Issues for Resource Access Decision FTF discussion mailing list
To comment on any of these issues, send email to rad-ftf@omg.org. (Please include the issue number in the Subject: header, thusly: [Issue ###].) To submit a new issue, send email to issues@omg.org.
List of issues (green=resolved, yellow=pending Board vote, red=unresolved)
Issue 3178: RAD FTF Issues document
Issue 3211: RAD idl problems
Issue 3253: Number of security policies supporteb by PolicyEvaluator arbitrarily large
Issue 3254: Invalid IDL
Issue 3255: Use of names in defined exceptions
Issue 3256: The exception InputFormatError is only raises by one operation
Issue 3257: DynamicAttributeService issue
Issue 5435: The following operations in the EntityFactory Interface need adjustments
Issue 3178: RAD FTF Issues document (rad-ftf)
Click here for this issue's archive.
Source: David Frankel Consulting (Mr. David Frankel, david(at)dfrankelconsulting.com)
Nature: Uncategorized Issue
Severity:
Summary:
Due to very scetchy issue descriptions the document will be handled as 1 issue. The complete doc can be found in the issues archive
Resolution:
Revised Text: Page: 9
[dsf1][Errata] There doesn’t seem to be any such document on the OMG
server.
Reply: This comment is in reference to document 99-02-29, which does
not exist in drafted Adopted Specification.
Page: 10
[dsf2][FTF] Missing word
Reply: This comment is in reference to an rfp requirement found in
section 1.7.1 which does not exist in draft Adopted Specification.
Page: 10
[dsf3][FTF] Missing word
Reply: This comment is in reference to a paragraph about future
specifications found in section 1.7.1 which does not exist in draft
Adopted Specification.
Page: 11
[dsf4][Errata] Remove: not appropriate for final submission
Reply: This comment is in reference to a response to “How new CORBAMed
specifications will employ the submitted specification” which does not
exist in draft Adopted Specification.
Page: 12
[dsf5][Errata] Remove: not appropriate for final submission
Reply: This comment is in reference to “Mechanisms provided for
extensibility” which does not exist in draft Adopted Specification.
Page: 16
[dsf6][Errata] Ditto
Reply: The following comment is found under DynamicAttributeService
“The submitters plan to include standard administrative interfaces for
this facility in the revised submission.” This comment was deleted in
the draft Adopted Specification.
Page: 17
[dsf7][FTF] Grammar
Reply: KB Fixed. Grammar error found in the text portion of the
Access Decision Model.
Page: 17
[dsf8] It isn't clear what the notation in these two diagrams is. They
don't seem to be officially any of the standard UML diagrams. This
makes some things unclear. For instance, there are three consults lines
coming from Access Decsion. Do the consultations need to occur in any
particular order? The text says that the Decision Combinator's decision
is what finally returns to the client, but other than that the ordering (or whether an order is required) isn’t clear.
Reply: This is issue 3178A. This comment is in reference to the text
in the Access Decision Model, which can be found in section 1.2.1 of
the draft Adopted Specification, page 1-4.
Page: 19
[dsf9][Errata] Although PolicyEvaluatorLocatorAdmin is referenced many
times in the text of this document, including the table of contents, it
is just a forward reference in this document’s IDL and does not appear
at all in the revised IDL (99-05-01).Not all instances of this were
fixed.
Reply: KB fixed.
Page: 19
[dsf10]Why is this discussion under the administrative model rather
than the access decision model?
Reply: This is issue 3178B. This comment is found at the end of the
following sentence: “This combinator is responsible for taking the
results of the PolicyEvaluators evaluate() method and making a final
access decision“ This can be located in section 1.2.2 Administrative
Model, on page 1-5 of the draft Adopted Specification (3 rd paragraph).
Page: 19
[dsf11][FTF] Grammar
Reply: KB Fixed. Grammar error found in the 4 th paragraph of the
Administrative Model.
Page: 20
[dsf12]This UML diagram needs some work:
7 [Errata] By definition, the cardinality of a strong aggregation
(black diamonds) on the aggregate side cannot be 1..* or 0..*. It can
only be 0..1 or 1..1.
7 [Errata] It shows NO_ACCESS_POLICY being a subtype of PolicyName. It
is actually a particular instance of PolicyName. This can be shown in
UML 1.1 via a dependency from NO_ACCESS_POLICY to PolicyName with an
<<instance>> stereotype.
7 [Errata] The AttributeList typedef would be better shown by a
dependency from AttributeList to Security::AttributeList with a
<<typedef>> stereotype applied to the dependency. In the diagram it is
shown as a navigable association which would mean that AttributeList
literally holds a reference to Security::AttributeList. (Note
that the <<typedef>> dependency is not a standard UML stereotype--UML
has no notion of typedef.)
7 [Errata] ResourceNamePattern is a typedef of ResourceName but in the
UML diagram it is shown as a subtype of ResourceName. I recommend
handling it similarly to the AttributeList typedef, i.e. making it a
dependency from ResourceNamePattern to ResourceName, with a <<typedef>>
stereotype applied to the dependency.
7 [Errata] DecisionResultList is shown in the UML diagram but does not
occur anywhere else in the document.
7 [Errata] DecisionCombinator and PolicyEvaluator are stereotyped as
<<interface>> in the UML Information Model diagram, whereas in the
computational model they are stereotyped as <<IDL Interface>>. I recommend stereotyping them both as <<IDL Interface>> because, in UML,
<<interface>> is a standard stereotype of Class that restricts the
class from having attributes. PolicyEvaluator has attributes.
DecisionCombinator does not have attributes, but it nevertheless would
be unwise to restrict its evolution unnecessarily. Also, a question
arises: Are the multiplicities shown in the diagram normative? For
example, consider the relationship between PolicyEvealuatorList and
NamedPolicyEvaluator. The multiplicity on the aggregate side is 0..1,
meaning that a NamedPolicyEvaluator can exist without being owned by a
PolicyEvaluatorList. Is this specification normative? The multiplicity
on agregee side is 0..*,meaning a valid PolicyEvaluatorList can be
empty. Is this normative?
Reply: KB Fixed. This comment is in reference to the Information
Model. Yes, it’s normative.
Page: 21
[dsf13][Errata] The specification of AccessDecision as a singleton
contradicts the 1..* multiplicity on the aggregate side of the
relationship between AccessDecisionAdmin and AccessDecision in the UML
diagram. If there can only be one instance of AccessDecision, then an
AccessDecisionAdmin instance cannot be associated with more than one
AccessDecision instance.
[Errata] Similarly, specifying PolicyEvaluatorLocator as a
singletoncontradicts the multiplicity on the aggregate side of
PolicyEvaluatorLocator's relationships with
PolicyEvaluatorLocatorBasicAdmin and
PolicyEvaluatorLocatorPatternAdmin.
[Errata] Also, this section says nothing about which administrative
interfaces are singletons. For example: Since AccessDecision is a
singleton, and since the UML computatonal model says that an
AccessDecision is associated with exactly one AccessDecisionAdmin, this
would suggest (but not technically require) that AccessDecisionAdmin is
also a singleton. Thinking about the functionality, since what an
AccessDecisionAdmin does is encapsulate references to the singleton
PolicyEvaluator Locator and to the singleton DynamicAttributeService,
logically AccessDecisionAdmin should be a singleton.
Reply: KB Fixed. Comment in response to statement found in the
Computational Model – “Among runtime interfaces, AccessDecision,
PolicyEvaluatorLocator, and DynamicAttributeService are singletons.”
This can be found in section 1.2.4, page 1-8 of the draft Adopted
Specification.
Page: 23
[dsf14][FTF] Grammar.
Reply: This grammar error was found in a section referring to “scope
of this submission” which does not exist in the draft Adopted
Specification.
Page: 26
[dsf15][Errata] This seems to imply by omission that value_string is
allowed to be empty. If this is so, then it should be reflected in the
UML diagram by specifying the multiplicity of value_string attribute as
[0..1]. To do this, change "value_string: string" to "value_string
[0..1] : string". Note that a multiplicity of [1] or [1..1] is the UML default for attributes. Quoting from the UML notation guide (ad/97-08-
05): Note that a multiplicity of 0..1 provides for the possibility of
null values: the absence of a value, as opposed to a particular value
from the range. For example, the following declaration permits a dis-tinction
between the null value and the empty string: name [0..1]:
String
Reply: KB Fixed. This comment in reference to definition for
ResourceNameComponent – “A datum element of this type is invalid if the
name_string member has empty value”. This can be found in section
2.2.2, page 2-5 of the draft Adopted Specification.
