HERAS-AF Forum
Board: HERAS-AF XACML Core (Moderators: René Eggenschwiler, Florian Huonder)
Topic: Does HERAS-AF core support the XACML v.2.0 multiple resource profile? (Read 1500 times)
andrea.ceccanti
« on: June 09, 2010, 01:23:57 pm »

Hi,

as stated in the subject, does HERAS-AF core support the XACML v.2.0 multiple resource profile?
I mean the profile described in this document:

http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-mult-profile-spec-os.pdf

Thanks for your answers.

Cheers,
Andrea
René Eggenschwiler
« Reply #1 on: June 09, 2010, 01:34:34 pm »

Hi Andrea

Supporting the multiple resource profile is on our wish list. Unfortunately we do not support the profile yet.
You can follow that topic also in our Issue Tracker. The exact issue mentioning the multiple resource profile is
http://jira.herasaf.org/browse/HERASAFXACMLCORE-13.
You can also vote for this feature there when you register in our JIRA.

From a planning point of view we have to be honest and tell you that most probably it will not be planned for release 1.0.0 of HERAS-AF XACML Core.

May I ask you, what's your interest in having the multiple resource profile implemented? Maybe we can also give you more information about that topic when we know more about your intentions.

Best regards,
René
Florian Huonder
« Reply #2 on: June 09, 2010, 01:42:04 pm »

Hi Andrea,

I have a small addition to René's comment.

Yes we have an issue for that but this is not going to be implemented very soon.
But there is a simple workaround:
You could make a wrapper around our PDP that splits up the request into multiple requests (one per resource). Then you could pass those requests one by one to the PDP.

I hope that may help you.

If you have any further questions, don't hesitate.

Regards,
Florian
andrea.ceccanti
« Reply #3 on: June 10, 2010, 09:41:17 am »

Hi René,

thanks for your answer.


> May I ask you, what's your interest in having the multiple resource profile implemented? Maybe we can also give you more information about that topic when we know more about your intentions.

I am actually one of the developers of the gLite authorization service, which relies on your XACML engine for its PDP component.
We have use cases where some services need to do a single authorization request regarding many resources (hundreds to thousands). 
Support for the multiple resource profile could help in limiting the overhead for the callout to the authorization service.

Cheers,
Andrea
andrea.ceccanti
« Reply #4 on: June 10, 2010, 09:51:11 am »

Hi Florian,

> You could make a wrapper around our PDP that splits up the request into multiple requests (one per resource). Then you could pass those requests one by one to the PDP.

we'll explore whether this is feasible. Having this supported in the XACML engine would be better anyway :) I will vote for it on JIRA.

Thanks!
Andrea
Florian Huonder
« Reply #5 on: June 10, 2010, 10:53:49 am »

Hi Andrea,

I have some further comments:
If you implement a wrapper around our PDP that does the handling specified in the multiple resources profile, there is the restriction that our XACML core implementation does not support the ResourceContent element. So we are currently only able to handle non-XML resources (Profile URI: urn:oasis:names:tc:xacml:2.0:profile:multiple:scope:non-xml).

You are right, it would be much nicer if the implementation were already able to handle multiple resources. We also think so, but until now nobody ever asked for it, so it got a low priority.
We are very open to assisting you with the implementation if we can. So if you are interested in a deeper discussion, just let me know.

If we implement the profile at some point, I am quite sure that we would go a similar way to a wrapper, e.g. a MultipleResourceHandlingPDP or something like that, because the core XACML specification does not support multiple resources. The Context Handler is the component in charge of handling multiple resources. This MultipleResourceHandlingPDP would then both call the PDP and do the composition of the response.

Regards,
Florian

PS. To our knowledge there is no XACML implementation available that supports the multiple resources profile directly.
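The split-and-compose wrapper that Florian outlines in Reply #2 and Reply #5, as an added example that is not HERAS-AF code and not from the thread's authors. It is written in Python so that it runs stand-alone: the wrapped PDP is any callable that maps a single-resource Request element to a Response element, and `stub_pdp` is a constructed stand-in for that PDP (a real deployment would hand the Request to the HERAS-AF PDP there). The sample request, the function names and the permit-below-/public/ rule are assumptions made for the example; the profile URI, the ResourceId on every Result and the ResourceContent restriction come from the profile and the post above.

```python
"""Multiple-resource wrapper around a single-resource XACML 2.0 PDP (added example).

Non-xml scope of the XACML 2.0 Multiple Resource Profile
(urn:oasis:names:tc:xacml:2.0:profile:multiple:scope:non-xml): a Request with
several <Resource> elements is split into one Request per <Resource>, each is
evaluated by the wrapped PDP, and the <Result> elements are combined into one
<Response>, each tagged with the ResourceId it answers.
"""
import copy
import xml.etree.ElementTree as ET

XACML_CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ET.register_namespace("", XACML_CTX)  # serialize with the default namespace


def q(local):
    """Clark-notation tag in the XACML 2.0 context namespace."""
    return "{%s}%s" % (XACML_CTX, local)


class UnsupportedRequest(ValueError):
    """The request is outside what this wrapper or the wrapped PDP handles."""


def resource_id(resource):
    """Return the resource-id attribute value of one <Resource> element."""
    for attr in resource.findall(q("Attribute")):
        if attr.get("AttributeId") == RESOURCE_ID:
            value = attr.findtext(q("AttributeValue"))
            if value:
                return value.strip()
    raise UnsupportedRequest("<Resource> without a resource-id attribute")


def split_request(request_xml):
    """Split a multiple-resource Request into [(resource_id, Request), ...].

    Each returned Request is a deep copy of the original keeping exactly one
    <Resource>, so Subject, Action and Environment survive and element order
    stays schema-valid (Subject+, Resource, Action, Environment).
    """
    root = ET.fromstring(request_xml)
    if root.tag != q("Request"):
        raise UnsupportedRequest("root element is not a XACML 2.0 Request")
    resources = root.findall(q("Resource"))
    if not resources:
        raise UnsupportedRequest("Request carries no <Resource>")
    for res in resources:
        # <ResourceContent> selects the xml scope of the profile (resources are
        # nodes of an XML document); the wrapped PDP cannot evaluate that.
        if res.find(q("ResourceContent")) is not None:
            raise UnsupportedRequest("ResourceContent (xml scope) is not supported")
    singles = []
    for i, res in enumerate(resources):
        single = copy.deepcopy(root)
        for j, res_copy in enumerate(single.findall(q("Resource"))):
            if j != i:
                single.remove(res_copy)
        singles.append((resource_id(res), single))
    return singles


def evaluate_multiple(request_xml, pdp):
    """Call `pdp` once per resource and compose a single Response element."""
    response = ET.Element(q("Response"))
    for rid, single in split_request(request_xml):
        results = pdp(single).findall(q("Result"))
        if len(results) != 1:
            raise UnsupportedRequest("wrapped PDP must return exactly one Result")
        result = copy.deepcopy(results[0])
        result.set("ResourceId", rid)  # the profile requires it on every Result
        response.append(result)
    return response


def decisions(response):
    """Map ResourceId -> Decision for a composed Response."""
    return {r.get("ResourceId"): r.findtext(q("Decision"))
            for r in response.findall(q("Result"))}


def stub_pdp(request):
    """Constructed stand-in for the wrapped single-resource PDP: permits resources
    below /public/ and denies all others (a real deployment calls HERAS-AF here)."""
    resources = request.findall(q("Resource"))
    if len(resources) != 1:
        raise UnsupportedRequest("the core PDP takes one <Resource> per Request")
    permit = resource_id(resources[0]).startswith("/public/")
    response = ET.Element(q("Response"))
    result = ET.SubElement(response, q("Result"))
    ET.SubElement(result, q("Decision")).text = "Permit" if permit else "Deny"
    return response


# Constructed sample: one subject and action, two resources in a single Request.
SAMPLE_REQUEST = """<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">
  <Subject><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
    DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>alice</AttributeValue></Attribute></Subject>
  <Resource><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
    DataType="http://www.w3.org/2001/XMLSchema#anyURI"><AttributeValue>/public/readme.txt</AttributeValue></Attribute></Resource>
  <Resource><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
    DataType="http://www.w3.org/2001/XMLSchema#anyURI"><AttributeValue>/private/payroll.csv</AttributeValue></Attribute></Resource>
  <Action><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
    DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>read</AttributeValue></Attribute></Action>
  <Environment/>
</Request>"""

if __name__ == "__main__":
    composed = evaluate_multiple(SAMPLE_REQUEST, stub_pdp)
    print(ET.tostring(composed, encoding="unicode"))
```

Every Result in the composed Response carries the ResourceId of the resource it answers, so the PEP can correlate decisions with resources; Deny, Indeterminate and NotApplicable results are passed through per resource rather than collapsed into one verdict. Note what the wrapper buys and what it does not: it removes the per-resource callout round trips Andrea is concerned about, but the wrapped PDP is still invoked once per resource, so evaluation cost stays linear in the number of resources. Rejecting requests that contain ResourceContent up front keeps the xml scope out of a PDP that cannot evaluate it, instead of silently returning a decision made without the resource content.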
René Eggenschwiler
« Reply #6 on: June 11, 2010, 01:40:22 am »

Hi Andrea

I agree with Florian on the wrapper approach (mid-term), because the profile specification also sounds like wrapping a default PDP.
In the specification it is written that the ContextHandler does the converting and composing of multiple resource requests.

On the other hand, the XACML specification doesn't effectively specify a concrete deployment of the components.
So it is also not specified where exactly the ContextHandler should be built in, deployed or used.

For HERAS-AF we always considered a deployment in which the ContextHandler is in the PEP and also built into the PDP.
That means we want to split the aspects provided by the ContextHandler into responsibilities on the PEP and PDP side.
Every responsibility will be fulfilled where it can be fulfilled best.

So (from a HERAS-AF viewpoint) the multiple resource profile shouldn't simply be implemented as a wrapper. It should be supported by the PDP engine out of the box and get as many performance features as possible.

That means I think that the Core (with its included SimplePDP) should be extended to support the multiple resource profile.
But that could probably slow down decision making.
To avoid that, we could give our users a configuration option to choose between a high-performance (single resource) PDP and a slower (multiple resource wrapper) PDP.

I don't agree with Florian about introducing a MultipleResourceHandlingPDP. I would prefer extending our existing SimplePDP by adding/changing the configuration (longer term).
But that will take a while.

Best regards,
René
ekrem
« Reply #7 on: August 11, 2010, 09:26:46 am »

Hi, I'm new to HERAS-AF and XACML, so maybe I'm missing something important here.
I want to use HERAS-AF to check privacy policies in the communication with clients. Therefore I need a way not only to check a request for permit or deny, but to get finer results. In the ideal setup, a client can make a request for multiple attributes. The system checks this request and only delivers those attributes which the client is permitted to read. The only solution I found to do this is to check every attribute in a single request against the PDP and then use the deny/permit decisions to create the answer for the client.
Is there a better way to do that without rewriting huge parts of the policy checking? (which I'm not sure I'm capable of)

Cheers, Erik
René Eggenschwiler
« Reply #8 on: August 11, 2010, 10:25:34 am »

Hi Erik

First, thank you for your interest in HERAS-AF.

I think I do not exactly understand your case.
If you are asking for a solution to send/receive multiple requests/decisions in one communication, I would suggest you read the XACML Multiple Resource Profile (http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-mult-profile-spec-os.pdf).

Please also have a look at the other topic in the forum: Does HERAS-AF core supports the XACML v.2.0 multiple resource profile? http://forum.herasaf.org/index.php/topic,117.0.html

Unfortunately HERAS-AF doesn't yet support the multiple resource profile. But from what we've analysed so far, it should be quite simple to implement.
If you decide to try an implementation, we would definitely help you with guidance and support.

But to get a better understanding of your needs and intentions, it would be very helpful for us if you could provide more information.
Can you explain the message flow in your system in a bit more detail? Can you send us some example requests and policies?
Maybe we can then find a better solution.

Best regards
René
ekrem
« Reply #9 on: August 12, 2010, 08:50:20 am »

Hi René,

thanks for your quick reply. Unfortunately I'm pretty new to the whole XACML terminology, so I used the wrong terms in my description.
I think the multiple resource approach is exactly what I'm looking for. The link to the other topic helped a lot. I'm sorry I double posted. The wrapper for multiple resources described there should do the trick.

As a short abstract of what my work is about:
We have a system storing personal data in a huge dynamic data core where every person has a unique ID. For every ID we know some attributes like position or name. Clients, here called services, can access some of these attributes. Because the services don't know which data is available, they ask for all information about a certain ID. Different services have heterogeneous access rights, and the system should only deliver the attributes a service is allowed to access.
These access rights depend on a lot of different parameters. For example, a corporate-wide policy could deny access to the position attribute of all employees, but certain employees could define a policy to allow access to their position attribute in special cases.

While looking for a way to achieve this, I found XACML and your implementation HERAS-AF. I think it is a wonderful project and fits our needs. I'm still doing a bit of usability testing, so I don't have more detailed policies or requests to show.

Cheers, Erik
René Eggenschwiler
« Reply #10 on: August 20, 2010, 11:33:07 am »

Hi Erik

I just want to ask how your progress is. Are you fine with XACML and HERASAF?

Feel free to contact us again if you have any kind of questions.

Best regards
René