Hi all,

Please find attached:
- a zip archive with 2 files:
  1. my marks on David Frankel's comments, showing which comments were accommodated in the second document.
  2. corbamed/99-04-04.doc with changes addressing some of David's comments.
- a file with IDL code for RAD, synchronized with the changes made to the IDL code in corbamed/99-04-04.doc.

Carol, you will need to:
1. Look through David's comments and see
   - if you are happy with my changes (I marked all of David's comments that I addressed)
   - what else you can address before the AB's meeting on Thursday
2. Create errata to accompany corbamed/99-04-04
3. Get new doc numbers for corbamed/99-04-04.doc with changes, for the errata, and for the updated IDL

Carol, please say thanks to David Frankel for his detailed comments, and good luck to you!

Konstantin

P.S.
comments-on-dfrankel-comments-and-changes-to-corbamed_99-04-04.zip
//File: DfResourceAccessDecision.idl
//
#ifndef _DF_RESOURCE_ACCESS_DECISION_IDL_
#define _DF_RESOURCE_ACCESS_DECISION_IDL_
#include "Security.idl"
#pragma prefix "omg.org"
module DfResourceAccessDecision {
//*********************************************************
// Basic Types
//*********************************************************
// List of booleans; this is the return type of
// AccessDecision::multiple_access_allowed.
typedef sequence<boolean> BooleanList;
// Local alias for the attribute list type declared in Security.idl, so the
// rest of this module can refer to it without the Security:: scope.
typedef Security::AttributeList AttributeList;
// Forward declarations: they let the structs and interfaces below refer to
// these interfaces ahead of their full definitions later in the module.
interface DynamicAttributeService;
interface DecisionCombinator;
interface PolicyEvaluator;
interface PolicyEvaluatorLocatorBasicAdmin;
interface PolicyEvaluatorLocatorNameAdmin;
interface PolicyEvaluatorLocatorPatternAdmin;
interface PolicyEvaluatorAdmin;
//*********************************************************
// Types that identify a secured resource
//*********************************************************
// One (name, value) string pair; a resource name is built from a sequence
// of these.
struct ResourceNameComponent {
    string name_string;
    string value_string;
};
typedef sequence<ResourceNameComponent> ResourceNameComponentList;

// Naming authority is carried as a plain string; its format is not
// constrained by this IDL.
typedef string ResourceNamingAuthority;

// Full identifier of a secured resource: a naming authority plus an ordered
// list of name components.
struct ResourceName {
    ResourceNamingAuthority   resource_naming_authority;
    ResourceNameComponentList resource_name_component_list;
};

// A pattern has exactly the same structure as a ResourceName.
// NOTE(review): the matching/wildcard syntax is not expressed in the IDL --
// confirm against the specification text before relying on pattern semantics.
typedef ResourceName ResourceNamePattern;

// Operation names are plain strings; OperationList is a sequence of them.
typedef string Operation;
typedef sequence<Operation> OperationList;
//****************************************************
// Types associated with evaluating Access Policy
//****************************************************
// Policies are referred to by string name.
typedef string PolicyName;
typedef sequence<PolicyName> PolicyNameList;

// Predefined policy name.
// NOTE(review): its exact meaning (presumably "no policy grants access") is
// not visible in this file -- confirm against the specification text.
const PolicyName NO_ACCESS_POLICY = "NO_ACCESS_POLICY";

// A PolicyEvaluator object reference together with the name it is known by.
// NOTE(review): the DuplicateEvaluatorName exception suggests names must be
// unique within a list -- confirm.
struct NamedPolicyEvaluator {
    string          evaluator_name;
    PolicyEvaluator policy_evaluator;
};
typedef sequence<NamedPolicyEvaluator> PolicyEvaluatorList;

// The evaluators plus the combinator, bundled together; this is what
// PolicyEvaluatorLocator::get_policy_decision_evaluators returns.
struct PolicyDecisionEvaluators {
    PolicyEvaluatorList policy_evaluator_list;
    DecisionCombinator  decision_combinator;
};
//****************************************************
// Types used to request an Access Decision
//****************************************************
// One (resource, operation) pair; used as the element type of batch
// access requests.
struct AccessDefinition {
    ResourceName resource_name;
    Operation    operation;
};
typedef sequence<AccessDefinition> AccessDefinitionList;