Page: 26
[dsf16][Errata] Should be ResourceNameComponentList
Reply: KB Fixed.
Page: 26
[dsf17][Errata] How is valid syntax defined?
Reply: KB Fixed. The comment was in response to the definition for
ResourceName. KB removed the statement about invalid syntax of
ResourceNamingAuthority and added description of the data type.
Page: 27
[dsf18]Why is NamedPolicyEvaluator not an interface that subtypes
PolicyEvaluator? Why is it done this way, i.e. by containment rather
than by subtyping? Is there a need to have the ability to provide the
same PolicyEvaluator instance a different name in different contexts?
Reply: This is issue 3178C. Comment is referring to the struct
NamedPolicyEvaluator in the “Types associated with evaluating Access
Policy.” This can be found in section 2.2.3, page 2-6 of the draft
Adopted Specification. KB replied: NamedPolicyEvaluator data type is
passed as an argument of invocations on DecisionCombinator. It could
be an OBV. What do we gain if we make it an OBV instead of a struct?
Page: 27
[dsf19][Errata] This contradicts the UML diagram, which says that a
PolicyNameList is a composition of 0..* PolicyName instances. To align
the UML diagram with this text, the multiplicity should be changed to
1..*.
Reply: KB Fixed. This comment is referring to text associated with
PolicyNameList.
Page: 28
[dsf20]{Errata] Then the UML diagram should show the multiplicity of
evaluator_name as [0..1].
Reply: KB Fixed. This comment is referring to text associated with
NamedPolicyEvaluator.
Page: 28
[dsf21][Errata] No such operation mentioned anywhere else in this
document or in the revised IDL. Reply: KB Fixed. Referring to get_policy_evaluators.
Page: 28
[dsf22][Errata] This is an operation of
PolicyEvaluatorLocatorBasicAdmin, not of PolicyEvaluatorLocatorAdmin
which, as previously noted, does not exist.
Reply: KB Fixed. Referring to set_default_evaluators.
Page: 28
[dsf23][Errata] Which does not exist. These operations are in other
interfaces.
Reply: KB Fixed.
Page: 28
[dsf24][FTF] Replace "method" with "operation". CORBA does not define
method.
Reply: KB Fixed. Referring to text associated with
PolicyEvaluatorList.
Page: 29
[dsf25]Call this something other than "ed" to distinguish it from the
item in the other exceptions named "ed" which is an ExceptionData.
Reply: KB Fixed. Associated with InternalErrorType. Renamed to “it.”
Page: 30
[dsf26][Errata] Fatal rather than RadFatal, according to the IDL –
references “If the ComponentError is RadFatal, the AccessDecision
object must determine if it can continue to process without the
component.”
[dsf27][Errata] InternalError rathan RadInternalError, according to
the IDL. – references “If it cannot, it must throw a RadInternalError.”
[dsf28][Errata] Fatal rather than RadFatal, according to the IDL –
references “with RadFatal.”
Reply: This is issue 3178D. All three of these comments are related
to text found under ComponentError in section 2.2.5 Exceptions, on page
2-10 of the draft Adopted Specification.
Page: 30
[dsf29][Errata] Spelling of operation name
Reply: KB Fixed.
Page: 31
[dsf30]Is this a validity rule for all instances of
PolicyEvaluatorList? (Note that no validity rules were given for
PolicyEvaluatorList.)
Reply: In reference to InvalidPolicyNameList found in section 2.2.5
Exceptions, page 2-11 in the draft Adopted Specifications. KB Reply:
Not exactly. A duplicate evaluator name may happen when two
PolicyEvaluatorLists are associated with the same resource name in such
a way that each of them does not have duplicate evaluator name but the union does. So, I’m not sure that if we put this restriction into the
definition of PolicyEvaluatorList we can remove it from the description
of this exception.
Page: 31
[dsf31][FTF] Grammar
Reply: KB Fixed.
Page: 31
[dsf32][FTF] Grammar
Reply: This is issue 3178E. This is in reference to the following
sentence under InvalidPolicyEvaluatorList: “first_invalid_element is
first named policy evalautor in the invalid list which caused the list
to be invalid.” Suggested fix – “
first_invalid_element is the first named policy evaluator in the
invalid list which caused the list to be invalid.” This can be found
in section 2.2.5 Exceptions, page 2-11 of the draft Adopted
Specification.
Page: 31
[dsf33][Errata] Instead of "in the invalid list" shouldn't this be "in
the PolicyNameList" ?
Reply: This is issue 3178F. This comment is in reference to the
following sentence under InvalidPolicyNameList: “first_invalid_element
is first named policy evaluator in the invalid list which caused the
list to be invalid.” This can be found in section 2.2.5 Exceptions,
page 2-11 of the draft Adopted Specification.
Page: 31
[dsf34][FTF] Grammar
Reply: KB Fixed.
Page: 31
[dsf35]Why not have an exception specifically for an empty list?
Reply: This is issue 3178G. This is in reference to the following
sentence under InvalidPolicyEvaluatorList: “If the value of this data
member is nil, then the list is invalid not because of a particular
element, but because of some other reason (for example, because the
list is empty). KB Reply: Carol and Bob, remember we discussed this,
and one of you suggested to only have one exception. This is how we
removed EmptyPolicyEvaluatorList exception, I believe. Do you guys
want it back? This can be found in section 2.2.5 Exceptions, page 2-11
of the draft Adopted Specification.
Page: 31
[dsf36][FTF] Grammar
Reply: This is issue 3178E. This comment refers to the following
sentence found under InvalidPolicyEvaluatorList: “This exception is
raised when a policy evalautor list, passed as a part of an operation
arguments. This can be found in section 2.2.5 Exceptions, page 2-11. Page: 31
[dsf37][Errata] Spelling of interface name
Reply: KB Fixed.
Page: 31
[dsf38][Errata] As far as I can see, no specification of what
constitutes a valid or invalid datum is provided for
PolicyEvaluatorList or for NamedPolicyEveluator, instances of
which are members of a PolicyEvaluatorList.
Reply: KB Fixed. This comment is in reference to text found in
InvalidPolicyEvaluatorList. KB added definition invalidity for
PolicyEvaluatorList and for NamedPolicyEvaluator.
Page: 31
[dsf39]Same comment as #35 above
Reply: This is issue 3178G1. KB replied with the same comment as
above.
Page: 32
[dsf40][FTF] Elsewhere it was stated that this interface is a
singleton. That should be stated here, the site of the primary
specification of the interface.
Reply: This is issue 3178H. This comment is in reference to the
AccessDecision Interface text, which can be found in section 2.3, page
2-12 of the draft Adopted Specification.
Page: 32
[dsf41]Note that preconditions such as this one would not have to be
repetitively stated for many operations if the definitions of validity
were explicitly characterized as invariants. Specification of
invariants is a key concept in design by contract. From the standpoint
of the computational model (i.e. from the computational viewpoint)
invariants constitute universal pre and post conditions for all
operations, although not every invariant is directly relevant to every
operation. Since this document provides validity criteria for most
(it’s missing for a few) of the types, this work (i.e. formal
specification of invariants) is mostly done. A few small adjustments
would tie this all neatly together:
7 [FTF] Explicitly label the validity rules as invariants.
7 [FTF] Add a statement to the section on pre/postcondition semantics
noting that the invariants are considered to be pre and postconditions
for all operations.
7 [FTF] Remove the pre and postconditions that thus become
redundant. (Note that this document is not consistent in repeating such
validity rules as preconditions. For example, the set_evaluators( )
operation of PolicyEvaluationLocatorNameAdmin requires a ResoureName as
input, yet does not specify any preconditions.)
Reply: This is issue 3178I. This comment is in reference to the
preconditions found under access_allowed(). You can find this in
section 2.3, on page 2-13 of the draft Adopted Specifications.
Page: 33 [dsf42][FTF] Grammar
Reply: This is issue 3178G2. This comment is in reference to the
following sentence found under postconditions of
multiple_access_allowed(): “Where an authorization decision
==authorization decision for the requested operation on the specified
resource name by a principal with the specified security attributes.
This can be found in section 2.3, on page 2-13 of the draft Adopted
Specification.
Page: 33
[dsf43][FTF] Elsewhere it was stated that this interface is a
singleton. That should be stated here, the site of the primary
specification of the interface.
