OASIS eXtensible Access Control Markup Language (XACML) TC

Expand all | Collapse all

New Issue#83: CORE ERRATA: error in 7.15.3 Missing attributes

  • 1.  New Issue#83: CORE ERRATA: error in 7.15.3 Missing attributes

    Posted 06-12-2007 17:54
    Section 7.15.3 says that the absence of matching attributes referenced 
    "in the policy" "SHALL result" in a decision of "Indeterminate". This is 
    INCORRECT. Unless an AttributeDesignator or AttributeSelector contains 
    the "MustBePresent" XML attribute, it will evaluate to an empty bag if 
    its referenced Attribute is not present in the Request Context. An empty 
    bag does not necessarily result in "Indeterminate" - you have to look at 
    the definition and use context of each XACML function to determine how 
    it deals with an empty bag. For some functions, such as "type-bag-size", 
    "type-is-in", "type-intersection", an empty bag is a normal input to the 
    function. Also, in the Target element MatchId functions, an empty bag 
    parameter results in "NotApplicable" rather than "Indeterminate".
    
    I stumbled across this in checking a claim by one of the interop 
    participants that "the definition of Indeterminate seems to be ambiguous".
    
    Regards,
    Anne
    -- 
    Anne H. Anderson             Email: Anne.Anderson@Sun.COM
    Sun Microsystems Laboratories
    1 Network Drive,UBUR02-311     Tel: 781/442-0928
    Burlington, MA 01803-0902 USA  Fax: 781/442-1692
    


  • 2.  Re: [xacml] New Issue#83: CORE ERRATA: error in 7.15.3 Missing attributes

    Posted 06-28-2007 08:01
    I am correcting this in 3.0 and the errata. I changed it to "may result"
    since it is not certain the end result will be indeterminate. There
    could be another policy which works and is selected by the policy
    combining algorithm. I also added "if the designator or selector has the
    MustBePresent XML attribute set to true", to not confuse with empty bags.
    
    While looking into this I think I have found another minor error. In
    section 5.42 it says:
    
    ---
    
    If the node selected by the specified XPath expression is not one of
    those listed above (i.e. a text node, an attribute node, a processing
    instruction node or a comment node), then the result of the enclosing
    */policy/* SHALL be "Indeterminate" with a StatusCode value of
    "urn:oasis:names:tc:xacml:1.0:status:syntax-error".
    
    ---
    
    I think this is incorrect. It should be that the value of the attribute
    selector element is indeterminate, not the enclosing policy. The value
    of the policy (or rule actually) would depend on the combining
    algorithm, which could find another policy which it prefers.
    
    Do you agree with me?
    
    Regards,
    Erik
    
    
    Anne Anderson - Sun Microsystems wrote:
    > Section 7.15.3 says that the absence of matching attributes referenced
    > "in the policy" "SHALL result" in a decision of "Indeterminate". This
    > is INCORRECT. Unless an AttributeDesignator or AttributeSelector
    > contains the "MustBePresent" XML attribute, it will evaluate to an
    > empty bag if its referenced Attribute is not present in the Request
    > Context. An empty bag does not necessarily result in "Indeterminate" -
    > you have to look at the definition and use context of each XACML
    > function to determine how it deals with an empty bag. For some
    > functions, such as "type-bag-size", "type-is-in", "type-intersection",
    > an empty bag is a normal input to the function. Also, in the Target
    > element MatchId functions, an empty bag parameter results in
    > "NotApplicable" rather than "Indeterminate".
    >
    > I stumbled across this in checking a claim by one of the interop
    > participants that "the definition of Indeterminate seems to be
    > ambiguous".
    >
    > Regards,
    > Anne
    
    


  • 3.  Re: [xacml] New Issue#83: CORE ERRATA: error in 7.15.3 Missingattributes

    Posted 06-28-2007 12:27
    Hi Erik.
    
    > If the node selected by the specified XPath expression is not one of
    > those listed above [...] the result of the enclosing */policy/*  
    > SHALL be "Indeterminate"
    >
    > I think this is incorrect. It should be that the value of the  
    > attribute
    > selector element is indeterminate, not the enclosing policy. The value
    > of the policy (or rule actually) would depend on the combining
    > algorithm, which could find another policy which it prefers.
    
