Issues for Resource Access Decision FTF discussion mailing list

To comment on any of these issues, send email to rad-ftf@omg.org. (Please include the issue number in the Subject: header, thusly: [Issue ###].) To submit a new issue, send email to issues@omg.org.

List of issues (green=resolved, yellow=pending Board vote, red=unresolved)

List options: All ; Open Issues only; or Closed Issues only

Issue 3178: RAD FTF Issues document
Issue 3211: RAD idl problems
Issue 3253: Number of security policies supporteb by PolicyEvaluator arbitrarily large
Issue 3254: Invalid IDL
Issue 3255: Use of names in defined exceptions
Issue 3256: The exception InputFormatError is only raises by one operation
Issue 3257: DynamicAttributeService issue
Issue 5088: Resource Access Decision Security
Issue 5089: Resource Access Decision service
Issue 5435: The following operations in the EntityFactory Interface need adjustments

Issue 3178: RAD FTF Issues document (rad-ftf)

Click here for this issue's archive.
Nature: Uncategorized Issue
Severity:
Summary: 
Due to very scetchy issue descriptions the document will be handled as 1 issue. The complete doc can be found in the issues archive

Resolution:
Revised Text: Page: 9 [dsf1][Errata] There doesn’t seem to be any such document on the OMG server. Reply: This comment is in reference to document 99-02-29, which does not exist in drafted Adopted Specification. Page: 10 [dsf2][FTF] Missing word Reply: This comment is in reference to an rfp requirement found in section 1.7.1 which does not exist in draft Adopted Specification. Page: 10 [dsf3][FTF] Missing word Reply: This comment is in reference to a paragraph about future specifications found in section 1.7.1 which does not exist in draft Adopted Specification. Page: 11 [dsf4][Errata] Remove: not appropriate for final submission Reply: This comment is in reference to a response to “How new CORBAMed specifications will employ the submitted specification” which does not exist in draft Adopted Specification. Page: 12 [dsf5][Errata] Remove: not appropriate for final submission Reply: This comment is in reference to “Mechanisms provided for extensibility” which does not exist in draft Adopted Specification. Page: 16 [dsf6][Errata] Ditto Reply: The following comment is found under DynamicAttributeService “The submitters plan to include standard administrative interfaces for this facility in the revised submission.” This comment was deleted in the draft Adopted Specification. Page: 17 [dsf7][FTF] Grammar Reply: KB Fixed. Grammar error found in the text portion of the Access Decision Model. Page: 17 [dsf8] It isn't clear what the notation in these two diagrams is. They don't seem to be officially any of the standard UML diagrams. This makes some things unclear. For instance, there are three consults lines coming from Access Decsion. Do the consultations need to occur in any particular order? The text says that the Decision Combinator's decision is what finally returns to the client, but other than that the ordering (or whether an order is required) isn’t clear. Reply: This is issue 3178A. This comment is in reference to the text in the Access Decision Model, which can be found in section 1.2.1 of the draft Adopted Specification, page 1-4. Page: 19 [dsf9][Errata] Although PolicyEvaluatorLocatorAdmin is referenced many times in the text of this document, including the table of contents, it is just a forward reference in this document’s IDL and does not appear at all in the revised IDL (99-05-01).Not all instances of this were fixed. Reply: KB fixed. Page: 19 [dsf10]Why is this discussion under the administrative model rather than the access decision model? Reply: This is issue 3178B. This comment is found at the end of the following sentence: “This combinator is responsible for taking the results of the PolicyEvaluators evaluate() method and making a final access decision“ This can be located in section 1.2.2 Administrative Model, on page 1-5 of the draft Adopted Specification (3 rd paragraph). Page: 19 [dsf11][FTF] Grammar Reply: KB Fixed. Grammar error found in the 4 th paragraph of the Administrative Model. Page: 20 [dsf12]This UML diagram needs some work: 7 [Errata] By definition, the cardinality of a strong aggregation (black diamonds) on the aggregate side cannot be 1..* or 0..*. It can only be 0..1 or 1..1. 7 [Errata] It shows NO_ACCESS_POLICY being a subtype of PolicyName. It is actually a particular instance of PolicyName. This can be shown in UML 1.1 via a dependency from NO_ACCESS_POLICY to PolicyName with an <<instance>> stereotype. 7 [Errata] The AttributeList typedef would be better shown by a dependency from AttributeList to Security::AttributeList with a <<typedef>> stereotype applied to the dependency. In the diagram it is shown as a navigable association which would mean that AttributeList literally holds a reference to Security::AttributeList. (Note that the <<typedef>> dependency is not a standard UML stereotype--UML has no notion of typedef.) 7 [Errata] ResourceNamePattern is a typedef of ResourceName but in the UML diagram it is shown as a subtype of ResourceName. I recommend handling it similarly to the AttributeList typedef, i.e. making it a dependency from ResourceNamePattern to ResourceName, with a <<typedef>> stereotype applied to the dependency. 7 [Errata] DecisionResultList is shown in the UML diagram but does not occur anywhere else in the document. 7 [Errata] DecisionCombinator and PolicyEvaluator are stereotyped as <<interface>> in the UML Information Model diagram, whereas in the computational model they are stereotyped as <<IDL Interface>>. I recommend stereotyping them both as <<IDL Interface>> because, in UML, <<interface>> is a standard stereotype of Class that restricts the class from having attributes. PolicyEvaluator has attributes. DecisionCombinator does not have attributes, but it nevertheless would be unwise to restrict its evolution unnecessarily. Also, a question arises: Are the multiplicities shown in the diagram normative? For example, consider the relationship between PolicyEvealuatorList and NamedPolicyEvaluator. The multiplicity on the aggregate side is 0..1, meaning that a NamedPolicyEvaluator can exist without being owned by a PolicyEvaluatorList. Is this specification normative? The multiplicity on agregee side is 0..*,meaning a valid PolicyEvaluatorList can be empty. Is this normative? Reply: KB Fixed. This comment is in reference to the Information Model. Yes, it’s normative. Page: 21 [dsf13][Errata] The specification of AccessDecision as a singleton contradicts the 1..* multiplicity on the aggregate side of the relationship between AccessDecisionAdmin and AccessDecision in the UML diagram. If there can only be one instance of AccessDecision, then an AccessDecisionAdmin instance cannot be associated with more than one AccessDecision instance. [Errata] Similarly, specifying PolicyEvaluatorLocator as a singletoncontradicts the multiplicity on the aggregate side of PolicyEvaluatorLocator's relationships with PolicyEvaluatorLocatorBasicAdmin and PolicyEvaluatorLocatorPatternAdmin. [Errata] Also, this section says nothing about which administrative interfaces are singletons. For example: Since AccessDecision is a singleton, and since the UML computatonal model says that an AccessDecision is associated with exactly one AccessDecisionAdmin, this would suggest (but not technically require) that AccessDecisionAdmin is also a singleton. Thinking about the functionality, since what an AccessDecisionAdmin does is encapsulate references to the singleton PolicyEvaluator Locator and to the singleton DynamicAttributeService, logically AccessDecisionAdmin should be a singleton. Reply: KB Fixed. Comment in response to statement found in the Computational Model – “Among runtime interfaces, AccessDecision, PolicyEvaluatorLocator, and DynamicAttributeService are singletons.” This can be found in section 1.2.4, page 1-8 of the draft Adopted Specification. Page: 23 [dsf14][FTF] Grammar. Reply: This grammar error was found in a section referring to “scope of this submission” which does not exist in the draft Adopted Specification. Page: 26 [dsf15][Errata] This seems to imply by omission that value_string is allowed to be empty. If this is so, then it should be reflected in the UML diagram by specifying the multiplicity of value_string attribute as [0..1]. To do this, change "value_string: string" to "value_string [0..1] : string". Note that a multiplicity of [1] or [1..1] is the UML default for attributes. Quoting from the UML notation guide (ad/97-08- 05): Note that a multiplicity of 0..1 provides for the possibility of null values: the absence of a value, as opposed to a particular value from the range. For example, the following declaration permits a dis-tinction between the null value and the empty string: name [0..1]: String Reply: KB Fixed. This comment in reference to definition for ResourceNameComponent – “A datum element of this type is invalid if the name_string member has empty value”. This can be found in section 2.2.2, page 2-5 of the draft Adopted Specification. Page: 26 [dsf16][Errata] Should be ResourceNameComponentList Reply: KB Fixed. Page: 26 [dsf17][Errata] How is valid syntax defined? Reply: KB Fixed. The comment was in response to the definition for ResourceName. KB removed the statement about invalid syntax of ResourceNamingAuthority and added description of the data type. Page: 27 [dsf18]Why is NamedPolicyEvaluator not an interface that subtypes PolicyEvaluator? Why is it done this way, i.e. by containment rather than by subtyping? Is there a need to have the ability to provide the same PolicyEvaluator instance a different name in different contexts? Reply: This is issue 3178C. Comment is referring to the struct NamedPolicyEvaluator in the “Types associated with evaluating Access Policy.” This can be found in section 2.2.3, page 2-6 of the draft Adopted Specification. KB replied: NamedPolicyEvaluator data type is passed as an argument of invocations on DecisionCombinator. It could be an OBV. What do we gain if we make it an OBV instead of a struct? Page: 27 [dsf19][Errata] This contradicts the UML diagram, which says that a PolicyNameList is a composition of 0..