OASIS eXtensible Access Control Markup Language (XACML) TC

[xacml] Fwd: Updated Schema Issues list

  • 1.  [xacml] Fwd: Updated Schema Issues list

    Posted 08-02-2002 01:03
    See attached mail message. Anne Anderson Anne.Anderson@Sun.COM Internet Security Research Group, Sun Labs Sun Microsystems, Inc., Burlington, MA ---  Begin Message  --- From : Anne Anderson <aha@ieee.org> To : Anne.Anderson@Sun.COM Date : Thu, 1 Aug 2002 20:48:41 -0400 () Title: XACML schema issues Author: Anne Anderson ISSUES: 34. [Michiharu] XPath Subset http://lists.oasis-open.org/archives/xacml/200207/msg00066.html http://lists.oasis-open.org/archives/xacml/200207/msg00162.html <AttributeSelector> is used to specify XPath expression in the <target> element. I am assuming that <AttributeDesignator> will be used for the expression without XPath. Four new (non-mandatory) functions are used to compare values. function:general-string-equal function:boolean function:node-equal function:xpath-match <XPathVersion> element in <Defaults> element is used to specify the version of the XPath expression used in the policy. Schema definition will be posted by Simon. CLOSED: we don't place any restrictions on XPath usage in XACML 1.0. We may give some typical XPath uses in the spec as informational. We may define a subset for 1.1 or later. 36. [Anne] attribute references and indeterminate results Long, verbose, religious, tedious thread starts with: http://lists.oasis-open.org/archives/xacml/200207/msg00071.html Subsidiary thread (pdp status element): http://lists.oasis-open.org/archives/xacml/200207/msg00140.html Some sub-issues and options Order of evaluation a. In what order MUST arguments be evaluated Implementation-dependent unless the function definition specifies an order. orderedOr and orderedAne are the only standard functions we have defined that specifies an order. b. MUST all arguments be evaluated? No, if a result can be returned without evaluating all. You could define a custom function that requires evaluating all arguments, but none of our standard functions does this. c. MAY all arguments be evaluated, even if not required to reach a function result? Yes, but can never change the overall result. Operational errors (e.g. divide by 0) and missing information (AttributeDesignator freturns empty set) a. Reporting of errors via the response obtained while evaluating a request by PDP: Reporting by PDP in the Response is optional. PDP MAY include error information in the Status element of the Response. PEP must not depend on the PDP supplying this information. b. Operational errors and missing information are handled as follows - Standard OR and ORDERED-OR implementation: Evaluate arguments in any order (or in specified order) IF (you receive an error or null AttributeDesignator result) { Go on to next argument evaluation unless all evaluated IF (you get at least one TRUE) { return TRUE } ELSE { return error (which may be a set of errors) } } ELSE IF (you get at least one TRUE) { return TRUE } ELSE { return FALSE } - Standard AND and ORDERED-AND implementation: Evaluate arguments in any order (or in specified order) IF (you receive an error) { Go on to next argument evaluation unless all evaluated IF (you get at least one FALSE) { return FALSE } ELSE { return error (which may be a set of errors) } } ELSE IF (you get at least one FALSE) { return FALSE } ELSE { return TRUE } - function:present: returns TRUE if argument is not empty set. Returns FALSE if argument is empty set. If evaluating argument results in an error, return error. - function:not returns TRUE if argument is FALSE, returns FALSE if argument is TRUE. If argument results in an error, return error. - Other standard functions: return "error" if any argument is an error or if an operational error in computing the function occurs. - Custom functions must behave like "Other standard functions" unless specific handling of errors is specified. c. What is Rule result if Condition evaluates to (exactly same as table in v15 of specification): - operational Error? INDETERMINATE(error=operational error) - "necessary information not available"? INDETERMINATE (error=missing information) - FALSE? NOT APPLICABLE - TRUE? PERMIT or DENY (as specified in rule's Effect) d. What is Rule result if Target evaluates to FALSE? NOT APPLICABLE e. Combining Algorithms must specify how PERMIT, DENY, INDETERMINATE, and NOT APPLICABLE are handled. Standard algorithms already do this. f. If operational errors are reported, how is the type of error reported? Reported via Status element in Response CLOSED: See decisions above. 