

Subject: RE: [xacml] XACML REST profile -- <content> vs <id>


Danny, Craig,

I'll update the document along the lines suggested by Danny to make this clearer.


Thanks,
Ray


From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of Danny Thorpe
Sent: Tuesday, May 22, 2012 8:54 PM
To: Danny Thorpe; Craig R Forster; xacml@lists.oasis-open.org
Subject: RE: [xacml] XACML REST profile -- <content> vs <id>

Upon reading the draft text more closely in light of Craig’s question/comment, I think I see the disconnect.

In the preface for section 2.4.2 Delete All Versions of a Policy, add:

Assume a policy admin user instructs the client application to delete all versions of the policy having policy ID <12345>.

<current steps to get entry point, get PAP list of policies>

The app searches the ATOM list for an entry whose <ID> matches the policy ID <12345> of the policy to be deleted.  The app issues a DELETE request for the content URI of that matching entry.



Danny Thorpe 
Product Architect | | Quest Software - Now including the people and products of BiTKOO | www.quest.com 

From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of Danny Thorpe
Sent: Tuesday, May 22, 2012 10:44 AM
To: Craig R Forster; xacml@lists.oasis-open.org
Subject: RE: [xacml] XACML REST profile -- <content> vs <id>

I think how the XACML Policy Id value is mapped onto a REST URI corresponding to the policy document should be left up to the service implementer.

When submitting a DELETE operation, clients should use the content URI.  Clients should not be responsible for (and should be discouraged from) composing the policy ID into a URI, since that mapping is determined by the service implementer and may vary from vendor to vendor.

-Danny

Danny Thorpe 
Product Architect | | Quest Software - Now including the people and products of BiTKOO | www.quest.com 

From: xacml@lists.oasis-open.org [mailto:xacml@lists.oasis-open.org] On Behalf Of Craig R Forster
Sent: Tuesday, May 22, 2012 9:11 AM
To: xacml@lists.oasis-open.org
Subject: [xacml] XACML REST profile -- <content> vs <id>

Hi all,

In the latest working draft, the example around deleting a policy starts with this returned from GET /authorization/policies:
HTTP/1.0 200 OK
Content-Type: application/atom+xml
Content-Length: <nnnn>

<feed xmlns="http://www.w3.org/2005/Atom">
  <author>example.com</author>
  <id>pap</id>
  <link rel="self" href="/authorization/policies"/>
  <title>Access Control Policies</title>
  <updated>Thu, 3 May 2012 21:36:24 GMT</updated>
  <entry>
    <id>urn:oasis:names:tc:xacml:3.0:example:SimplePolicy1</id>
    <title>Medi Corp access control policy</title>
    <link rel="alternate" href="/authorization/policies/1"/>
    <content type="application/xacml+xml" src="/authorization/policies/1"/>
    <summary>Medi Corp access control policy</summary>
  </entry>
  <!-- More entries -->
</feed>

Then the instructions "The client looks up the entry with the id that matches the policy’s PolicyId" followed by a DELETE request to /authorization/policies/1.

This doesn't appear to line up with the example. When constructing the URL, should implementers build a URL based on the <id> of the entry, or should they follow the <content> link of the entry? In this example, it appears the DELETE request was based on the <content> link, not on building a URI based on the <id>.

Regards,
Craig

-------
craig forster | technical lead, tivoli security policy manager
cforster@us.ibm.com
-------
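
The lookup discussed in this thread, as an added example that is not part of the original messages or of the REST profile draft: a client matches the Atom entry by <id>, then takes the DELETE target from that entry's <content src> instead of composing a URI from the policy ID. The function name `delete_target`, the host pap.example.com, the second feed entry and the same-origin check are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

ATOM = "{http://www.w3.org/2005/Atom}"

# Constructed sample feed, modelled on the one quoted in the thread.
# The second entry is invented to exercise the off-origin case.
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom">
  <id>pap</id>
  <link rel="self" href="/authorization/policies"/>
  <entry>
    <id>urn:oasis:names:tc:xacml:3.0:example:SimplePolicy1</id>
    <content type="application/xacml+xml" src="/authorization/policies/1"/>
  </entry>
  <entry>
    <id>urn:example:constructed:OffSitePolicy</id>
    <content type="application/xacml+xml" src="http://other.example.net/policies/9"/>
  </entry>
</feed>"""


def delete_target(feed_xml, feed_url, policy_id):
    """Return the absolute URI to DELETE for policy_id (hypothetical helper).

    The URI comes from the matching entry's <content src>; it is never
    built from the policy ID, since that mapping belongs to the service.
    """
    root = ET.fromstring(feed_xml)
    matches = [e for e in root.iter(ATOM + "entry")
               if (e.findtext(ATOM + "id") or "").strip() == policy_id]
    if len(matches) != 1:
        # Zero or duplicate matches: deleting anything would be a guess.
        raise LookupError(f"expected 1 entry for {policy_id!r}, found {len(matches)}")
    content = matches[0].find(ATOM + "content")
    src = content.get("src") if content is not None else None
    if not src:
        raise ValueError("entry has no <content src>; refusing to guess a URI")
    target = urljoin(feed_url, src)  # src may be relative to the feed URL
    # Assumption (not required by the draft): only send DELETE to the
    # origin the feed was fetched from, so a tampered feed cannot redirect
    # an authenticated destructive request to another host.
    feed, dest = urlsplit(feed_url), urlsplit(target)
    if (feed.scheme, feed.netloc) != (dest.scheme, dest.netloc):
        raise ValueError(f"content link {target!r} is outside the PAP origin")
    return target
```

The function only computes the target; the caller issues the DELETE with whatever HTTP client and credentials it already uses.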