// Three-valued result returned by PolicyEvaluator::evaluate.
// NOTE(review): DecisionCombinator::combine_decisions returns a plain
// boolean, so ACCESS_DECISION_UNKNOWN has to be mapped to allow or deny by
// the combinator; the IDL does not fix that mapping. Treating UNKNOWN as
// "not allowed" is the fail-closed choice -- confirm the intended rule.
enum DecisionResult {
    ACCESS_DECISION_ALLOWED,
    ACCESS_DECISION_NOT_ALLOWED,
    ACCESS_DECISION_UNKNOWN
};
//********************************************************
//* Exception Data types
//********************************************************
// Payload shared by most exceptions in this module: a numeric code plus a
// free-text reason.
// NOTE(review): `reason` is an unconstrained string that travels back to the
// caller; implementations should avoid placing policy internals in it.
struct ExceptionData {
    short  error_code;
    string reason;
};

// Severity marker carried by InternalError and ComponentError.
enum InternalErrorType {
    Fatal,
    NotFatal
};
//*********************************************************
// Exception thrown by the Access Decision Object
//*********************************************************
// Raised by both AccessDecision operations; carries only the severity,
// with no ExceptionData attached.
exception InternalError {
    InternalErrorType et;
};
//*********************************************************
// Exception thrown by Internal non-admin interfaces
//*********************************************************
// Raised by DynamicAttributeService, PolicyEvaluatorLocator,
// DecisionCombinator and PolicyEvaluator operations; carries both the
// error details and the severity.
exception ComponentError {
    ExceptionData     ed;
    InternalErrorType et;
};
//*********************************************************
// Exceptions thrown by Admin Interfaces
//*********************************************************
// Pattern registration errors.
exception PatternConflict        { ExceptionData ed; };
exception PatternDuplicate       { ExceptionData ed; };
exception PatternNotRegistered   { ExceptionData ed; };
exception PatternInUse           { ExceptionData ed; };

// Input, lookup and association errors.
exception InputFormatError       { ExceptionData ed; };
exception ResourceNameNotFound   { ExceptionData ed; };
exception NoAssociation          { ExceptionData ed; };
exception InvalidPolicy          { ExceptionData ed; };
exception DuplicateEvaluatorName { ExceptionData ed; };

// These two carry no data at all, unlike the other admin exceptions.
exception InvalidResourceName        {};
exception InvalidResourceNamePattern {};

// List-validation errors: besides the error details, each reports the first
// element of the submitted list that was found invalid.
exception InvalidPolicyEvaluatorList {
    ExceptionData        ed;
    NamedPolicyEvaluator first_invalid_element;
};
exception InvalidPolicyNameList {
    ExceptionData ed;
    PolicyName    first_invalid_element;
};
//****************************************************
// interface AccessDecision
//****************************************************
// Decision entry point: a client supplies a resource name, an operation and
// an attribute list, and receives a boolean answer.
// NOTE(review): the IDL does not say how a caller must react to
// InternalError (Fatal or NotFatal). An enforcement point would normally
// treat any exception as "not allowed" -- confirm against the specification.
interface AccessDecision {
    // Single query for one operation on one resource.
    boolean access_allowed(
        in ResourceName  resource_name,
        in Operation     operation,
        in AttributeList attribute_list
    ) raises (InternalError);

    // Batch query: several (resource, operation) pairs evaluated with the
    // same attribute list.
    // NOTE(review): presumably element i of the result answers element i of
    // access_requests; callers should verify the two lengths match before
    // using the result -- confirm.
    BooleanList multiple_access_allowed(
        in AccessDefinitionList access_requests,
        in AttributeList        attribute_list
    ) raises (InternalError);
};
//******************************************************
// interface DynamicAttributeService
//******************************************************
// Takes an attribute list plus the resource name and operation of a request
// and returns an attribute list.
// NOTE(review): whether the returned list replaces or extends the input is
// not stated in the IDL. Since these attributes feed the access decision,
// the service is part of the trusted path -- confirm how it is protected.
interface DynamicAttributeService {
    AttributeList get_dynamic_attributes(
        in AttributeList attribute_list,
        in ResourceName  resource_name,
        in Operation     operation
    ) raises (ComponentError);
};
//******************************************************
// interface PolicyEvaluatorLocator
//******************************************************
// Maps a resource name to the evaluators and combinator to use for it, and
// exposes the three administrative interfaces as read-only attributes.
// NOTE(review): any client holding a PolicyEvaluatorLocator reference can
// read the admin references below; restricting who may invoke them is left
// to the deployment -- confirm.
interface PolicyEvaluatorLocator {
    readonly attribute PolicyEvaluatorLocatorBasicAdmin   basic_admin;
    readonly attribute PolicyEvaluatorLocatorNameAdmin    name_admin;
    readonly attribute PolicyEvaluatorLocatorPatternAdmin pattern_admin;

