OASIS eXtensible Access Control Markup Language (XACML) TC

[xacml] Comments for discussion at TC meeting 12/05/02

  • 1.  [xacml] Comments for discussion at TC meeting 12/05/02

    Posted 12-04-2002 18:22
    The attached file contains only those comments that have not yet been resolved. It includes e-mail up through http://lists.oasis-open.org/archives/xacml-comment/200211/msg00153.html and http://lists.oasis-open.org/archives/xacml/200212/msg00043.html -- Anne H. Anderson Email: Anne.Anderson@Sun.COM Sun Microsystems Laboratories 1 Network Drive,UBUR02-311 Tel: 781/442-0928 Burlington, MA 01803-0902 USA Fax: 781/442-1692 Title: Comments on XACML 1.0 Committee Specification Maintainer: Anne Anderson Version: 1.22, 02/12/04 (yy/mm/dd) Original Source: /net/labeast.east/files2/east/info/projects/isrg/xacml/docs/SCCS/s.Comments.txt This file contains a link to every UNRESOLVED comment received on the xacml-comment@lists.oasis-open.org mailing list reporting any kind of problem with the specification or schemas since the public review was announced on November 8, 2002. Each comment is broken down into specific sub-comments, and the response to each is described, along with any actions to be taken by the TC. This version of the file contains e-mail up through http://lists.oasis-open.org/archives/xacml-comment/200211/msg00153.html and http://lists.oasis-open.org/archives/xacml/200212/msg00043.html CATEGORIES ---------- Editorial: Formatting error or formatting inconsistency. Inconsistent: Specification says one thing in one place and another thing in another place. Incomplete: Specification omits information required for full specification of a feature. Incorrect: Specification describes functionality that will not work due to external or internal constraints. Unclear: Description of feature is not clear or is ambiguous. Undesirable: Feature is not desirable. Alternative: Proposed alternative to a feature ====================================================================== COMMENTS ====================================================================== 0032. http://lists.oasis-open.org/archives/xacml-comment/200211/msg00058.html Subject: Problems understanding XACML spec From: Graham Klyne <GK@NineByNine.org> Date: Wed, 20 Nov 2002 13:40:25 +0000 I'm having a really hard time understanding what you're trying to say in the XACML spec: http://www.oasis-open.org/committees/xacml/repository/draft-xacml-schema-policy-18d.doc ------------------------------------------------------------------------ 0032a. The description of a rule seems to be inadequately motivated. The description in section 2 (background) says "The <Rule> element contains a boolean expression that can be evaluated in isolation..." which doesn't do anything to prepare me for the description I find in section 3.3.1. I'm finding it particularly hard to see (a) what this Boolean expression is evaluated over (it seems to have something to do with the rule target), and (b) how the Boolean result relates to the evaluation of the rule. I can see that a Boolean true results in Permit or Deny depending on the value of the rule's effect field, but what happens if the Boolean value is false? As far as I can tell, understanding this is crucial to understanding all the other stuff about combining rules and policies. CATEGORY: Unclear. STATUS: Discussed 11/21/02. RESPONSE: Needs to be clarified. Proposed text attached to http://lists.oasis-open.org/archives/xacml-editors/200211/msg00000.html , Subject: FW:Draft OS v1.0 Dated 29th Nov 2002, From: Carlisle Adams, Date: Fri, 29 Nov 2002 TC members should read this. Unless there are objections, this will be used as the resolution to Comment 32a. ACTIONS: ========================================================================= 0044. http://lists.oasis-open.org/archives/xacml-comment/200211/msg00081.html Subject: There is no Section describing<SubjectAttributeDesignator> From: Satoshi Hada <SATOSHIH@jp.ibm.com> Date: Fri, 22 Nov 2002 15:48:16 +0900 There is no section describing <SubjectAttributeDesignator>. As a result, although the term "present" is defined for other attribute designators (action, resource, environment), there is no definition of "present" for subject attribute designator. Is this okay? CATEGORY: Incomplete. SEE ALSO: #22 STATUS: Discussed 11/25/02. RESPONSE: Rename 5.30 "Complex type SubjectAttributeDesignatorType" to "Element <SubjectAttributeDesignator>". Re-word this section so that it provides information in a format consistent with the descriptions of ResourceAttributeDesignator, ActionAttributeDesignator, and EnvironmentAttributeDesignator. ACTION ITEM: #44. [Simon Godik] compare 5.30 with 5.27-29 and propose consistent wording. 12/02/02 no progress, but will be done shortly ACTIONS: ========================================================================= 0052. http://lists.oasis-open.org/archives/xacml-comment/200211/msg00097.html Subject: 5.31 Element <AttributeSelector> From: John Merrells <merrells@jiffysoftware.com> Date: Sun, 24 Nov 2002 17:54:08 -0800 ------------------------------------------------------------------------ 0052a. "The AttributeSelector element's RequestContextPath XML attribute SHALL contain a legal XPath expression over the <xacml-context:Request> element." The phrase 'over the' made me think for a while. This could be made clearer by using the 'context node' term from the XPath specification. XPath evaluation occurs with respect to a context node, the context node for this XPath expression is the <xacml-context:Request> element. CATEGORY: Unclear. SEE ALSO: #59 STATUS: Discussed 11/25/02, 12/02/02 RESPONSE: ACTION ITEM: 52a. [Michiharu Kudo] Need Michiharu's opinion as an XPath expert. ACTIONS: DISCUSSION: [TC Comments Subcommittee Meeting 12/02/02] Reasonable to use "context node". Does XPath expression start with the <Subject>, <Resource>, <Action>, or <Environment> element, or with <Request>? XACML parser should not need to know semantics of the XPath expression, and it should be passed off to an external library. This requires that the expression