    That sounds right to me.
    
    
    seth
    


  • 4.  Re: [xacml] New Issue#83: CORE ERRATA: error in 7.15.3 Missingattributes

    Posted 06-28-2007 12:46
    I concur with both of these.
    
    Anne
    
    Erik Rissanen wrote:
    > I am correcting this in 3.0 and the errata. I changed it to "may result"
    > since it is not certain the end result will be indeterminate. There
    > could be another policy which works and is selected by the policy
    > combining algorithm. I also added "if the designator or selector has the
    > MustBePresent XML attribute set to true", to not confuse with empty bags.
    > 
    > While looking into this I think I have found another minor error. In
    > section 5.42 it says:
    > 
    > ---
    > 
    > If the node selected by the specified XPath expression is not one of
    > those listed above (i.e. a text node, an attribute node, a processing
    > instruction node or a comment node), then the result of the enclosing
    > */policy/* SHALL be "Indeterminate" with a StatusCode value of
    > "urn:oasis:names:tc:xacml:1.0:status:syntax-error".
    > 
    > ---
    > 
    > I think this is incorrect. It should be that the value of the attribute
    > selector element is indeterminate, not the enclosing policy. The value
    > of the policy (or rule actually) would depend on the combining
    > algorithm, which could find another policy which it prefers.
    > 
    > Do you agree with me?
    > 
    > Regards,
    > Erik
    > 
    > 
    > Anne Anderson - Sun Microsystems wrote:
    > 
    >>Section 7.15.3 says that the absence of matching attributes referenced
    >>"in the policy" "SHALL result" in a decision of "Indeterminate". This
    >>is INCORRECT. Unless an AttributeDesignator or AttributeSelector
    >>contains the "MustBePresent" XML attribute, it will evaluate to an
    >>empty bag if its referenced Attribute is not present in the Request
    >>Context. An empty bag does not necessarily result in "Indeterminate" -
    >>you have to look at the definition and use context of each XACML
    >>function to determine how it deals with an empty bag. For some
    >>functions, such as "type-bag-size", "type-is-in", "type-intersection",
    >>an empty bag is a normal input to the function. Also, in the Target
    >>element MatchId functions, an empty bag parameter results in
    >>"NotApplicable" rather than "Indeterminate".
    >>
    >>I stumbled across this in checking a claim by one of the interop
    >>participants that "the definition of Indeterminate seems to be
    >>ambiguous".
    >>
    >>Regards,
    >>Anne
    > 
    > 
    
    -- 
    Anne H. Anderson, Sun Microsystems Laboratories
    1 Network Drive,UBUR02-311, Burlington, MA 01803-0902 USA
    Tel: 781/442-0928  Fax: 781/442-1692
    Email: Anne.Anderson@Sun.COM until mid-August 2007
    Email: Anne.Anderson@alum.swarthmore.edu after mid-August 2007
    


  • 5.  Re: [xacml] New Issue#83: CORE ERRATA: error in 7.15.3 Missing attributes

    Posted 06-28-2007 15:09
    
    
      
    
    
    Hi Erik,

    Possibly my reply to this question got overlooked because it was in
    response to the original context where the issue came up:

        http://www.oasis-open.org/archives/xacml-demo-tech/200706/msg00084.html

    however, in any event my reply there was this:

    "" ... I (Rich) noticed when reading section 7.15.3 lines 3593-3595, it says "... SHALL result ... 'Indeterminate' ... as described in Sections 5.37 and 5.42". In both these sections there a description of the Optional "MustBePresent" attribute, which explicitly says "This attribute governs whether the element returns 'Indeterminate' or an empty bag ...". My interpretation of these statements together is that they appear to support what Anne says is intended, so possibly there is not an issue there after all? ""

    I am concerned that simply replacing "SHALL" with "MAY" is going to confuse readers
    unless there is additional context explaining why.

    Also, I think that bringing in the issue of the policy-combining algorithm is not
    an appropriate context, since I think it is pretty clear that when we are talking
    about the what the AttributeSelector element or the SubjectAttributeDesignor
    element returns (as stated in 5.37, 5.42) not what the ultimate policy decision is.

