OASIS eXtensible Access Control Markup Language (XACML) TC

 View Only

Re: [xacml] Context attribute clarification

  • 1.  Re: [xacml] Context attribute clarification

    Posted 03-02-2004 16:58
     MHonArc v2.5.0b2 -->

    xacml message

    [Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

    Subject: Re: [xacml] Context attribute clarification

    Judging from the examples you provide, I guess I haven't been reading
    these changes to the spec carefully enough. Here's what I think should
    be happening...
    > In the first case, we have a multi-valued attribute of primitive type.  This
    > is relatively straightforward.  The data-type is defined in the <Attribute>
    > element.  In this case, the <AttributeValue> element SHOULD NOT have any xml
    > attributes.
    > <xacml-context:Attribute AttributeId="urn:com:food:favouriteVegetables"
    > DataType="http://www.w3.org/2001/XMLSchema#string";>
    >  <xacml-context:AttributeValue>Brocolli</xacml-context:AttributeValue>
    >  <xacml-context:AttributeValue>Parsnip</xacml-context:AttributeValue>
    > </xacml-context:Attribute>
    > A matching <SubjectAttributeDesignator> or <AttributeSelector> would return
    > a bag containing two strings.
    Agreed. There are two values, both of type string, both with the same
    identifier. This is the whole point of Rebekah's proposal: a simple
    mechanism so that we don't have to use the Attribute element twice.
    > In the second case, we have a multi-valued attribute of complex type.
    > <xacml-context:Attribute xmlns:Food="urn:com:food"
    > AttributeId="Food:favouriteMeals" DataType="Food:Dish">
    >  <xacml-context:AttributeValue>
    >   <Food:Dish BestSeason="Fall">
    >    <Food:Main>Potato pie</Food:Main>
    >    <Food:Veg>Brocolli</Food:Veg>
    >   </Food:Dish>
    >   <Food:Dish BestSeason="Fall">
    >    <Food:Dessert>Apple pie</Food:Dessert>
    >    <Food:Topping>Double Devon cream</Food:Topping>
    >   </Food:Dish>
    >  </xacml-context:AttributeValue>
    >  <xacml-context:AttributeValue>
    >   <Food:Dish BestSeason="Spring">
    >    <Food:Main>Asparagus quiche</Food:Main>
    >    <Food:Salad>Spinach</Food:Salad>
    >   </Food:Dish>
    >   <Food:Dish BestSeason="Spring">
    >    <Food:Dessert>Crème brulée</Food:Dessert>
    >   </Food:Dish>
    >  </xacml-context:AttributeValue>
    > </xacml-context:Attribute>
    > A matching <SubjectAttributeDesignator> or <AttributeSelector> would return
    > a bag containing four <Food:Dish> elements.
    Here I don't agree. The example you give only has two AttributeValues. A
    designator or selector should therefore return a bag with two values in
    it. How exactly am I supposed to see 4 values here? More to the point,
    how is the processing code supposed to see 4 values? If this example
    really yields 4 values instead of 2, then this proposal is not just
    providing a convenient shorthand syntax, it is re-defining how we
    process attribute values.
    > In this case, the <Attribute> element DataType attribute contains the QName
    > of the attribute element.  Additionally, the namespace has to be declared.
    No. The Attribute element specifies the identifier for the datatype
    used. If this is a custom type, and the processing code knows how to
    deal with the identifier as a QName and resolve a namespace, that's ok,
    but that's unknown to the specification.
    > Conclusion: the DataType attribute of the <Attribute> element should be
    > required.  If the <AttributeValue> is of primitive type, the DataType
    > attribute MUST contain the type identifier of the attribute as a URI.  Also,
    > in this case, the xml attribute in the <AttributeValue> element MUST be
    > omitted.
    The DataType attribute is required now, and is always a URI. Has the
    proposal in question changed this? It should not. Also, I don't think I
    understand the last sentence here...there is no standard XML attribute
    for xacml-context:AttributeValue.
    Some of the confusion here, I think, is that the example is incorrect.
    The DataType in the Attribute should not be Food:Dish, it should be
    something like Food:Dishes. Either that or there should be 4
    AttributeValue elements in the Attribute. Actually, I think that the
    correct way, given the current specification, is:
    <Attribute AttributeId="Food:favouriteMeals" DataType="Food:Dish">
     <AttributeValue BestSeason="Fall">
      <Food:Main>Potato pie</Food:Main>
     <AttributeValue BestSeason="Fall">
      <Food:Dessert>Apple pie</Food:Dessert>
      <Food:Topping>Double Devon cream</Food:Topping>
    > If the <AttributeValue> element has complex contents, then the namespace
    > MUST also be declared and it is RECOMMENDED that it be declared in the
    > <Attribute> element.  Also, in this case, the DataType attribute of the
    > <Attribute> element MUST contain the QName of the attribute element.  The
    > <AttributeValue> element may contain xml attributes.
    Gah. Is this really what we're proposing? Why the addition of QNames?
    The DataType attribute has clear meaning right now. It's an identifier
    that specifies the datatype of the value(s). 
    As an aside, I am seriously worried about this proposal. It was
    originally supposed to provide a simple syntactic shorthand for
    describing a collection of values that happen to have the same datatype
    and identifier. This should have been trivial to add. That it's taking
    this long, and that we're talking about how to handle QNames,
    namespaces, and complex content suggests to me that this proposal has
    become something much more complex. Could someone please post a complete
    list of changes for this proposal so we can understand exactly what has
    > Is this consistent with everyone's thinking?  All the best.  Tim.
    Apparently not. Sorry :(
    Also, it's spelled "Broccoli" ... at least in this country :)

    [Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]