start with the root of the document. But, if the implementation is to handle "notional" Request, the XACML implementation will HAVE to parse these. Request element is always implied. XPath expression in Target implies Subject, Resource, or Action. XPath expression in Condition implies only Request. Implementations can pre-pend Request/[Subject Resource Action] depending on whether the expression appears in a Target or in a Condition if they want to make use of an XPath library. But what if the XPath expression is an absolute expression? Or if it uses .. to back up and go down a different path? [Seth Proctor] > Does XPath expression start with the <Subject>, <Resource>, > <Action>, or <Environment> element, or with <Request>, or, in > the case of <Target> elements, with the path following > <Subject>, <Resource>, or <Action>? The XPath expression should be valid against the document, so it should always start with the root of the document, Request. You may want to specify that for attributes resolved outside the physical request document, it is legal to start with some other root (which may aid the attribute resolver), but otherwise you should require a valid XPath expression against the request document. > -Request element is always implied. XPath expression in Target > implies Subject, Resource, or Action. XPath expression in > Condition implies only Request. Implementations can pre-pend > Request/[Subject Resource Action] depending on whether the > expression appears in a Target or in a Condition if they want to > make use of an XPath library. > > -But what if the XPath expression is an absolute expression? Or > if it uses .. to back up and go down a different path? Making the implementation guess at some pre-pending string is a very bad idea. The second item above points out some of the reasons why. I can think of no reason why it's easier or cleaner to allow this. The spec says now that the expression must be valid against the request, and I think that's the right way to go. Specify only that the expression must be valid, and then it's always handled correctly. [Anne Anderson, responding to Seth Proctor] You don't have to "guess". If the AttributeSelector occurs in a Target Subject, then pre-pend "Request/Subject. If the AttributeSelector occurs in a Target Resource, then pre-pend Request/Resource, etc. If the AttributeSelector occurs in a Condition, then prepend Request/. Such pre-pending is just for an implementation that somehow is able to use an XPath library even though, as far as I know, no such library would be able to deal with the "notional" Request Context and be helpful in resolving attributes not supplied in the physical request. Since a conforming implementation must deal with such attributes, a conforming implementation will probably have to parse XPath expressions itself (possible with some help), and can validate the expression according to the XACML-specified root. By specifying the particular roots, we can ensure that the Attribute being selected is in the correct element (i.e. is of the correct type). Any implementation that prepends strings must check to be sure that the expression does not use .. to back up over the pre-pended string. >Hrm. I think the new language is more confusing than the old language, since >it's just defining an AD/AS, but it doesn't say that that's what it's doing. >Still, it makes it clearer that a PDP should be able to look outside the >physcial document for attribute values. One thing this still doesn't address >is the issue of when it has to look elsewhere: if values are found in the >physical document, does it still have to do a search? If a value is found at >one location, must the CH continue on, doing an exhaustive search? If this >is left undefined, then different implementations can produce different >results from the same request. We could clarify using language similar to that used in describing the environment attributes: current-time, etc. [Seth Proctor, responding to Anne Anderson] > You don't have to "guess". If the AttributeSelector occurs in > a Target Subject, then pre-pend "Request/Subject. If the > AttributeSelector occurs in a Target Resource, then pre-pend > Request/Resource, etc. If the AttributeSelector occurs in a > Condition, then prepend Request/. Well, you do have to "guess" since, as the original comments pointed out, the expression may already have been absolute, or may contain back pointers or other XPath wierdness. You can parse the expression, figure out what it has, and then do some pre-pending, but that's slower, and means you can't as easily use existing libraries (see next comment). If you require a valid XPath expression from the start, you don't need to worry about this, though you should probably check that you're pointing into the right part of the request (which _can_ be done with most libraries). > Such pre-pending is just for an implementation that somehow is > able to use an XPath library even though, as far as I know, no > such library would be able to deal with the "notional" Request > Context and be helpful in resolving attributes not supplied in > the physical request. Since a conforming implementation must > deal with such attributes, a conforming implementation will > probably have to parse XPath expressions itself (possible with > some help), and can validate the expression according to the > XACML-specified root. Not true. A conforming implementation that uses AttributeSelectors must be able to look in the physical request document, and if nothing is found, it should pass the request on to the Context Handler. In this case, the first step can be done with an off-the-shelf XPath library, and if that fails, the expression can be passed to the Context Handler, which can choose what to do next. I'm not saying that this is the way it must be done, but it's certainly reasonable to expect that implementors will use existing libraries for this step (and probably use them in part for the next step). [Polar Humenn, responding to Seth Proctor] I knew this would come back to bite. The original intent