    I have no stake in the original wording of these conditions, however, I find that
    what is there now upon scrutiny is pretty clear to me, at least, and that the
    change as proposed is going to make things more confusing. I would support
    clarifying text in section 7.15.3 so that one doesn't have to hunt down
    5.37 and 5.42 in order to understand what is going on.

        Thanks,
        Rich



    Erik Rissanen wrote:
    I am correcting this in 3.0 and the errata. I changed it to "may result"
    since it is not certain the end result will be indeterminate. There
    could be another policy which works and is selected by the policy
    combining algorithm. I also added "if the designator or selector has the
    MustBePresent XML attribute set to true", to not confuse with empty bags.
    
    While looking into this I think I have found another minor error. In
    section 5.42 it says:
    
    ---
    
    If the node selected by the specified XPath expression is not one of
    those listed above (i.e. a text node, an attribute node, a processing
    instruction node or a comment node), then the result of the enclosing
    */policy/* SHALL be "Indeterminate" with a StatusCode value of
    "urn:oasis:names:tc:xacml:1.0:status:syntax-error".
    
    ---
    
    I think this is incorrect. It should be that the value of the attribute
    selector element is indeterminate, not the enclosing policy. The value
    of the policy (or rule actually) would depend on the combining
    algorithm, which could find another policy which it prefers.
    
    Do you agree with me?
    
    Regards,
    Erik
    
    
    Anne Anderson - Sun Microsystems wrote:
      
    Section 7.15.3 says that the absence of matching attributes referenced
    "in the policy" "SHALL result" in a decision of "Indeterminate". This
    is INCORRECT. Unless an AttributeDesignator or AttributeSelector
    contains the "MustBePresent" XML attribute, it will evaluate to an
    empty bag if its referenced Attribute is not present in the Request
    Context. An empty bag does not necessarily result in "Indeterminate" -
    you have to look at the definition and use context of each XACML
    function to determine how it deals with an empty bag. For some
    functions, such as "type-bag-size", "type-is-in", "type-intersection",
    an empty bag is a normal input to the function. Also, in the Target
    element MatchId functions, an empty bag parameter results in
    "NotApplicable" rather than "Indeterminate".
    
    I stumbled across this in checking a claim by one of the interop
    participants that "the definition of Indeterminate seems to be
    ambiguous".
    
    Regards,
    Anne
        
    
      


  • 6.  Re: [xacml] New Issue#83: CORE ERRATA: error in 7.15.3 Missing attributes

    Posted 06-29-2007 08:21
    Hi Rich,
    
    Here is the full text as it is currently on my hard drive for the next
    draft:
    
    ---8<---
    
    The absence of matching attributes in the request context for any of the
    attribute designators or selectors that are found in the policy may
    result in a 


  • 7.  Re: [xacml] New Issue#83: CORE ERRATA: error in 7.15.3 Missing attributes

    Posted 07-03-2007 02:33
    
    
      
    
    
    Hi Erik,

    I have done a preliminary analysis of the issue at hand and am finding it
    to be fairly complex, although maybe it needs a review so we can get
    it clear once and for all.

    I have partially analyzed the situation and included the results of the
    partial analysis in the modified paragraph below, which is obviously
    incomplete. However, before going thru all the details, I would at
    least like to find out if there is agreement on how interpreted things
    this far. In addition to what's there, if there is agreement on the approach
    I think the whole paragraph needs to be reordered so as to relate to the
    scopes where missing attributes apply and the possible outcomes of their
    evaluating to "Indeterminate" in those scopes.

    Here is a preliminary recommended modification to the paragraph you provided:

    The absence of matching attributes in the request context for any of the
    attribute designators or attribute selectors that are found in the policy 
    will result in an enclosing Subject, Resource, Action, or Environment
    element to return a value of "Indeterminate", if
    the designator or selector has the MustBePresent XML attribute set to
    true, as described in Sections 5.37 and 5.42,
    and may result in a <Decision> element containing the "Indeterminate" value.  
    If, in this case, and a
    status code is supplied, then the value
    
    <.... no more changes ....>
    
    
    I am slightly concerned we are opening a Pandora's box here, however,
    it is probably not a bad idea to review the current logic in the core spec,
    and in the aftermath of the XACML Interop this may not be a bad time
    to do it.

