OASIS eXtensible Access Control Markup Language (XACML) TC

Expand all | Collapse all

REST Profile wd04

  • 1.  REST Profile wd04

    Posted 05-22-2012 19:25
    Section 1.5  - Can we add a use case for PDP <- PAP?   A PDP may use the REST API to fetch policies for evaluation.   ----   Section 2.2.3.2 Policy or PolicySet   There’s no indication or guidance about how the version of the document being posted is computed or identified.  Is this a minor revision, or is this bumping the revision from 1.0.0.123 to 1.5?   Suggestion: The client MUST set the Policy/Set version field to the version string desired for the new document to be created by the POST.  If the unique key combination of policy ID + version string already exists in the repository, the response MUST fail with (409 Conflict).   -------   Suggestion: An observation somewhere that GET/POST/DELETE may not be symmetric for all policy resources.  Implementations may expose individual policies for reading via GET but not support direct editing of that policy because that policy is a child element contained in a parent policyset. The parent policyset document can be identified by a link with an “enclosure” link relation.  The linked parent document should be the topmost parent or “root” policyset document (not an intermediate parent which is itself a child of the root policyset).   Perhaps the phrasing should be turned the other way around:  Because XACML policy/set references allow referencing external policy/sets without regard to their containment, REST API implementations SHOULD make child policy/sets accessible via GET even if such resources are not editable independently of their parent documents. The parent policyset document can be identified in the child policy ATOM element by a link with an “enclosure” link relation.  The linked parent document should be the topmost parent or “root” policyset document (not an intermediate parent which is itself a child of the root policyset).     I’m not sure how to express in the linkrels that editing of the child policy must be done by POSTing the parent document.   The reason for noting this asymmetry in the REST API profile is to reduce the REST API exposure to the semantics of how version numbers change in revisions, particularly between different policies.  Asymmetric operations on child policies allow for implementations to manage version propagation internally when changes are made to a child policy. When making a change to a contained child policy, it’s usually the case that the parent / container also needs to have its version bumped, all the way up the parent chain to the root node, in order to preserve the semantics of the container prior to the child revision. This is not an issue for external policy/set references.   -Danny   Danny Thorpe Product Architect Quest Software - Now including the people and products of BiTKOO www.quest.com    


  • 2.  Re: [xacml] REST Profile wd04

    Posted 05-22-2012 19:34

    >> Suggestion: The client MUST set the Policy/Set version field to the version string desired for the new document to be created by the POST. 
    >> If the unique key combination of policy ID + version string already exists in the repository, the response MUST fail with (409 Conflict).

    Shouldn't the server control the version?

    I'd imagine the "RESTful" way to do this would to have the client POST to the base URL, then have the server generate a new version and return the URL of this new version in the Location HTTP header.

    Regards,
    Craig

    -------
    craig forster technical lead, tivoli security policy manager
    cforster@us.ibm.com
    -------

    Danny Thorpe ---05/22/2012 02:25:42 PM---Section 1.5 - Can we add a use case for PDP <- PAP? A PDP may use the REST API to fetch policies




    From:
    Danny Thorpe <Danny.Thorpe@quest.com>


    To:
    "remon.sinnema@emc.com" <remon.sinnema@emc.com>,


    Cc:
    "xacml@lists.oasis-open.org" <xacml@lists.oasis-open.org>


    Date:
    05/22/2012 02:25 PM


    Subject:
    [xacml] REST Profile wd04


    Sent by:
    <xacml@lists.oasis-open.org>




    Section 1.5 - Can we add a use case for PDP <- PAP? A PDP may use the REST API to fetch policies for evaluation.

    ----

    Section 2.2.3.2 Policy or PolicySet

    There’s no indication or guidance about how the version of the document being posted is computed or identified. Is this a minor revision, or is this bumping the revision from 1.0.0.123 to 1.5?

    Suggestion: The client MUST set the Policy/Set version field to the version string desired for the new document to be created by the POST. If the unique key combination of policy ID + version string already exists in the repository, the response MUST fail with (409 Conflict).

    -------

    Suggestion: An observation somewhere that GET/POST/DELETE may not be symmetric for all policy resources. Implementations may expose individual policies for reading via GET but not support direct editing of that policy because that policy is a child element contained in a parent policyset. The parent policyset document can be identified by a link with an “enclosure” link relation. The linked parent document should be the topmost parent or “root” policyset document (not an intermediate parent which is itself a child of the root policyset).