for the AttributeSelector was to be able to look into the resource, should the resource or anything else exist as an XML document. Somehow, it got mucked into looking into the RequestContext, because the context is specified in XML, ho hum. As far as I'm concerned the "selector" shouldn't be able to look in the RequestContext at all, greatly simplifing matters. The RequestContext is kept "notional", but specified in XML for the lack of a using a good interface language. I think the AttributeSelector should only be used to look into XML based resources using XPATH, and not into the request context. That is why we have the *AttributeDesignator stuff. ------------------------------------------------------------------------ 0052b. "In the case where the XPath expression matches attributes in the request context by AttributeId, it must also match the attribute's data-type with the selector's DataType." Does the 'it' above mean the XPath expression? So, it's saying that if you write an xpath expression to select an attribute from the context, and the expression includes a predicate for matching with an AttributeID, then that expression MUST also include a predicate that matches the selectors data type with the data type of the selected attribute...? CATEGORY: Unclear. SEE ALSO: #59 STATUS: Discussed 11/25/02. RESPONSE: ACTION ITEM: 52b. [Michiharu Kudo] Need Michiharu's opinion as an XPath expert. ACTIONS: ------------------------------------------------------------------------ 0052c. "In the case of using XPath 1.0, the value of the XPath expression is either a node-set, string value, numeric value, or boolean value." This may seem a quibble, and it probably is, but even though the XPath specification says that the result of an expression can be a primitive... I do not believe there's any way to form an expression that actually returns one. In my experience all XPath 1.0 expressions return a node-set. (I'd be very interested to be corrected on this point. I just looked in the o'reilly xpath book and it has some examples that are plain literal values like, 2002, or "hello", but if you follow the grammar of the language they're just not valid expressions.) CATEGORY: Unclear. SEE ALSO: #59 STATUS: Discussed 11/25/02. RESPONSE: ACTION ITEM: 52c. [Michiharu Kudo] Need Michiharu's opinion as an XPath expert. ACTIONS: ------------------------------------------------------------------------ 0052d. "If the XPath 1.0 expression evaluates to a node-set, then each node may consist of a string, numeric or boolean value, or a child node (i.e. structured node). In this case, each node is logically converted to string data by applying the "string" function defined in the XPath 1.0 specification, resulting in a sequence of string data." This is correct in spirit, but not actually correct. In XPath 1.0 an expression evaluates to a node-set. There are seven kinds of node (root, element, text, attribute, namespace, processing instruction, and comment). The XPath specification describes a way of determining a <b>string-value</b> for each type of node. CATEGORY: Unclear. SEE ALSO: #59 STATUS: Discussed 11/25/02. RESPONSE: ACTION ITEM: 52d. [Michiharu Kudo] Need Michiharu's opinion as an XPath expert. ACTIONS: ========================================================================== 0059. http://lists.oasis-open.org/archives/xacml-comment/200211/msg00129.html Subject: XACML questions ... From: Gene Thurston [ mailto:gthurston@amberpoint.com ] Sent: Wednesday, November 20, 2002 8:21 PM I was working with the latest XACML draft, and I had a few questions, mostly around the optional XPath capability outlined in it: ------------------------------------------------------------------------ 0059b. When used inside a <SubjectMatch> element, is the XPath expression found in the <AttributeSelector> evaluated over the entire context document, or just over the <Subjects> sub-tree? CATEGORY: Unclear. STATUS: Discussed 12/02/02. SEE ALSO: #52 RESPONSE: Depends on resolution to #52. ACTIONS: ------------------------------------------------------------------------ 0059c. Same question for <ResourceMatch> and <ActionMatch>? CATEGORY: Unclear. STATUS: Discussed 12/02/02. SEE ALSO: #52 RESPONSE: Depends on resolution to #52. ACTIONS: ------------------------------------------------------------------------ 0059d. If the answer to the above is that the XPath expressions are always evaluated over the entire context document, then what are the semantics if such an expression inside, say, a <SubjectMatch> element evaluates to something outside the <Subjects> sub-tree? Is this just, "OK" (as I suspect), or is there supposed to be something special about the fact that it was inside a <SubjectMatch> so we shouldn?t match anything outside the subject?s attributes? CATEGORY: Unclear. STATUS: Discussed 12/02/02. SEE ALSO: #52 RESPONSE: Depends on resolution to #52. ACTIONS: ------------------------------------------------------------------------ 0059e. If it is "OK", then there is no difference between <SubjectMatch>, <ResourceMatch>, or <ActionMatch>, and perhaps there should be a generic <AttributeSelectorMatch> or something similar? CATEGORY: Inconsistent STATUS: Discussed 12/02/02. SEE ALSO: #52 RESPONSE: Depends on resolution to #52. ACTIONS: ------------------------------------------------------------------------ DISCUSSION FOR ALL: [Tim Moses, responding to Gene directly] I'll pass your questions on to the XACML comment list, in order to ensure that they get recorded and addressed, and that any lack of clarity is corrected. Basically, attributes of subjects, resources and actions (but not environment) may appear in a policy's target. A policy is applicable to a request if at least one of its subject matches is true AND at least one of its resource matches is true AND at least on of its action matches is true. AttributeSelector may be used in any of these match types. In the case of a subject match, for instance, the "context" node for the XPath expression is xacml-context/Subject. And similarly for the other types. On the other