* PolicyName instances. To align the UML diagram with this text, the multiplicity should be changed to 1..*. Reply: KB Fixed. This comment is referring to text associated with PolicyNameList. Page: 28 [dsf20]{Errata] Then the UML diagram should show the multiplicity of evaluator_name as [0..1]. Reply: KB Fixed. This comment is referring to text associated with NamedPolicyEvaluator. Page: 28 [dsf21][Errata] No such operation mentioned anywhere else in this document or in the revised IDL. Reply: KB Fixed. Referring to get_policy_evaluators. Page: 28 [dsf22][Errata] This is an operation of PolicyEvaluatorLocatorBasicAdmin, not of PolicyEvaluatorLocatorAdmin which, as previously noted, does not exist. Reply: KB Fixed. Referring to set_default_evaluators. Page: 28 [dsf23][Errata] Which does not exist. These operations are in other interfaces. Reply: KB Fixed. Page: 28 [dsf24][FTF] Replace "method" with "operation". CORBA does not define method. Reply: KB Fixed. Referring to text associated with PolicyEvaluatorList. Page: 29 [dsf25]Call this something other than "ed" to distinguish it from the item in the other exceptions named "ed" which is an ExceptionData. Reply: KB Fixed. Associated with InternalErrorType. Renamed to “it.” Page: 30 [dsf26][Errata] Fatal rather than RadFatal, according to the IDL – references “If the ComponentError is RadFatal, the AccessDecision object must determine if it can continue to process without the component.” [dsf27][Errata] InternalError rathan RadInternalError, according to the IDL. – references “If it cannot, it must throw a RadInternalError.” [dsf28][Errata] Fatal rather than RadFatal, according to the IDL – references “with RadFatal.” Reply: This is issue 3178D. All three of these comments are related to text found under ComponentError in section 2.2.5 Exceptions, on page 2-10 of the draft Adopted Specification. Page: 30 [dsf29][Errata] Spelling of operation name Reply: KB Fixed. Page: 31 [dsf30]Is this a validity rule for all instances of PolicyEvaluatorList? (Note that no validity rules were given for PolicyEvaluatorList.) Reply: In reference to InvalidPolicyNameList found in section 2.2.5 Exceptions, page 2-11 in the draft Adopted Specifications. KB Reply: Not exactly. A duplicate evaluator name may happen when two PolicyEvaluatorLists are associated with the same resource name in such a way that each of them does not have duplicate evaluator name but the union does. So, I’m not sure that if we put this restriction into the definition of PolicyEvaluatorList we can remove it from the description of this exception. Page: 31 [dsf31][FTF] Grammar Reply: KB Fixed. Page: 31 [dsf32][FTF] Grammar Reply: This is issue 3178E. This is in reference to the following sentence under InvalidPolicyEvaluatorList: “first_invalid_element is first named policy evalautor in the invalid list which caused the list to be invalid.” Suggested fix – “ first_invalid_element is the first named policy evaluator in the invalid list which caused the list to be invalid.” This can be found in section 2.2.5 Exceptions, page 2-11 of the draft Adopted Specification. Page: 31 [dsf33][Errata] Instead of "in the invalid list" shouldn't this be "in the PolicyNameList" ? Reply: This is issue 3178F. This comment is in reference to the following sentence under InvalidPolicyNameList: “first_invalid_element is first named policy evaluator in the invalid list which caused the list to be invalid.” This can be found in section 2.2.5 Exceptions, page 2-11 of the draft Adopted Specification. Page: 31 [dsf34][FTF] Grammar Reply: KB Fixed. Page: 31 [dsf35]Why not have an exception specifically for an empty list? Reply: This is issue 3178G. This is in reference to the following sentence under InvalidPolicyEvaluatorList: “If the value of this data member is nil, then the list is invalid not because of a particular element, but because of some other reason (for example, because the list is empty). KB Reply: Carol and Bob, remember we discussed this, and one of you suggested to only have one exception. This is how we removed EmptyPolicyEvaluatorList exception, I believe. Do you guys want it back? This can be found in section 2.2.5 Exceptions, page 2-11 of the draft Adopted Specification. Page: 31 [dsf36][FTF] Grammar Reply: This is issue 3178E. This comment refers to the following sentence found under InvalidPolicyEvaluatorList: “This exception is raised when a policy evalautor list, passed as a part of an operation arguments. This can be found in section 2.2.5 Exceptions, page 2-11. Page: 31 [dsf37][Errata] Spelling of interface name Reply: KB Fixed. Page: 31 [dsf38][Errata] As far as I can see, no specification of what constitutes a valid or invalid datum is provided for PolicyEvaluatorList or for NamedPolicyEveluator, instances of which are members of a PolicyEvaluatorList. Reply: KB Fixed. This comment is in reference to text found in InvalidPolicyEvaluatorList. KB added definition invalidity for PolicyEvaluatorList and for NamedPolicyEvaluator. Page: 31 [dsf39]Same comment as #35 above Reply: This is issue 3178G1. KB replied with the same comment as above. Page: 32 [dsf40][FTF] Elsewhere it was stated that this interface is a singleton. That should be stated here, the site of the primary specification of the interface. Reply: This is issue 3178H. This comment is in reference to the AccessDecision Interface text, which can be found in section 2.3, page 2-12 of the draft Adopted Specification. Page: 32 [dsf41]Note that preconditions such as this one would not have to be repetitively stated for many operations if the definitions of validity were explicitly characterized as invariants. Specification of invariants is a key concept in design by contract. From the standpoint of the computational model (i.e. from the computational viewpoint) invariants constitute universal pre and post conditions for all operations, although not every invariant is directly relevant to every operation. Since this document provides validity criteria for most (it’s missing for a few) of the types, this work (i.e. formal specification of invariants) is mostly done. A few small adjustments would tie this all neatly together: 7 [FTF] Explicitly label the validity rules as invariants. 7 [FTF] Add a statement to the section on pre/postcondition semantics noting that the invariants are considered to be pre and postconditions for all operations. 7 [FTF] Remove the pre and postconditions that thus become redundant. (Note that this document is not consistent in repeating such validity rules as preconditions. For example, the set_evaluators( ) operation of PolicyEvaluationLocatorNameAdmin requires a ResoureName as input, yet does not specify any preconditions.) Reply: This is issue 3178I. This comment is in reference to the preconditions found under access_allowed(). You can find this in section 2.3, on page 2-13 of the draft Adopted Specifications. Page: 33 [dsf42][FTF] Grammar Reply: This is issue 3178G2. This comment is in reference to the following sentence found under postconditions of multiple_access_allowed(): “Where an authorization decision ==authorization decision for the requested operation on the specified resource name by a principal with the specified security attributes. This can be found in section 2.3, on page 2-13 of the draft Adopted Specification. Page: 33 [dsf43][FTF] Elsewhere it was stated that this interface is a singleton. That should be stated here, the site of the primary specification of the interface. Reply: This is issue 3178H2. This comment is in reference to the DynamicAttributeService Interface text, which can be found in section 2.4, page 2-13 of the draft Adopted Specification. Page: 33 [dsf44][FTF] This is stated rather imprecisely. It should say something to the effect that, in addtion to adding new attributes, the orginal attributes can be altered. Reply: This is issue 3178J. This comment is in reference to the following sentence under get_dynamic_attributes(): “In addition, the returned AttributeList may be modified by this service.” This can be found in section 2.4, page 2-14 of the draft Adopted Specification. Page: 33 [dsf45][FTF] Grammar Reply: This is issue 3178G3. This comment is in reference to the following sentence under get_dynamic_attributes(): “The service may add or remove SecAttributes to this list.” This can be found in section 2.4, page 2-14 of the draft Adopted Specification. Page: 34 [dsf46][FTF] Elsewhere it was stated that this interface is a singleton. That should be stated here, the site of the primary specification of the interface. Reply: This is issue 3178H3. This comment is in reference to the PolicyEvaluatorLocator Interface text, which can be found in section 2.5, page 2-14 of the draft Adopted Specification. Page: 34 [dsf47][FTF] Grammar Reply: This is issue 3178G4. This comment is in reference to following sentence found under get_policy_decision_evaluators(): “A PolicyDecisionEvaluators structure, which contains a list of NamedPolicyEvaluator consisting of the names of the PolicyEvaluators and their object references, and the DecisionCombinator object reference for the resource is returned to the client.” This can be found in section 2.5, page 2-15 of the draft Adopted Specification. Page: 34[dsf48][FTF] Oddly phrased. Seems more appropriate for the bulk of this to be re-cast as a postcondition. Reply: This is issue 3178K. This comment is in reference to the following sentence found under get_policy_decision_evaluators(): “A PolicyDecisionEvaluators structure, which contains a list of NamedPolicyEvaluator consisting of the names of the PolicyEvaluators and their object references, and the DecisionCombinator object reference for the resource is returned to the client.” This can be found in section 2.5, page 2-15 of the draft Adopted Specification. Page: 34 [dsf49][FTF] Spelling Reply: KB Fixed. Page: 35 [dsf50]Why