Reply: This is issue 3178H2. This comment is in reference to the
DynamicAttributeService Interface text, which can be found in section
2.4, page 2-13 of the draft Adopted Specification.
Page: 33
[dsf44][FTF] This is stated rather imprecisely. It should say something
to the effect that, in addtion to adding new attributes, the orginal
attributes can be altered.
Reply: This is issue 3178J. This comment is in reference to the
following sentence under get_dynamic_attributes(): “In addition, the
returned AttributeList may be modified by this service.” This can be
found in section 2.4, page 2-14 of the draft Adopted Specification.
Page: 33
[dsf45][FTF] Grammar
Reply: This is issue 3178G3. This comment is in reference to the
following sentence under get_dynamic_attributes(): “The service may add
or remove SecAttributes to this list.” This can be found in section
2.4, page 2-14 of the draft Adopted Specification.
Page: 34
[dsf46][FTF] Elsewhere it was stated that this interface is a
singleton. That should be stated here, the site of the primary
specification of the interface.
Reply: This is issue 3178H3. This comment is in reference to the
PolicyEvaluatorLocator Interface text, which can be found in section
2.5, page 2-14 of the draft Adopted Specification.
Page: 34
[dsf47][FTF] Grammar
Reply: This is issue 3178G4. This comment is in reference to
following sentence found under get_policy_decision_evaluators(): “A
PolicyDecisionEvaluators structure, which contains a list of
NamedPolicyEvaluator consisting of the names of the PolicyEvaluators
and their object references, and the DecisionCombinator object
reference for the resource is returned to the client.” This can be
found in section 2.5, page 2-15 of the draft Adopted Specification.
Page: 34[dsf48][FTF] Oddly phrased. Seems more appropriate for the bulk of
this to be re-cast as a postcondition.
Reply: This is issue 3178K. This comment is in reference to the
following sentence found under get_policy_decision_evaluators(): “A
PolicyDecisionEvaluators structure, which contains a list of
NamedPolicyEvaluator consisting of the names of the PolicyEvaluators
and their object references, and the DecisionCombinator object
reference for the resource is returned to the client.” This can be
found in section 2.5, page 2-15 of the draft Adopted Specification.
Page: 34
[dsf49][FTF] Spelling
Reply: KB Fixed.
Page: 35
[dsf50]Why is the return binary whereas evaluate( ) returns a ternary?
Reply: This comment is in reference to the boolean combine_decisions
found in the DecisionCombinator interface, section 2.6, page 2-15 of
the draft Adopted Specification. KB Reply – because it is a final
decision, which could not have “don’t know” result.
Page: 35
[dsf51][FTF] Grammar
Reply: This is issue 3178G5. This comment is in reference to the
following sentence found in the text directly beneath the
DecisionCombinator interface idl: “The DecisionCombinator interface is
used to encapsulate the policy for the way that decisions of multiple
PolicyEvaluators is combined.” This can be found in section 2.6, page
2-15 of the draft Adopted Specification.
Page: 36
[dsf52][Errata] The definition of PolicyEvaluatorList did not specify
validity rules
Reply: KB Fixed.
Page: 36
[dsf53][FTF] It should be possible to state a postcondition here, as
is done for the access_allowed( ) and evaluate( ) operations.
Reply: This is issue 3178L. This is in reference to the statement
that there are no postconditions for combine_decisions. This can be
found in section 2.6, page 2-17 of the draft Adopted Specification.
Page: 37
[dsf54]Why aren't these four operations modeled as two attributes?
Reply: This is issue 3178M. This is in reference to
AccessDecisionAdmin interface. KB: Carol or Bob, will you explain?
This can be found in section 2.8, page 2-18 of the draft Adopted
Specification.
Page: 38 [dsf55][FTF] The rules in these two sentences could (and probably
should) be framed as postconditions for get_policy_decision_evaluators.
Reply: . This is issue 3178K2. This comment is in reference to the
following sentence under set_default_evaluators: “Default evaluators
are overridden by the add_evaluators() or replace_evaluators() methods.
The default evaluators will be returned by the PolicyEvaluatorLocator
get_policy_decision_evaluators() method when no PolicyEvaluators have
been explicitly assigned for a ResourceName.” This can be found in
section 2.8, page 2-20 of the draft Adopted Specification.
Page: 38
[dsf56][FTF] This way of specifying the postcondition would be more
rigorous if default_evaluators were formally defined as a role of
PolicyEvaluationList in a relationship between PolicyEvaluatorLocator
and PolicyEvaluationList. The relationship and role could be defined
via UML notation or by textual means. This same approach could be
applied to many of the postconditions that follow.
Reply: This is issue 3178O. This comment is in reference to the
postcondition stated under set_default_evaluators, which can be found
in section 2.8, page 2-20 of the draft Adopted Specification.
Page: 39
[dsf57][FTF] The explanation above of set_default_evaluators( ) stated
how the defaults are overridden. For consistency it should be stated
here how the default DecisionCombinator is overridden.
Reply: This is issue 3178P. This comment is in reference to
set_default_combinator, which can be found in section 2.8, page 2-20 of
the draft Adopted Specification.
Page: 39
[dsf58][FTF] This rule should probably be framed as a postcondition
for get_policy_decision_evaluators.
Reply: This is issue 3178K3. This comment is in reference to the
following sentence found under set_default_combinator: “This combinator
will be returned by the PolicyEvaluatorLocator
get_policy_decision_evaluators() method for these resources. This can
be found in section 2.8, page 2-20 of the draft Adopted Specification.
Page: 39
[dsf59][FTF] The declaration that the operation raises this exception
appears to be defining how the object behaves when a precondition is
not met, which contradicts the policy stated at the outset that such
behavior is undefined. (Although "ResourceName is valid" is not stated
as a precondition for this operation, this omission is inconsistent, as
has already been pointed out, with other operations that require a
ResourceName in-parameter. Truly, this validity requirement is a
precondition.)
Reply: This is issue 3178N. This comment is in reference to
InvalidResourceName found in the PolicyEvaluatorLocatorNameAdmin
interface, section 2.10, page 2-21 of the draft Adopted Specification.
Page: 39 [dsf60][Errata] I believe this should be ResourceName rather than
ResourceNamePattern. Ditto for the remainder of the operations in this
interface.
Reply: This is issue 3178Q. This comment is in reference to the
PolicyEvaluatorLocatorNameAdmin interface, which can be found in
section 2.10, page 2-21 of the draft Adopted Specification.
Page: 43
[dsf61][FTF] Should be singular.
Reply: This is issue 3178R. This comment is in reference to
ResourceNamePatterns found in the following sentence under the
PolicyEvaluatorLocatorPatternAdmin interface: “The
PolicyEvaluatorLocatorPatternAdmin object is used to associate
PolicyEvaluators with a ResourceNamePatterns.” This is the first
sentence under the PolicyEvaluatorLocatorPatternAdmin interface idl in
section 2.11, page 2-25 of the draft Adopted Specification.
Page: 43
[dsf62]This seems to suggest that in order for a name_string to conform
to this second kind, must literally be equal to "*". However, the
presentation given to CORBAmed shows that it can contain "*" but not
literally be "*". The example in the presentation was something like
"Red.*"
Reply: This is issue 3178S. This comment is in reference to the
following sentence under the second kind of ResourceNameComponent:
“MATCHES_AS_GRE – returns “yes” if the string provided by first
argument matches another string provided by second argument, where the
second string is interpreted according to regular expression syntax
specified in the definition of ResourceNamePattern type on Page Error!
Bookmark not defined., otherwise “no.” This can be found in section
2.11, page 2-26 of the draft Adopted Specification.
Page: 43
[dsf63]Same comment as previous--value_string doesn't have to literally
be equal to "*".
Reply: I cannot locate this comment in the document.
Page: 44
[dsf64][Errata] Despite the helpful diagram, the pattern matching
logic is hard to comprehend. I feel it imperative that several concrete
examples be provided.
Reply: This is issue 3178T. This comment is in reference to the
following paragraph found under the PolicyEvaluatorLocatorPatternAdmin
interface: “MATCHES_AS_GRE – returns “yes” if the string provided by
first argument matches another string provided by second argument,
where the second string is interpreted according to regular expression
syntax specified in the definition of ResourceNamePattern type on Page
Error! Bookmark not defined., otherwise “no.” KB Reply – Carol, I will
try to go back to you with some examples by Wednesday. This can be
found in section 2.11, page 2-26 of the draft Adopted Specification.