hand, AttributeSelector may also be used in an Apply element to define an argument to an expression. In this case, the "context" node for the XPath expression is the whole xacml:context. So, it can select any attribute of any entity (subject, resource, action or environment), but it has to explicitly indicate which type of entity is intended. [John Merrells, responding to Tim Moses] > AttributeSelector may be used in any of these match types. In the > case of a subject match, for instance, the "context" node for the > XPath expression is xacml-context/Subject. And similarly for the > other types. Whoa... the spec doesn't say that. The spec says that for an AttributeSelector the context node for the evaluation of the XPath expression is the Request element... !?! ========================================================================== 0063. http://lists.oasis-open.org/archives/xacml-comment/200212/msg00008.html Subject: SubjectCategory XML attribute:string or URI? From: Anne Anderson <Anne.Anderson@Sun.com> Date: Tue, 03 Dec 2002 11:20:45 -0500 (EST) I recommend we change the type of the SubjectCategory XML attribute in both the Policy and, based on the 12/02/02 change, in the Context. RATIONALE: All the values we have defined for SubjectCategory are URIs. It is very important that custom SubjectCategory values not collide with each other. When subject-category was an XACML attribute, it probably made sense for the Policy SubjectCategory XML attribute to be a string since we specified that string-equals comparison was to be done. But the actual syntax of the SubjectCategory value should be something that is likely to be unique, and can be made not to collide with other values, and now that we are specifying that syntax, I believe it should be a URI. CATEGORY: Alternative. SEE ALSO: STATUS: Not yet discussed. RESPONSE: ACTIONS: DISCUSSION: ========================================================================== 0064. http://lists.oasis-open.org/archives/xacml-comment/200212/msg00014.html Subject: <StatusCode Value= type> From: Anne Anderson <Anne.Anderson@Sun.com> Date: Tue, 03 Dec 2002 15:30:59 -0500 (EST) In the current schema, the type of the StatusCode Value XML attribute is specified as xs:QName. I believe it should be xs:anyURI to agree with our previous decisions about avoiding use of QNames except within schemas to refer to other schema elements. CATEGORY: Inconsistent. SEE ALSO: STATUS: Not yet discussed. RESPONSE: ACTIONS: DISCUSSION: ========================================================================== 0065. http://lists.oasis-open.org/archives/xacml-comment/200212/msg00015.html Subject: resource question & comment From: Seth Proctor <seth.proctor@sun.com> Date: Tue, 03 Dec 2002 17:43:31 -0500 ------------------------------------------------------------------------------- 0065a. Comment: In section 7.8, the urns for the scope types are called out, but the resource id is referred to simply as 'ResourceId' and not by its complete urn. This should reference the urn for resource-id (I suspect this is left over from when the Resource section of a Request actually had a ResourceId). CATEGORY: Inconsistent. SEE ALSO: STATUS: Not yet discussed. RESPONSE: ACTIONS: DISCUSSION: ------------------------------------------------------------------------- 0065b. Question: In the ResultType, there is a ResourceId XML attribute, but it's of type anyURI. Should this be a string instead? Many systems allow things like spaces in path names, which is illegal in a URI. I realize that these can be escaped in URIs, but that may be extra processing for the application to do. I don't care either way, but I thought I'd bring it up. CATEGORY: Alternative. SEE ALSO: STATUS: Not yet discussed. RESPONSE: ACTIONS: DISCUSSION: ========================================================================== 0066. http://lists.oasis-open.org/archives/xacml-comment/200212/msg00016.html Subject: another resource question From: Seth Proctor <seth.proctor@sun.com> Date: Tue, 03 Dec 2002 18:08:04 -0500 Section 7.8 doesn't say anything about error conditions, and I'm wondering if it should. I know that some things are out of scope and shouldn't be considered (eg, if only some Descendants could be resolved, the app-specific code should decide whether or not this is an error). But what should happen if there is some unrecoverable error in the process of discovering the resource list? Should the PDP return an error, or should it evaluate with the single resource that was provided in the Request? I would hope it could return an error, but 7.8 doesn't say anything about this. CATEGORY: Incomplete. SEE ALSO: STATUS: Not yet discussed. RESPONSE: ACTIONS: DISCUSSION: [Bill Parducci] i believe that the behavior is a return of INDETERMINATE with a status code of '[...]processing-error' (now that status codes are no longer optional). ========================================================================== 0067. http://lists.oasis-open.org/archives/xacml-comment/200212/msg00018.html Subject:Section 8.2 "Extensible XACML attribute types" needsrevision From: Anne Anderson <Anne.Anderson@Sun.com> Date: Wed, 04 Dec 2002 08:15:42 -0500 (EST) Section 8.2 is a bit garbled, and now that we have SubjectCategory as an XML attribute instead of an XACML Attribute, it needs re-wording anyway. Here is my proposal: 1. Eliminate Section 8.2. Now that subject-category is not an XACML attribute, there are no longer any XACML-defined AttributeIds that have pre-defined, but extensible, values. 