is the return binary whereas evaluate( ) returns a ternary? Reply: This comment is in reference to the boolean combine_decisions found in the DecisionCombinator interface, section 2.6, page 2-15 of the draft Adopted Specification. KB Reply – because it is a final decision, which could not have “don’t know” result. Page: 35 [dsf51][FTF] Grammar Reply: This is issue 3178G5. This comment is in reference to the following sentence found in the text directly beneath the DecisionCombinator interface idl: “The DecisionCombinator interface is used to encapsulate the policy for the way that decisions of multiple PolicyEvaluators is combined.” This can be found in section 2.6, page 2-15 of the draft Adopted Specification. Page: 36 [dsf52][Errata] The definition of PolicyEvaluatorList did not specify validity rules Reply: KB Fixed. Page: 36 [dsf53][FTF] It should be possible to state a postcondition here, as is done for the access_allowed( ) and evaluate( ) operations. Reply: This is issue 3178L. This is in reference to the statement that there are no postconditions for combine_decisions. This can be found in section 2.6, page 2-17 of the draft Adopted Specification. Page: 37 [dsf54]Why aren't these four operations modeled as two attributes? Reply: This is issue 3178M. This is in reference to AccessDecisionAdmin interface. KB: Carol or Bob, will you explain? This can be found in section 2.8, page 2-18 of the draft Adopted Specification. Page: 38 [dsf55][FTF] The rules in these two sentences could (and probably should) be framed as postconditions for get_policy_decision_evaluators. Reply: . This is issue 3178K2. This comment is in reference to the following sentence under set_default_evaluators: “Default evaluators are overridden by the add_evaluators() or replace_evaluators() methods. The default evaluators will be returned by the PolicyEvaluatorLocator get_policy_decision_evaluators() method when no PolicyEvaluators have been explicitly assigned for a ResourceName.” This can be found in section 2.8, page 2-20 of the draft Adopted Specification. Page: 38 [dsf56][FTF] This way of specifying the postcondition would be more rigorous if default_evaluators were formally defined as a role of PolicyEvaluationList in a relationship between PolicyEvaluatorLocator and PolicyEvaluationList. The relationship and role could be defined via UML notation or by textual means. This same approach could be applied to many of the postconditions that follow. Reply: This is issue 3178O. This comment is in reference to the postcondition stated under set_default_evaluators, which can be found in section 2.8, page 2-20 of the draft Adopted Specification. Page: 39 [dsf57][FTF] The explanation above of set_default_evaluators( ) stated how the defaults are overridden. For consistency it should be stated here how the default DecisionCombinator is overridden. Reply: This is issue 3178P. This comment is in reference to set_default_combinator, which can be found in section 2.8, page 2-20 of the draft Adopted Specification. Page: 39 [dsf58][FTF] This rule should probably be framed as a postcondition for get_policy_decision_evaluators. Reply: This is issue 3178K3. This comment is in reference to the following sentence found under set_default_combinator: “This combinator will be returned by the PolicyEvaluatorLocator get_policy_decision_evaluators() method for these resources. This can be found in section 2.8, page 2-20 of the draft Adopted Specification. Page: 39 [dsf59][FTF] The declaration that the operation raises this exception appears to be defining how the object behaves when a precondition is not met, which contradicts the policy stated at the outset that such behavior is undefined. (Although "ResourceName is valid" is not stated as a precondition for this operation, this omission is inconsistent, as has already been pointed out, with other operations that require a ResourceName in-parameter. Truly, this validity requirement is a precondition.) Reply: This is issue 3178N. This comment is in reference to InvalidResourceName found in the PolicyEvaluatorLocatorNameAdmin interface, section 2.10, page 2-21 of the draft Adopted Specification. Page: 39 [dsf60][Errata] I believe this should be ResourceName rather than ResourceNamePattern. Ditto for the remainder of the operations in this interface. Reply: This is issue 3178Q. This comment is in reference to the PolicyEvaluatorLocatorNameAdmin interface, which can be found in section 2.10, page 2-21 of the draft Adopted Specification. Page: 43 [dsf61][FTF] Should be singular. Reply: This is issue 3178R. This comment is in reference to ResourceNamePatterns found in the following sentence under the PolicyEvaluatorLocatorPatternAdmin interface: “The PolicyEvaluatorLocatorPatternAdmin object is used to associate PolicyEvaluators with a ResourceNamePatterns.” This is the first sentence under the PolicyEvaluatorLocatorPatternAdmin interface idl in section 2.11, page 2-25 of the draft Adopted Specification. Page: 43 [dsf62]This seems to suggest that in order for a name_string to conform to this second kind, must literally be equal to "*". However, the presentation given to CORBAmed shows that it can contain "*" but not literally be "*". The example in the presentation was something like "Red.*" Reply: This is issue 3178S. This comment is in reference to the following sentence under the second kind of ResourceNameComponent: “MATCHES_AS_GRE – returns “yes” if the string provided by first argument matches another string provided by second argument, where the second string is interpreted according to regular expression syntax specified in the definition of ResourceNamePattern type on Page Error! Bookmark not defined., otherwise “no.” This can be found in section 2.11, page 2-26 of the draft Adopted Specification. Page: 43 [dsf63]Same comment as previous--value_string doesn't have to literally be equal to "*". Reply: I cannot locate this comment in the document. Page: 44 [dsf64][Errata] Despite the helpful diagram, the pattern matching logic is hard to comprehend. I feel it imperative that several concrete examples be provided. Reply: This is issue 3178T. This comment is in reference to the following paragraph found under the PolicyEvaluatorLocatorPatternAdmin interface: “MATCHES_AS_GRE – returns “yes” if the string provided by first argument matches another string provided by second argument, where the second string is interpreted according to regular expression syntax specified in the definition of ResourceNamePattern type on Page Error! Bookmark not defined., otherwise “no.” KB Reply – Carol, I will try to go back to you with some examples by Wednesday. This can be found in section 2.11, page 2-26 of the draft Adopted Specification. Page: 46 [dsf65][Errata] Unclear Reply: This is issue 3178U. This comment is in reference to the following sentence found under the definition of register_resource_name_patter: “Since a ResourceName is a ResourceNamePattern, ResourceNames must also be registered if these administrative interfaces are administer evaluators and combinators.” This can be found in section 2.11, page 2-26 of the draft Adopted Specification. Page: 49 [dsf66][Errata] In the postcondition this is called "policy_name" (singular), which is more logical. Reply: This is issue 3178V. This comment is referring to the fact that in the idl, “policy_name has an “s” on the end – policy_names. This can be found in section 2.12, page 2-30 of the draft Adopted Specification. Page: 49 [dsf67][FTF] Should be included in the postconditions. Reply: This is issue 3178W. This comment is in reference to the following statement found under set_policies: “If a single PolicyName of NO_ACCESS_POLICY is specified, then all policy is removed for the resource. This can be found in section 2.12, page 2-30 of the draft Adopted Specification. Page: 50 [dsf68][Errata] Unclear. Does this mean all PolicyNames that have been input via set_policies( ), add_policies( ), and set_default_policy( ) and that have not been removed via delete_policies( )? Or does it mean all PolicyNames that exist in the system even if they haven't been attached via this interface? I would presume the former, but this should be clarified. Reply: KB Fixed. This comment is in reference to the following sentence found under list_policies: “A list of all existing PolicyNames is returned to the client.” KB Reply: A list of all policies that this instance of PolicyEvaluator supports is returned by this operation. In the draft Adopted Specification, this sentence now is: “A list of names of all policies supported by this instance of PolicyEvaluator is returned to the client.” This can be found in section 2.12, page 2-31 of the draft Adopted Specification. Page: 51 [dsf69][FTF] Attribute, not data member Reply: This is issue 3178X. This comment is in reference to the following sentence found under Conformance Classes: “In this case pattern_admin data member of PolicyEvaluatorLocator interface implementation must have value null.” This can be found in section 2.13, page 2-32 of the draft Adopted Specification. Page: 61 [dsf70][FTF] This is the first time in the document that we've seen an example of a ResourceName. I recommend enhancing the usage scenario in the previous section to similarly show the anatomy of the ResourceName being used in the example. Reply: Issue 3178Y. This comment is in reference to the following sentence found in Appendix C: “create RAD resource names according to the following rules:” This can be found on page C-2 of the draft Adopted Specifications. Page: 62 [dsf71]It might be a good idea for ResourceNameComponent to have a boolean data item indicating whether the component is mandatory or optional. Reply: This is issue 3178Z. This comment is in reference to the following sentence found under Appendix C, #5: “all other elements of ResourceName data member resource_name_component_list are optional.” This can be found on page C-2 of the draft Adopted Specifications.
Actions taken:
January 5, 2000: received issue
January 9, 2001: closed issue