    Perhaps the phrasing should be turned the other way around: Because XACML policy/set references allow referencing external policy/sets without regard to their containment, REST API implementations SHOULD make child policy/sets accessible via GET even if such resources are not editable independently of their parent documents. The parent policyset document can be identified in the child policy ATOM element by a link with an “enclosure” link relation. The linked parent document should be the topmost parent or “root” policyset document (not an intermediate parent which is itself a child of the root policyset).


    I’m not sure how to express in the linkrels that editing of the child policy must be done by POSTing the parent document.

    The reason for noting this asymmetry in the REST API profile is to reduce the REST API exposure to the semantics of how version numbers change in revisions, particularly between different policies. Asymmetric operations on child policies allow for implementations to manage version propagation internally when changes are made to a child policy. When making a change to a contained child policy, it’s usually the case that the parent / container also needs to have its version bumped, all the way up the parent chain to the root node, in order to preserve the semantics of the container prior to the child revision. This is not an issue for external policy/set references.

    -Danny

    Danny Thorpe
    Product Architect Quest Software - Now including the people and products of BiTKOO www.quest.com






  • 3.  RE: [xacml] REST Profile wd04

    Posted 05-22-2012 21:18




    Sure, the server can handle autoincrementing the version for minor revs, but how would the client indicate it intends for the revision to be a major version
    bump?  1.0.15 -> 1.7 for example.
     
    Hmm. 

    1.       
    POST /policies/{policyid}/   -> version field in body must match the current tip, and server autoincrements to produce new version (1.0.15 -> 1.0.16)
    2.       
    POST /policies/{policyid}/{version}  -> creates a new “branch” of the document with the indicated version (1.7). The base version from which the new
    version is branched can be expressed in the version string in the policy in the body of the request.
     
    That might suffice, but this requires the client to know how to compose the vendor’s URL pattern.  The REST API profile thus far has avoided specifying any
    URL patterns.
     
    Other ideas?
     
    -Danny
     

    Danny Thorpe

    Product Architect

    Quest Software -
    Now including the people and products of BiTKOO
    www.quest.com

     


    From: Craig R Forster [mailto:cforster@us.ibm.com]

    Sent: Tuesday, May 22, 2012 12:32 PM
    To: Danny Thorpe
    Cc: remon.sinnema@emc.com; xacml@lists.oasis-open.org
    Subject: Re: [xacml] REST Profile wd04


     
    >> Suggestion: The client MUST set the Policy/Set version field to the version string desired for the new document to be created by the POST. 

    >> If the unique key combination of policy ID + version string already exists in the repository, the response MUST fail with (409 Conflict).


    Shouldn't the server control the version?

    I'd imagine the "RESTful" way to do this would to have the client POST to the base URL, then have the server generate a new version and return the URL of this new version in the Location HTTP header.

    Regards,
    Craig

    -------
    craig forster technical lead, tivoli security policy manager
    cforster@us.ibm.com
    -------

    Danny
    Thorpe ---05/22/2012 02:25:42 PM---Section 1.5 - Can we add a use case for PDP <- PAP? A PDP may use the REST API to fetch policies





    From:



    Danny Thorpe < Danny.Thorpe@quest.com >





    To:



    " remon.sinnema@emc.com " < remon.sinnema@emc.com >,






    Cc:



    " xacml@lists.oasis-open.org " < xacml@lists.oasis-open.org >





    Date:



    05/22/2012 02:25 PM





    Subject:



    [xacml] REST Profile wd04





    Sent by:



    < xacml@lists.oasis-open.org >










    Section 1.5 - Can we add a use case for PDP <- PAP? A PDP may use the REST API to fetch policies for evaluation.


    ----

    Section 2.2.3.2 Policy or PolicySet

    There’s no indication or guidance about how the version of the document being posted is computed or identified. Is this a minor revision, or is this bumping the revision from 1.0.0.123 to 1.5?

    Suggestion: The client MUST set the Policy/Set version field to the version string desired for the new document to be created by the POST. If the unique key combination of policy ID + version string already exists in the repository, the response MUST fail with
    (409 Conflict).

    -------

    Suggestion: An observation somewhere that GET/POST/DELETE may not be symmetric for all policy resources. Implementations may expose individual policies for reading via GET but not support direct editing of that policy because that policy is a child element
    contained in a parent policyset. The parent policyset document can be identified by a link with an “enclosure” link relation. The linked parent document should be the topmost parent or “root” policyset document (not an intermediate parent which is itself a
    child of the root policyset).