Page: 46 [dsf65][Errata] Unclear
Reply: This is issue 3178U. This comment is in reference to the
following sentence found under the definition of
register_resource_name_patter: “Since a ResourceName is a
ResourceNamePattern, ResourceNames must also be registered if these
administrative interfaces are administer evaluators and combinators.”
This can be found in section 2.11, page 2-26 of the draft Adopted
Specification.
Page: 49
[dsf66][Errata] In the postcondition this is called "policy_name"
(singular), which is more logical.
Reply: This is issue 3178V. This comment is referring to the fact
that in the idl, “policy_name has an “s” on the end – policy_names.
This can be found in section 2.12, page 2-30 of the draft Adopted
Specification.
Page: 49
[dsf67][FTF] Should be included in the postconditions.
Reply: This is issue 3178W. This comment is in reference to the
following statement found under set_policies: “If a single PolicyName
of NO_ACCESS_POLICY is specified, then all policy is removed for the
resource. This can be found in section 2.12, page 2-30 of the draft
Adopted Specification.
Page: 50
[dsf68][Errata] Unclear. Does this mean all PolicyNames that have been
input via set_policies( ), add_policies( ), and set_default_policy( )
and that have not been removed via delete_policies( )? Or does it mean
all PolicyNames that exist in the system even if they haven't been
attached via this interface? I would presume the former, but this
should be clarified.
Reply: KB Fixed. This comment is in reference to the following
sentence found under list_policies: “A list of all existing PolicyNames
is returned to the client.” KB Reply: A list of all policies that
this instance of PolicyEvaluator supports is returned by this
operation. In the draft Adopted Specification, this sentence now is:
“A list of names of all policies supported by this instance of
PolicyEvaluator is returned to the client.” This can be found in
section 2.12, page 2-31 of the draft Adopted Specification.
Page: 51
[dsf69][FTF] Attribute, not data member
Reply: This is issue 3178X. This comment is in reference to the
following sentence found under Conformance Classes: “In this case
pattern_admin data member of PolicyEvaluatorLocator interface
implementation must have value null.” This can be found in section
2.13, page 2-32 of the draft Adopted Specification.
Page: 61
[dsf70][FTF] This is the first time in the document that we've seen an example of a ResourceName. I recommend enhancing the usage scenario in
the previous section to similarly show the anatomy of the ResourceName
being used in the example.
Reply: Issue 3178Y. This comment is in reference to the following
sentence found in Appendix C: “create RAD resource names according to
the following rules:” This can be found on page C-2 of the draft
Adopted Specifications.
Page: 62
[dsf71]It might be a good idea for ResourceNameComponent to have a
boolean data item indicating whether the component is mandatory or
optional.
Reply: This is issue 3178Z. This comment is in reference to the
following sentence found under Appendix C, #5: “all other elements of
ResourceName data member resource_name_component_list are optional.”
This can be found on page C-2 of the draft Adopted Specifications.
Actions taken:
January 5, 2000: received issue
January 9, 2001: closed issue
Discussion: Sub-Issue No: 3178A
It isn't clear what the notation in these two diagrams is. They don't seem to be
officially any of the standard UML diagrams.
Clarification:
This comment is in reference to the text in the Access Decision Model, which
can be found in section 1.2.1 of the draft Adopted Specification, page 1-4.
Resolution:
Reject. No change. The diagram was not intended to be UML. It is illustrative;
the specification is fully defined in the text.
Revised Text: None.
Sub-Issue No: 3178B
Why is this discussion under the administrative model rather than the access
decision model?
Clarification:
This comment is found at the end of the following sentence: "This combinator
is responsible for taking the results of the PolicyEvaluators
evaluate() method and making a final access decision" This can be located in section 1.2.2 Administrative Model, on page 1-5 of the draft
Adopted Specification (3rd paragraph).
Resolution:
Move the sentence "This combinator is responsible for taking the results of
the PolicyEvaluators evaluate() method and making a final access
decision" from section 1.2.2 to section 1.2.1 as the last sentence in the
section.
Revised Text: see resolution description.
Sub-Issue No: 3178C
Why is NamedPolicyEvaluator not an interface that subtypes
PolicyEvaluator? Why is it done this way, i.e. by containment rather than
by subtyping? Is there a need to have the ability to provide the same
PolicyEvaluator instance a different name in different contexts?
Clarification:
Comment is referring to the struct NamedPolicyEvaluator in the
"Types associated with evaluating Access Policy." This can be found in
section 2.2.3, page 2-6 of the draft Adopted Specification.
Resolution:
Reject. No change.
Revised Text: None
Sub-Issue No: 3178E, F, and G1
Sub-Issue 3178E [FTF] Grammar
Sub-Issue 3178F [Errata] Instead of "in the invalid list" shouldn’t this be "in the
PolicyNameList"
Issue 3178G1 states: Same comment as #35 above (3178F).
Clarification:Clarification (3178E). This is in reference to the following sentence under
InvalidPolicyEvaluatorList: "first_invalid_element is first
named policy evaluator in the invalid list which caused the list to be invalid."
This can be found in section 2.2.5 Exceptions, page 2-11 of the draft Adopted
Specification.
Clarification (3178F) and references the same sentence in 3178E.
Clarification (3178G1). KB replied with the same comment as
above.
Resolution:
Proposed resolution to all: change referenced statement to read
"first_invalid_element is the first named policy evaluator in the
PolicyNameList which caused the list to be invalid."
Revised Text: see resolution description.
Sub-Issue No: 3178EE
Grammar
Clarification:
This comment refers to the following sentence found under
InvalidPolicyEvaluatorList: "This exception is raised when a policy
evaluator list, passed as a part of an operation arguments.” This can be found
in section 2.2.5 Exceptions, page 2-11.
Resolution:
Change sentence to read: "This exception is raised when a
PolicyEvaluatorList contains invalid elements".
Revised Text: see resolution description.
Sub-Issue No: 3178G2 Grammar
Clarification:
This comment is in reference to the following sentence found under
postconditions of multiple_access_allowed(): "Where an
authorization decision ==authorization decision for the requested operation on
the specified resource name by a principal with the specified security
attributes. This can be found in section 2.3, on page 2-13 of the draft Adopted
Specification.
Resolution:
Remove the offending sentence fragment.
Revised Text: see resolution description.
Sub-Issue No: 3178G3
Grammar
Clarification:
This comment is in reference to the following sentence under
get_dynamic_attributes(): "The service may add or remove
SecAttributes to this list." This can be found in section 2.4, page 2-14 of
the draft Adopted Specification.
Resolution:
Change the text to read "The service may add SecAttributes to this list, or
remove SecAttributes from this list."
Revised Text: see resolution description.
Sub-Issue No: 3178G4
Grammar
Clarification: This comment is in reference to following sentence found under
get_policy_decision_evaluators(): "A
PolicyDecisionEvaluators structure, which contains a list of
NamedPolicyEvaluator consisting of the names of the
PolicyEvaluators and their object references, and the
DecisionCombinator object reference for the resource is returned to the
client." This can be found in section 2.5, page 2-15 of the draft Adopted
Specification.
Resolution:
Remove the sentence and replace it with the following "A
PolicyDecisionEvaluators structure is returned to the client. A
PolicyDecisionEvaluators structure contains a
PolicyEvaluatorList and the DecisionCombinator."
Revised Text: see resolution description.
Sub-Issue No: 3178G5
Grammar
Clarification:
This is issue 3178G. This comment is in reference to the following sentence
found in the text directly beneath the DecisionCombinator interface idl:
"The DecisionCombinator interface is used to encapsulate the policy for
the way that decisions of multiple PolicyEvaluators is combined." This
can be found in section 2.6, page 2-15 of the draft Adopted Specification.
Resolution:
Change the sentence to read: "The DecisionCombinator interface is used
to encapsulate a policy for combining decisions of multiple consulted
PolicyEvaluators that may disagree."
Revised Text: see resolution description.
Sub-Issue No: 3178H Elsewhere it was stated that this interface is a singleton. That should be
stated here, the site of the primary specification of the interface.
Clarification:
This comment is in reference to the AccessDecision Interface text, which
can be found in section 2.3, page 2-12 of the draft Adopted Specification.
Resolution:
Add the word "singleton" before the word object in the first sentence of
section 2.3, page 2-12. "The singleton Access Decision object..."
Revised Text: see resolution description.
Sub-Issue No: 3178H2
Elsewhere it was stated that this interface is a singleton. That should be
stated here, the site of the primary specification of the interface.