37. [Michiharu] Use of XPath with namespaces. http://lists.oasis-open.org/archives/xacml/200207/msg00056.html Namespace URI functions and Global Name functions. Another option: namespace prefix in the XPATH expression, but this needs some assumptions on the target document. CLOSED: We will explain this in usage examples. 38. [Daniel] Split non-null-set-intersection function http://lists.oasis-open.org/archives/xacml/200207/msg00076.html [1)] [Tim] http://lists.oasis-open.org/archives/xacml/200207/msg00077.html Split non-null-set-intersection into intersection(xs:list, xs:list) - returning xs:list and not-empty(xs:list), returning boolean. [Michiharu] XPATH 2.0 does not use xs:list. xs:list is an awkward type to use. Recommend use of xs:list and functions that require it not be mandatory. XPATH 2.0 returns <sequence>, which may be empty. CLOSED: Daniel and Polar presented a collection of functions that operate on sequences. These were accepted. These functions include operations for intersection, etc. on sequences. 44. [Simon] Schema for advice/status in xacml:Response http://lists.oasis-open.org/archives/xacml/200207/msg00126.html CLOSED: Use Response schema in 16a, which replaces xacml:Advice with xacml:Status schema. XSLT that transforms xacml:Response into saml:AuthorizationDecisionResponse will translate certain xacml:Status values into saml:Advice elements. Status is allowed with any DecisionType value (Permit, Deny, Indeterminate, NotApplicable). Status element will be copied entirely into saml:Advice element. 45. [All] Can AttributeDesignator be simpler than XPATH? [Anne] http://lists.oasis-open.org/archives/xacml/200207/msg00095.html [Simon] http://lists.oasis-open.org/archives/xacml/200207/msg00130.html [Michiharu] http://lists.oasis-open.org/archives/xacml/200207/msg00131.html [Simon example] http://lists.oasis-open.org/archives/xacml/200207/msg00152.html CLOSED: Use Simon's proposal. This 1) flattens the Context, 2) includes AttributeSelector (not mandatory to implement) for when you want/need to use XPATH, and 3) includes AttributeDesignator (mandatory) for referencing XACML-defined elements of the Request context. Either XPATH or application-specific functions will be required for retrieving sub-components of an attribute or of the resource content. 46. [Anne] Replace saml:AssertionType with xacml:AssertionType http://lists.oasis-open.org/archives/xacml/200207/msg00097.html Error in mailing: "sequence" should be "choice". saml: Assertion currently referenced only in PolicySetType (as PolicyAssertion and PolicySetAssertion). Should also have a Policy[Set]Designator in this list. Note: we have no way in XACML syntax to refer to any elements an Assertion header. Only a Combining Algorithm could possibly refer to anything in an Assertion header. Options: 1. Extend saml:AssertionType to include element ref="xacml:PolicySetStatement" and element ref="xacml:PolicyStatement" 2. Define our own xacml:AssertionType. 3. Don't try to deal with assertions in XACML schema at all. Remove AssertionDesignator, PolicySetAssertion, and PolicyAssertion from xacml:PolicySetType. CLOSED: #3. 49. [Michiharu] Which regular expression definition to use? http://lists.oasis-open.org/archives/xacml/200207/msg00129.html [Anne] http://lists.oasis-open.org/archives/xacml/200204/msg00132.html Options: 1. Use definitions specified in XML Schema part 2: Datatypes, Appendix F Regular Expressions. 