    Perhaps the phrasing should be turned the other way around: Because XACML policy/set references allow referencing external policy/sets without regard to their containment, REST API implementations SHOULD make child policy/sets accessible via GET even if such
    resources are not editable independently of their parent documents. The parent policyset document can be identified in the child policy ATOM element by a link with an “enclosure” link relation. The linked parent document should be the topmost parent or “root”
    policyset document (not an intermediate parent which is itself a child of the root policyset).


    I’m not sure how to express in the linkrels that editing of the child policy must be done by POSTing the parent document.

    The reason for noting this asymmetry in the REST API profile is to reduce the REST API exposure to the semantics of how version numbers change in revisions, particularly between different policies. Asymmetric operations on child policies allow for implementations
    to manage version propagation internally when changes are made to a child policy. When making a change to a contained child policy, it’s usually the case that the parent / container also needs to have its version bumped, all the way up the parent chain to
    the root node, in order to preserve the semantics of the container prior to the child revision. This is not an issue for external policy/set references.

    -Danny

    Danny Thorpe
    Product Architect
    Quest Software -
    Now including the people and products of BiTKOO
    www.quest.com









  • 4.  RE: [xacml] REST Profile wd04

    Posted 05-23-2012 08:49
    Craig, From: Craig R Forster [ mailto:cforster@us.ibm.com ] Sent: Tuesday, May 22, 2012 9:32 PM To: Danny Thorpe Cc: Sinnema, Remon; xacml@lists.oasis-open.org Subject: Re: [xacml] REST Profile wd04 > Shouldn't the server control the version? I don't see how a server could know whether an update indicates a minor or major change. So unless you have a very simplistic versioning scheme, where you just increment a single digit, the server can't implement it. The client, on the other hand, is in a much better position, since it most likely has knowledge of what events led to the creation of a new version of the policy. So it could, for example, implement semantic versioning [1]. So there are basically two approaches that we can take: (1) let the client specify the version (2) let the client indicate to the server what kind of change is made Approach #2 is what you see in source code control systems like SVN, where there are different commands for incrementing the minor and major version (commit vs. branch). I like #1 better, because (1) it's simpler, which keeps the costs for implementation low (2) it allows the client to chose any versioning scheme it wants, instead of having the server dictate one (3) it allows the server to validate the given policy as-is against the policy schema #2 is especially important for the Authorization-as-a-Service use case, where different tenants may want to use different versioning schemes, while using the same server (farm). Thanks, Ray [1] http://www.osgi.org/wiki/uploads/Links/SemanticVersioning.pdf


  • 5.  RE: [xacml] REST Profile wd04

    Posted 05-23-2012 14:23
    That's a fair explanation Ray, and I agree with your conclusions. To me, it seems like this API is not exposing PAP functionality but Policy Repository functionality -- in my mind, the authoring/administration component would be the one pushing policies via this API and the PDP would be the one reading them for runtime evaluation. If the client is controlling the version too, then the server in this profile is even more like a pure policy repository. From your other note: >> most PAPs will write policies to some sort of Policy Repository, which the PDP then queries I completely agree, and the "PAP" API defined in the REST profile would be the perfect protocol for both sides of this flow. Regards, Craig ------- craig forster technical lead, tivoli security policy manager cforster@us.ibm.com ------- ---05/23/2012 03:49:05 AM---Craig, From: Craig R Forster [ mailto:cforster@us.ibm.com ] From: <remon.sinnema@emc.com> To: Craig R Forster/Austin/IBM@IBMUS, Cc: <xacml@lists.oasis-open.org> Date: 05/23/2012 03:49 AM Subject: RE: [xacml] REST Profile wd04 Sent by: <xacml@lists.oasis-open.org> Craig, From: Craig R Forster [ mailto:cforster@us.ibm.com ] Sent: Tuesday, May 22, 2012 9:32 PM To: Danny Thorpe Cc: Sinnema, Remon; xacml@lists.oasis-open.org Subject: Re: [xacml] REST Profile wd04 > Shouldn't the server control the version? I don't see how a server could know whether an update indicates a minor or major change. So unless you have a very simplistic versioning scheme, where you just increment a single digit, the server can't implement it. The client, on the other hand, is in a much better position, since it most likely has knowledge of what events led to the creation of a new version of the policy. So it could, for example, implement semantic versioning [1]. So there are basically two approaches that we can take: (1) let the client specify the version (2) let the client indicate to the server what kind of change is made Approach #2 is what you see in source code control systems like SVN, where there are different commands for incrementing the minor and major version (commit vs. branch). I like #1 better, because (1) it's simpler, which keeps the costs for implementation low (2) it allows the client to chose any versioning scheme it wants, instead of having the server dictate one (3) it allows the server to validate the given policy as-is against the policy schema #2 is especially important for the Authorization-as-a-Service use case, where different tenants may want to use different versioning schemes, while using the same server (farm). Thanks, Ray [1] http://www.osgi.org/wiki/uploads/Links/SemanticVersioning.pdf


