I am thinking about the implementation of the reference loader in the evaluation engine.
There are two basic possible solutions and I am not sure which to take, or which is the right one.
The point that I am talking about is the fetching of local policies (e.g. if a "remote" PDP asks for a policy, or if the "local" PDP needs to resolve a local policy).
Assume the following policy tree is locally deployed (see the attachment policies.png).
The following two scenarios are thinkable (imho):
- If a "remote" PDP asks for a policy, it is only able to fetch PS1 and PS2 (as a whole, that means including their subpolicies). Example: if a "remote" PDP asks for PS1, it gets a tree with PS1 as the root and two child elements (P1 and P2).
- A "remote" PDP is able to fetch every deployed policy. That means it is possible to get PS1 (as a whole) or any of the policies P1 to P4.
In my opinion the first solution is the one to go for, because from my point of view it does not make sense that someone is able to get subpolicies without "context".
I am very interested in your opinion.
Regards,
Florian
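The first scenario from the post, as an added example that is not part of Florian's message or of the project: a toy reference loader that lets a "remote" PDP fetch only the roots of the locally deployed tree (PS1, PS2), always as a whole subtree, while the "local" PDP can resolve any deployed policy. The attachment policies.png is not available here, so the tree below is constructed from the text; putting P3 and P4 under PS2 is an assumption, as are the class and method names.

```python
"""Toy reference loader for scenario 1 (remote PDPs get root policy sets only).

Added example, not the project's code.  The deployed tree is constructed from
the post: PS1 holds P1 and P2; placing P3 and P4 under PS2 is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Policy:
    """A policy or policy set; a policy set carries its subpolicies as children."""
    id: str
    children: List["Policy"] = field(default_factory=list)

    def to_tree(self) -> dict:
        """Serialise this node together with its whole subtree."""
        return {"id": self.id, "children": [c.to_tree() for c in self.children]}


# Constructed local deployment (assumption: PS2 contains P3 and P4).
DEPLOYED: List[Policy] = [
    Policy("PS1", [Policy("P1"), Policy("P2")]),
    Policy("PS2", [Policy("P3"), Policy("P4")]),
]


class ReferenceLoader:
    """Resolves policy references against the locally deployed tree."""

    def __init__(self, roots: List[Policy]) -> None:
        self._roots: Dict[str, Policy] = {p.id: p for p in roots}
        # Flat index of every deployed node, plus the root each node lives under,
        # so a subpolicy can always be traced back to its "context".
        self._all: Dict[str, Policy] = {}
        self._root_of: Dict[str, str] = {}
        for root in roots:
            self._index(root, root.id)

    def _index(self, node: Policy, root_id: str) -> None:
        self._all[node.id] = node
        self._root_of[node.id] = root_id
        for child in node.children:
            self._index(child, root_id)

    def fetch_remote(self, policy_id: str) -> dict:
        """Scenario 1: a remote PDP may only fetch a root, and gets its whole subtree.

        A request for a subpolicy is refused (PermissionError) rather than
        served out of context; an unknown id is a KeyError.
        """
        root = self._roots.get(policy_id)
        if root is None:
            if policy_id in self._all:
                raise PermissionError(
                    f"{policy_id} is a subpolicy of {self._root_of[policy_id]}; "
                    "fetch the root policy set instead"
                )
            raise KeyError(policy_id)
        return root.to_tree()

    def fetch_local(self, policy_id: str) -> dict:
        """Local resolution: the local PDP may resolve any deployed policy."""
        return self._all[policy_id].to_tree()

    def root_of(self, policy_id: str) -> Optional[str]:
        """Return the id of the root policy set that gives policy_id its context."""
        return self._root_of.get(policy_id)


if __name__ == "__main__":
    loader = ReferenceLoader(DEPLOYED)
    print(loader.fetch_remote("PS1"))
    try:
        loader.fetch_remote("P1")
    except PermissionError as exc:
        print("refused:", exc)
    print(loader.fetch_local("P3"), loader.root_of("P3"))
```

Switching to the second scenario would amount to letting `fetch_remote` fall through to `fetch_local`; keeping the two paths separate makes the choice between the scenarios an explicit, testable decision in the loader rather than a property of how the tree happens to be indexed.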