Re: PatternConflict exception
Konstantin's view is correct. I've provided Carol with text which says that
the list of evaluators returned when more than one pattern matches the name
provided via input argument is the union of the evaluators on the lists of
all the matched patterns.
Which combinator is returned in this case (only one will be returned) is up
to the implementation.
We already did make a decision on this, during the Tue. call, and the
results are the text I provided to Carol and have summarized here.
--bob
Bob Blakley
IBM Lead Security Architect
Voice: +1 (512) 838-8133
Fax: +1 (512) 838-0156
Post: 11400 Burnet Road, Mail Stop 9134, Austin, TX 78758 USA
Internet: blakley@us.ibm.com
Konstantin Beznosov <beznosov@baptisthealth.net> on 02/25/99 10:56:55 AM
Please respond to Konstantin Beznosov <beznosov@baptisthealth.net>
To: Robert Burt <bburt@2ab.com>
cc: hrac-rfp@cs.fiu.edu (bcc: Bob Blakley/Austin/IBM)
Subject: Re: PatternConflict exception
Bob and others,
As far as I understand the semantics of add/delete/set_evaluators() and
get_policy_decision_evaluators() from last submitters meeting (I've not
checked if it is reflected in the current submission text), if a resource
name matches more than one pattern then get_policy_decision_evaluators() is
supposed to return a union of evaluators that are registered with all
patterns which the resource name matches. And, it is NOT an
implementation-dependent thing. Please Bob Blakley, John and Carol correct
me if I misunderstood this.
If my understanding is correct, then add/set_evaluators() can NOT raise
PatternConflict exception.
Let's make a decision on it today or tomorrow.
> It is my impression that the patterns can either be edited for consistency
> at registration time or the EvaluatorLocator can make a decision on which
> of two conflicting patterns to use, or even to use both. From the spec the
> above seems to be an implementation decision. I personally would think
> that an implementation could have better performance if it did the conflict
> check at registration time, but that would be an implementation decision.
>
> So what is a conflict, well if I have the following two patterns:
>
> A*
> AB*
>
> Then a resource name "ABigPile" could be matched by either pattern. An
> implementation might choose to not make this a conflict and have AB* take
> precedence or it could consider it to be a conflict.
>
> Bottom line, it appears to be an implementation decision and it should have
> a way of indicating the fact that it considers something to be a conflict.
>
>
> Bob
>
>
> At 10:36 AM 2/25/99 -0500, you wrote:
> >Carol or Bob,
> >
> >Quick question on semantics of exception PatternConflict. The current
> >description of the exception is as follows:
> >
> >"The PatternConflict exception is thrown by the
> >PolicyEvaluatorLocatorAdmin when an register_resource_name_pattern()
> >detects a pattern that conflicts with an existing registered pattern."
> >
> >What kind of conflict do you have in mind, which could happen that will
> >cause this exception to be raised?
> >
> >Thanks
> >Konstantin
> >
----------------
Broadcast message to hrac-rfp from Konstantin Beznosov
<beznosov@baptisthealth.net>.
Go to http://cadse.cs.fiu.edu/omg/hrac-rfp to browse the mail list archive.
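Added example, not part of the original thread or the submission text: a sketch of the union semantics agreed above, using the A* / AB* patterns and the "ABigPile" resource name from the thread. The class, the evaluator and combinator names, the glob matching rule and the "longest pattern wins" combinator choice are all assumptions made for illustration; the thread only says that one combinator is returned and that the choice is up to the implementation.

```python
from fnmatch import fnmatchcase


class EvaluatorLocator:
    """Hypothetical in-memory locator; not the IDL interface from the submission."""

    def __init__(self):
        # pattern -> (ordered evaluator names, combinator name)
        self._patterns = {}

    def add_evaluators(self, pattern, evaluators, combinator):
        # Overlap with an already registered pattern is allowed, so nothing
        # here can raise PatternConflict under the union semantics.
        current, _ = self._patterns.get(pattern, ([], None))
        merged = current + [e for e in evaluators if e not in current]
        self._patterns[pattern] = (merged, combinator)

    def get_policy_decision_evaluators(self, resource_name):
        matched = [p for p in self._patterns if fnmatchcase(resource_name, p)]
        if not matched:
            return [], None
        union = []
        for pattern in matched:
            for evaluator in self._patterns[pattern][0]:
                if evaluator not in union:  # de-duplicate, keep order
                    union.append(evaluator)
        # Exactly one combinator is returned. Which one is left to the
        # implementation; this sketch (assumption) picks the longest pattern.
        chosen = max(matched, key=len)
        return union, self._patterns[chosen][1]


def demo():
    # Constructed sample registrations; names are illustrative only.
    locator = EvaluatorLocator()
    locator.add_evaluators("A*", ["audit_eval", "role_eval"], "all_must_permit")
    locator.add_evaluators("AB*", ["role_eval", "consent_eval"], "any_may_permit")
    return (
        locator.get_policy_decision_evaluators("ABigPile"),
        locator.get_policy_decision_evaluators("Apple"),
        locator.get_policy_decision_evaluators("Zebra"),
    )


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Because every matching pattern contributes its evaluators, a broader pattern's evaluator (here `audit_eval`) cannot be dropped by registering a more specific overlapping pattern; only the combinator varies between implementations.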