    // Returns the evaluator list and combinator for the given resource name.
    PolicyDecisionEvaluators get_policy_decision_evaluators(
        in ResourceName resource_name
    ) raises (ComponentError);
};
//********************************************************
// interface DecisionCombinator
//********************************************************
// Produces one boolean from a request (resource, operation, attributes) and
// a list of policy evaluators.
// NOTE(review): evaluators return the three-valued DecisionResult while this
// operation returns a boolean; how ACCESS_DECISION_UNKNOWN and an empty
// evaluator list are resolved is not fixed by the IDL -- confirm that the
// implementation denies in both cases.
interface DecisionCombinator {
    boolean combine_decisions(
        in ResourceName        resource_name,
        in Operation           operation,
        in AttributeList       attribute_list,
        in PolicyEvaluatorList policy_evaluator_list
    ) raises (ComponentError);
};
//******************************************************
// interface PolicyEvaluator
//******************************************************
// Evaluates one request and returns a DecisionResult (allowed, not allowed
// or unknown). Its administrative interface is reachable through the
// read-only pe_admin attribute.
interface PolicyEvaluator {
    readonly attribute PolicyEvaluatorAdmin pe_admin;

    DecisionResult evaluate(
        in ResourceName  resource_name,
        in Operation     operation,
        in AttributeList attribute_list
    ) raises (ComponentError);
};
//******************************************************
//
// Management Interfaces
//
//******************************************************
// interface AccessDecisionAdmin
//******************************************************
// Getter/setter pairs for the two collaborators of the access decision
// object: the policy evaluator locator and the dynamic attribute service.
// None of the four operations declares a user exception.
// NOTE(review): the setters swap components that every later decision
// depends on and take no credential parameter; access to this interface
// presumably has to be restricted by the ORB security layer, and changes
// audited -- confirm for the deployment.
interface AccessDecisionAdmin {
    PolicyEvaluatorLocator get_policy_evaluator_locator();
    void set_policy_evaluator_locator(
        in PolicyEvaluatorLocator policy_evaluator_locator
    );

    DynamicAttributeService get_dynamic_attribute_service();
    void set_dynamic_attribute_service(
        in DynamicAttributeService dynamic_attribute_service
    );
};
//*******************************************************
// interface PolicyEvaluatorLocatorBasicAdmin
//*******************************************************
// Administration of the default evaluator list and the default combinator.
// NOTE(review): presumably the defaults apply to resources that have no
// name- or pattern-specific configuration, which makes them the fallback
// for every unconfigured resource -- confirm, and review changes to them
// accordingly.
interface PolicyEvaluatorLocatorBasicAdmin {
    // Unlike the other set_* operations in this module, this one returns a
    // PolicyEvaluatorList.
    // NOTE(review): presumably the previous defaults -- confirm.
    PolicyEvaluatorList set_default_evaluators(
        in PolicyEvaluatorList policy_evaluator_list
    ) raises (DuplicateEvaluatorName, InvalidPolicyEvaluatorList);

    PolicyEvaluatorList get_default_evaluators();

    DecisionCombinator get_default_combinator();
    void set_default_combinator(
        in DecisionCombinator decision_combinator
    );
};
//*******************************************************
// interface PolicyEvaluatorLocatorNameAdmin
//*******************************************************
// Administration of evaluators and combinators keyed by an exact
// ResourceName. Every operation can raise InvalidResourceName.
interface PolicyEvaluatorLocatorNameAdmin {
    // --- evaluators ---------------------------------------------------
    PolicyEvaluatorList get_evaluators(
        in ResourceName resource_name
    ) raises (InvalidResourceName);

    void set_evaluators(
        in PolicyEvaluatorList policy_evaluator_list,
        in ResourceName        resource_name
    ) raises (InvalidPolicyEvaluatorList,
              InvalidResourceName,
              DuplicateEvaluatorName);

    void add_evaluators(
        in PolicyEvaluatorList policy_evaluator_list,
        in ResourceName        resource_name
    ) raises (InvalidResourceName,
              InvalidPolicyEvaluatorList,
              DuplicateEvaluatorName);

    // NOTE(review): a delete operation raising DuplicateEvaluatorName looks
    // unusual; it may refer to duplicates inside the submitted list --
    // confirm against the specification text.
    void delete_evaluators(
        in PolicyEvaluatorList policy_evaluator_list,
        in ResourceName        resource_name
    ) raises (InvalidResourceName,
              InvalidPolicyEvaluatorList,
              DuplicateEvaluatorName);