Clarification:
This comment is in reference to the DynamicAttributeService Interface
text, which can be found in section 2.4, page 2-13 of the draft Adopted
Specification.
Resolution:
Reject. No change. Although only one DynamicAttributeService
reference is held at a time by a RAD, the object may be replaced by an
alternate. The specification makes this clear.
Revised Text: None
Sub-Issue No: 3178H3
Elsewhere it was stated that this interface is a singleton. That should be
stated here, the site of the primary specification of the interface.
Clarification: This comment is in reference to the PolicyEvaluatorLocator Interface
text, which can be found in section 2.5, page 2-14 of the draft Adopted
Specification.
Resolution:
Reject. No change. Although only one PolicyEvaluatorLocator
reference is held at a time by a RAD, the object may be replaced by an
alternate. The specification makes this clear.
Revised Text: None
Sub-Issue No: 3178I
Note that preconditions such as this one would not have to be repetitively
stated for many operations if the definitions of validity were explicitly
characterized as invariants. Specification of invariants is a key concept in
design by contract. From the standpoint of the computational model (i.e. from
the computational viewpoint) invariants constitute universal pre and post
conditions for all operations, although not every invariant is directly relevant to
every operation. Since this document provides validity criteria for most (it’s
missing for a few) of the types, this work (i.e. formal specification of
invariants) is mostly done. A few small adjustments would tie this all neatly
together:
7 [FTF] Explicitly label the validity rules as invariants.
7 [FTF] Add a statement to the section on pre-postcondition semantics noting
that the invariants are considered to be pre and postconditions for all
operations.
7 [FTF] Remove the pre and postconditions that thus become redundant.
(Note that this document is not consistent in repeating such validity rules as
preconditions. For example, the set_evaluators() operation of
PolicyEvaluationLocatorNameAdmin requires a ResoureName as
input, yet does not specify any preconditions.)
Clarification:
This comment is in reference to the preconditions found under
access_allowed(). You can find this in section 2.3, on page 2-13 of the
draft Adopted >Specifications.
Resolution:
Reject this issue. This was not an issue for implementors.
Revised Text: None Sub-Issue No: 3178K
Oddly phrased. Seems more appropriate for the bulk of this to be re-cast as a
postcondition
Clarification:
This comment is in reference to the following sentence found under
get_policy_decision_evaluators(): "A
PolicyDecisionEvaluators structure, which contains a list of
NamedPolicyEvaluator consisting of the names of the
PolicyEvaluators and their object references, and the
DecisionCombinator object reference for the resource is returned to the
client." This can be found in section 2.5, page 2-15 of the draft Adopted
Specification.
Resolution:
This is resolved by the proposed resolution to issue 3178G4 (same
sentence).
Revised Text: None
Sub-Issue No: 3178K2
The rules in these two sentences could (and probably should) be framed as
postconditions for get_policy_decision_evaluators.
Clarification:
This comment is in reference to the following sentence under
set_default_evaluators: "Default evaluators are overridden by the
add_evaluators() or replace_evaluators() methods. The default
evaluators will be returned by the PolicyEvaluatorLocator
get_policy_decision_evaluators() method when no
PolicyEvaluators have been explicitly assigned for a ResourceName."
This can be found in section 2.8, page 2-20 of the draft Adopted Specification.
Resolution:
Reject the request to express this as a postcondition as this was not an issue
for implementors. Change the referenced sentence to read: "Default
evaluators are overridden by the add_evaluators() or replace_evaluators() operations. The default evaluators will be returned
by the PolicyEvaluatorLocator
get_policy_decision_evaluators() operation when no
PolicyEvaluators have been explicitly assigned for a ResourceName."
This fixes incorrect terminology.
Revised Text: See resolution
Sub-Issue No: 3178K3
This rule should probably be framed as a postcondition for
get_policy_decision_evaluators.
Clarification:
This comment is in reference to the following sentence found under
set_default_combinator: "This combinator will be returned by the
PolicyEvaluatorLocator get_policy_decision_evaluators()
method for these resources. This can be found in section 2.8, page 2-20 of
the draft Adopted Specification.
Resolution:
This was not an issue for implementors. Reject request to frame as a
postcondition. Change, however, the sentence to read: "This combinator will
be returned by the PolicyEvaluatorLocator
get_policy_decision_evaluators() operation for these resources."
Revised Text: see resolution
Sub-Issue No: 3178L
It should be possible to state a postcondition here, as is done for the
access_allowed() and evaluate() operations.
Clarification:
This is in reference to the statement that there are no postconditions for
combine_decisions. This can be found in section 2.6, page 2-17 of the
draft Adopted Specification.
Resolution: Reject. No Change. The return from the operation is a Boolean. There were
no issues for implementors that no postcondition was stated.
Revised Text: None
Sub-Issue No: 3178M
Why aren’t these four operations modeled as two attributes?
Clarification:
This is in reference to AccessDecisionAdmin interface. This can be found
in section 2.8, page 2-18 of the draft Adopted Specification.
Resolution:
Not an issue. No change.
Revised Text: None
Sub-Issue No: 3178N
The declaration that the operation raises this exception appears to be defining
how the object behaves when a precondition is not met, which contradicts the
policy stated at the outset that such behavior is undefined. (Although
"ResourceName is valid" is not stated as a precondition for this operation,
this omission is inconsistent, as has already been pointed out, with other
operations that require a ResourceName in-parameter. Truly, this validity
requirement is a precondition.)
Clarification:
This is issue 3178N. This comment is in reference to
InvalidResourceName found in the
PolicyEvaluatorLocatorNameAdmin interface, section 2.10, page 2-21
of the draft Adopted Specification.
Resolution:
No change. The exception is needed.
Revised Text: None Sub-Issue No: 3178O
This way of specifying the postcondition would be more rigorous if
default_evaluators were formally defined as a role of
PolicyEvaluationList in a relationship between
PolicyEvaluatorLocator and PolicyEvaluationList. The
relationship and role could be defined via UML notation or by textual means.
This same approach could be applied to many of the postconditions that
follow.
Clarification:
This comment is in reference to the postcondition stated under
set_default_evaluators, which can be found in section 2.8, page 2-20
of the draft Adopted Specification.
Resolution:
Not an issue for implementors. No change.
Revised Text: None
Sub-Issue No: 3178P
The explanation above of set_default_evaluators() stated how the
defaults are overridden. For consistency it should be stated here how the
default DecisionCombinator is overridden.
Clarification:
This comment is in reference to set_default_combinator, which can be
found in section 2.8, page 2-20 of the draft Adopted Specification.
Resolution:
Delete the sentence that is referenced as saying how defaults are overridden.
The sentence to remove is in the first paragraph of page 2-20 and starts:
"Default evaluators may be overridden by the ..." One of the operations listed
is no longer in the spec (replace_evaluators). How evaluators and
combinators are replaced is explained elsewhere in the specification. This will
resolve the consistency issue and fix the reference.
Revised Text: See resolution Sub-Issue No: 3178Q
I believe this should be ResourceName rather than
ResourceNamePattern. Ditto for the remainder of the operations in this
interface.
Clarification:
This comment is in reference to the
PolicyEvaluatorLocatorNameAdmin interface, which can be found in
section 2.10, page 2-21 of the draft Adopted Specification.
Resolution:
Accept. Change every instance of the parameter "in
ResourceNamePattern" in operations of the interface
PolicyEvaluatorLocatorNameAdmin to "in ResourceName". Change
any supporting text in section 2.10 and the complete IDL.
Revised Text:
Sub-Issue No: 3178R
Should be singular.
Clarification:
This comment is in reference to ResourceNamePatterns found in the
following sentence under the PolicyEvaluatorLocatorPatternAdmin
interface: "The PolicyEvaluatorLocatorPatternAdmin object is used
to associate PolicyEvaluators with a ResourceNamePatterns." This is
the first sentence under the PolicyEvaluatorLocatorPatternAdmin
interface idl in section 2.11, page 2-25 of the draft Adopted Specification.
Resolution:
Change the sentence to read: "The
PolicyEvaluatorLocatorPatternAdmin object is used to associate
PolicyEvaluators with a ResourceNamePattern."