    In particular, I think we need a clear definition of the scope of return values.
    We have the following hierarchy of elements, in general:

        PolicySet
           Target
           Policy
              Target
              Rule
                 Target
                 Condition

    First, consider Target evaluation, section 7.6. It says "If any one of the subjects,
    resources, actions, and environments specified in the target are "Indeterminate",
    then the target SHALL be "Indeterminate".

    Now, let's see if we can determine what will cause any of the subjects, resources,
    actions, or environments to return "Indeterminate". According to sections 5.7 Subject,
    5.10 Resource, 5.13 Action, and 5.16 Environment, "The <*> element shall contain
    a conjunctive sequence of <*Match> elements."

    The above statement implies to me that if any <*Match> in the above elements, returns
    "Indeterminate" then the whole element (Subject, Resource, Action, Environment)
    will return "Indeterminate".

    Unfortunately, the <*Match> elements in sections 5.* do not say under what conditions
    they return what.

    However, section 7.5 appears to cover this. In particular, lines 3392-3407. However,
    I am finding those lines difficult to mentally parse. First it says "If an operational error ...
    then the entire expression SHALL be 'Indeterminate'." This sounds like it covers the
    missing attribute case, but I am not 100% sure of that, because, while a "missing
    attribute" (with a MustBePresent) will return an "Indeterminate", I am not sure that a
    missing attribute is considered to be an "operational error".

    However, for the sake of discussion, let's say the missing attribute w MustBePresent
    based on the above logic implies that the parent element (Subject, Resource, Action,
    Environment) will return "Indeterminate".

    Now that puts us up at the collective parent elements (Subjects, Resources, Actions,
    Environments), which are disjunctive matches.

    Presumably, these elements are the source of the "may" since if there are multiple
    children, and one returns "Indeterminate", but another returns Match then the
    final value is "Match", ex Table 2, line 3443, Subjects match table.

        Thanks,
        Rich




    Erik Rissanen wrote:
    Hi Rich,
    
    Here is the full text as it is currently on my hard drive for the next
    draft:
    
    ---8<---
    
    The absence of matching attributes in the request context for any of the
    attribute designators or selectors that are found in the policy may
    result in a <Decision> element containing the "Indeterminate" value if
    the designator or selector has the MustBePresent XML attribute set to
    true, as described in Sections 5.37 and 5.42.  If, in this case, and a
    status code is supplied, then the value
    
    <.... no more changes ....>
    ---8<---
    
    Note that I write "may", not "MAY", although this might still be
    confusing. And I am not saying anything about combining algorithms. That
    was just discussion on the list to motivate the "may" in this sentence.
    
    My interpretation of this section is that it is not intended to define
    that an Indeterminate is to be returned. This is already done in
    sections 5.37 and 5.42. Rather, this section is about defining the error
    code in case of an Indeterminate. (But perhaps it would be better to put
    the error code definition in those sections as well.)
    
    I think the text is correct and quite clear as it is now. The problem
    with it previously was that it incorrectly implied that missing
    attributes always result in Indeterminate.
    
    Rich, if you think it can still be improved, can you suggest an improved
    text?
    
    Regards,
    Erik
    
    Rich Levinson wrote:
      
    Hi Erik,
    
    Possibly my reply to this question got overlooked because it was in
    response to the original context where the issue came up:
    
       
    http://www.oasis-open.org/archives/xacml-demo-tech/200706/msg00084.html
    
    however, in any event my reply there was this:
    
    "" ... I (Rich) noticed when reading section 7.15.3 lines 3593-3595,
    it says "... SHALL result ... 'Indeterminate' ... as described in
    Sections 5.37 and 5.42". In both these sections there a description of
    the Optional "MustBePresent" attribute, which explicitly says "This
    attribute governs whether the element returns 'Indeterminate' or an
    empty bag ...". My interpretation of these statements together is that
    they appear to support what Anne says is intended, so possibly there
    is not an issue there after all? ""
    
    I am concerned that simply replacing "SHALL" with "MAY" is going to
    confuse readers
    unless there is additional context explaining why.
    
