Issue 1765: Credentials.set_privileges() (sec-rev)

Source: (, )
Nature: Clarification
Severity: Significant
Summary: The documentation states that the force_commit parameter given the value of false will cause the privileges to be set at a later time. If so, what does the out parameter "actual_privileges" return? Is this valid only if force_commit was true and successful? Also, boolean states a return value. I believe this should be void, and state that exceptions will be raised with reasons for failure.

Resolution: Close Issue 1765: set_privileges

Revised Text: Close Issue 1765: set_privileges with the following modifications:

Figure 15-32 on Page 15-61: Change "set_privileges" to "set_attributes".

Eliminate Paragraph 328 and its bullet, as we can no longer "set a wider range of attributes" on a credentials object.

Para 345 on page 15-65: Change "set_privileges" to "set_attributes".

Para 347 and 348 on page 15-66: Change "set_privileges" to "set_attributes". (Editorial: Change "Credential" to "Credentials" while we are at it).

Page 15-95 to Page 15-96: Replace entire section on set_privileges [para. 495] including the NOTE with the following section [ Thank you Andre! ]:

set_attributes

This operation is used to set all the attributes for a Credentials object. The operation set_attributes is used with get_attributes to constrain the attributes associated with a Credentials object. Some attributes may be tightly bound to the Credentials object based on the underlying mechanism. If the mechanism supports it, setting those attributes may cause mechanism specific communication with a credentialing party. If the operation fails because the mechanism underlying the Credentials object does not support modifying the attributes, CORBA::BAD_OPERATION is raised.

Page 15-96: Remove the note

Page 15-96: Add:

    boolean set_attributes (
        in Security::AttributeList requested_attributes,
        out Security::AttributeList actual_attributes
    );

Parameters

requested_attributes
    The complete attribute list to be associated with the Credentials object. Only attributes in the requested_attributes parameter will be associated with the Credentials object upon successful completion of the operation. Passing an empty list means that all attributes that can be removed will be removed.

actual_attributes
    The list of attributes actually associated with the Credentials object after attempting to set the requested attributes. This list is equivalent to the result obtained if get_attributes were called with an empty list as its parameter immediately after calling set_attributes.

Return Value

TRUE
    Indicates that requested_attributes and actual_attributes are the same length and have the same values (all requested attributes were accepted).

FALSE
    Indicates that one or more of the requested_attributes could not be removed.

Page 15-102 [522]: Change Credentials::set_privileges to Credentials::set_attributes

Appendix A: In IDL replace set_privileges definition with:

    boolean set_attributes (
        in Security::AttributeList requested_attributes,
        out Security::AttributeList actual_attributes
    );

Page 15-385 [1832]: Change "(see the set_privileges..." to "(see the set_attributes..."

Actions taken:
August 2, 1998: received issue
April 20, 1999: closed issue

Discussion:

End of Annotations:=====

Return-Path:
Date: Sun, 2 Aug 1998 18:05:09 -0400
From: www
To: juergen@omg.org, web-incoming@omg.org
Subject: WWW Form output

Name: Polar Humenn
Company: Adiron, LLC
Email: polar@adiron.com
Notification: Yes
Specification: Services (Security)
Section: 15.7.2.3
Formal #: who-knows
Version: CORBAsec v1.2 Draft
Revision_Date: 5 jan 1998
Page: 15-91
Nature: Clarification
Severity: Significant
full_desc: Credentials.set_privileges()

The documentation states that the force_commit parameter given the value of false will cause the privileges to be set at a later time. If so, what does the out parameter "actual_privileges" return? Is this valid only if force_commit was true and successful? Also, boolean states a return value. I believe this should be void, and state that exceptions will be raised with reasons for failure.

submit: Submit Issue Report

From: "Andre Srinivasan"
Date: Tue, 23 Mar 1999 06:04:00 -0800 (PST)
To: sec-rev@omg.org, issues@omg.org
Subject: Security Issue 1765: Proposal
Reply-To: andre@inprise.com

During the RTF meeting, we agreed that the force_commit parameter to Credentials::set_privileges generated problems and confusion. While the intent, to defer going out to a trusted third party until the credential is actually going to be used, is a good one, the resulting indeterminate state of the credentials object is not a good thing.

The fact that the operation is called set_privileges rather than set_attributes is misleading as well. The operation, as documented, only applies to privilege attributes, but this would limit the changes to attributes in extensible family 1 (family definer 0). The operation is therefore not applicable to attributes in vendor defined families. Furthermore, if you follow the current definition, you are able to change the AccessId but not the AuditId.

As I was going through the changes required, I came across an interesting overload within the set_privilege/set_attributes operation. Apparently the role attribute can be used to infer other attribute changes (by way of an 'attribute set reference'). I am removing this from the spec as part of the changes since we don't have any way to support this idea in the rest of the spec.

I also removed the ability to set 'default attributes'. If there are defaults, they are represented by policies. Setting default attributes should consist of collecting those policies into an attribute list and calling set_attributes.

Spec changes:

p. 61 [327]: In the figure, change set_privileges to set_attributes.

p. 61 [328]: Change the paragraph

    set_attributes to set attributes in the credentials. The system will reject an attempt to set attributes if the calling principal is not entitled to one or more of the requested attributes. There may be additional restrictions on which attributes may be claimed if the caller is an intermediate in a delegated call chain attempting to set attributes on delegated Credentials.

p. 65 [345], p. 66 [347], p. 66 [348]: Change Credentials::set_privileges to Credentials::set_attributes.

p. 95 [495]

set_attributes

This is used to request a set of attributes (such as role, groups), updating the state of the supplied Credentials object. Some attributes may be tightly bound to the Credentials object based on the underlying mechanism. If the mechanism supports it, setting those attributes may cause the mechanism credential to be recreated, perhaps by way of communication with a credentialing party. If the operation fails because the mechanism underlying the Credentials object does not support modifying the attributes, CORBA::BAD_OPERATION is raised.

p. 96: Remove the note

p. 96:

    boolean set_attributes (
        in Security::AttributeList requested_attributes,
        out Security::AttributeList actual_attributes
    );

Parameters

requested_attributes
    The list of attribute values to be associated with the Credentials object.

actual_attributes
    The list of attribute values actually associated with the Credentials object. This list may be a subset of the requested attributes, including empty.

Return Value

TRUE
    Indicates that requested_attributes and actual_attributes are the same length and have the same contents (all requested attributes were accepted).

FALSE
    Indicates that actual_attributes is a subset (possibly an empty list) of requested_attributes.

p. 102 [522]: Change Credentials::set_privileges to Credentials::set_attributes

Appendix A:

    boolean set_attributes (
        in Security::AttributeList requested_attributes,
        out Security::AttributeList actual_attributes
    );

p. 385 [1832]: Change "(see the set_privileges..." to "(see the set_attributes...")

To: sec-rev@omg.org
Cc: issues@omg.org
Subject: Re: Security Issue 1765: Proposal
References: <14071.40784.501086.399834@ahi.visigenic.com>
X-Disclaimer: These are my statements and opinions. Mine Mine Mine Mine.
X-Disclaimer: To assume or infer that these statements represent
X-Disclaimer: Inprise Corporation would be, without a doubt, your error.
From: "Andre Srinivasan"
Date: 23 Mar 1999 17:01:45 -0800
Lines: 74

I'm modifying my own proposal...the problem was that you really can't use set_attributes to modify only some of the attributes; you need to set the entire list.

p. 95 [495]

set_attributes

This is used to set all the attributes for a Credentials object. Usually, set_attributes will be used with get_attributes to constrain the attributes associated with a Credentials object. Some attributes may be tightly bound to the Credentials object based on the underlying mechanism.
If the mechanism supports it, setting those attributes may cause the mechanism specific parts of the credential to be recreated, perhaps by way of communication with a credentialing party. If the operation fails because the mechanism underlying the Credentials object does not support modifying the attributes, CORBA::BAD_OPERATION is raised.

p. 96: Remove the note

p. 96:

    boolean set_attributes (
        in Security::AttributeList requested_attributes,
        out Security::AttributeList actual_attributes
    );

Parameters

requested_attributes
    The complete attribute list to be associated with the Credentials object. Only attributes in the requested_attributes parameter will be associated with the Credentials object upon successful completion of the operation. Passing an empty list means that all attributes should be removed.

actual_attributes
    The list of attribute values actually associated with the Credentials object after attempting to set the requested attributes. This list is equivalent to the result obtained if get_attributes were called with an empty list as its parameter immediately after calling set_attributes.

Return Value

TRUE
    Indicates that requested_attributes and actual_attributes are the same length and have the same values (all requested attributes were accepted).

FALSE
    Indicates that one or more of the requested_attributes could not be set (or removed) from the attribute associated with the Credentials object.

p. 102 [522]: Change Credentials::set_privileges to Credentials::set_attributes

Appendix A:

    boolean set_attributes (
        in Security::AttributeList requested_attributes,
        out Security::AttributeList all_attributes
    );

p. 385 [1832]: Change "(see the set_privileges..." to "(see the set_attributes...")
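
The caller-side pattern the final text describes (get_attributes, then set_attributes with the complete reduced list, then a check of the boolean result and actual_attributes), as an added Python sketch that is not part of the issue record, the specification or any ORB. The Credentials class, the bound/entitled sets, the (type, value) tuples and the BadOperation exception are hypothetical stand-ins; that unentitled attributes are simply not set and that mechanism-bound attributes survive omission are assumptions of this model.

```python
# Toy model of the set_attributes contract (added example, hypothetical names).

class BadOperation(Exception):
    """Stands in for CORBA::BAD_OPERATION."""

class Credentials:
    def __init__(self, attrs, bound=(), entitled=(), mutable=True):
        self._attrs = list(attrs)                    # (type, value) pairs
        self._bound = set(bound)                     # mechanism-bound, not removable
        self._entitled = set(entitled) | set(attrs)  # what the principal may claim
        self._mutable = mutable

    def get_attributes(self):
        return list(self._attrs)

    def set_attributes(self, requested):
        """Replace the complete list; return (boolean result, actual_attributes)."""
        if not self._mutable:
            raise BadOperation("mechanism does not support modifying attributes")
        # Assumption: attributes the principal is not entitled to are not set.
        accepted = [a for a in requested if a in self._entitled]
        # Assumption: mechanism-bound attributes survive even when omitted.
        kept = [a for a in self._attrs if a in self._bound and a not in accepted]
        self._attrs = accepted + kept
        return sorted(self._attrs) == sorted(requested), self.get_attributes()

def restrict_for_delegation(creds, allowed_types):
    """Drop every attribute whose type is not allowed; fail closed on leftovers."""
    wanted = [a for a in creds.get_attributes() if a[0] in allowed_types]
    ok, actual = creds.set_attributes(wanted)
    leftover = [a for a in actual if a[0] not in allowed_types]
    if not ok or leftover:
        raise PermissionError(f"credentials still carry {leftover}")
    return actual

if __name__ == "__main__":
    # Constructed sample attributes.
    c = Credentials([("AccessId", "alice"), ("Role", "admin"), ("GroupId", "ops")],
                    bound=[("AccessId", "alice")])
    print(restrict_for_delegation(c, {"AccessId", "GroupId"}))
```

A FALSE result here means the credentials may still hold attributes the caller meant to shed, so the wrapper refuses to hand them on rather than ignoring the return value.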