Discussion: 
Sub-Issue No: 3178A
It isn't clear what the notation in these two diagrams is. They don't seem to be
officially any of the standard UML diagrams.
Clarification:
This comment is in reference to the text in the Access Decision Model, which
can be found in section 1.2.1 of the draft Adopted Specification, page 1-4.
Resolution:
Reject. No change. The diagram was not intended to be UML. It is illustrative;
the specification is fully defined in the text.
Revised Text: None.
Sub-Issue No: 3178B
Why is this discussion under the administrative model rather than the access
decision model?
Clarification:
This comment is found at the end of the following sentence: "This combinator
is responsible for taking the results of the PolicyEvaluators
evaluate() method and making a final access decision" This can be located in section 1.2.2 Administrative Model, on page 1-5 of the draft
Adopted Specification (3rd paragraph).
Resolution:
Move the sentence "This combinator is responsible for taking the results of
the PolicyEvaluators evaluate() method and making a final access
decision" from section 1.2.2 to section 1.2.1 as the last sentence in the
section.
Revised Text: see resolution description.
Sub-Issue No: 3178C
Why is NamedPolicyEvaluator not an interface that subtypes
PolicyEvaluator? Why is it done this way, i.e. by containment rather than
by subtyping? Is there a need to have the ability to provide the same
PolicyEvaluator instance a different name in different contexts?
Clarification:
Comment is referring to the struct NamedPolicyEvaluator in the
"Types associated with evaluating Access Policy." This can be found in
section 2.2.3, page 2-6 of the draft Adopted Specification.
Resolution:
Reject. No change.
Revised Text: None
Sub-Issue No: 3178E, F, and G1
Sub-Issue 3178E [FTF] Grammar
Sub-Issue 3178F [Errata] Instead of "in the invalid list" shouldn’t this be "in the
PolicyNameList"
Issue 3178G1 states: Same comment as #35 above (3178F).
Clarification:Clarification (3178E). This is in reference to the following sentence under
InvalidPolicyEvaluatorList: "first_invalid_element is first
named policy evaluator in the invalid list which caused the list to be invalid."
This can be found in section 2.2.5 Exceptions, page 2-11 of the draft Adopted
Specification.
Clarification (3178F) and references the same sentence in 3178E.
Clarification (3178G1). KB replied with the same comment as
above.
Resolution:
Proposed resolution to all: change referenced statement to read
"first_invalid_element is the first named policy evaluator in the
PolicyNameList which caused the list to be invalid."
Revised Text: see resolution description.
Sub-Issue No: 3178EE
Grammar
Clarification:
This comment refers to the following sentence found under
InvalidPolicyEvaluatorList: "This exception is raised when a policy
evaluator list, passed as a part of an operation arguments.” This can be found
in section 2.2.5 Exceptions, page 2-11.
Resolution:
Change sentence to read: "This exception is raised when a
PolicyEvaluatorList contains invalid elements".
Revised Text: see resolution description.
Sub-Issue No: 3178G2 Grammar
Clarification:
This comment is in reference to the following sentence found under
postconditions of multiple_access_allowed(): "Where an
authorization decision ==authorization decision for the requested operation on
the specified resource name by a principal with the specified security
attributes. This can be found in section 2.3, on page 2-13 of the draft Adopted
Specification.
Resolution:
Remove the offending sentence fragment.
Revised Text: see resolution description.
Sub-Issue No: 3178G3
Grammar
Clarification:
This comment is in reference to the following sentence under
get_dynamic_attributes(): "The service may add or remove
SecAttributes to this list." This can be found in section 2.4, page 2-14 of
the draft Adopted Specification.
Resolution:
Change the text to read "The service may add SecAttributes to this list, or
remove SecAttributes from this list."
Revised Text: see resolution description.
Sub-Issue No: 3178G4
Grammar
Clarification: This comment is in reference to following sentence found under
get_policy_decision_evaluators(): "A
PolicyDecisionEvaluators structure, which contains a list of
NamedPolicyEvaluator consisting of the names of the
PolicyEvaluators and their object references, and the
DecisionCombinator object reference for the resource is returned to the
client." This can be found in section 2.5, page 2-15 of the draft Adopted
Specification.
Resolution:
Remove the sentence and replace it with the following "A
PolicyDecisionEvaluators structure is returned to the client. A
PolicyDecisionEvaluators structure contains a
PolicyEvaluatorList and the DecisionCombinator."
Revised Text: see resolution description.
Sub-Issue No: 3178G5
Grammar
Clarification:
This is issue 3178G. This comment is in reference to the following sentence
found in the text directly beneath the DecisionCombinator interface idl:
"The DecisionCombinator interface is used to encapsulate the policy for
the way that decisions of multiple PolicyEvaluators is combined." This
can be found in section 2.6, page 2-15 of the draft Adopted Specification.
Resolution:
Change the sentence to read: "The DecisionCombinator interface is used
to encapsulate a policy for combining decisions of multiple consulted
PolicyEvaluators that may disagree."
Revised Text: see resolution description.
Sub-Issue No: 3178H Elsewhere it was stated that this interface is a singleton. That should be
stated here, the site of the primary specification of the interface.
Clarification:
This comment is in reference to the AccessDecision Interface text, which
can be found in section 2.3, page 2-12 of the draft Adopted Specification.
Resolution:
Add the word "singleton" before the word object in the first sentence of
section 2.3, page 2-12. "The singleton Access Decision object..."
Revised Text: see resolution description.
Sub-Issue No: 3178H2
Elsewhere it was stated that this interface is a singleton. That should be
stated here, the site of the primary specification of the interface.
Clarification:
This comment is in reference to the DynamicAttributeService Interface
text, which can be found in section 2.4, page 2-13 of the draft Adopted
Specification.
Resolution:
Reject. No change. Although only one DynamicAttributeService
reference is held at a time by a RAD, the object may be replaced by an
alternate. The specification makes this clear.
Revised Text: None
Sub-Issue No: 3178H3
Elsewhere it was stated that this interface is a singleton. That should be
stated here, the site of the primary specification of the interface.
Clarification: This comment is in reference to the PolicyEvaluatorLocator Interface
text, which can be found in section 2.5, page 2-14 of the draft Adopted
Specification.
Resolution:
Reject. No change. Although only one PolicyEvaluatorLocator
reference is held at a time by a RAD, the object may be replaced by an
alternate. The specification makes this clear.
Revised Text: None
Sub-Issue No: 3178I
Note that preconditions such as this one would not have to be repetitively
stated for many operations if the definitions of validity were explicitly
characterized as invariants. Specification of invariants is a key concept in
design by contract. From the standpoint of the computational model (i.e. from
the computational viewpoint) invariants constitute universal pre and post
conditions for all operations, although not every invariant is directly relevant to
every operation. Since this document provides validity criteria for most (it’s
missing for a few) of the types, this work (i.e. formal specification of
invariants) is mostly done. A few small adjustments would tie this all neatly
together:
7 [FTF] Explicitly label the validity rules as invariants.
7 [FTF] Add a statement to the section on pre-postcondition semantics noting
that the invariants are considered to be pre and postconditions for all
operations.
7 [FTF] Remove the pre and postconditions that thus become redundant.
(Note that this document is not consistent in repeating such validity rules as
preconditions. For example, the set_evaluators() operation of
PolicyEvaluationLocatorNameAdmin requires a ResoureName as
input, yet does not specify any preconditions.)
Clarification:
This comment is in reference to the preconditions found under
access_allowed(). You can find this in section 2.3, on page 2-13 of the
draft Adopted >Specifications.
Resolution:
Reject this issue. This was not an issue for implementors.
Revised Text: None Sub-Issue No: 3178K
Oddly phrased. Seems more appropriate for the bulk of this to be re-cast as a
postcondition
Clarification:
This comment is in reference to the following sentence found under
get_policy_decision_evaluators(): "A
PolicyDecisionEvaluators structure, which contains a list of
NamedPolicyEvaluator consisting of the names of the
PolicyEvaluators and their object references, and the
DecisionCombinator object reference for the resource is returned to the
client." This can be found in section 2.5, page 2-15 of the draft Adopted
Specification.
Resolution:
This is resolved by the proposed resolution to issue 3178G4 (same
sentence).
Revised Text: None
Sub-Issue No: 3178K2
The rules in these two sentences could (and probably should) be framed as
postconditions for get_policy_decision_evaluators.
Clarification:
This comment is in reference to the following sentence under
set_default_evaluators: "Default evaluators are overridden by the
add_evaluators() or replace_evaluators() methods. The default
evaluators will be returned by the PolicyEvaluatorLocator
get_policy_decision_evaluators() method when no
PolicyEvaluators have been explicitly assigned for a ResourceName."
This can be found in section 2.8, page 2-20 of the draft Adopted Specification.
Resolution:
Reject the request to express this as a postcondition as this was not an issue
for implementors. Change the referenced sentence to read: "Default
evaluators are overridden by the add_evaluators() or replace_evaluators() operations. The default evaluators will be returned
by the PolicyEvaluatorLocator
get_policy_decision_evaluators() operation when no
PolicyEvaluators have been explicitly assigned for a ResourceName."
This fixes incorrect terminology.
Revised Text: See resolution
Sub-Issue No: 3178K3