2. Add "SubjectCategory" to the list of "Extensible XML attribute types" in Section 8.1. CATEGORY: Incorrect. SEE ALSO: STATUS: Not yet discussed. RESPONSE: ACTIONS: DISCUSSION: ========================================================================== 0068. http://lists.oasis-open.org/archives/xacml-comment/200211/msg00134.html Subject: D002 From: John Merrells <merrells@jiffysoftware.com> Date: Tue, 26 Nov 2002 17:35:05 -0800 [Same comment submitted for D024] The policy uses string-equal as if the args were (bag<string>,string), this should probably be using the any-of method... <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:conformance-tests:bogus" DataType=" http://www.w3.org/2001/XMLSchema#string"/ > <AttributeValue DataType=" http://www.w3.org/2001/XMLSchema#string" ;;>Zaphod Beeblebrox</AttributeValue> CATEGORY: Incorrect. SEE ALSO: STATUS: Not yet discussed. RESPONSE: ACTIONS: DISCUSSION: [Anne Anderson] As in D002, this Condition was intended to produce an Indeterminate result (by passing the wrong argument type to the function) in order to test the requirements of the "first-applicable" algorithm, which says that a Permit or Deny result will be returned even if an Indeterminate result follows. [Polar Humenn, responding to Anne Anderson] The condition that John is referring to in urn:oasis:names:tc:xacml:1.0:conformance-test:IID024:policy3 in test D024 is not type correct and therefore is not a valid policy, and therefore not a valid policy set. Although it might niavely parse through the policy-schema, it should not even be evaluated, because it is not type correct. [Anne Anderson, responding to Polar] Polar, I disagree. In my opinion, the type checking for arguments to functions should be done at the time the function is evaluated, not at the time the policy is parsed. Since we have not specified the type-correctness of XACML functions using XML, the type correctness must be checked after the policy is parsed by the XML parser. It could be done as a second, XACML-specific parsing step, but I believe it is probably cleaner to have the type checking done at the time the function is evaluated. This may make it easier to deal with plug-in custom functions. [Simon Godik, responding to Anne Anderson] In my opinion, compile-time policy type-checking is essential (although not normative) for the xacml implementation. If you do not have typechecking done you are never sure what is going to happen at run-time. I do not think that run-time type-checking is 'clean', I think it is 'wrong'. Static typechecker will reject policies you may find appropriate just because they pass schema validation. [Daniel Engovatov, responding to Simon Godik] It seems to me that we are not talking about the same "time". XACML does not specify (and can not specify) the content of the context at "compile" time - i.e. policy exists independent of the context. How can it be guaranteed to be typechecked simultaneously (though it certainly can be done, in particular implementations that do have control over context and do not have external function extensions)? Only certain arguments can be always typechecked in advance (such as static value specified in policy, or <apply> elements). This is actually why it is important to NOT have polymorphic functions in condition, so that <apply> element always has a predefined type, even if its arguments are retrieved from context in the runtime.. [Polar Humenn, responding to Anne Anderson] > Polar, I disagree. In my opinion, the type checking for > arguments to functions should be done at the time the function > is evaluated, not at the time the policy is parsed. Hmmm. so, we must be calling every policy that merely passes the policy schema a "valid" policy? That's like saying that class Josed { String ridiculous(String s) { return 1 + s; } } is a valid Java class definition. Try to evaluate that. > Since we have not specified the type-correctness of XACML > functions using XML, the type correctness must be checked after > the policy is parsed by the XML parser. Well there is no way to describe type correctness in XML through the use of a schema. That technology is far less advanced than the idea. The schema is merely a syntax grammar. That's why we have the document. To describe the semantics that cannot be described in XML. > It could be done as a second, XACML-specific parsing step, but > I believe it is probably cleaner to have the type checking done > at the time the function is evaluated. This may make it easier > to deal with plug-in custom functions. Now, doesn't that force a PDP to accept BAD policies? I wouldn't call that "security savvy". Any policy that has something wrong with it, like a type error is extremely suspect and leaves me no assurance as to its correctness of its other parts. Are we forcing PDP's to accept policy sets with nonsensical policies, accept policies with nonsensical rules, accept rules with nonsensical conditions, and accept conditions with nonsensical elements, for example, within an AND or and OR, of which only depending on certain input you find them invalid? IMHO, horrible! If XACML forces my PDP to accept Policy Sets that merely validate against a parse tree but cannot come to some semantic meaning or integrity of evaluation, then why bother with the types at all? In fact, why even bother validating against the policy or request schema? Do we have conformance tests for Policies and RequestContext that do not conform to the schemas? If not, why not? If so, what do they evaluate to? A conformance test for: <?xml version="1.0" encoding="UTF-8"?> <Policy/> against <?xml version="1.0" encoding="UTF-8"?> <RequestContext/> Both structures are valid XML, aren't they? What would a compliant valid PDP evaluate this scenario to? [Daniel Engovatov, responding to Polar Humenn] > Both structures are valid XML, aren't they? What would a > compliant valid PDP evaluate this scenario to? They are not, not according to this schema: <xs:element name="Policy" type="xacml:PolicyType"/> <xs:complexType name="PolicyType"> <xs:sequence> <xs:element ref="xacml:Description" minOccurs="0"/> <xs:element ref="xacml:PolicyDefaults" minOccurs="0"/> <xs:element ref="xacml:Target"/> <xs:element ref="xacml:Rule" minOccurs="0" maxOccurs="unbounded"/> <xs:element ref="xacml:Obligations" minOccurs="0"/> </xs:sequence> <xs:attribute name="PolicyId" type="xs:anyURI" use="required"/> <xs:attribute name="RuleCombiningAlgId" type="xs:anyURI" use="required"/> </xs:complexType> In any case it is not the issue of the document validity - but the issue that the policy exists (and can be "compiled" and accepted independent of the data context, in