    Also, I think that bringing in the issue of the policy-combining
    algorithm is not
    an appropriate context, since I think it is pretty clear that when we
    are talking
    about the what the AttributeSelector element or the
    SubjectAttributeDesignor
    element returns (as stated in 5.37, 5.42) not what the ultimate policy
    decision is.
    
    I have no stake in the original wording of these conditions, however,
    I find that
    what is there now upon scrutiny is pretty clear to me, at least, and
    that the
    change as proposed is going to make things more confusing. I would support
    clarifying text in section 7.15.3 so that one doesn't have to hunt down
    5.37 and 5.42 in order to understand what is going on.
    
        Thanks,
        Rich
    
    
    
    Erik Rissanen wrote:
        
    I am correcting this in 3.0 and the errata. I changed it to "may result"
    since it is not certain the end result will be indeterminate. There
    could be another policy which works and is selected by the policy
    combining algorithm. I also added "if the designator or selector has the
    MustBePresent XML attribute set to true", to not confuse with empty bags.
    
    While looking into this I think I have found another minor error. In
    section 5.42 it says:
    
    ---
    
    If the node selected by the specified XPath expression is not one of
    those listed above (i.e. a text node, an attribute node, a processing
    instruction node or a comment node), then the result of the enclosing
    */policy/* SHALL be "Indeterminate" with a StatusCode value of
    "urn:oasis:names:tc:xacml:1.0:status:syntax-error".
    
    ---
    
    I think this is incorrect. It should be that the value of the attribute
    selector element is indeterminate, not the enclosing policy. The value
    of the policy (or rule actually) would depend on the combining
    algorithm, which could find another policy which it prefers.
    
    Do you agree with me?
    
    Regards,
    Erik
    
    
    Anne Anderson - Sun Microsystems wrote:
      
          
    Section 7.15.3 says that the absence of matching attributes referenced
    "in the policy" "SHALL result" in a decision of "Indeterminate". This
    is INCORRECT. Unless an AttributeDesignator or AttributeSelector
    contains the "MustBePresent" XML attribute, it will evaluate to an
    empty bag if its referenced Attribute is not present in the Request
    Context. An empty bag does not necessarily result in "Indeterminate" -
    you have to look at the definition and use context of each XACML
    function to determine how it deals with an empty bag. For some
    functions, such as "type-bag-size", "type-is-in", "type-intersection",
    an empty bag is a normal input to the function. Also, in the Target
    element MatchId functions, an empty bag parameter results in
    "NotApplicable" rather than "Indeterminate".
    
    I stumbled across this in checking a claim by one of the interop
    participants that "the definition of Indeterminate seems to be
    ambiguous".
    
    Regards,
    Anne
        
            
      
          
    
      


  • 8.  Re: [xacml] New Issue#83: CORE ERRATA: error in 7.15.3 Missing attributes

    Posted 07-03-2007 13:42
    Hi Rich,
    
    And thanks for the thorough reading of the spec.
    
    It seems that the definition of the returning of Indeterminate values is
    scattered around the spec in a somewhat inconsistent manner, although I
    don't think this is a major issue. It's probably mostly obvious what
    should happen in each case. We should go through the text and check that
    the behavior is specified in all places.
    
    Regarding you last paragraph below, there are multiple sources of the
    "may". There are disjunctive expressions of many kinds that could be
    present, such as the parts of the target hierarchy, an logical "or"
    function and some combining algorithms.
    
    I think the text you wrote is a bit easier to read, so I will adopt it
    in the copy I am editing.
    
    Regards,
    Erik
    
    Rich Levinson wrote:
    > Hi Erik,
    >
    > I have done a preliminary analysis of the issue at hand and am finding it
    > to be fairly complex, although maybe it needs a review so we can get
    > it clear once and for all.
    >
    > I have partially analyzed the situation and included the results of the
    > partial analysis in the modified paragraph below, which is obviously
    > incomplete. However, before going thru all the details, I would at
    > least like to find out if there is agreement on how interpreted things
    > this far. In addition to what's there, if there is agreement on the
    > approach
    > I think the whole paragraph needs to be reordered so as to relate to the
    > scopes where missing attributes apply and the possible outcomes of their
    > evaluating to "Indeterminate" in those scopes.
    >
    > Here is a preliminary recommended modification to the paragraph you
    > provided:
    >
    > The absence of matching attributes in the request context for any of the
    > attribute designators or *attribute *selectors that are found in the policy 
    > *will result in an enclosing Subject, Resource, Action, or Environment
    > element to return a value of "Indeterminate", *if
    > the designator or selector has the MustBePresent XML attribute set to
    > true, as described in Sections 5.37 and 5.42,
    > *and* may result in a 