This rule should probably be framed as a postcondition for
get_policy_decision_evaluators.
Clarification:
This comment is in reference to the following sentence found under
set_default_combinator: "This combinator will be returned by the
PolicyEvaluatorLocator get_policy_decision_evaluators()
method for these resources. This can be found in section 2.8, page 2-20 of
the draft Adopted Specification.
Resolution:
This was not an issue for implementors. Reject request to frame as a
postcondition. Change, however, the sentence to read: "This combinator will
be returned by the PolicyEvaluatorLocator
get_policy_decision_evaluators() operation for these resources."
Revised Text: see resolution
Sub-Issue No: 3178L
It should be possible to state a postcondition here, as is done for the
access_allowed() and evaluate() operations.
Clarification:
This is in reference to the statement that there are no postconditions for
combine_decisions. This can be found in section 2.6, page 2-17 of the
draft Adopted Specification.
Resolution: Reject. No Change. The return from the operation is a Boolean. There were
no issues for implementors that no postcondition was stated.
Revised Text: None
Sub-Issue No: 3178M
Why aren’t these four operations modeled as two attributes?
Clarification:
This is in reference to AccessDecisionAdmin interface. This can be found
in section 2.8, page 2-18 of the draft Adopted Specification.
Resolution:
Not an issue. No change.
Revised Text: None
Sub-Issue No: 3178N
The declaration that the operation raises this exception appears to be defining
how the object behaves when a precondition is not met, which contradicts the
policy stated at the outset that such behavior is undefined. (Although
"ResourceName is valid" is not stated as a precondition for this operation,
this omission is inconsistent, as has already been pointed out, with other
operations that require a ResourceName in-parameter. Truly, this validity
requirement is a precondition.)
Clarification:
This is issue 3178N. This comment is in reference to
InvalidResourceName found in the
PolicyEvaluatorLocatorNameAdmin interface, section 2.10, page 2-21
of the draft Adopted Specification.
Resolution:
No change. The exception is needed.
Revised Text: None Sub-Issue No: 3178O
This way of specifying the postcondition would be more rigorous if
default_evaluators were formally defined as a role of
PolicyEvaluationList in a relationship between
PolicyEvaluatorLocator and PolicyEvaluationList. The
relationship and role could be defined via UML notation or by textual means.
This same approach could be applied to many of the postconditions that
follow.
Clarification:
This comment is in reference to the postcondition stated under
set_default_evaluators, which can be found in section 2.8, page 2-20
of the draft Adopted Specification.
Resolution:
Not an issue for implementors. No change.
Revised Text: None
Sub-Issue No: 3178P
The explanation above of set_default_evaluators() stated how the
defaults are overridden. For consistency it should be stated here how the
default DecisionCombinator is overridden.
Clarification:
This comment is in reference to set_default_combinator, which can be
found in section 2.8, page 2-20 of the draft Adopted Specification.
Resolution:
Delete the sentence that is referenced as saying how defaults are overridden.
The sentence to remove is in the first paragraph of page 2-20 and starts:
"Default evaluators may be overridden by the ..." One of the operations listed
is no longer in the spec (replace_evaluators). How evaluators and
combinators are replaced is explained elsewhere in the specification. This will
resolve the consistency issue and fix the reference.
Revised Text: See resolution Sub-Issue No: 3178Q
I believe this should be ResourceName rather than
ResourceNamePattern. Ditto for the remainder of the operations in this
interface.
Clarification:
This comment is in reference to the
PolicyEvaluatorLocatorNameAdmin interface, which can be found in
section 2.10, page 2-21 of the draft Adopted Specification.
Resolution:
Accept. Change every instance of the parameter "in
ResourceNamePattern" in operations of the interface
PolicyEvaluatorLocatorNameAdmin to "in ResourceName". Change
any supporting text in section 2.10 and the complete IDL.
Revised Text:
Sub-Issue No: 3178R
Should be singular.
Clarification:
This comment is in reference to ResourceNamePatterns found in the
following sentence under the PolicyEvaluatorLocatorPatternAdmin
interface: "The PolicyEvaluatorLocatorPatternAdmin object is used
to associate PolicyEvaluators with a ResourceNamePatterns." This is
the first sentence under the PolicyEvaluatorLocatorPatternAdmin
interface idl in section 2.11, page 2-25 of the draft Adopted Specification.
Resolution:
Change the sentence to read: "The
PolicyEvaluatorLocatorPatternAdmin object is used to associate
PolicyEvaluators with a ResourceNamePattern."
Revised Text: see resolution
Sub-Issue No: 3178S This seems to suggest that in order for a name_string to conform to this
second kind, must literally be equal to "*". However, the presentation given to
CORBAmed shows that it can contain "*" but not literally be "*". The example
in the presentation was something like "Red.*"
Clarification:
This comment is in reference to the following sentence under the second kind
of ResourceNameComponent: "The second kind of
ResourceNameComponent which can occur in a pattern is a component
wildcard pattern: -name_string is "*" ; value_string is "*"" This can be
found in section 2.11, page 2-26 of the draft Adopted Specification.
Resolution:
The specification is correct. The second kind of ResourceNameComponent
(wildcard) requires that both name and value be precisely "*". To clarify this,
change the bullets on page 2-26 to read:
- name_string exactly matches "*" and
- value_string exactly matches "*"
Revised Text: see resolution
Sub-Issue No: 3178T
Despite the helpful diagram, the pattern matching logic is hard to
comprehend. I feel it imperative that several concrete examples be provided.
Clarification:
This comment is in reference to the following paragraph found under the
PolicyEvaluatorLocatorPatternAdmin interface: "MATCHES_AS_GRE
returns "yes" if the string provided by first argument matches another string
provided by second argument, where the second string is interpreted
according to regular expression syntax specified in the definition of
ResourceNamePattern type on Page 26, otherwise "no.". Also, the "helpful
diagram" is missing in the draft adopted spec. Our feeling is that with the
diagram the algorithm is understandable.
Resolution:
1) Change the wording of the above sentence to read: "MATCHES_AS_GRE returns "yes" if the resource "name" matches the
resource name "pattern", where the "pattern" is interpreted according to the
regular expression syntax specified in the definition of
ResourceNamePattern in section 2.2.2 page 2-5.
2) Insert the diagram containing the algorithm (this is contained in the same
section of the revised submission corbamed/99-04-05 - an editing error
removed it from the draft submission) after the sentence on page 2-26 "A
resource name matches a pattern if and only if the algorithm shown in the
figure below returns MATCH."
Revised Text: see resolution
Sub-Issue No: 3178U
Unclear
Clarification:
This comment is in reference to the following sentence found under the
definition of register_resource_name_pattern: "Since a
ResourceName is a ResourceNamePattern, ResourceNames must also
be registered if these administrative interfaces are administer evaluators and
combinators." This can be found in section 2.11, page 2-26 of the draft
Adopted Specification.
Resolution:
Change the sentence to read: "Since a ResourceName is a
ResourceNamePattern, ResourceNames must also be registered if these
administrative interfaces are used to administer evaluators and combinators."
Revised Text: see resolution
Sub-Issue No: 3178V
In the postcondition this is called "policy_name" (singular), which is more
logical.
Clarification:
This comment is referring to the fact that in the IDL, "policy_name has an
"s" on the end policy_names. This can be found in section 2.12, page 2-30
of the draft Adopted Specification. Resolution:
No change. Editor can’t find the offending postcondition.
Revised Text: None
Sub-Issue No: 3178W
Should be included in the postconditions.
Clarification:
This comment is in reference to the following statement found under
set_policies: "If a single PolicyName of NO_ACCESS_POLICY is
specified, then all policy is removed for the resource. This can be found in
section 2.12, page 2-30 of the draft Adopted Specification.
Resolution:
State in the postcondition that if PolicyName == NO_ACCESS_POLICY then
no policy exists for the resource.
Revised Text: see resolution
Sub-Issue No: 3178X
Attribute, not data member.
Clarification:
This comment is in reference to the following sentence found under
Conformance Classes: "In this case pattern_admin data member of
PolicyEvaluatorLocator interface implementation must have value null."
This can be found in section 2.13, page 2-32 of the draft Adopted
Specification.
Resolution:
Change the sentence to read: "In this case the pattern_admin attribute of
the PolicyEvaluatorLocator interface implementation must be/return
null."
Revised Text: see resolution Sub-Issue No: 3178Y
This is the first time in the document that we’ve seen an example of a
ResourceName. I recommend enhancing the usage scenario in the previous
section to similarly show the anatomy of the ResourceName being used in
the example.
Clarification:
This comment is in reference to the following sentence found in Appendix C:
"create RAD resource names according to the following rules:" This can be
found on page C-2 of the draft Adopted Specifications.
Resolution:
Reject. No change. This is an example, not part of the normative part of the
spec.
Revised Text: None
Sub-Issue No: 3178Z
It might be a good idea for ResourceNameComponent to have a boolean
data item indicating whether the component is mandatory or optional.
Clarification:
This comment is in reference to the following sentence found under Appendix
C, #5: "all other elements of ResourceName data member
resource_name_component_list are optional." This can be found on
page C-2 of the draft Adopted Specifications.
Resolution:
Reject.
Revised Text: None
Disposition: Resolved
Disposition Parameter: None