the general case. [Polar Humenn, responding to Daniel Engovatov] > It seems to me that we are not talking about the same > "time". XACML does not specify (and can not specify) the > content of the context at "compile" time - i.e. policy exists > independent of the context. That is true. > How can it be guaranteed to be typechecked simultaneously > (though it certainly can be done, in particular implementations > that do have control over context and do not have external > function extensions)? Easily. The Policy is typechecked unto itself, as is the RequestContext. The attributes in the context are all typed, and selection from the policy is based on type. If attribute A of type T is in the context, but the policy is looking for attribute A of type U, then the sought after attribute isn't there. Everything works. > Only certain arguments can be always typechecked in advance > (such as static value specified in policy, or <apply> > elements). All arguments can be type checked in advance. > This is actually why it is important to NOT have polymorphic > functions in condition, so that <apply> element always has a > predefined type, even if its arguments are retrieved from > context in the runtime.. D; The theory of type systems and polymorphic functions allows complete typing of every element of an expression. [Daniel Engovatov, responding to Polar Humenn] >All arguments can be type checked in advance. Define "advance"? Yes, it is typechecked before the decision is made. The exact sequence of said operations is implementation dependent. That's why I said we are talking about different definition of time. My point was that the policy document MAY be tested and accepted INDEPENDENT of context data type verification. In implementation that is concerned about efficiency that may be a key distinction. >The theory of type systems and polymorphic functions allows >complete typing of every element of an expression. The practice of implementation of said systems cause a great deal of PITA for extension API development, that being the reason of such language being rather unpopular. [Polar Humenn, responding to Daniel Engovatov] I didn't say whether the scenario was valid XACML, but it valid XML, isn't it? Isn't that enough criteria? Some SAX/DOM parser can handle it, right? My point is, if we actually have conformance tests for badly formed policies of a certain ilk, then why not have conformance tests for other badly formed policies? > Define "advance"? It was your term. > Yes, it is typechecked before the decision is made. The exact > sequence of said operations is implementation dependent. > That's why I said we are talking about different definition of > time. > > My point was that the policy document MAY be tested and > accepted INDEPENDENT of context data type verification. Yes, but I was not referring to the context data. The actual policy was not type correct, and hence not well formed. ========================================================================== 0069. http://lists.oasis-open.org/archives/xacml/200212/msg00027.html Subject: IIC012: syntax-error or processing-error? * From: Anne Anderson <Anne.Anderson@Sun.com> * To: XACML TC <xacml@lists.oasis-open.org> * Date: Wed, 04 Dec 2002 08:58:43 -0500 (EST) Conformance Test IIC012 is intended to test for the error case in which a Condition FunctionId uses a function that does not return a Boolean result. The <Condition is: <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-subtract"> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only"> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:conformance-test:age" DataType=" http://www.w3.org/2001/XMLSchema#integer"/ > </Apply> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-one-and-only"> <EnvironmentAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:conformance-test:bart-simpson-age" DataType=" http://www.w3.org/2001/XMLSchema#integer"/ > </Apply> </Condition> Question: should the StatusCode Value from evaluating this Policy be "urn:...:status:syntax-error" (since it is a type error), or "urn:...:status:processing-error"? I'm leaning toward syntax-error. What do others think? CATEGORY: Unclear. SEE ALSO: STATUS: Not yet discussed. RESPONSE: ACTIONS: DISCUSSION: [Polar Humenn] This is the same problem as D024. This policy is not well formed. It is type incorrect. There should be no status code, because it should not even be hinted at that it should be evaluated. [Anne Anderson, responding to Polar Humenn] Well, we are required to return a Status Code, and we have a Status Code called "syntax-error", which certainly does not imply that the policy was evaluated. I think this exactly fits what you want to convey. [Polar Humenn, responding to Anne Anderson] What I am worried about is the implication is that all PDPs must return an Indeterminate with a status code of syntax-error if asked to evaluate this policy to be compliant with the standard. You can't configure my PDP with a badly formed policy, so there is no hope in god's country of it even passing this conformance test! Maybe there should be two sets of conformance tests. One set for testing acceptance of well and badly formed policies, and the other set for the evaluation of well formed Request Contexts and Policies. [Anne Anderson, responding to Polar Humenn] The specification does not say that the PDP generates the actual Response sent back to the PEP. The specification says that the Context Handler is responsible for translating the input format into an internal representation consistent with a Request, and for translating the Response output into the format expected by the PEP. I think in this case the ContextHandler will be responsible for generating the Response with Indeterminate and syntax-error as the Value for the Status Code. [Seth Proctor, responding to Anne Anderson] Let me suggest this: the result should be NotApplicable. This is an invalid policy, so the PDP should be unable to parse it. Sine the PDP should reject the policy, there will be no available policy to service the request. Hence, the NotApplicable