Re: Final submission - 3 week rule for RAD
I'm sending attached version of IDL code. The only differences between this
code and corbamed/99-03-02.txt are the following:
1. Interface PolicyEvaluatorLocatorAdmin is renamed to
PolicyEvaluatorLocatorPatternAdmin, and the suffix "_by_pattern" is appended
to the names of all operations that take a ResourceNamePattern argument.
2. A new version of interface PolicyEvaluatorLocatorAdmin has the same
operations except:
- operations [un]register_resource_name_pattern are removed,
- signatures of all operations are adjusted to reflect the fact that
they all deal only with regular resource names, i.e. no patterns.
3. A new interface PolicyEvaluatorLocatorBasicAdmin with set/get default
evaluators/combinator is added.
4. New read-only attributes are added to interface PolicyEvaluatorLocator:
readonly attribute PolicyEvaluatorLocatorPatternAdmin pattern_admin;
readonly attribute PolicyEvaluatorLocatorBasicAdmin basic_admin;
These changes give us the benefit of being able to specify two conformance
levels:
No patterns: Implementation of PolicyEvaluatorLocatorAdmin interface,
i.e. no patterns in resource names.
Patterns: Implementation of PolicyEvaluatorLocatorPatternAdmin
interface, i.e. support of patterns.
Both conformance levels are supposed to implement interface
PolicyEvaluatorLocatorBasicAdmin.
Your thoughts?
If no submitters respond by Friday, I assume all submitters are happy with the
proposed changes and the changes are approved for the revised submission text.
Konstantin
> Hi,
>
> Just a note to say that the final submission is due on April 26th. Based
> on re-thinking a couple of things and convincing myself that part of what
> we specified for support for GRE's in resource names is broken :-) I'd like
> to propose some changes.
>
> First, address the issues raised at the OMG meeting by taking the
> suggestions that Konstantin outlined in his earlier mail.
>
> Second, add a conformance level to the specification for an implementation
> that does not support GRE's in ResourceNames. (I'd even consider
> conformance levels for subsets of the interfaces if anyone wants to propose
> that).
>
> I am with a customer next week so a conference call will be difficult
> unless we do it off hours. Can we progress this via e-mail?
>
> Carol
>
> P.S. Does anyone know how to contact Bob Blakeley or who the new IBM
> contact person is?
>
>
> _________________________________________________________
> Carol Burt 2AB, Inc.
> cburt@2ab.com Integration Architects
> 205-621-7455 www.2ab.com
> Member, OMG Architecture Board OMG Domain Member
> _________________________________________________________
> "Distributed Solutions for Distributed Business (SM)"
//File: DfResourceAccessDecision.idl
//
#ifndef _DF_RESOURCE_ACCESS_DECISION_IDL_
#define _DF_RESOURCE_ACCESS_DECISION_IDL_
#include "Security.idl"
#pragma prefix "omg.org"
module DfResourceAccessDecision {
//*********************************************************
// Basic Types
//*********************************************************

// Result type of AccessDecision::multiple_access_allowed.
// Presumably one entry per request, in request order - confirm against the
// specification text.
typedef sequence<boolean>       BooleanList;

// Local alias for the attribute list type declared in Security.idl.
typedef Security::AttributeList AttributeList;
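// Forward declarations for interfaces that are referenced in this module
// before their full definitions appear.
interface DynamicAttributeService;
interface DecisionCombinator;
interface PolicyEvaluator;
interface PolicyEvaluatorLocator;

// PolicyEvaluatorLocator declares read-only attributes of all three admin
// interface types ahead of their definitions, so each one needs a forward
// declaration; the Basic and Pattern variants were missing.
interface PolicyEvaluatorLocatorBasicAdmin;
interface PolicyEvaluatorLocatorAdmin;
interface PolicyEvaluatorLocatorPatternAdmin;

interface PolicyEvaluatorAdmin;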
//*********************************************************
// Types that identify a secured resource
//*********************************************************

// One name/value pair inside a resource name.
struct ResourceNameComponent {
    string name_string;
    string value_string;
};
typedef sequence<ResourceNameComponent> ResourceNameComponentList;

typedef string ResourceNamingAuthority;

// A resource name: a naming authority plus a sequence of components.
struct ResourceName {
    ResourceNamingAuthority   resource_naming_authority;
    ResourceNameComponentList resource_name_component_list;
};

// A pattern has exactly the representation of a ResourceName; the pattern
// syntax itself is not defined in this file.
// NOTE(review): because this is a plain alias, the type system cannot tell a
// pattern from a concrete name. Operations that are meant to accept only
// concrete names cannot rely on their signature to exclude patterns; whether
// they must reject pattern syntax is for the specification text to state.
typedef ResourceName ResourceNamePattern;

// Name of the operation being requested on a resource.
typedef string              Operation;
typedef sequence<Operation> OperationList;
//****************************************************
// Types associated with evaluating Access Policy
//****************************************************

typedef string               PolicyName;
typedef sequence<PolicyName> PolicyNameList;

// Predefined policy name. Its meaning is not defined in this file.
const PolicyName NO_ACCESS_POLICY = "NO_ACCESS_POLICY";

// A policy evaluator object reference together with the name it is known by.
struct NamedPolicyEvaluator {
    string          evaluator_name;
    PolicyEvaluator policy_evaluator;
};
typedef sequence<NamedPolicyEvaluator> PolicyEvaluatorList;

// The evaluators and the combinator for one resource name, as returned by
// PolicyEvaluatorLocator::get_policy_decision_evaluators.
struct PolicyDecisionEvaluators {
    PolicyEvaluatorList policy_evaluator_list;
    DecisionCombinator  decision_combinator;
};
//****************************************************
// Types used to request an Access Decision
//****************************************************

// One (resource, operation) pair; the element type of a batch request.
struct AccessDefinition {
    ResourceName resource_name;
    Operation    operation;
};
typedef sequence<AccessDefinition> AccessDefinitionList;

// Three-valued result returned by PolicyEvaluator::evaluate.
// NOTE(review): the client-facing AccessDecision operations return plain
// booleans, so ACCESS_DECISION_UNKNOWN has to be resolved to allow or deny
// before an answer reaches the client. This file does not fix that mapping;
// resolving it to "deny" is the conservative choice - confirm against the
// specification text.
enum DecisionResult {
    ACCESS_DECISION_ALLOWED,
    ACCESS_DECISION_NOT_ALLOWED,
    ACCESS_DECISION_UNKNOWN
};
//********************************************************
//* Exception Data types
//********************************************************

// Payload shared by most exceptions in this module: a numeric code plus a
// free-text reason.
struct ExceptionData {
    short  error_code;
    string reason;
};

enum InternalErrorType { Fatal, NotFatal };

//*********************************************************
// Exception thrown by the Access Decision Object
//*********************************************************
// NOTE(review): the member is named `ed` but its type is InternalErrorType;
// everywhere else in this module `ed` is an ExceptionData and the
// InternalErrorType member is called `it`.
exception InternalError {
    InternalErrorType ed;
};

//*********************************************************
// Exception thrown by Internal non-admin interfaces
//*********************************************************
exception ComponentError {
    ExceptionData     ed;
    InternalErrorType it;
};
//*********************************************************
// Exceptions thrown by Admin Interfaces
//*********************************************************

// Exceptions that carry only the common ExceptionData payload.
exception PatternConflict        { ExceptionData ed; };
exception PatternDuplicate       { ExceptionData ed; };
exception PatternNotRegistered   { ExceptionData ed; };
exception PatternInUse           { ExceptionData ed; };
exception InputFormatError       { ExceptionData ed; };
exception ResourceNameNotFound   { ExceptionData ed; };
exception NoAssociation          { ExceptionData ed; };
exception InvalidPolicy          { ExceptionData ed; };
exception DuplicateEvaluatorName { ExceptionData ed; };

// These two carry no data at all.
exception InvalidResourceName        {};
exception InvalidResourceNamePattern {};

// List-validation failures also return the first element that was rejected.
exception InvalidPolicyEvaluatorList {
    ExceptionData        ed;
    NamedPolicyEvaluator first_invalid_element;
};
exception InvalidPolicyNameList {
    ExceptionData ed;
    PolicyName    first_invalid_element;
};
//****************************************************
// interface AccessDecision
//****************************************************
// Client-facing decision point: answers whether an operation on a named
// resource is allowed. attribute_list presumably carries the requester's
// security attributes (the type comes from Security.idl) - confirm.
//
// NOTE(review): both operations can raise InternalError, and this file does
// not say how a caller should treat that case. Denying access whenever no
// decision is returned is the conservative handling - confirm against the
// specification text.
interface AccessDecision {
    // Single request; the answer is a plain allow/deny boolean.
    boolean access_allowed(
        in ResourceName  resource_name,
        in Operation     operation,
        in AttributeList attribute_list
    ) raises (InternalError);

    // Batch form: several (resource, operation) pairs checked against one
    // attribute list. Presumably result i answers request i - confirm.
    BooleanList multiple_access_allowed(
        in AccessDefinitionList access_requests,
        in AttributeList        attribute_list
    ) raises (InternalError);
};
//******************************************************
// interface DynamicAttributeService
//******************************************************
// Returns an attribute list for a given input attribute list, resource name
// and operation. Whether the result replaces or extends the input list is
// not stated in this file.
interface DynamicAttributeService {
    AttributeList get_dynamic_attributes(
        in AttributeList attribute_list,
        in ResourceName  resource_name,
        in Operation     operation
    ) raises (ComponentError);
};
//******************************************************
// interface PolicyEvaluatorLocator
//******************************************************
// Runtime lookup of the evaluators and combinator for a resource name, plus
// read-only references to the three administrative interfaces.
//
// NOTE(review): the admin references are reachable from the same object that
// serves runtime lookups, and IDL itself carries no access restriction.
// Limiting who may invoke the admin operations is left to the implementation
// and its deployment - confirm how the specification text addresses this.
interface PolicyEvaluatorLocator {
    readonly attribute PolicyEvaluatorLocatorBasicAdmin   basic_admin;
    readonly attribute PolicyEvaluatorLocatorAdmin        name_admin;
    readonly attribute PolicyEvaluatorLocatorPatternAdmin pattern_admin;

    // Evaluator list and combinator that apply to resource_name.
    PolicyDecisionEvaluators get_policy_decision_evaluators(
        in ResourceName resource_name
    ) raises (ComponentError);
};
//********************************************************
// interface DecisionCombinator
//********************************************************
// Produces one allow/deny answer for a request, given the list of named
// evaluators passed in with it.
//
// NOTE(review): PolicyEvaluator::evaluate returns a three-valued
// DecisionResult while this operation returns a boolean, so presumably this
// is where ACCESS_DECISION_UNKNOWN (and an evaluator's ComponentError) is
// mapped to allow or deny. The mapping is not fixed by this file; a
// combinator that maps either case to "allow" fails open.
interface DecisionCombinator {
    boolean combine_decisions(
        in ResourceName        resource_name,
        in Operation           operation,
        in AttributeList       attribute_list,
        in PolicyEvaluatorList policy_evaluator_list
    ) raises (ComponentError);
};
//******************************************************
// interface PolicyEvaluator
//******************************************************
// Evaluates one request and reports allowed, not allowed or unknown.
interface PolicyEvaluator {
    // Reference to this evaluator's administrative interface.
    readonly attribute PolicyEvaluatorAdmin pe_admin;

    DecisionResult evaluate(
        in ResourceName  resource_name,
        in Operation     operation,
        in AttributeList attribute_list
    ) raises (ComponentError);
};
//******************************************************
//
// Management Interfaces
//
//******************************************************
// interface AccessDecisionAdmin
//******************************************************
// Gets and replaces the PolicyEvaluatorLocator and DynamicAttributeService
// references, presumably the ones an AccessDecision object consults.
//
// NOTE(review): the setters accept any object reference and declare no user
// exceptions. Replacing the locator presumably changes which evaluators later
// decisions consult, so these operations look as sensitive as the policies
// themselves - confirm that implementations restrict who can call them.
interface AccessDecisionAdmin {
    PolicyEvaluatorLocator get_policy_evaluator_locator();
    void set_policy_evaluator_locator(
        in PolicyEvaluatorLocator policy_evaluator_locator
    );

    DynamicAttributeService get_dynamic_attribute_service();
    void set_dynamic_attribute_service(
        in DynamicAttributeService dynamic_attribute_service
    );
};
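//*******************************************************
// interface PolicyEvaluatorLocatorBasicAdmin
//*******************************************************
// Administers the default evaluators and the default combinator.
//
// NOTE(review): only a setter is declared for the default evaluators; there
// is no get_default_evaluators. set_default_evaluators returns a
// PolicyEvaluatorList whose meaning is not stated here (possibly the
// previous defaults) - confirm against the specification text.
interface PolicyEvaluatorLocatorBasicAdmin {
    PolicyEvaluatorList set_default_evaluators(
        in PolicyEvaluatorList policy_evaluator_list
    ) raises (DuplicateEvaluatorName, InvalidPolicyEvaluatorList);

    DecisionCombinator get_default_combinator();
    void set_default_combinator(
        in DecisionCombinator decision_combinator
    );
};  // the terminating semicolon was missing, which is an IDL syntax error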
//*******************************************************
// interface PolicyEvaluatorLocatorAdmin
//*******************************************************
// Manages the evaluators and the combinator associated with a resource name.
// Every operation here takes a ResourceName; the pattern-based counterparts
// live in PolicyEvaluatorLocatorPatternAdmin.
//
// NOTE(review): delete_evaluators lists DuplicateEvaluatorName just like
// set_evaluators and add_evaluators - confirm that is intended for a delete.
interface PolicyEvaluatorLocatorAdmin {
    PolicyEvaluatorList get_evaluators(
        in ResourceName resource_name
    ) raises (InvalidResourceName);

    void set_evaluators(
        in PolicyEvaluatorList policy_evaluator_list,
        in ResourceName        resource_name
    ) raises (InvalidPolicyEvaluatorList,
              InvalidResourceName,
              DuplicateEvaluatorName);

    void add_evaluators(
        in PolicyEvaluatorList policy_evaluator_list,
        in ResourceName        resource_name
    ) raises (InvalidResourceName,
              InvalidPolicyEvaluatorList,
              DuplicateEvaluatorName);

    void delete_evaluators(
        in PolicyEvaluatorList policy_evaluator_list,
        in ResourceName        resource_name
    ) raises (InvalidResourceName,
              InvalidPolicyEvaluatorList,
              DuplicateEvaluatorName);

    DecisionCombinator get_combinator(
        in ResourceName resource_name
    ) raises (InvalidResourceName);

    void set_combinator(
        in DecisionCombinator decision_combinator,
        in ResourceName       resource_name
    ) raises (InvalidResourceName);

    void delete_combinator(
        in ResourceName resource_name
    ) raises (InvalidResourceName);
};
//*******************************************************
// interface PolicyEvaluatorLocatorPatternAdmin
//*******************************************************
// Registers resource name patterns and manages the evaluators and the
// combinator associated with each pattern.
//
// NOTE(review): set_evaluators_by_pattern raises InputFormatError, whereas
// add_/delete_evaluators_by_pattern raise InvalidResourceNamePattern and
// InvalidPolicyEvaluatorList - confirm the difference is intended.
// NOTE(review): set_default_evaluators and get_/set_default_combinator are
// declared here as well as in PolicyEvaluatorLocatorBasicAdmin - confirm
// whether the copies in this interface should remain.
interface PolicyEvaluatorLocatorPatternAdmin {
    void register_resource_name_pattern(
        in ResourceNamePattern pattern
    ) raises (InvalidResourceNamePattern,
              PatternDuplicate,
              PatternConflict);

    void unregister_resource_name_pattern(
        in ResourceNamePattern pattern
    ) raises (InvalidResourceNamePattern,
              PatternNotRegistered,
              PatternInUse);

    PolicyEvaluatorList get_evaluators_by_pattern(
        in ResourceNamePattern pattern
    ) raises (InvalidResourceNamePattern,
              PatternNotRegistered);

    void set_evaluators_by_pattern(
        in PolicyEvaluatorList policy_evaluator_list,
        in ResourceNamePattern pattern
    ) raises (InputFormatError,
              PatternNotRegistered,
              DuplicateEvaluatorName);

    PolicyEvaluatorList set_default_evaluators(
        in PolicyEvaluatorList policy_evaluator_list
    ) raises (DuplicateEvaluatorName, InvalidPolicyEvaluatorList);

    void add_evaluators_by_pattern(
        in PolicyEvaluatorList policy_evaluator_list,
        in ResourceNamePattern pattern
    ) raises (InvalidResourceNamePattern,
              PatternNotRegistered,
              InvalidPolicyEvaluatorList,
              DuplicateEvaluatorName);

    void delete_evaluators_by_pattern(
        in PolicyEvaluatorList policy_evaluator_list,
        in ResourceNamePattern pattern
    ) raises (InvalidResourceNamePattern,
              PatternNotRegistered,
              InvalidPolicyEvaluatorList,
              DuplicateEvaluatorName);

    DecisionCombinator get_combinator_by_pattern(
        in ResourceNamePattern pattern
    ) raises (InvalidResourceNamePattern,
              PatternNotRegistered);

    void set_combinator_by_pattern(
        in DecisionCombinator  decision_combinator,
        in ResourceNamePattern pattern
    ) raises (InvalidResourceNamePattern,
              PatternNotRegistered);

    void delete_combinator_by_pattern(
        in ResourceNamePattern pattern
    ) raises (InvalidResourceNamePattern,
              PatternNotRegistered);

    DecisionCombinator get_default_combinator();
    void set_default_combinator(
        in DecisionCombinator decision_combinator
    );
};
//*******************************************************
// interface PolicyEvaluatorAdmin
//*******************************************************
// Associates named policies with resource names for one policy evaluator
// (reached through PolicyEvaluator::pe_admin).
//
// NOTE(review): set_default_policy takes a single PolicyName although its
// parameter is called policy_names, and it returns a PolicyName whose
// meaning is not stated here (possibly the previous default) - confirm.
interface PolicyEvaluatorAdmin {
    void set_policies(
        in PolicyNameList policy_names,
        in ResourceName   resource_name
    ) raises (InvalidResourceName,
              ResourceNameNotFound,
              InvalidPolicyNameList);

    void add_policies(
        in PolicyNameList policy_names,
        in ResourceName   resource_name
    ) raises (InvalidResourceName,
              ResourceNameNotFound,
              InvalidPolicyNameList);

    // Unlike set_policies and add_policies, this can also raise
    // NoAssociation.
    void delete_policies(
        in PolicyNameList policy_names,
        in ResourceName   resource_name
    ) raises (InvalidResourceName,
              ResourceNameNotFound,
              InvalidPolicyNameList,
              NoAssociation);

    // Takes no resource name and declares no user exceptions.
    PolicyNameList list_policies();

    PolicyName set_default_policy(
        in PolicyName policy_names
    ) raises (InvalidPolicy);
};
};
#endif // _DF_RESOURCE_ACCESS_DECISION_IDL_