Issue 3211: RAD idl problems (rad-ftf)

Click here for this issue's archive.
Nature: Uncategorized Issue
Severity:
Summary: 
>You have probably already caught these problems. Just in case you haven't I
>am sending a modified copy. Mainly problems with missing or extra forward
>declarations.
>
>You can probably ignore the 'include "cds_patches.idl". We are not using a
>2.3 orb so we had to define some types that were needed by the 2.3
>security.idl.

Resolution: resolved
Revised Text: Change the list of forwards (starting with the first one below and continuing to the end of the section labeled "Basic Types" in the idl DfResourceAccessDecision file) to read as follows: interface DynamicAttributeService; interface DecisionCombinator; interface PolicyEvaluator; interface PolicyEvaluatorAdmin; interface PolicyEvaluatorLocatorBasicAdmin; interface PolicyEvaluatorLocatorNameAdmin; interface PolicyEvaluatorLocatorPatternAdmin; X-Sender: carolbrt@mindspring.com X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0 Date: Tue, 11 Jan 2000 23:48:33 -0600 To: issues@omg.org From: Carol Burt <cburt@2ab.com> Subject: Fwd: RAD idl problems Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="=====================_947677713==_" X-UIDL: M%:e9VB!!!UG*!!TDi!! >X-MindSpring-Loop: cburt@2ab.com >From: "Chris White" <cwhite@ic.net> >To: <cburt@2ab.com> >Cc: <jfarmer@ic.net>, "Chris White" <cwhite@ic.net> >Subject: RAD idl problems >Date: Tue, 11 Jan 2000 21:37:21 -0500 >X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) >Importance: Normal > You have probably already caught these problems. Just in case you haven’t I am sending a modified copy. Mainly problems with missing or extra forward declarations. > You can probably ignore the ’include "cds_patches.idl". We are not using a 2.3 orb so we had to define some types that were needed by the 2.3 security.idl. > By the way, we are still working on extensions for policy location using security attributes. > > //File: DfResourceAccessDecision.idl // #ifndef _DF_RESOURCE_ACCESS_DECISION_IDL_ #define _DF_RESOURCE_ACCESS_DECISION_IDL_ //#include "cds_patches.idl" //cds #include "Security.idl" #pragma prefix "omg.org" module DfResourceAccessDecision { //********************************************************* // Basic Types //********************************************************* typedef sequence<boolean> BooleanList; typedef Security::AttributeList AttributeList; interface DynamicAttributeService; interface DecisionCombinator; interface PolicyEvaluator; interface PolicyEvaluatorLocator; // interface PolicyEvaluatorLocatorAdmin; //cds interface PolicyEvaluatorAdmin; interface PolicyEvaluatorLocatorBasicAdmin; // cds interface PolicyEvaluatorLocatorNameAdmin; // cds interface PolicyEvaluatorLocatorPatternAdmin; // cds //********************************************************* // Types that identify a secured resource //********************************************************* struct ResourceNameComponent { string name_string; string value_string; }; typedef sequence<ResourceNameComponent> ResourceNameComponentList; typedef string ResourceNamingAuthority; struct ResourceName { ResourceNamingAuthority resource_naming_authority; ResourceNameComponentList resource_name_component_list; }; typedef ResourceName ResourceNamePattern; typedef string Operation; typedef sequence<Operation> OperationList; //**************************************************** // Types associated with evaluating Access Policy //**************************************************** typedef string PolicyName; typedef sequence<PolicyName> PolicyNameList; const PolicyName NO_ACCESS_POLICY = "NO_ACCESS_POLICY"; struct NamedPolicyEvaluator { string evaluator_name; PolicyEvaluator policy_evaluator; }; typedef sequence<NamedPolicyEvaluator> PolicyEvaluatorList; struct PolicyDecisionEvaluators { PolicyEvaluatorList policy_evaluator_list; DecisionCombinator decision_combinator; }; //**************************************************** // Types used to request an Access Decision //**************************************************** struct AccessDefinition { ResourceName resource_name; Operation operation; }; typedef sequence<AccessDefinition> AccessDefinitionList; enum DecisionResult {ACCESS_DECISION_ALLOWED, ACCESS_DECISION_NOT_ALLOWED, ACCESS_DECISION_UNKNOWN }; //******************************************************** //* Exception Data types //******************************************************** struct ExceptionData { short error_code; string reason; }; enum InternalErrorType {Fatal, NotFatal}; //********************************************************* // Exception thrown by the Access Decision Object //********************************************************* exception InternalError{InternalErrorType et;}; //********************************************************* // Exception thrown by Internal non-admin interfaces //********************************************************* exception ComponentError{ ExceptionData ed; InternalErrorType et; }; //********************************************************* // Exceptions thrown by Admin Interfaces //********************************************************* exception PatternConflict {ExceptionData ed;}; exception PatternDuplicate {ExceptionData ed;}; exception PatternNotRegistered {ExceptionData ed;}; exception PatternInUse {ExceptionData ed;}; exception InputFormatError {ExceptionData ed;}; exception ResourceNameNotFound {ExceptionData ed;}; exception NoAssociation {ExceptionData ed;}; exception InvalidPolicy {ExceptionData ed;}; exception DuplicateEvaluatorName {ExceptionData ed;}; exception InvalidResourceName {}; exception InvalidResourceNamePattern {}; exception InvalidPolicyEvaluatorList { ExceptionData ed; NamedPolicyEvaluator first_invalid_element; }; exception InvalidPolicyNameList { ExceptionData ed; PolicyName first_invalid_element; }; //**************************************************** // interface AccessDecision //**************************************************** interface AccessDecision { boolean access_allowed( in ResourceName resource_name, in Operation operation, in AttributeList attribute_list ) raises (InternalError); BooleanList multiple_access_allowed( in AccessDefinitionList access_requests, in AttributeList attribute_list ) raises (InternalError); }; //****************************************************** // interface