  • 6.  RE: [xacml] REST Profile wd04

    Posted 05-23-2012 20:21
    Craig, From: Craig R Forster [ mailto:cforster@us.ibm.com ] Sent: Wednesday, May 23, 2012 4:21 PM To: Sinnema, Remon Cc: xacml@lists.oasis-open.org Subject: RE: [xacml] REST Profile wd04 > To me, it seems like this API is not exposing PAP functionality but Policy Repository functionality The core spec mentions the concept of a policy repository, but provides little detail -- I think on purpose. From what's in the core spec, it's hard to distinguish between a PAP and a policy repository. I guess it boils down to what one thinks "administration" means. I limited this to CRUD in the REST profile, since that seems to be the only functionality one can know for sure will be provided by all PAPs/policy repositories. As is evident from section 1.5.2., I don't consider a policy editor to be a PAP per se. Maybe we need to define these terms better? Thanks, Ray


  • 7.  RE: [xacml] REST Profile wd04

    Posted 05-23-2012 17:29
    What happens when App A uses one versioning scheme when posting revisions to a repository, and App B uses a different versioning scheme when posting revisions to the same repository? One app's post could violate the other app's semantics. -Danny Danny Thorpe Product Architect Quest Software - Now including the people and products of BiTKOO www.quest.com


  • 8.  RE: [xacml] REST Profile wd04

    Posted 05-23-2012 20:24
    Danny, >


  • 9.  RE: [xacml] REST Profile wd04

    Posted 05-23-2012 21:36
    >>>>>>>>>>>> > > What happens when App A uses one versioning scheme when posting > revisions to a repository, and App B uses a different versioning scheme > when posting revisions to the same repository? One app's post could > violate the other app's semantics. Are you referring to the Authorization-as-a-Service scenario? In that case, I expect the policies of different tenants to be completely separate. <<< Agreed, but not the case of concern. >>> In the case of different applications of a single tenant, one could ask why there are multiple interfaces for maintaining shared policies in the first place? <<< Not multiple interfaces - Multiple applications using the same REST API interface to access shared policies. By the earlier suggestion, each application (client) is responsible for implementing versioning semantics, and the REST API server is just a holder of (mostly) opaque blobs. If by "application" we mean a server based application that uses the REST API on the backend, well that's a somewhat controlled environment and can probably be managed into submission if two leviathan apps need to feed on the same policy repository. However, if by "application" we mean Skippy's policy editor for Windows and George's policy editor for Mac, both running on the desktop and operating completely independently of each other against the same REST API repository operating on the same policies, then we have a much greater chance that these apps will not implement the same versioning semantics. This scenario is less of a concern if the server enforces a particular versioning model. I'm just concerned that leaving versioning semantics as an exercise for the client application developer will severely undermine interoperability - not because the client can't work with different implementations of the REST API, but because multiple clients working with the same REST API server on shared policies may interfere with each other's work if their respective versioning models are incompatible. Since our hands are tied on the versioning semantic front (for now), maybe there's no way out of this at this point in time. I also have a hunch that perhaps my concern is overblown, in the sense of how different could the versioning models of two apps be, given the environmental constraints laid out by the XACML core spec? Child policies are contained within parent policies. Parent policy behaviors are determined by their child policies. Modifying a child policy inherently modifies the parent policy's behavior as well, for every direct and indirect parent of the child policy all the way up to the root. Therefore, we could argue that any modification to a child policy must modify the version of the child policy and every policy in the parent chain, because not modifying the parent versions means you'd get different behaviors from the same "version" of the parent policy when child policies are modified. This is true regardless of how the repository stores the policies internally. It's an artifact of the XACML containment model. For XACML policy references, version propagation isn’t an issue. Modifying a referenced policy doesn't require bumping the version of the referees. So if this is an implied consequence of the XACML policy containment model, perhaps it just isn't possible for two applications to implement versioning in dramatically different ways? If there's consensus that this is the case, I'd be happy to declare my concern as 'moot'. :> -Danny


