Skip to content
This repository has been archived by the owner on Feb 8, 2019. It is now read-only.

Add support for resource-location attributes #4

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Add support for resource-location attributes #4

wants to merge 3 commits into from

Conversation

phrinx
Copy link

@phrinx phrinx commented Mar 23, 2016

Related changes:

  • removed CategoryContainer(Action,Subject,Resource) string ids
  • Added support for PEP config defaults for resource, action, subject
  • renamed policy files to match test class name
  • removed orphaned config files

Add support for resource-location attributes
b888080 
Related changes:
- removed CategoryContainer(Action,Subject,Resource) string ids
- Added support for PEP config defaults for resource, action, subject
- renamed policy files to match test class name
- removed orphoned config files
@phrinx
Copy link
Author

phrinx commented Mar 30, 2016

Anyone?

@ajithreghu
Copy link

The changes look good. I would like to merge these in. Bear with me till I figure that out please.

@ajithreghu
Copy link

As I mentioned, the changes look good overall. However, there is one item that popped up.

The PepConfig properties - defaultSubjectId, defaultResourceId and defaultActionId were introduced with idea of catering to a use case where in the user may decide to go with non-standard attribute identifiers for subject-id, action-id and resource-id attributes. So let's say, instead of "urn:oasis:names:tc:xacml:1.0:subject:subject-id", one could use "my-namespace:my-subject-id". I am not entirely sure what the XACML standard has to say about this though. Regardless, of late I have been thinking that custom subject, action and resource mappers are probably the right solution for this.

Anyway, it looks like you have interpreted these properties as representing default attribute values rather than identifiers. I guess the existing implementation may have caused the confusion. But, if that wasn't the case, I am interested to know if you have come across use cases where configuring the default values has been useful.

@phrinx
Copy link
Author

phrinx commented Jun 1, 2016
edited
Loading

Thanks @ajithreghu for explaining the reasoning behind the attribute identifiers defaults. Yeah, I believe I was mostly confused by the defaults and decided to clean things up. However, If there are use cases out there where someone wants to use let's say an attribute keys for subject which is not following the XACML standard I'd agree this change is not ideal. Let me reverse some of these changes to keep the existing functionality so users can overwrite the default attribute identifiers.

Introduce APIs to set attribute identifiers
43082dc 
This mainly addresses a concern raised where someone may want to
set an attribute id (e.g. key of subject-id) which deviates
from what XACML defines in its specification.
@phrinx
Copy link
Author

phrinx commented Jun 9, 2016

@ajithreghu did you have a chance to look at the latest changes?

ajithreghu
ajithreghu reviewed Jun 14, 2016
View reviewed changes
openaz-pep/src/main/java/org/apache/openaz/pepapi/std/ActionMapper.java
Action a = (Action) o;
String id = a.getId();
Action action = (Action) o;
String id = action.getId();
if (id == null) {
id = getPepConfig().getDefaultActionId();
Copy link

@ajithreghu ajithreghu Jun 14, 2016
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The value returned by getDefaultActionId() is an identifier key but I believe it's treated as an identifier value, looking at the next few lines.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, when I changed this code, given the lack of documentation, my impression was that getPepConfig().getDefaultActionId() returns a default action id value and not the action id key (which IMO would make more sense).

@ajithreghu
Copy link

Just looked at the updates you made recently and added a comment. I guess it applies to all three mappers.

I have some other thoughts though. I believe the design of customizable/configurable attribute identifiers was not done intuitively to start with (my bad) and so all the confusion :( I guess API users or contributors will have a hard time with it and most likely use it incorrectly, just like you were mislead. So, what if we take this feature out and support only standard identifier names by default. However, in case the user wants custom attribute identifiers, they could still do it by providing custom Subject, Action and Resource mappers. This way the design is clean, simple and intuitive. What do you think ?

@phrinx
Copy link
Author

phrinx commented Jun 21, 2016
edited
Loading

@ajithreghu: I think I'd agree with your suggestion. I kind of regret to put all the changes along with introducing resource-location but I guess at the time I made the changes it made more sense to me that way. Let me make some more changes to take out this feature accordingly.

Removed support to for setting default ids
498427e 
This commit removes the rather 'confusing' feature of being able to override
the default key for subject, resource and action ids defined by XACML
spec.

Users who relied on feature can easily switch to use #addAttribute to achieve
the same.
@phrinx
Copy link
Author

phrinx commented Jun 24, 2016

Any further feedback/concerns with the most recent changes made?

@ajithreghu
Copy link

Thank you. I've merged your latest changes on to the wip branch. Also, I added a new test to demonstrate custom mapper registration to handle non-standard subject,action and resource identifiers.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@phrinx @ajithreghu