Revised Text: see resolution
Sub-Issue No: 3178S This seems to suggest that in order for a name_string to conform to this
second kind, must literally be equal to "*". However, the presentation given to
CORBAmed shows that it can contain "*" but not literally be "*". The example
in the presentation was something like "Red.*"
Clarification:
This comment is in reference to the following sentence under the second kind
of ResourceNameComponent: "The second kind of
ResourceNameComponent which can occur in a pattern is a component
wildcard pattern: -name_string is "*" ; value_string is "*"" This can be
found in section 2.11, page 2-26 of the draft Adopted Specification.
Resolution:
The specification is correct. The second kind of ResourceNameComponent
(wildcard) requires that both name and value be precisely "*". To clarify this,
change the bullets on page 2-26 to read:
- name_string exactly matches "*" and
- value_string exactly matches "*"
Revised Text: see resolution
Sub-Issue No: 3178T
Despite the helpful diagram, the pattern matching logic is hard to
comprehend. I feel it imperative that several concrete examples be provided.
Clarification:
This comment is in reference to the following paragraph found under the
PolicyEvaluatorLocatorPatternAdmin interface: "MATCHES_AS_GRE
returns "yes" if the string provided by first argument matches another string
provided by second argument, where the second string is interpreted
according to regular expression syntax specified in the definition of
ResourceNamePattern type on Page 26, otherwise "no.". Also, the "helpful
diagram" is missing in the draft adopted spec. Our feeling is that with the
diagram the algorithm is understandable.
Resolution:
1) Change the wording of the above sentence to read: "MATCHES_AS_GRE returns "yes" if the resource "name" matches the
resource name "pattern", where the "pattern" is interpreted according to the
regular expression syntax specified in the definition of
ResourceNamePattern in section 2.2.2 page 2-5.
2) Insert the diagram containing the algorithm (this is contained in the same
section of the revised submission corbamed/99-04-05 - an editing error
removed it from the draft submission) after the sentence on page 2-26 "A
resource name matches a pattern if and only if the algorithm shown in the
figure below returns MATCH."
Revised Text: see resolution
Sub-Issue No: 3178U
Unclear
Clarification:
This comment is in reference to the following sentence found under the
definition of register_resource_name_pattern: "Since a
ResourceName is a ResourceNamePattern, ResourceNames must also
be registered if these administrative interfaces are administer evaluators and
combinators." This can be found in section 2.11, page 2-26 of the draft
Adopted Specification.
Resolution:
Change the sentence to read: "Since a ResourceName is a
ResourceNamePattern, ResourceNames must also be registered if these
administrative interfaces are used to administer evaluators and combinators."
Revised Text: see resolution
Sub-Issue No: 3178V
In the postcondition this is called "policy_name" (singular), which is more
logical.
Clarification:
This comment is referring to the fact that in the IDL, "policy_name has an
"s" on the end policy_names. This can be found in section 2.12, page 2-30
of the draft Adopted Specification. Resolution:
No change. Editor can’t find the offending postcondition.
Revised Text: None
Sub-Issue No: 3178W
Should be included in the postconditions.
Clarification:
This comment is in reference to the following statement found under
set_policies: "If a single PolicyName of NO_ACCESS_POLICY is
specified, then all policy is removed for the resource. This can be found in
section 2.12, page 2-30 of the draft Adopted Specification.
Resolution:
State in the postcondition that if PolicyName == NO_ACCESS_POLICY then
no policy exists for the resource.
Revised Text: see resolution
Sub-Issue No: 3178X
Attribute, not data member.
Clarification:
This comment is in reference to the following sentence found under
Conformance Classes: "In this case pattern_admin data member of
PolicyEvaluatorLocator interface implementation must have value null."
This can be found in section 2.13, page 2-32 of the draft Adopted
Specification.
Resolution:
Change the sentence to read: "In this case the pattern_admin attribute of
the PolicyEvaluatorLocator interface implementation must be/return
null."
Revised Text: see resolution Sub-Issue No: 3178Y
This is the first time in the document that we’ve seen an example of a
ResourceName. I recommend enhancing the usage scenario in the previous
section to similarly show the anatomy of the ResourceName being used in
the example.
Clarification:
This comment is in reference to the following sentence found in Appendix C:
"create RAD resource names according to the following rules:" This can be
found on page C-2 of the draft Adopted Specifications.
Resolution:
Reject. No change. This is an example, not part of the normative part of the
spec.
Revised Text: None
Sub-Issue No: 3178Z
It might be a good idea for ResourceNameComponent to have a boolean
data item indicating whether the component is mandatory or optional.
Clarification:
This comment is in reference to the following sentence found under Appendix
C, #5: "all other elements of ResourceName data member
resource_name_component_list are optional." This can be found on
page C-2 of the draft Adopted Specifications.
Resolution:
Reject.
Revised Text: None
Disposition: Resolved
Disposition Parameter: None
Issue 3211: RAD idl problems (rad-ftf)
Click here for this issue's archive.
Nature: Uncategorized Issue
Severity:
Summary: >You have probably already caught these problems. Just in case you haven't I
>am sending a modified copy. Mainly problems with missing or extra forward
>declarations.
>
>You can probably ignore the 'include "cds_patches.idl". We are not using a
>2.3 orb so we had to define some types that were needed by the 2.3
>security.idl.
Resolution: resolved
Revised Text: Change the list of forwards (starting with the first one below and continuing to the
end of the section labeled "Basic Types" in the idl
DfResourceAccessDecision file) to read as follows:
interface DynamicAttributeService;
interface DecisionCombinator;
interface PolicyEvaluator;
interface PolicyEvaluatorAdmin;
interface PolicyEvaluatorLocatorBasicAdmin;
interface PolicyEvaluatorLocatorNameAdmin;
interface PolicyEvaluatorLocatorPatternAdmin; X-Sender: carolbrt@mindspring.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0
Date: Tue, 11 Jan 2000 23:48:33 -0600
To: issues@omg.org
From: Carol Burt <cburt@2ab.com>
Subject: Fwd: RAD idl problems
Mime-Version: 1.0
Content-Type: multipart/mixed;
boundary="=====================_947677713==_"
X-UIDL: M%:e9VB!!!UG*!!TDi!!
>X-MindSpring-Loop: cburt@2ab.com
>From: "Chris White" <cwhite@ic.net>
>To: <cburt@2ab.com>
>Cc: <jfarmer@ic.net>, "Chris White" <cwhite@ic.net>
>Subject: RAD idl problems
>Date: Tue, 11 Jan 2000 21:37:21 -0500
>X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
>Importance: Normal
>
You have probably already caught these problems. Just in case you
haven’t I am sending a modified copy. Mainly problems with missing or
extra forward declarations.
>
You can probably ignore the ’include "cds_patches.idl". We are not
using a 2.3 orb so we had to define some types that were needed by the
2.3 security.idl.
>
By the way, we are still working on extensions for policy location
using security attributes.