    // --- combinator ---------------------------------------------------
    DecisionCombinator get_combinator(
        in ResourceName resource_name
    ) raises (InvalidResourceName);

    void set_combinator(
        in DecisionCombinator decision_combinator,
        in ResourceName       resource_name
    ) raises (InvalidResourceName);

    void delete_combinator(
        in ResourceName resource_name
    ) raises (InvalidResourceName);
};
//*******************************************************
// interface PolicyEvaluatorLocatorPatternAdmin
//*******************************************************
// Administration of evaluators and combinators keyed by a
// ResourceNamePattern. The raises clauses show that a pattern is registered
// before evaluators or a combinator are attached to it (PatternNotRegistered).
// NOTE(review): set_default_evaluators, get_default_combinator and
// set_default_combinator are declared here with the same signatures as in
// PolicyEvaluatorLocatorBasicAdmin -- confirm whether the duplication is
// intended.
interface PolicyEvaluatorLocatorPatternAdmin {
    // --- pattern registration -----------------------------------------
    void register_resource_name_pattern(
        in ResourceNamePattern pattern
    ) raises (InvalidResourceNamePattern,
              PatternDuplicate,
              PatternConflict);

    void unregister_resource_name_pattern(
        in ResourceNamePattern pattern
    ) raises (InvalidResourceNamePattern,
              PatternNotRegistered,
              PatternInUse);

    // --- evaluators by pattern ----------------------------------------
    PolicyEvaluatorList get_evaluators_by_pattern(
        in ResourceNamePattern pattern
    ) raises (InvalidResourceNamePattern,
              PatternNotRegistered);

    // NOTE(review): this is the only *_by_pattern operation that raises
    // InputFormatError and does not raise InvalidResourceNamePattern --
    // confirm that the asymmetry with add/delete is intended.
    void set_evaluators_by_pattern(
        in PolicyEvaluatorList policy_evaluator_list,
        in ResourceNamePattern pattern
    ) raises (InvalidPolicyEvaluatorList,
              InputFormatError,
              PatternNotRegistered,
              DuplicateEvaluatorName);

    PolicyEvaluatorList set_default_evaluators(
        in PolicyEvaluatorList policy_evaluator_list
    ) raises (DuplicateEvaluatorName, InvalidPolicyEvaluatorList);

    void add_evaluators_by_pattern(
        in PolicyEvaluatorList policy_evaluator_list,
        in ResourceNamePattern pattern
    ) raises (InvalidResourceNamePattern,
              PatternNotRegistered,
              InvalidPolicyEvaluatorList,
              DuplicateEvaluatorName);

    void delete_evaluators_by_pattern(
        in PolicyEvaluatorList policy_evaluator_list,
        in ResourceNamePattern pattern
    ) raises (InvalidResourceNamePattern,
              PatternNotRegistered,
              InvalidPolicyEvaluatorList,
              DuplicateEvaluatorName);

    // --- combinator by pattern ----------------------------------------
    DecisionCombinator get_combinator_by_pattern(
        in ResourceNamePattern pattern
    ) raises (InvalidResourceNamePattern,
              PatternNotRegistered);

    void set_combinator_by_pattern(
        in DecisionCombinator  decision_combinator,
        in ResourceNamePattern pattern
    ) raises (InvalidResourceNamePattern,
              PatternNotRegistered);

    void delete_combinator_by_pattern(
        in ResourceNamePattern pattern
    ) raises (InvalidResourceNamePattern,
              PatternNotRegistered);

    // --- defaults -----------------------------------------------------
    DecisionCombinator get_default_combinator();
    void set_default_combinator(
        in DecisionCombinator decision_combinator
    );
};
//*******************************************************
// interface PolicyEvaluatorAdmin
//*******************************************************
// Administration of the policy names associated with a resource name on one
// PolicyEvaluator, plus a default policy.
// NOTE(review): these operations change which policies protect a resource
// and take no credential parameter; restricting and auditing their use is
// presumably left to the ORB security layer -- confirm for the deployment.
interface PolicyEvaluatorAdmin {
    void set_policies(
        in PolicyNameList policy_names,
        in ResourceName   resource_name
    ) raises (InvalidResourceName,
              ResourceNameNotFound,
              InvalidPolicyNameList);

    void add_policies(
        in PolicyNameList policy_names,
        in ResourceName   resource_name
    ) raises (InvalidResourceName,
              ResourceNameNotFound,
              InvalidPolicyNameList);

    // Same exceptions as set/add, plus NoAssociation.
    void delete_policies(
        in PolicyNameList policy_names,
        in ResourceName   resource_name
    ) raises (InvalidResourceName,
              ResourceNameNotFound,
              InvalidPolicyNameList,
              NoAssociation);

    // Takes no resource name.
    // NOTE(review): presumably lists every policy name the evaluator knows,
    // not those bound to one resource -- confirm.
    PolicyNameList list_policies();

    // Returns a PolicyName.
    // NOTE(review): presumably the previous default policy -- confirm.
    PolicyName set_default_policy(
        in PolicyName policy_name
    ) raises (InvalidPolicy);
};
};
#endif // _DF_RESOURCE_ACCESS_DECISION_IDL_