  • 10.  RE: REST Profile wd04

    Posted 05-23-2012 08:18
    Danny, From: Danny Thorpe [ mailto:Danny.Thorpe@quest.com ] Sent: Tuesday, May 22, 2012 9:25 PM To: Sinnema, Remon Cc: xacml@lists.oasis-open.org Subject: REST Profile wd04 > Section 1.5  - Can we add a use case for PDP <- PAP?   A PDP may use the REST API to fetch policies for evaluation. I don't think a lot of systems will be implemented this way; most PAPs will write policies to some sort of Policy Repository, which the PDP then queries. Also, there is the whole policy distribution idea that Hal proposed. So I'm leaning against this idea, unless others agree with you. > Section 2.2.3.2 Policy or PolicySet > > There's no indication or guidance about how the version of the document being posted is computed or identified.  Is this a minor revision, or is this bumping the revision > from 1.0.0.123 to 1.5? My goal with the REST profile is simply to make existing PAP (and PDP) functionality available through a REST interface. I'd prefer it if we didn't introduce new functionality. IMO, if we are to define versioning of policies, then that should be done in the core spec (or a dedicated Versioning profile), not in the REST profile. I think that the policy supplied in the body must validate against the XACML policy schema (or else 400 Bad Request). This means that the Version attribute must be supplied by the client, and the version is opaque to the REST server. The server need only be able to tell whether versions are identical. If people agree with this position, then I'll document it in the profile. The core spec should define how versions are to be compared. Since it currently doesn't, as you mentioned earlier, I'm okay with temporarily adding some text about it in the REST profile, so that we can enable interoperability between different implementations of the profile. > Suggestion: An observation somewhere that GET/POST/DELETE may not be symmetric for all policy resources. That's a good idea. I'll add it to the document. > Implementations may expose individual policies for reading via GET but not support direct editing of that policy because that policy is a child element contained in a > parent policyset. The parent policyset document can be identified by a link with an "enclosure" link relation. That doesn't seem to fit the definition of "enclosure": http://tools.ietf.org/html/rfc5988#page-13 How about "up"? http://tools.ietf.org/html/rfc5988#page-16 > The linked parent document should be the topmost parent or "root" policyset document (not an intermediate parent which is itself a child of the root policyset). Yes. This needs to be spelled out in the document. > I'm not sure how to express in the linkrels that editing of the child policy must be done by POSTing the parent document. The way link relations work, is that the spec must define what operations a server accepts for the link relation and what they mean. The client must understand these semantics. Thanks, Ray


  • 11.  Re: [xacml] RE: REST Profile wd04

    Posted 05-23-2012 08:38
    Hi, With respect to a PDP using a PAP to fetch policies, I tend to follow Ray's comments. That said, I believe it would be quite possible for a PDP to use a PRP connector that would in fact just use the PAP to fetch policies. From a PDP's perspective, it still looks like it's reading policies from a PRP. On Wed, May 23, 2012 at 10:18 AM, < remon.sinnema@emc.com > wrote: Danny, From: Danny Thorpe [mailto: Danny.Thorpe@quest.com ] Sent: Tuesday, May 22, 2012 9:25 PM To: Sinnema, Remon Cc: xacml@lists.oasis-open.org Subject: REST Profile wd04 > Section 1.5  - Can we add a use case for PDP <- PAP?   A PDP may use the REST API to fetch policies for evaluation. I don't think a lot of systems will be implemented this way; most PAPs will write policies to some sort of Policy Repository, which the PDP then queries. Also, there is the whole policy distribution idea that Hal proposed. So I'm leaning against this idea, unless others agree with you. > Section 2.2.3.2 Policy or PolicySet > > There's no indication or guidance about how the version of the document being posted is computed or identified.  Is this a minor revision, or is this bumping the revision > from 1.0.0.123 to 1.5? My goal with the REST profile is simply to make existing PAP (and PDP) functionality available through a REST interface. I'd prefer it if we didn't introduce new functionality. IMO, if we are to define versioning of policies, then that should be done in the core spec (or a dedicated Versioning profile), not in the REST profile. I think that the policy supplied in the body must validate against the XACML policy schema (or else 400 Bad Request). This means that the Version attribute must be supplied by the client, and the version is opaque to the REST server. The server need only be able to tell whether versions are identical. If people agree with this position, then I'll document it in the profile. The core spec should define how versions are to be compared. Since it currently doesn't, as you mentioned earlier, I'm okay with temporarily adding some text about it in the REST profile, so that we can enable interoperability between different implementations of the profile. > Suggestion: An observation somewhere that GET/POST/DELETE may not be symmetric for all policy resources. That's a good idea. I'll add it to the document. > Implementations may expose individual policies for reading via GET but not support direct editing of that policy because that policy is a child element contained in a > parent policyset. The parent policyset document can be identified by a link with an "enclosure" link relation. That doesn't seem to fit the definition of "enclosure": http://tools.ietf.org/html/rfc5988#page-13 How about "up"? http://tools.ietf.org/html/rfc5988#page-16 > The linked parent document should be the topmost parent or "root" policyset document (not an intermediate parent which is itself a child of the root policyset). Yes. This needs to be spelled out in the document. > I'm not sure how to express in the linkrels that editing of the child policy must be done by POSTing the parent document. The way link relations work, is that the spec must define what operations a server accepts for the link relation and what they mean. The client must understand these semantics. Thanks, Ray --------------------------------------------------------------------- To unsubscribe, e-mail: xacml-unsubscribe@lists.oasis-open.org For additional commands, e-mail: xacml-help@lists.oasis-open.org -- David Brossard, M.Eng, SCEA, CSTP VP Product Marketing & Customer Relations +46(0)760 25 85 75 Axiomatics AB Skeppsbron 40 S-111 30 Stockholm, Sweden http://www.linkedin.com/companies/536082 http://www.axiomatics.com http://twitter.com/axiomatics