>
> //File: DfResourceAccessDecision.idl
//
#ifndef _DF_RESOURCE_ACCESS_DECISION_IDL_
#define _DF_RESOURCE_ACCESS_DECISION_IDL_
//#include "cds_patches.idl" //cds
#include "Security.idl"
#pragma prefix "omg.org"
module DfResourceAccessDecision {
//*********************************************************
// Basic Types
//*********************************************************
typedef sequence<boolean> BooleanList;
typedef Security::AttributeList AttributeList; interface DynamicAttributeService;
interface DecisionCombinator;
interface PolicyEvaluator;
interface PolicyEvaluatorLocator;
// interface PolicyEvaluatorLocatorAdmin; //cds
interface PolicyEvaluatorAdmin;
interface PolicyEvaluatorLocatorBasicAdmin; // cds
interface PolicyEvaluatorLocatorNameAdmin; // cds
interface PolicyEvaluatorLocatorPatternAdmin; // cds
//*********************************************************
// Types that identify a secured resource
//*********************************************************
struct ResourceNameComponent {
string name_string;
string value_string;
};
typedef sequence<ResourceNameComponent> ResourceNameComponentList;
typedef string ResourceNamingAuthority;
struct ResourceName {
ResourceNamingAuthority resource_naming_authority;
ResourceNameComponentList resource_name_component_list;
};
typedef ResourceName ResourceNamePattern;
typedef string Operation;
typedef sequence<Operation> OperationList;
//****************************************************
// Types associated with evaluating Access Policy
//****************************************************
typedef string PolicyName;
typedef sequence<PolicyName> PolicyNameList;
const PolicyName NO_ACCESS_POLICY = "NO_ACCESS_POLICY";
struct NamedPolicyEvaluator {
string evaluator_name;
PolicyEvaluator policy_evaluator;
};
typedef sequence<NamedPolicyEvaluator> PolicyEvaluatorList;
struct PolicyDecisionEvaluators {
PolicyEvaluatorList policy_evaluator_list;
DecisionCombinator decision_combinator;
};
//****************************************************
// Types used to request an Access Decision
//****************************************************
struct AccessDefinition { ResourceName resource_name;
Operation operation;
};
typedef sequence<AccessDefinition> AccessDefinitionList;
enum DecisionResult {ACCESS_DECISION_ALLOWED,
ACCESS_DECISION_NOT_ALLOWED,
ACCESS_DECISION_UNKNOWN
};
//********************************************************
//* Exception Data types
//********************************************************
struct ExceptionData {
short error_code;
string reason;
};
enum InternalErrorType {Fatal, NotFatal};
//*********************************************************
// Exception thrown by the Access Decision Object
//*********************************************************
exception InternalError{InternalErrorType et;};
//*********************************************************
// Exception thrown by Internal non-admin interfaces
//*********************************************************
exception ComponentError{
ExceptionData ed;
InternalErrorType et;
};
//*********************************************************
// Exceptions thrown by Admin Interfaces
//*********************************************************
exception PatternConflict {ExceptionData ed;};
exception PatternDuplicate {ExceptionData ed;};
exception PatternNotRegistered {ExceptionData ed;};
exception PatternInUse {ExceptionData ed;};
exception InputFormatError {ExceptionData ed;};
exception ResourceNameNotFound {ExceptionData ed;};
exception NoAssociation {ExceptionData ed;};
exception InvalidPolicy {ExceptionData ed;};
exception DuplicateEvaluatorName {ExceptionData ed;};
exception InvalidResourceName {};
exception InvalidResourceNamePattern {};
exception InvalidPolicyEvaluatorList {
ExceptionData ed;
NamedPolicyEvaluator first_invalid_element;
};
exception InvalidPolicyNameList { ExceptionData ed;
PolicyName first_invalid_element;
};
//****************************************************
// interface AccessDecision
//****************************************************
interface AccessDecision {
boolean access_allowed(
in ResourceName resource_name,
in Operation operation,
in AttributeList attribute_list
)
raises (InternalError);
BooleanList multiple_access_allowed(
in AccessDefinitionList access_requests,
in AttributeList attribute_list
)
raises (InternalError);
};
//******************************************************
// interface DynamicAttributeService
//******************************************************
interface DynamicAttributeService {
AttributeList get_dynamic_attributes(
in AttributeList attribute_list,
in ResourceName resource_name,
in Operation operation
)
raises (ComponentError);
};
//******************************************************
// interface PolicyEvaluatorLocator
//******************************************************
interface PolicyEvaluatorLocator {
readonly attribute PolicyEvaluatorLocatorBasicAdmin
basic_admin;
readonly attribute PolicyEvaluatorLocatorNameAdmin name_admin;
readonly attribute PolicyEvaluatorLocatorPatternAdmin
pattern_admin;
PolicyDecisionEvaluators get_policy_decision_evaluators(
in ResourceName resource_name
) raises (ComponentError);
};
//********************************************************
// interface DecisionCombinator
//********************************************************
interface DecisionCombinator{
boolean combine_decisions(
in ResourceName resource_name,
in Operation operation,
in AttributeList attribute_list,
in PolicyEvaluatorList policy_evaluator_list
)
raises (ComponentError);
};
//******************************************************
// interface PolicyEvaluator
//******************************************************
interface PolicyEvaluator {
readonly attribute PolicyEvaluatorAdmin pe_admin;
DecisionResult evaluate(
in ResourceName resource_name,
in Operation operation,
in AttributeList attribute_list
)
raises (ComponentError);
};
//******************************************************
//
// Management Interfaces
//
//******************************************************
// interface AccessDecisionAdmin
//******************************************************
interface AccessDecisionAdmin {
PolicyEvaluatorLocator get_policy_evaluator_locator();
void set_policy_evaluator_locator (
in PolicyEvaluatorLocator
policy_evaluator_locator
);
DynamicAttributeService
get_dynamic_attribute_service();
void set_dynamic_attribute_service(
in DynamicAttributeService dynamic_attribute_service
);
};
//*******************************************************
// interface PolicyEvaluatorLocatorBasicAdmin
//*******************************************************
interface PolicyEvaluatorLocatorBasicAdmin {
PolicyEvaluatorList set_default_evaluators(
in PolicyEvaluatorList policy_evaluator_list
)
raises (DuplicateEvaluatorName, InvalidPolicyEvaluatorList);
PolicyEvaluatorList get_default_evaluators();
DecisionCombinator get_default_combinator ();
void set_default_combinator(
in DecisionCombinator decision_combinator
);
};
//*******************************************************
// interface PolicyEvaluatorLocatorNameAdmin
//*******************************************************
interface PolicyEvaluatorLocatorNameAdmin {
PolicyEvaluatorList get_evaluators(
in ResourceName resource_name
)
raises (InvalidResourceName);
void set_evaluators (
in PolicyEvaluatorList policy_evaluator_list,
in ResourceName resource_name
)
raises (InvalidPolicyEvaluatorList,
InvalidResourceName,
DuplicateEvaluatorName);
void add_evaluators (
in PolicyEvaluatorList policy_evaluator_list,
in ResourceName resource_name
)
raises (InvalidResourceName,
InvalidPolicyEvaluatorList,
DuplicateEvaluatorName);
void delete_evaluators (
in PolicyEvaluatorList policy_evaluator_list,
in ResourceNamePattern resource_name
)
raises (InvalidResourceName,
InvalidPolicyEvaluatorList, DuplicateEvaluatorName);
DecisionCombinator get_combinator (
in ResourceNamePattern resource_name
)
raises (InvalidResourceName);
void set_combinator (
in DecisionCombinator decision_combinator,
in ResourceNamePattern resource_name
)
raises (InvalidResourceName);
void delete_combinator (
in ResourceNamePattern resource_name
)
raises (InvalidResourceName);
};
//*******************************************************
// interface PolicyEvaluatorLocatorPatternAdmin
//*******************************************************
interface PolicyEvaluatorLocatorPatternAdmin {
void register_resource_name_pattern(
in ResourceNamePattern pattern
)
raises (InvalidResourceNamePattern,
PatternDuplicate,
PatternConflict);
void unregister_resource_name_pattern(
in ResourceNamePattern pattern
)
raises (InvalidResourceNamePattern,
PatternNotRegistered,
PatternInUse);
PolicyEvaluatorList get_evaluators_by_pattern (
in ResourceNamePattern pattern
)
raises (InvalidResourceNamePattern,
PatternNotRegistered);
void set_evaluators_by_pattern (
in PolicyEvaluatorList policy_evaluator_list,
in ResourceNamePattern pattern
)
raises (InputFormatError,
PatternNotRegistered,
DuplicateEvaluatorName);
void add_evaluators_by_pattern (
in PolicyEvaluatorList policy_evaluator_list,
in ResourceNamePattern pattern raises (InvalidResourceNamePattern,
PatternNotRegistered,
InvalidPolicyEvaluatorList,
DuplicateEvaluatorName);
void delete_evaluators_by_pattern (
in PolicyEvaluatorList policy_evaluator_list,
in ResourceNamePattern pattern
)
raises (InvalidResourceNamePattern,
PatternNotRegistered,
InvalidPolicyEvaluatorList,
DuplicateEvaluatorName);
DecisionCombinator get_combinator_by_pattern (
in ResourceNamePattern pattern
)
raises (InvalidResourceNamePattern,
PatternNotRegistered);
void set_combinator_by_pattern (
in DecisionCombinator decision_combinator,
in ResourceNamePattern pattern
)
raises (InvalidResourceNamePattern,
PatternNotRegistered);
void delete_combinator_by_pattern (
in ResourceNamePattern pattern
)
raises (InvalidResourceNamePattern,
PatternNotRegistered);
};
//*******************************************************
// interface PolicyEvaluatorAdmin
//*******************************************************
interface PolicyEvaluatorAdmin {
void set_policies(
in PolicyNameList policy_names,
in ResourceName resource_name
)
raises (InvalidResourceName,
ResourceNameNotFound,
InvalidPolicyNameList);
void add_policies(
in PolicyNameList policy_names,
in ResourceName resource_name
)
raises (InvalidResourceName,
ResourceNameNotFound,
InvalidPolicyNameList);
void delete_policies( in PolicyNameList policy_names,
in ResourceName resource_name
)
raises (InvalidResourceName,
ResourceNameNotFound,
InvalidPolicyNameList,
NoAssociation);
PolicyNameList list_policies();
PolicyName set_default_policy(
in PolicyName policy_name
)
raises (InvalidPolicy);
};
};
#endif // _DF_RESOURCE_ACCESS_DECISION_IDL_
Actions taken:
January 11, 2000: received issue
January 9, 2001: closed issue
Issue 3253: Number of security policies supporteb by PolicyEvaluator arbitrarily large (rad-ftf)
Click here for this issue's archive.