  • 9.  Re: [xacml] New Issue#83: CORE ERRATA: error in 7.15.3 Missingattributes

    Posted 07-03-2007 15:29
    Rich and Erik (and others),
    
    Here is a first pass at a formal description of the situations under 
    which a 


  • 10.  Re: [xacml] New Issue#83: CORE ERRATA: error in 7.15.3 Missing attributes

    Posted 07-03-2007 19:20
    Hi Anne,
    
    Just looked this over and I think it is exactly what we need. In particular,
    when we make statements, such as the one we are wrestling with in
    section 7.15.3, then we can refer to the appropriate level of this structure
    you have proposed, which will remove all the ambiguities.
    
    One thing I noticed, that may be covered if I understand how to read it,
    the 3 "Target", "Target All", "Target Any" statements should address what
    I had been trying to say about the "may" being introduced when the
    "Target Any" was encountered at the top level elements Subjects,
    Resources, etc.
    
    Also, in this regard, the top level Target children, I think are a 
    "Target All",
    at least as far as the children that are included: Subjects, etc.
    
    Bottom line is I think if people can see this hierarchy of elements and the
    way the return values are passed, it will help in the understanding of how
    the policies actually work.
    
        Thanks,
        Rich
    
    
    Anne Anderson - Sun Microsystems wrote:
    > Rich and Erik (and others),
    >
    > Here is a first pass at a formal description of the situations under 
    > which a 


  • 11.  Re: [xacml] New Issue#83: CORE ERRATA: error in 7.15.3 Missing attributes

    Posted 07-04-2007 10:47
    Hi Rich and Anne (and everyone else),
    
    As far as I can tell all of this is already fully covered by the current
    text in section 7, Functional requirements (XACML 2.0). This section
    goes through every part of XACML and specifies how each part is
    evaluated, including when they return Indeterminate. I would not like to
    change the current text as I think it is clear and correct. (Let me know
    if there is a particular section in which I didn't notice an error or if
    something is missing.)
    
    Where the text could be improved is in the specification of the status
    codes. Currently they are specified in a separate section 7.15, which,
    as Rich pointed out was worded in a confusing way, so it seemed it tried
    to define the conditions under which Indeterminate occurs in an
    incorrect manner.
    
    It would be better to specify status codes at each point in section 7
    where an Indeterminate result is defined.
    
    Another issue is that if a policy contains multiple errors, there might
    be a conflict in the specification on which particular status code must
    be returned. I think resolving this is best left to be implementation
    specific, since a typical implementation would stop at the first error
    it notices in any case. But it might be a good idea to say this in the
    spec as well.
    
    Regards,
    Erik
    
    Rich Levinson wrote:
    > Hi Anne,
    >
    > Just looked this over and I think it is exactly what we need. In
    > particular,
    > when we make statements, such as the one we are wrestling with in
    > section 7.15.3, then we can refer to the appropriate level of this
    > structure
    > you have proposed, which will remove all the ambiguities.
    >
    > One thing I noticed, that may be covered if I understand how to read it,
    > the 3 "Target", "Target All", "Target Any" statements should address what
    > I had been trying to say about the "may" being introduced when the
    > "Target Any" was encountered at the top level elements Subjects,
    > Resources, etc.
    >
    > Also, in this regard, the top level Target children, I think are a
    > "Target All",
    > at least as far as the children that are included: Subjects, etc.
    >
    > Bottom line is I think if people can see this hierarchy of elements
    > and the
    > way the return values are passed, it will help in the understanding of
    > how
    > the policies actually work.
    >
    >    Thanks,
    >    Rich
    >
    >
    > Anne Anderson - Sun Microsystems wrote:
    >> Rich and Erik (and others),
    >>
    >> Here is a first pass at a formal description of the situations under
    >> which a