DynamicAttributeService //****************************************************** interface DynamicAttributeService { AttributeList get_dynamic_attributes( in AttributeList attribute_list, in ResourceName resource_name, in Operation operation ) raises (ComponentError); }; //****************************************************** // interface PolicyEvaluatorLocator //****************************************************** interface PolicyEvaluatorLocator { readonly attribute PolicyEvaluatorLocatorBasicAdmin basic_admin; readonly attribute PolicyEvaluatorLocatorNameAdmin name_admin; readonly attribute PolicyEvaluatorLocatorPatternAdmin pattern_admin; PolicyDecisionEvaluators get_policy_decision_evaluators( in ResourceName resource_name ) raises (ComponentError); }; //******************************************************** // interface DecisionCombinator //******************************************************** interface DecisionCombinator{ boolean combine_decisions( in ResourceName resource_name, in Operation operation, in AttributeList attribute_list, in PolicyEvaluatorList policy_evaluator_list ) raises (ComponentError); }; //****************************************************** // interface PolicyEvaluator //****************************************************** interface PolicyEvaluator { readonly attribute PolicyEvaluatorAdmin pe_admin; DecisionResult evaluate( in ResourceName resource_name, in Operation operation, in AttributeList attribute_list ) raises (ComponentError); }; //****************************************************** // // Management Interfaces // //****************************************************** // interface AccessDecisionAdmin //****************************************************** interface AccessDecisionAdmin { PolicyEvaluatorLocator get_policy_evaluator_locator(); void set_policy_evaluator_locator ( in PolicyEvaluatorLocator policy_evaluator_locator ); DynamicAttributeService get_dynamic_attribute_service(); void set_dynamic_attribute_service( in DynamicAttributeService dynamic_attribute_service ); }; //******************************************************* // interface PolicyEvaluatorLocatorBasicAdmin //******************************************************* interface PolicyEvaluatorLocatorBasicAdmin { PolicyEvaluatorList set_default_evaluators( in PolicyEvaluatorList policy_evaluator_list ) raises (DuplicateEvaluatorName, InvalidPolicyEvaluatorList); PolicyEvaluatorList get_default_evaluators(); DecisionCombinator get_default_combinator (); void set_default_combinator( in DecisionCombinator decision_combinator ); }; //******************************************************* // interface PolicyEvaluatorLocatorNameAdmin //******************************************************* interface PolicyEvaluatorLocatorNameAdmin { PolicyEvaluatorList get_evaluators( in ResourceName resource_name ) raises (InvalidResourceName); void set_evaluators ( in PolicyEvaluatorList policy_evaluator_list, in ResourceName resource_name ) raises (InvalidPolicyEvaluatorList, InvalidResourceName, DuplicateEvaluatorName); void add_evaluators ( in PolicyEvaluatorList policy_evaluator_list, in ResourceName resource_name ) raises (InvalidResourceName, InvalidPolicyEvaluatorList, DuplicateEvaluatorName); void delete_evaluators ( in PolicyEvaluatorList policy_evaluator_list, in ResourceNamePattern resource_name ) raises (InvalidResourceName, InvalidPolicyEvaluatorList, DuplicateEvaluatorName); DecisionCombinator get_combinator ( in ResourceNamePattern resource_name ) raises (InvalidResourceName); void set_combinator ( in DecisionCombinator decision_combinator, in ResourceNamePattern resource_name ) raises (InvalidResourceName); void delete_combinator ( in ResourceNamePattern resource_name ) raises (InvalidResourceName); }; //******************************************************* // interface PolicyEvaluatorLocatorPatternAdmin //******************************************************* interface PolicyEvaluatorLocatorPatternAdmin { void register_resource_name_pattern( in ResourceNamePattern pattern ) raises (InvalidResourceNamePattern, PatternDuplicate, PatternConflict); void unregister_resource_name_pattern( in ResourceNamePattern pattern ) raises (InvalidResourceNamePattern, PatternNotRegistered, PatternInUse); PolicyEvaluatorList get_evaluators_by_pattern ( in ResourceNamePattern pattern ) raises (InvalidResourceNamePattern, PatternNotRegistered); void set_evaluators_by_pattern ( in PolicyEvaluatorList policy_evaluator_list, in ResourceNamePattern pattern ) raises (InputFormatError, PatternNotRegistered, DuplicateEvaluatorName); void add_evaluators_by_pattern ( in PolicyEvaluatorList policy_evaluator_list, in ResourceNamePattern pattern raises (InvalidResourceNamePattern, PatternNotRegistered, InvalidPolicyEvaluatorList, DuplicateEvaluatorName); void delete_evaluators_by_pattern ( in PolicyEvaluatorList policy_evaluator_list, in ResourceNamePattern pattern ) raises (InvalidResourceNamePattern, PatternNotRegistered, InvalidPolicyEvaluatorList, DuplicateEvaluatorName); DecisionCombinator get_combinator_by_pattern ( in ResourceNamePattern pattern ) raises (InvalidResourceNamePattern, PatternNotRegistered); void set_combinator_by_pattern ( in DecisionCombinator decision_combinator, in ResourceNamePattern pattern ) raises (InvalidResourceNamePattern, PatternNotRegistered); void delete_combinator_by_pattern ( in ResourceNamePattern pattern ) raises (InvalidResourceNamePattern, PatternNotRegistered); }; //******************************************************* // interface PolicyEvaluatorAdmin //******************************************************* interface PolicyEvaluatorAdmin { void set_policies( in PolicyNameList policy_names, in ResourceName resource_name ) raises (InvalidResourceName, ResourceNameNotFound, InvalidPolicyNameList); void add_policies( in PolicyNameList policy_names, in ResourceName resource_name ) raises (InvalidResourceName, ResourceNameNotFound, InvalidPolicyNameList); void delete_policies( in PolicyNameList policy_names, in ResourceName resource_name ) raises (InvalidResourceName, ResourceNameNotFound, InvalidPolicyNameList, NoAssociation); PolicyNameList list_policies(); PolicyName set_default_policy( in PolicyName policy_name ) raises (InvalidPolicy); }; }; #endif // _DF_RESOURCE_ACCESS_DECISION_IDL_
Actions taken:
January 11, 2000: received issue
January 9, 2001: closed issue