Source: 2AB (Mr. Bob Burt, bburt(at)2ab.com)
Nature: Uncategorized Issue
Severity:
Summary: The number of security policies supported by a PolicyEvaluator could be
arbitrarily large. Because of this the operation "list_policies" in the
PolicyEvaluatorAdmin interface might be changed to:
PolicyNameIter list_policies(in num_ret, in max_iter, out
PolicyNameList policy_names);
where max_iter is maximum number of entries held by the iterator, num_ret
is the maximum number of entries returned in the "out PolicyNameList list"
argument, and "policy_names" is sequence of PolicyNames having at most
"num_ret" entries. If the list of policy names has less than "num_ret"
entries, the iterator will be nil.
The iterator interface would look like:
interface PolicyNameIter {
long how_many();
boolean next_n(in long val, out PolicyNameList policy_names);
void destroy();
};
Note this technique could be carried to the extreme for all those
operations that return a PolicyEvaluatorList. However, it seems less likely
that one would has assigned large numbers of evaluator in the same way one
might have large numbers of security policies.
Resolution: resolved
Revised Text: Add an iterator to the list_policies operation.
PolicyNameList list_policies(in unsigned long seq_max,
in unsigned long iter_max,
out PolicyNameListIterator iter)
raises (TooMany);
interface PolicyNameListIterator {
unsigned long how_many();
boolean next_one(out PolicyName name);
boolean next_n(in unsigned long how_many, out
PolicyNameList list);
void destroy();
}; NOTE: The operations next_one and next_n return false if there is no
PolicyName left to return, return true if a PolicyName or PolicyNameList
are returned.
NOTE: The TooMany exception if raised for list_policies if the number of
PolicyNames found (based on the seq_max and iter_max arguments)
exceeds the implementations limit. The implementation limit can be optionally
configurable by the implementation.
Actions taken:
January 26, 2000: received issue
January 9, 2001: closed issue
Issue 3254: Invalid IDL (rad-ftf)
Click here for this issue's archive.
Source: 2AB (Mr. Bob Burt, bburt(at)2ab.com)
Nature: Uncategorized Issue
Severity:
Summary: In multiple places in the IDL (struct AccessDefinition,
AccessDecision::access_allowed) the following is used:
Operation operation;
This is invalid IDL despite the fact that many IDL compilers accept this
today.
Resolution: resolved
Revised Text: In the DfResourceAccessDecision.idl file:
1) Remove the following line in the IDL: typedef string Operation;
2) Replace all instances of "Operation" with "string" in the IDL and
supporting text that references this IDL type. Note that case matters in this
replacement.
Actions taken:
January 26, 2000: received issue
January 9, 2001: closed issue
Issue 3255: Use of names in defined exceptions (rad-ftf)
Click here for this issue's archive.
Source: 2AB (Mr. Bob Burt, bburt(at)2ab.com)
Nature: Uncategorized Issue
Severity:
Summary: Some of the exceptions defined could use names that are less like to
conflict with standard language objects and thus would not have to be fully
qualified. For example, InternalError conflicts with
java.lang.InternalError. Perhaps RadInternalError might be nicer.
ComponentError might be another candidate for RadComponentError.
Resolution: resolved
Revised Text: Issues 3255 and Issue 3178D have been linked.
Issue 3255 Summary –
Some of the exceptions defined could use names that are less like to conflict with
standard language objects and thus would not have to be fully qualified. For
example, InternalError conflicts with java.lang.InternalError. Perhaps
RadInternalError might be nicer. ComponentError might be another
candidate for RadComponentError.
Comment: The IDL looked like this at one time. This is the source of issue 3178D
where the text uses these names. For some reason the "Rad" prefix was
removed in the final editing.
Issue 3178D Summary –
[Errata] Fatal rather than RadFatal, according to the IDL references "If the
ComponentError is RadFatal, the AccessDecision
object must determine if it can continue to process without the component."
[Errata] InternalError rathan RadInternalError, according to
the IDL. references "If it cannot, it must throw a RadInternalError."
[Errata] Fatal rather than RadFatal, according to the IDL references "with
RadFatal."
All three of these comments (for 3178D) are related to text found under
ComponentError in section 2.2.5 Exceptions, on page 2-10 of the draft
Adopted Specification.
Resolution (for both issues):
Change the following exception names and all references to them in the text:
InternalError to RadInternalError ComponentError to
RadComponentError Leave these specific names (RadInternalError and
RadComponentError) the same in the sentence referenced in Issue 3178D as they are now correct. Change RadFatal to Fatal in the section referenced by
issue 3178D and anywhere else it appears incorrectly (this is an enumerated
value, not an Exception).
Actions taken:
January 26, 2000: received issue
January 9, 2001: closed issue
Issue 3256: The exception InputFormatError is only raises by one operation (rad-ftf)
Click here for this issue's archive.
Source: 2AB (Mr. Bob Burt, bburt(at)2ab.com)
Nature: Uncategorized Issue
Severity:
Summary: The exception InputFormatError is only raises by one operation,
set_evaluators_by_pattern. I don't understand why this would not raise the
same exceptions as add_evaluators_by_pattern or
delete_evaluators_by_pattern. They all have the same input parameters.
Resolution: resolved
Revised Text: Remove the InputFormatError exception from the IDL and all explanatory
text.
Change the signature of the set_eveluators_by_pattern to throw the same
exceptions as add_evaluators_by_pattern and
delete_evaluators_by_pattern. See below:
Change idl and associated descriptions to:
void set_evaluators_by_pattern(
in PolicyEvalutatorList policy_evaluator_list,
in ResourceNamePattern pattern
)
raises (InvalidResourceNamePattern,
PatternNotRegistered,
InvalidPolicyEvaluatorList,
DuplicateEvaluatorName);
Actions taken:
January 26, 2000: receive dissue
January 9, 2001: closed issue
Issue 3257: DynamicAttributeService issue (rad-ftf)
Click here for this issue's archive.
Source: 2AB (Mr. Bob Burt, bburt(at)2ab.com)
Nature: Uncategorized Issue
Severity:
Summary: The DynamicAttributeService was designed to allow modification of
SecAttributes prior to locating and using PolicyEvaluators. These
modifications are application are most likely specific in nature.
Unfortunately the entire service can only have one DynamicAttributeService,
therefore, instance of RAD service have to be partitioned for different
applications. It might have been better to have associations with
ResouceNames such as was done with PolicyEvaluators. Another alternative
might have been to associate a DynamicAttributeService with a combinator,
since different resource names can use different combinators this implies
they also could then have different DynamicAttributeServices. This is
probably not an important issue, but it can dictate how applications must
deploy instances of the service.
Resolution: Close this issue with no change.
Revised Text:
Actions taken:
January 26, 2000: received issue
January 9, 2001: closed issue
Issue 5435: The following operations in the EntityFactory Interface need adjustments (rad-ftf)
Click here for this issue's archive.
Source: NASA (Mr. Russell W. Claus, nobody)
Nature: Uncategorized Issue
Severity:
Summary: The following operations in the EntityFactory Interface need adjustment to correctly generate geometries:
For EntityFactory::index_bodies():
LongSeq index_bodies(in LongSeqSeq oriented_shells);
The oriented_shells data must be in the form: LongSeqSeq as showns above.
LongSeq index_faces(in LongSeqSeq oriented_eloops, in LongSeqSeq vertex_loops,
in LongSeq surfaces);
The vertex_loops data must be in the form: LongSeqSeq as shown above.
Also, the name used for the first argument to index_oriented_shells() is misleading:
LongSeq index_oriented_shells(in LongSeq ofaces, in BooleanSeq sense);
ofaces should be shells.
Resolution: The recommended changes are made as suggested in the summary
Revised Text: In Section 2.2.4, the recommended changes are made to the idl and the supporting documentation
Actions taken:
June 18, 2002: received issue
July 1, 2003: closed issue