2. Basic regular expressions (BRE) as defined in POSIX specification 2: http://www.opengroup.org/onlinepubs/007908799/xbd/re.html#tag_007_003 3. Extended regular expressions (ERE) as defined in POSIX specification 2 (these add an "or" metacharacter so you can match on one of multiple separate regular expressions) http://www.opengroup.org/onlinepubs/007908799/xbd/re.html#tag_007_003 4. Use whatever J2SE supports. [Michiharu] Since Java 2 SDK 1.4 supports regular expression, I think it is sufficient while it is not XML Schema compliant. If people prefer regex that is XML Schema-compliant, Xerces (Apache XML Parser, free) supports this. CLOSED: #1. Xerces implementation is available in Java and C++. 52. [John Howard] Support OR in Target http://lists.oasis-open.org/archives/xacml-comment/200207/msg00000.html Supporting OR in Target, either explicitly or implicitly, would make merging Rule Targets by union to create Policy Target easier. E.g. <Rule ID=1> <Target> <Subjects>Category=CodeSource</Subjects> <Resources>Type=audio-file</Resources> </Target> </Rule> <Rule ID=2> <Target> <Subjects>Category=AccessSubject AND SubjectID=Anne</Subjects> <Resources>Type=video-file</Resources> </Target> </Rule> <Policy ID=3> <Target> <Subjects> <Subject> <SubjectMatch MatchId="function:X500Name-equals"> <SubjectAttributeDesignator AttributeID="SubjectID" SubjectCategory="AccessSubject"/> <AttributeValue DataType="X500Name"> cn=Polar </AttributeValue> </SubjectMatch> <SubjectMatch MatchId="function:string-equal"> <SubjectAttributeDesignator AttributeID="SubjectIDFormat" SubjectCategory="AccessSubject"/> <AttributeValue DataType="anyURI"> X500Name </AttributeValue> </SubjectMatch> </Subject> <Subject> <SubjectMatch MatchId="function:string-equal"> <SubjectAttributeDesignator AttributeID="SubjectID" SubjectCategory="CodeSource"/> <AttributeValue DataType="anyURI"> http://www.sun.com/javaClasses </AttributeValue> </SubjectMatch> </Subject> </Subjects> <Resources> <Resource>Type=audio-file</Resource> <Resource>Type=video-file</Resource> </Resources> </Target> <RuleSet> <Rule ID=1> <Rule ID=2> </RuleSet> </Policy> Semantics: <AND> ( <Subjects> <OR> ( <Subject>Category=AccessSubject AND SubjectID=Anne</Subject> <Subject>Category=CodeSource</Subject> </OR> ) </Subjects> <Resources> <OR> ( <Resource>Type=audio-file</Resource> <Resource>Type=video-file</Resource> </OR> ) </Resources> </AND> ) </Target> CLOSED: In Target, OR the separate Subject elements, AND the SubjectElements within a single Subject just like the separate Resource elements. Then do any AND'ing in the condition or in the Rule Target. Breakout session will verify. 55. [Anne] PDP response when no policies at all apply CLOSED: return NOTAPPLICABLE (Use a base policy with PolicyCombiner and Any-Targets if don't want this behavior). Change Response context to have NOTAPPLICABLE as a fourth possible DecisionType choice. 56. [Daniel] No-match cases in Rule truth table (Table 1) Are these correct? CLOSED: See #36. All correct. 57. [Simon] Should Rule Target be optional? Target is now optional in RuleType. When optional, it is equivalent to <anySubject>, <anyResource>, <anyAction>. CLOSED: Don't make Target optional unless intended Target of the Rule is exactly the Target of the enclosing Policy. 58. [Anne] Order schema definitions alphabetically? CLOSED: whatever. 59. [Hal] How to specify semantics of functions. Note: XPATH is designed to retrieve selected data. Our goal is to operate on the selected data. Options: 1. Cut and paste from XPATH 2.0: plus a. Distinguish between integer and decimal b. Divide by set of Attribute values is an error c. [Daniel has a list of other constraints needed] 2. Omit >2 multiple operands from XACML 3. Describe algorithm for extending XPATH 2.0 functions to >2 operands: Result[1]=Operand[1] For operands 1..m { Result[m+1]=Function(Result[m], Operand[m+1]) } Return Result[m+1] 4. Allow >2 operands only for AND, OR, equals- 5. Use higher-order logic CLOSED: Polar and Daniel produced proposal