Issue 3253: Number of security policies supporteb by PolicyEvaluator arbitrarily large (rad-ftf)

Click here for this issue's archive.
Source: 2AB (Mr. Bob Burt, bburt(at)2ab.com)
Nature: Uncategorized Issue
Severity:
Summary: 
The number of security policies supported by a PolicyEvaluator could be
arbitrarily large. Because of this the operation "list_policies" in the
PolicyEvaluatorAdmin interface might be changed to:

	PolicyNameIter  list_policies(in num_ret, in max_iter, out
PolicyNameList policy_names);

where max_iter is maximum number of entries held by the iterator, num_ret
is the maximum number of entries returned in the "out PolicyNameList list"
argument, and "policy_names" is sequence of PolicyNames having at most
"num_ret" entries.  If the list of policy names has less than "num_ret"
entries, the iterator will be nil.

The iterator interface would look like:

interface PolicyNameIter {
	long	how_many();

	boolean next_n(in long val, out PolicyNameList policy_names);

	void destroy();
};

Note this technique could be carried to the extreme for all those
operations that return a PolicyEvaluatorList. However, it seems less likely
that one would has assigned large numbers of evaluator in the same way one
might have large numbers of security policies.

Resolution: resolved
Revised Text: Add an iterator to the list_policies operation. PolicyNameList list_policies(in unsigned long seq_max, in unsigned long iter_max, out PolicyNameListIterator iter) raises (TooMany); interface PolicyNameListIterator { unsigned long how_many(); boolean next_one(out PolicyName name); boolean next_n(in unsigned long how_many, out PolicyNameList list); void destroy(); }; NOTE: The operations next_one and next_n return false if there is no PolicyName left to return, return true if a PolicyName or PolicyNameList are returned. NOTE: The TooMany exception if raised for list_policies if the number of PolicyNames found (based on the seq_max and iter_max arguments) exceeds the implementations limit. The implementation limit can be optionally configurable by the implementation.
Actions taken:
January 26, 2000: received issue
January 9, 2001: closed issue

Issue 3254: Invalid IDL (rad-ftf)

Click here for this issue's archive.
Source: 2AB (Mr. Bob Burt, bburt(at)2ab.com)
Nature: Uncategorized Issue
Severity:
Summary: 
In multiple places in the IDL (struct AccessDefinition,
AccessDecision::access_allowed) the following is used:
	
	Operation operation;

This is invalid IDL despite the fact that many IDL compilers accept this
today.

Resolution: resolved
Revised Text: In the DfResourceAccessDecision.idl file: 1) Remove the following line in the IDL: typedef string Operation; 2) Replace all instances of "Operation" with "string" in the IDL and supporting text that references this IDL type. Note that case matters in this replacement.
Actions taken:
January 26, 2000: received issue
January 9, 2001: closed issue

Issue 3255: Use of names in defined exceptions (rad-ftf)

Click here for this issue's archive.
Source: 2AB (Mr. Bob Burt, bburt(at)2ab.com)
Nature: Uncategorized Issue
Severity:
Summary: 
Some of the exceptions defined could use names that are less like to
conflict with standard language objects and thus would not have to be fully
qualified.  For example, InternalError conflicts with
java.lang.InternalError.  Perhaps RadInternalError might be nicer.
ComponentError might be another candidate for RadComponentError.

Resolution: resolved
Revised Text: Issues 3255 and Issue 3178D have been linked. Issue 3255 Summary – Some of the exceptions defined could use names that are less like to conflict with standard language objects and thus would not have to be fully qualified. For example, InternalError conflicts with java.lang.InternalError. Perhaps RadInternalError might be nicer. ComponentError might be another candidate for RadComponentError. Comment: The IDL looked like this at one time. This is the source of issue 3178D where the text uses these names. For some reason the "Rad" prefix was removed in the final editing. Issue 3178D Summary – [Errata] Fatal rather than RadFatal, according to the IDL references "If the ComponentError is RadFatal, the AccessDecision object must determine if it can continue to process without the component." [Errata] InternalError rathan RadInternalError, according to the IDL. references "If it cannot, it must throw a RadInternalError." [Errata] Fatal rather than RadFatal, according to the IDL references "with RadFatal." All three of these comments (for 3178D) are related to text found under ComponentError in section 2.2.5 Exceptions, on page 2-10 of the draft Adopted Specification. Resolution (for both issues): Change the following exception names and all references to them in the text: InternalError to RadInternalError ComponentError to RadComponentError Leave these specific names (RadInternalError and RadComponentError) the same in the sentence referenced in Issue 3178D as they are now correct. Change RadFatal to Fatal in the section referenced by issue 3178D and anywhere else it appears incorrectly (this is an enumerated value, not an Exception).
Actions taken:
January 26, 2000: received issue
January 9, 2001: closed issue

Issue 3256: The exception InputFormatError is only raises by one operation (rad-ftf)

Click here for this issue's archive.
Source: 2AB (Mr. Bob Burt, bburt(at)2ab.com)
Nature: Uncategorized Issue
Severity:
Summary: 
The exception InputFormatError is only raises by one operation,
set_evaluators_by_pattern.  I don't understand why this would not raise the
same exceptions as add_evaluators_by_pattern or
delete_evaluators_by_pattern.  They all have the same input parameters.

Resolution: resolved
Revised Text: Remove the InputFormatError exception from the IDL and all explanatory text. Change the signature of the set_eveluators_by_pattern to throw the same exceptions as add_evaluators_by_pattern and delete_evaluators_by_pattern. See below: Change idl and associated descriptions to: void set_evaluators_by_pattern( in PolicyEvalutatorList policy_evaluator_list, in ResourceNamePattern pattern ) raises (InvalidResourceNamePattern, PatternNotRegistered, InvalidPolicyEvaluatorList, DuplicateEvaluatorName);
Actions taken:
January 26, 2000: receive dissue
January 9, 2001: closed issue

Issue 3257: DynamicAttributeService issue (rad-ftf)

Click here for this issue's archive.
Source: 2AB (Mr. Bob Burt, bburt(at)2ab.com)
Nature: Uncategorized Issue
Severity:
Summary: 
The DynamicAttributeService was designed to allow modification of
SecAttributes prior to locating and using PolicyEvaluators.  These
modifications are application are most likely specific in nature.
Unfortunately the entire service can only have one DynamicAttributeService,
therefore, instance of RAD service have to be partitioned for different
applications.  It might have been better to have associations with
ResouceNames such as was done with PolicyEvaluators.  Another alternative
might have been to associate a DynamicAttributeService with a combinator,
since different resource names can use different combinators this implies
they also could then have different DynamicAttributeServices.  This is
probably not an important issue, but it can dictate how applications must
deploy instances of the service.

Resolution: Close this issue with no change.
Revised Text:
Actions taken:
January 26, 2000: received issue
January 9, 2001: closed issue

Issue 5088: Resource Access Decision Security (rad-ftf)

Click here for this issue's archive.
Source: Cognition Group, Inc. (Dr. David Forslund, nobody)
Nature: Uncategorized Issue
Severity:
Summary: 
It seems to me that RAD may need to use RAD to provide access control over certain ResourceNames (particularly for the administrative interfaces, where some folks may own portions of the ResourceName namespace.  Has anyone tackled this?  It seems to me that it is a useful (and perhaps vital) effort.

Resolution:
Revised Text:
Actions taken:
February 19, 2002: received issue

Issue 5089: Resource Access Decision service (rad-ftf)

Click here for this issue's archive.
Source: Cognition Group, Inc. (Dr. David Forslund, nobody)
Nature: Uncategorized Issue
Severity:
Summary: 
In the text of the RAD document formal/2001-04-01, there is reference to the multiple_evaluate() method
of the PolicyEvaluator interface, but it is not defined in the IDL.

Resolution:
Revised Text:
Actions taken:
February 19, 2002: received issue

Issue 5435: The following operations in the EntityFactory Interface need adjustments (rad-ftf)

Click here for this issue's archive.
Source: NASA (Mr. Russell W. Claus, claus(at)grc.nasa.gov)
Nature: Uncategorized Issue
Severity:
Summary: 
The following operations in the EntityFactory Interface need adjustment to correctly generate geometries:


For EntityFactory::index_bodies():
LongSeq index_bodies(in LongSeqSeq oriented_shells);


The oriented_shells data must be in the form: LongSeqSeq as showns above.


LongSeq index_faces(in LongSeqSeq oriented_eloops, in LongSeqSeq vertex_loops,
in LongSeq surfaces);


The vertex_loops data must be in the form: LongSeqSeq as shown above.


Also, the name used for the first argument to index_oriented_shells() is misleading:
LongSeq index_oriented_shells(in LongSeq ofaces, in BooleanSeq sense);


ofaces should be shells.

Resolution: The recommended changes are made as suggested in the summary
Revised Text: In Section 2.2.4, the recommended changes are made to the idl and the supporting documentation
Actions taken:
June 18, 2002: received issue
July 1, 2003: closed issue