result. This gets back to a similar thread we started a couple of weeks ago about when to return messages about bad policies (ie, is the policy paresed on PDP startup, on request processing, etc.). I think in general it's hard to define what to do in some of these cases, because different implementators will handle this differently. I want my PDP to reject the invalid policy, therefore it will never be available to a request, and will result in NotApplicable. But that's my choice. It's unclear to me whether the spec allows a PDP to parse and use an invalid policy, which is essentially what's required to get Indeterminate in this case. There is, of course, another side to this. If a request comes into the PDP that causes a policy to be fetched and parsed for the first time, and if that policy is the only applicable policy, then an error in the policy could be reported back to the PEP. Why? Because you might want to make it clear that there was a policy for the request, but it was invalid. This might be useful for diagnostic reasons, but I can't think of any other use for this distinction. The spec doesn't really nail this point down, so it's hard to know for sure what the tests should assume. It's also hard to define whether or not this is the case that the tests are exercising. [Polar Humenn, responding to Anne Anderson] PDP, ContextHandler, PEP, without interfaces, what does it really matter? You wouldn't even get this far with a bad policy. For instance, my PDP will be automatically configured out of the box with a default policy that is guarranteed and assured to be correct (i.e. always "Deny", always "Permit", etc, maybe according to some configuration file). The PDP will be configured with policies through its administration interface (not defined by XACML), and will not accept a badly formed policy, and the previous policy will remain in place. So, the "ContextHandler" (whateveer that is) will never answer the request to a badly formed policy, because you cannot get the badly formed policy into the system. It will always work against the currently configured policy, which is guarranteed to be correctly formed. We should NOT be stating to PDP vendors that to be compliant, they must evaluate badly formed policies. [Polar Humenn, responding to Seth Proctor] You make some good points. and you are right to say that your PDP will return "Not-Applicable" for this policy. In fact, you'd be right if you wanted to return Deny, Permit, or Indeterminate, as well. The fact is that the answer for badly formed policies is "undefined". In my previous example, some one can configure the PDP initially to be "Deny", "Permit", "Not-applicable", or even possibly "Indetermiante with not-configured". So if you take operation of the conformance tests to be: 1. Load Policy to PDP 2. Load Request to Context Handler 3. Make request. For a bad policy, some PDPs might accept the policy and return Indeterminate with syntax-error. Yours would return Not-Applicable. Mine would be whatever it was set to before, because the badly formed policy would never get into the PDP. So, in essence, we don't and shouldn't define what happens in this case. Now, for your "another side", of which you ellude to here: > There is, of course, another side to this. If a request comes > into the PDP that causes a policy to be fetched and parsed for > the first time, and if that policy is the only applicable > policy, then an error in the policy could be reported back to > the PEP. Why? Because you might want to make it clear that > there was a policy for the request, but it was invalid. This > might be useful for diagnostic reasons, but I can't think of > any other use for this distinction. The spec doesn't really > nail this point down, so it's hard to know for sure what the > tests should assume. It's also hard to define whether or not > this is the case that the tests are exercising. This case is actually covered in the policy combining algorithms: "If an error occurs while evaluating the target of a policy, or a reference to a policy is considered invalid or the policy evaluation results in "Indeterminate", then the policy set SHALL evaluate to "Indeterminate"." which is in all of the combinging algorithm specifications. In this case, retrieving an "invalid" policy will result in an indeterminate. However, the status code is not specified, but that could be a meriad of factors, such as the policy reference is down, the policy behind the reference is invalid, etc. However, it is still up to the PDP adminstrative interface to decide whether all referenced policies are correct at load time and decide not to accept. If you take the more dynamcic case, that may defer the answer, but it is covered. [Seth Proctor, responding to Polar Humenn] > "If an error occurs while evaluating the target of a policy, or > a reference to a policy is considered invalid or the policy > evaluation results in "Indeterminate", then the policy set > SHALL evaluate to "Indeterminate"." By my reading, this only covers some of the cases. I see three reasons for an error in the quoted text: 1. An error occurs while evaluating the target of a policy 2. A reference to a policy is considered invalid 3. Policy evaluation returns Indeterminate Reasons 1 and 3 refer to policies that have been successfully parsed by the PDP. If the policy is invalid, then we [1] won't try target evaluation, and we won't get an error on policy evaluation. That leaves reason 2, which I believe only refers to a PolicyIdReference or a PolicySetIdReference. So, my original comments about run-time retrieval still apply. If I have a module in my PDP which lets me, for example, talk to an LDAP service to get policies, and a request comes in that applies to one and only one policy in the directory, but that policy is invalid, what should I do? The quoted text does not say anything about this case. I may choose to say I couldn't find any valid policies, so I return NA, or I could say I found an invalid policy, and return SyntaxError. It may be that case 2 is supposed to apply to this problem as