Issue: PolicyEvaluator::multiple_evaluate()
Hi all,
It looks as if I ran into a new issue with the interface definitions that
the current version of HRAC has.
Issue:
It occurred to me that PolicyEvaluator::multiple_evaluate() has the wrong
signature. Security Attributes in the method are passed as an argument.
Another argument is a list of access requests, each item of which is a
pair: resource name and operation on it. I believe that security
attributes should not be the same for all items in the list, but they
should be a third item in the triple {resource name, operation,
attributes}.
The reason I think so is because of the way we treat security
attributes. We provide AttributeList
DynamicAttributeService::get_dynamic_attributes(resource name,
operation, attributes). This means that the new attributes might be
specific to a particular resource name and/or operation. Thus, we should
provide a different set of attributes to every access request element in
PolicyEvaluator::multiple_evaluate().
Proposed Resolution:
If my concern is appropriate, then how to resolve the issue? The
straightforward way would be just to redefine AccessDefinition as follows:
    struct AccessDefinition {
        ResourceName resource_name;
        string operation;
        AttributeList attributes;
    };
and to re-define PolicyEvaluator::multiple_evaluate as follows:
    DecisionResultList multiple_evaluate(
        in AccessDefinitionList access_requests
    );
----------------
Broadcast message to hrac-rfp from Konstantin Beznosov <Konstantin_Beznosov@writeme.com>.
Go to http://cadse.cs.fiu.edu/omg/hrac-rfp to browse the mail list archive.
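
The concern raised in the message above, as an added Python sketch that is not part of the original post and is not HRAC code: when dynamic attributes depend on the resource, one attribute list shared across a batch can produce a grant that per-request attributes would deny. The policy rule, user and resource names, and sample data are constructed assumptions; only the names AccessDefinition, get_dynamic_attributes and multiple_evaluate come from the message.

```python
# Toy model of the two multiple_evaluate() shapes discussed in the message.
# Everything here is a constructed illustration, not the HRAC IDL.
from typing import NamedTuple

class AccessDefinition(NamedTuple):
    resource_name: str
    operation: str
    attributes: frozenset  # per-request attributes, as the message proposes

# Constructed sample data: dr_lee attends patient 17 only.
ATTENDING = {("dr_lee", "patient/17/record")}
BASE = frozenset({("user", "dr_lee")})
REQUESTS = [("patient/17/record", "read"), ("patient/42/record", "read")]

def get_dynamic_attributes(resource_name, operation, attributes):
    """Stand-in for DynamicAttributeService::get_dynamic_attributes().
    Assumed rule: a relationship attribute is added only for the record
    of a patient the caller attends."""
    user = dict(attributes).get("user")
    extra = set()
    if (user, resource_name) in ATTENDING:
        extra.add(("relationship", "attending"))
    return frozenset(attributes) | extra

def evaluate(resource_name, operation, attributes):
    """Assumed policy: only an attending physician may read a record."""
    return operation == "read" and ("relationship", "attending") in attributes

def multiple_evaluate_shared(attributes, requests):
    """Current shape: one attribute list applied to every request."""
    return [evaluate(r, op, attributes) for r, op in requests]

def multiple_evaluate_per_request(access_requests):
    """Proposed shape: each AccessDefinition carries its own attributes."""
    return [evaluate(a.resource_name, a.operation, a.attributes)
            for a in access_requests]

def shared_decisions():
    # The caller has to pick one attribute set for the whole batch; here it
    # is the set computed for the first request, which then covers both.
    attrs = get_dynamic_attributes(*REQUESTS[0], BASE)
    return multiple_evaluate_shared(attrs, REQUESTS)

def per_request_decisions():
    defs = [AccessDefinition(r, op, get_dynamic_attributes(r, op, BASE))
            for r, op in REQUESTS]
    return multiple_evaluate_per_request(defs)

if __name__ == "__main__":
    print("shared attributes:     ", shared_decisions())
    print("per-request attributes:", per_request_decisions())
```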