  • 12.  RE: REST Profile wd04

    Posted 05-23-2012 17:21
    >>>>>>>>> > Section 1.5  - Can we add a use case for PDP <- PAP?   A PDP may use the REST API to fetch policies for evaluation. I don't think a lot of systems will be implemented this way; most PAPs will write policies to some sort of Policy Repository, which the PDP then queries. Also, there is the whole policy distribution idea that Hal proposed. So I'm leaning against this idea, unless others agree with you. <<<<<<<<< FWIW, I'm planning to implement a REST API on my policy repository server. Thus my question about PDP fetching policies via a REST API. >>>>>>>>>> > Section 2.2.3.2 Policy or PolicySet > > There's no indication or guidance about how the version of the > document being posted is computed or identified.  Is this a minor revision, or is this bumping the revision from 1.0.0.123 to 1.5? My goal with the REST profile is simply to make existing PAP (and PDP) functionality available through a REST interface. I'd prefer it if we didn't introduce new functionality. IMO, if we are to define versioning of policies, then that should be done in the core spec (or a dedicated Versioning profile), not in the REST profile. I think that the policy supplied in the body must validate against the XACML policy schema (or else 400 Bad Request). This means that the Version attribute must be supplied by the client, and the version is opaque to the REST server. The server need only be able to tell whether versions are identical. If people agree with this position, then I'll document it in the profile. The core spec should define how versions are to be compared. Since it currently doesn't, as you mentioned earlier, I'm okay with temporarily adding some text about it in the REST profile, so that we can enable interoperability between different implementations of the profile. <<<<<<<<<<<< I understand and agree with not wanting to introduce new core functionality in the REST API. My concern is that if versions are a mandatory part of the XACML spec and every vendor must implement some sort of versioning semantics, how do we abstract the REST API so that a client can work with any conforming implementation but not know anything about how versioning is handled? From your reply to Craig on this topic, you suggest that the server be versioning agnostic and that the client dictate the versioning semantics. Hmm. I'll have to mull that one for a bit. I'll follow up on that thread. >>>>>>>>>>>> > Implementations may expose individual policies for reading via GET but > not support direct editing of that policy because that policy is a child element contained in a parent policyset. The parent policyset document can be identified by a link with an "enclosure" link relation. That doesn't seem to fit the definition of "enclosure": http://tools.ietf.org/html/rfc5988#page-13 How about "up"? http://tools.ietf.org/html/rfc5988#page-16 [...] > I'm not sure how to express in the linkrels that editing of the child policy must be done by POSTing the parent document. The way link relations work, is that the spec must define what operations a server accepts for the link relation and what they mean. The client must understand these semantics. <<<<<<<<< So, we could define our own linkrel "root" to indicate the root of the policy tree instead of trying to repurpose one of the well-known linkrels? -Danny


  • 13.  RE: REST Profile wd04

    Posted 05-23-2012 20:07
    Danny, >