Missing Attributes in a policyset

[Wolfgang Giersche]

Hi Flo/Rene,

I'm just wondering whether I'm getting things right. When evaluating a request that is missing an attribute that is only required by some of the involved policies, which are - let's say - combined by permitOverrides, then only the those policies requiring the missing attribute will be indeterminate. If a single policy evaluates to permit, the PDP will not send back information that an attribute is required, because the combining algorithm will be perfectly satisfied with that single permit decision.
To my opinion this behaviour would render the entire missing-attribute functionality useless in non-trivial policy deployments. Well, that is unless the PDP itself will contact the PIP itself to resolve the situation just after failing to evaluate the policy that requires the missing attribute.
In summary, that means, if at all, then it will practically always be the PDP (which is the performance bottleneck) that is responsible for resolving missing attributes, for it can't delegate to the PEP.
Have I got that right?

Rgds

[Florian Huonder]

Hi Wolfgang,

You are right.

The specification says for e.g. the Permit-overrides algorithm

... If an error occurs while evaluating the target of a policy, a reference to a policy is considered invalid or the policy evaluation results in "Indeterminate", then the policy set SHALL evaluate to "Indeterminate", with the appropriate error status, provided no other policies evaluate to "Permit" or "Deny". ...

.
If an error occurs (missing attribute is an error) but another policy evaluates to Permit the end-result is Permit. In my opinion the reason for this is because a decision can be made although the one policy had an error. This means that the decision could also be made if this policy would not be present. This also means that a decision can be made if this attribute (that is missing) is not present. Therefore this behavior.

Does that make sense to you?

Regards,
Florian

[Wolfgang Giersche]

Hi Flo,

 perfectly fine. I just see the impact on performance here. It'd be much more reasonable to let the PEPs do the hard work, for their number is larger by the nature of the deployment model. On Rule level on the other hand, the spec seems to allow ignoring errors/INDETERMINATEs only if a a result without error wouldn't change a thing anyway. Not sure whether that solves the problem.

Ideally, if an error due to a missing attribute somewhere deep in the policy tree potentially changed the result of the root policy set, then the PDP should have the possibility to delegate attribute resolution to the responsible PEP, agree?

Rgds

Wolfgang

[Florian Huonder]

... On Rule level on the other hand, the spec seems to allow ignoring errors/INDETERMINATEs only if a a result without error wouldn't change a thing anyway. Not sure whether that solves the problem.

I am not sure if this has something to do with it. This is in my opinion simply another overriding-algorithm than the one in the policies.

Ideally, if an error due to a missing attribute somewhere deep in the policy tree potentially changed the result of the root policy set, then the PDP should have the possibility to delegate attribute resolution to the responsible PEP, agree?

This possibility is given. The PDP can be configured to not resolve missing attributes (the factory does by default not set a PIP into the PDP). In such a case the resolution of missing attributes would be delegated to the PEP.