well, in which case I think the text should be re-worked to make that clearer. In any case, I certainly agree with you that there are several scenarios where it is up to the implementor what to do. I think you explained that clearly in the your last email, so I won't repeat any of it here :) [Daniel Engovatov] I would think it is the syntax-error. There is nothing wrong about reporting an incorrectly formed policy and nothing sacred about type incorrectness. This is what status codes are for. Does your language interpreter or compiler just die in silence if there is a typo in the code? [Polar Humenn, responding to Seth Proctor] > > "If an error occurs while evaluating the target of a policy, > > or a reference to a policy is considered invalid or the > > policy evaluation results in "Indeterminate", then the policy > > set SHALL evaluate to "Indeterminate"." > > By my reading, this only covers some of the cases. I see three > reasons for an error in the quoted text: > > 1. An error occurs while evaluating the target of a policy > 2. A reference to a policy is considered invalid > 3. Policy evaluation returns Indeterminate > > Reasons 1 and 3 refer to policies that have been successfully > parsed by the PDP. If the policy is invalid, then we [1] won't > try target evaluation, and we won't get an error on policy > evaluation. In some cases, target evaluation will be through indexing, in which you must retrieve all the policies and the policies must have been parsed beforehand, so you will know if the containing policy is really valid or not due to its consitutents. In the case where policy behind the reference is considered valid before proven invalid, then you are effectively evaluating the targets of the policy as you retreive them, in which case the "error" will happen during evaluation of that particular target. The next case is if the reference is not valid. [Polar Humenn, responding to Daniel Engovatov] I'm not saying that you shouldn't return an indeterminate with a status code of syntax error. Go ahead! I'm just not for conforming to that result. [Daniel Engovatov, responding to Polar Humenn] A question: do we state that PDP is indeed processing XACML policy and request directly? In an implementation PDP may never even see the policy in question: errors in the policy document are beeing taken care by PAP and transformed in some other internal format, while the request context is processed by PEP and context handler. PDP may read and process the policy in an entirely different format - thus it can not pass this conformance test. [Polar Humenn, responding to Daniel Engovatov] I agree. [Bill Parducci, responding to Daniel Engovatov] > I would think it is the syntax-error. There is nothing wrong > about reporting an incorrectly formed policy and nothing sacred > about type incorrectness. This is what status codes are for. this is my thinking as well. it seems to me that this conversation ties back into the 'run-time' type checking discussion: on the one hand polar seems to be saying that he will have determined policy malformedness prior to the decision processs, while anne & seth are talking about those cases whereby a problem is discovered during the decision process. if this is true, then in the former case--polar's scenario--the situation of having a problem processing a policy would only likely be the result of some internal misfiring (PAP/PRP <--> PDP miscommunication, etc.) and i would think that this would most assuredly warrant an error code of some sort with an INDETERMINATE decision. the case of the policy being written properly would not occur, so the response in that case is moot. the latter case--anne & seth's--could arise under similar circumstances as well as by run-time checking issues (poorly written policies). as pointed out in this thread this would warrant an INDETERMINATE result with an error code. in both cases i think that the decision is clearly *not* NOTAPPLICABLE because the decision making process has begun using a policy that is undigestible (or in the case of polar's case, attempting to evaluate a policy that has be rendered inoperable by some unplanned event). otherwise, how does the PDP differentiate between a happily functioning system and one that has, say acess control rights, network issues, etc. with the policy repository? [Polar Humenn, responding to Bill Parducci] > if this is true, then in the former case--polar's scenario--the > situation of having a problem processing a policy would only > likely be the result of some internal misfiring (PAP/PRP <--> > PDP miscommunication, etc.) and i would think that this would > most assuredly warrant an error code of some sort with an > INDETERMINATE decision. the case of the policy being written > properly would not occur, so the response in that case is moot. This case I believe is covered by the combining algorithms specification. > the latter case--anne & seth's--could arise under similar > circumstances as well as by run-time checking issues (poorly > written policies). as pointed out in this thread this would > warrant an INDETERMINATE result with an error code. Again, covered by the combining algorithms. > in both cases i think that the decision is clearly *not* > NOTAPPLICABLE because the decision making process has begun > using a policy that is undigestible (or in the case of polar's > case, attempting to evaluate a policy that has be rendered > inoperable by some unplanned event). If that policy is being dynamically retrived, then you are in effect covered by the combining algorithms specification, and none of our standard ones say it's Not-APplicable. However, that doesn't stop you from defining your own that does. > otherwise, how does the PDP differentiate between a happily > functioning system and one that has, say acess control rights, > network issues, etc. with the policy repository? For the case when you have a single malformed policy to be evaluated against a request, the answer is just simply undefined. The implementer can choose. Therefore, there should not be a "CONFORMANCE" test for it.