of primitive types.
/* The second argument SHALL be a value of a primitive data-type.
The third argument SHALL be a bag of a primitive data-type. */
The expression SHALL be evaluated as if the function named in the <xacml:Function> argument were applied to the second argument and each element of the third argument (the bag) and the results are combined with “urn:oasis:names:tc:xacml:1.0:function:or”.

Now, here is *3.0*:

4680 urn:oasis:names:tc:/*xacml:1.0:function:any-of*/
4681 This function applies a Boolean function between /*specific primitive values*/ and a bag of
4682 values, and SHALL return "True" if and only if the predicate is "True" for at least one
4683 element of the bag.
This function SHALL take n+1 arguments, where n is one or greater.
The first argument SHALL be an <Function> element that names a Boolean function that takes /*n arguments*/ of primitive types.
/* Under the remaining n arguments, n-1 parameters SHALL be values of primitive data-types and one SHALL be a bag of a primitive data-type. */
The expression SHALL be evaluated as if the function named in the <Function> argument were applied to the n-1 non-bag arguments and each element of the bag argument and the results are combined with “urn:oasis:names:tc:xacml:1.0:function:or”.
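
The evaluation rule discussed in this thread (one bag at any position for any-of, bags plus positional constants for any-of-any, results OR-ed), as an added Python sketch that is not part of any message above or of the XACML specification. The names Bag, expand, any_of and any_of_any are hypothetical, and time_in_range is a simplified stand-in for the built-in function.

```python
from datetime import time
from itertools import product
import operator


class Bag(tuple):
    """Marks an argument as an XACML bag of primitive values (hypothetical helper)."""


def time_in_range(value, low, high):
    # Simplified stand-in for XACML time-in-range: inclusive bounds, a range
    # whose end is earlier than its start wraps past midnight, no time zones.
    if low <= high:
        return low <= value <= high
    return value >= low or value <= high


def expand(args):
    """Every argument tuple the named function is called with: each bag varies
    at its own position, non-bag arguments stay constant at theirs."""
    axes = [a if isinstance(a, Bag) else (a,) for a in args]
    return list(product(*axes))


def any_of_any(fn, *args):
    """True if fn is true for at least one combination (results OR-ed)."""
    return any(fn(*call) for call in expand(args))


def any_of(fn, *args):
    """3.0 any-of: n arguments, exactly one of them a bag, at any position."""
    if sum(isinstance(a, Bag) for a in args) != 1:
        raise ValueError("any-of takes exactly one bag argument")
    return any_of_any(fn, *args)


# Constructed sample values, taken from the time-in-range example in the thread.
TIMES = Bag([time(5, 0), time(6, 0), time(7, 0)])
LOW, HIGH = time(6, 30), time(14, 30)

if __name__ == "__main__":
    for call in expand((TIMES, LOW, HIGH)):
        print("time-in-range", call, "->", time_in_range(*call))
    print("3.0 form:", any_of(time_in_range, TIMES, LOW, HIGH))
    # The 2.0 form is the case n = 2: one primitive value, then one bag.
    print("2.0 form:", any_of(operator.eq, "apple-01", Bag(["apple-01", "apple-02"])))
```

An empty bag produces no calls, so both functions return false for it.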