that was approved. Simon has updated schema accordingly (16d.xsd). Full text of proposal to be mailed out by Polar; following is just a summary. Daniel will still be producing detailed semantics for each function. Simon will be updating schema. Functions: integer-equals: take 2 arguments of type xs:integer *-equals functions: same, taking arguments of type * first: returns 1st element out of a sequence rest: returns sequence containing all elements from input sequence except first one length: takes sequence, number of elements in sequenced returned as xs:integer member-integer: takes integer-equals, a value of type xs:integer and a sequence of values of type xs:integer, and returns an xs:boolean subset-*: union-*: intersection-*: empty: takes sequence, returns xs:boolean <xs:complexType name="FunctionType"> <xs:choice minOccurs="0" maxOccurs="unbounded"> <xs:element ref="xacml:Function"/> <xs:element ref="xacml:AttributeValue"/> <xs:element ref="xacml:AttributeDesignator"/> </xs:choice> <xs:attribute name="FunctionId" type="xs:anyURI" use="required"/> <!-- legal types for operands and return type are defined in the function table --> </xs:complexType> <function FunctionId="member-integer"> <AtttributeValue DataType="xs:integer>1</AttributeValue> <SubjectAttributeDesignator DataType="xs:integer"> ... </SubjectAttributeDesignator> </function> <function FunctionId="integer-add"> <AtttributeValue DataType="xs:integer>1</AttributeValue> <AtttributeValue DataType="xs:integer>1</AttributeValue> </function> CLOSED: We agreed on the proposal presented by Daniel and Polar. Daniel still has an action item to define the semantics of each function, the data types of the arguments, and the data type returned. 60. [Simon] Keep Permit-overrides combining algorithms? Note: J2SE PolicyFile has these semantics. CLOSED: keep PermitOverrides. 61. [All] Dynamic attributes: how are they referenced and retrieved? Define a schema for the "static context"? This would be used for conveying cached attributes in the form of a Request Context between cooperating PDPs. CLOSED: Perhaps define such a schema for a later version of XACML. Dynamic attributes are referenced and retrieved through the "notional" XACML Request Context regardless of whether they are supplied by the PEP or retrieved from a PIP. 63. [Hal] Simplify AttributeDesignators within Target so not recursive? Target should be simple enough for a single LDAP retrieval to get the relevant policy, etc. CLOSED: no change. 64. Will this TC define a way for PolicyStatement or PolicySetStatement to be encapsulated in some sort of Assertion for transmission over the network. Define way for PolicySetStatement and PolicyStatement to be encapsulated in a saml:Assertion. Current schema supports this since PolicySetStatement and PolicyStatement extend saml:StatementAbstractType. Option: 1. Do not extend saml:StatementAbstractType in mandatory-to-implement XACML policy schema. Define an optional extension to saml that extends AssertionType with xacml:PolicySetStatement and xacml:PolicyStatement. Define non-mandatory XACML policy schema extension that defines these as extensions of saml:StatementAbstractType. CLOSED: #1. Following added July 31 during TC concall and subsequent discussions: 65. [Michiharu] Add Information element to policy schema [July 30, 2002 "[xacml] Information element in the policy schema"] I have a suggestion about the inclusion of <Information> element in the policy. When you extend the core algorithm by using a local algorithm, that algorithm may need to refer to some local information (e.g. precedence of the rule, specified in the policy) for making decision. But I think there is no place to specify such local information in the current policy schema. There is a <Description> element but I think it should be used for English text. So I would like to add <Information> element below <Rule>, <Obligation>, <PolicyStatement>, and <PolicySetStatement>. I am OK with other name if it has the similar meaning. For your information, new schema fragments are: <xs:element name="Information" type="xacml:InformationType"/> <xs:complexType name="InformationType"> <xs:sequence> <xs:any namespace="##any" processContents="lax" minOccurs="0" maxOccurs="unbounded"/> </xs:sequence> <xs:anyAttribute namespace="##any" processContents="lax"/> </xs:complexType> This element is then added to RuleType, ObligationType, PolicySetStatementType, and PolicyStatementType. Proposals: 1. Call it "CombiningAlgorithmParameters". 