OASIS eXtensible Access Control Markup Language (XACML) TC

Re: [xacml] AttributeSelector example

Posted 08-24-2002 22:49



    Subject: Re: [xacml] AttributeSelector example


    
    Simon
    
    >The current schema allows matching attribute-selector with attribute-value.
    >Do you think this is something we have to change?
    
    I think so.
    
    >I'm not sure why you need attribute-selector with request-context-id
    >attribute.
    >Attribute-designator should be used for that.
    
    If you specify an Attribute-designator under the ResourceMatch element, it just
    means "retrieve the attribute value from the context". It says nothing about
    "apply the retrieved value against the context and return objects". In
    my definition, the node-match function is not a string-based matching
    function but an XPath-based, node-identity-based matching function (this is
    needed because a user may submit a request to /a//b that can never be resolved
    using string-based matching). I described the function definition in
    http://lists.oasis-open.org/archives/xacml/200208/msg00142.html. Then I
    thought that just specifying <ResourceAttributeDesignator> under <ResourceMatch>
    is something different from what I need. In other words, my intention is something
    like:
    
    <ResourceMatch MatchId="function:node-match">
      <AttributeSelector RequestContextPath='<ResourceAttributeDesignator AttributeId="urn:...:resource:xpath"/>'/>
      <AttributeSelector RequestContextPath=" ... "/>
    </ResourceMatch>
    
    The above intention became:
    
    <ResourceMatch MatchId="function:node-match">
      <AttributeSelector RequestContextId="urn:...:resource:xpath"/>
      <AttributeSelector RequestContextPath=" ... "/>
    </ResourceMatch>
    
    In my definition, <AttributeSelector> is an XPath function that returns an
    object from an XPath expression. The node-match function receives two object
    arguments and returns a boolean. Therefore, I thought we need to specify two
    <AttributeSelector> elements instead of a pair of <ResourceAttributeDesignator> and
    <AttributeSelector>. Does it make sense?
    
    >Even if you have attribute-selector with request-context-id attribute it is
    >not clear which attribute you are referring to. It just so happens that attribute
    >identifier has 'resource' in it, but it is not the general rule.
    
    Is it not clear? Since the attribute id
    "urn:oasis:names:toc:xacml:resource:xpath" is clearly specified, there seems to be
    no ambiguity in referring to the value, that is
    "xmlns(md=http:www.medico.com/schemas/record.xsd)xpointer(/md:record/md:patient/md:patientDoB"
    
    from the context. An argument would be that no syntax for the xpath
    attribute is specified in the rule. So we may need to specify:
    
    <ResourceMatch MatchId="function:node-match">
      <AttributeSelector RequestContextId="urn:...:resource:xpath" DataType="XPointer"/>
      <AttributeSelector RequestContextPath=" ... "/>
    </ResourceMatch>
    
    Then the PDP definitely comes to know what conversion is necessary (from
    XPointer to XPath with a Namespace element). Moreover, 'XPointer' should be
    'urn:oasis:names:tc:xacml:resource:syntax:xpointer', although I proposed
    'XPointer' in the previous mail.
    
    >I think what you call node-match function used to be called node-equal
    >function before.
    >In section 3 example node-match is not explained, but I had following in
    
    I changed the name from node-equal because node-equal is defined in XPath
    2.0 as a function that compares two nodes, not one that compares two node-sets
    with existential semantics. Another name would be general-node-equal. Which one
    do you prefer?
    
    Michiharu
    
    IBM Tokyo Research Laboratory, Internet Technology
    Tel. +81 (46) 215-4642   Fax +81 (46) 273-7428
    
    
    
    
    From: Simon Godik <simon@godik.com>
    To: XACML TC <xacml@lists.oasis-open.org>
    cc:
    Date: 2002/08/25 09:16
    Subject: Re: [xacml] AttributeSelector example
    
    
    
    Michiharu,
    I'm a little confused by this example.
    
    Expression (A) has 2 attribute-selector children of the <resource-match>
    element.
    The current schema allows matching attribute-selector with attribute-value.
    Do you think this is something we have to change?
    
    I'm not sure why you need attribute-selector with request-context-id
    attribute.
    Attribute-designator should be used for that.
    
    Even if you have attribute-selector with request-context-id attribute it is
    not clear which attribute you are referring to. It just so happens that attribute
    identifier has 'resource' in it, but it is not the general rule.
    
    I think what you call node-match function used to be called node-equal
    function before.
    In the section 3 example node-match is not explained, but I had the following in
    mind:
    node-match(xpath-req, xpath-rule), meaning that if the xpath-req node is in
    the xpath-rule node-set then there is a match.
    
    Simon
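The two points the thread turns on, the PDP's conversion of an XPointer request value (`xmlns(md=...)xpointer(...)`) into an XPath plus a namespace binding, and the existential, node-identity semantics of `node-match(xpath-req, xpath-rule)`, can be made concrete with a small standalone script. The following is an added example, not code from the XACML TC or from either author: the function names, the constructed patient record and the assumption that the rule's `md` prefix is bound to the same namespace URI as the request's are all this example's own. Only the Python standard library is used; ElementTree's XPath subset covers the path shapes discussed in the thread.

```python
"""Node-identity matching of an XPointer request value against a rule XPath.

Added example (not code from the XACML TC thread).  It models:

  * converting a request-context value written as an XPointer
    (`xmlns(md=...)xpointer(/md:record/...)`) into an XPath plus a namespace
    map, which is the conversion the PDP has to perform; and
  * `node-match(xpath-req, xpath-rule)`: the match holds when some node
    selected by the request XPath is a member (by node identity, not by
    comparing path strings) of the node-set selected by the rule XPath.

Function and variable names are this example's own.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample resource document: element names follow the thread's
# medical-record example, the content is invented.
SAMPLE_RECORD = """\
<md:record xmlns:md="http://www.medico.com/schemas/record.xsd">
  <md:patient>
    <md:patientName>J. Doe</md:patientName>
    <md:patientDoB>1970-01-01</md:patientDoB>
  </md:patient>
  <md:diagnosis>
    <md:patientDoB>1970-01-01</md:patientDoB>
  </md:diagnosis>
</md:record>
"""

_XMLNS_RE = re.compile(r"xmlns\(\s*([A-Za-z_][\w.-]*)\s*=\s*([^)]*)\)")
_XPOINTER_RE = re.compile(r"xpointer\((.*)\)\s*$")


def parse_xpointer(value):
    """Split an XPointer into (namespaces, xpath).

    Each `xmlns(prefix=uri)` part contributes to the namespace map; the body
    of the final `xpointer(...)` part is taken as the XPath expression.
    """
    namespaces = {p: uri.strip() for p, uri in _XMLNS_RE.findall(value)}
    m = _XPOINTER_RE.search(value)
    if m is None:
        raise ValueError("no xpointer() part in %r" % value)
    return namespaces, m.group(1).strip()


def load_document(xml_text):
    """Parse the resource and wrap it so absolute XPaths can be evaluated.

    ElementTree only accepts paths relative to an element, so the document
    element is placed under a synthetic parent; '/md:record/...' is then
    evaluated as './md:record/...' relative to that parent.
    """
    wrapper = ET.Element("document-wrapper")
    wrapper.append(ET.fromstring(xml_text))
    return wrapper


def select_nodes(doc, xpath, namespaces):
    """Return the node-set an absolute XPath selects in the wrapped document."""
    if not xpath.startswith("/"):
        raise ValueError("absolute path expected: %r" % xpath)
    return doc.findall("." + xpath, namespaces)


def node_match(doc, xpath_req, xpath_rule, namespaces):
    """True if any node selected by xpath_req is in the node-set of xpath_rule.

    Membership is tested by node identity (`is`), so the same element reached
    by two differently spelled paths still matches, while two distinct
    elements that happen to share a name and text do not.
    """
    rule_nodes = select_nodes(doc, xpath_rule, namespaces)
    return any(any(r is n for n in rule_nodes)
               for r in select_nodes(doc, xpath_req, namespaces))


def evaluate_resource_match(xml_text, request_xpointer, rule_xpath):
    """PDP-side flow: decode the request value, then apply node-match.

    Assumption of this example: the rule's prefixes are bound to the same
    URIs as the request's xmlns() parts.
    """
    namespaces, xpath_req = parse_xpointer(request_xpointer)
    doc = load_document(xml_text)
    return node_match(doc, xpath_req, rule_xpath, namespaces)


if __name__ == "__main__":
    request = ("xmlns(md=http://www.medico.com/schemas/record.xsd)"
               "xpointer(/md:record/md:patient/md:patientDoB)")
    # Different spelling, same node: a string comparison of the two paths
    # fails, node-match holds.
    print(evaluate_resource_match(SAMPLE_RECORD, request,
                                  "/md:record//md:patientDoB"))
    # A distinct element with the same local name and text: no match.
    print(evaluate_resource_match(SAMPLE_RECORD, request,
                                  "/md:record/md:diagnosis/md:patientDoB"))
```

The first call is the `/a//b` situation from the thread: the rule path `/md:record//md:patientDoB` and the request path `/md:record/md:patient/md:patientDoB` are unequal as strings but select the same element, so the match succeeds. The second call shows why identity rather than name-or-value comparison matters: the `md:patientDoB` under `md:diagnosis` has the same name and text as the one under `md:patient` but is a different node, so there is no match.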