2. Make semantics "critical", must be understood 3. Say "implement via non-standard extension if you want it". 4. Implement as sequence of AttributeType elements (Attribute with ID, DataType and optional Issuer plus value) CLOSED: implement via non-standard extension if you want it. 66. [Michiharu] Set intersection function arguments Current intersection(xs:list, xs:list) and non-empty(xs:list) would deal only with white-space separated strings. If we want more complex datatypes for "set" arguments, more specification is needed. CLOSED: Daniel and Polar presented a proposal for a collection of functions that operate on sequences. These were accepted. 67. [Daniel] Enforcement of xacml:AttributeValueType xml DataType attribute outside functions Should we say anything about how enforcement of the DataType is done in AttributeValueType? Outside of Condition, e.g. in Information element, there is no function to enforce the type. CLOSED: Without #65 (Information element as sequence of AttributeType was only case where Attribute was used without a function). 68. [Michiharu] XPATH version information via Defaults Default element in Rule or PolicyStatement header can specify XPATH specification version, etc. rather than having to include this information in each element that uses an XPATH expression. CLOSED: Default for XACML 1.0 is XPATH 1.0. This is a default facet of AttributeSelector. If you want to use any other version of XPATH, you must specify this facet in each instance of AttributeSelector, or you must include a "PolicyDefaults" or "PolicySetDefaults" element. XPath version default is concrete instantiation of abstract defaults type. 69. Schema for OR and AND of Target Subjects and Resources CLOSED: Simon reviewed this portion of the new schema, and we approved. 70. Multiple policies match LDAP query Tim's LDAP profile requires that no more than one policy in the database will match a given Request context. Do we want to deal with this via required base PolicyCombiningAlgorithm? Otherwise we assume we have one all knowing PAP for each PDP. Implication: Can we implement the PRP as a dynamic entity that "constructs" a base PolicySet on the fly based on the information in the Request context. DEFER: to post 1.0 along with #71. 71. Does XACML need to specify an LDAP Data model? NO: Complex processing; updates hard; matching functions tricky to "invert"; not all implementations will want to do it this way. YES: PDP can interact with any XACML-LDAP-Profile-compliant PAP to retrieve policies. DEFER: to post 1.0; identify as a "hot" interoperability topic. 72. [Simon] Does XACML need to specify how to retrieve Attributes using DSML Included in Simon's "Attributes and AttributeDesignators". Note: in DSML, never have structured values. They are all string, binary, or URI. CLOSED: If you want to use DSML, use "urn:oasis:names:tc:DSML:2:0:core:attr:<DSML attribute name>" as the XACML AttributeId. Map dsml:value elements to xacml:AttributeValue elements if what you get back is multi-valued. Put this into a normative, but non-mandatory "DSML Profile for XACML" in our specification. 73. [Simon] What is an AttributeDesignator? CLOSED: Anne and Simon wrote up examples and posted them to the list. 74. [Anne] Attribute identifiers for Context Attributes that were elements CLOSED: updated list of identifiers includes all these. 75. [Polar] New combining algorithms CLOSED: Add "First Determinate Decision Rule Combining Algorithm". Fixed up "Deny Overrides" description. ---  End Message  ---