W3C home > Mailing lists > Public > public-ws-policy@w3.org > October 2006

RE: WS-Policy reference indirection

From: Paul Cotton <Paul.Cotton@microsoft.com>
Date: Wed, 4 Oct 2006 10:44:40 -0700
To: Paul Denning <pauld@mitre.org>
CC: Daniel Roth <Daniel.Roth@microsoft.com>, "public-ws-policy@w3.org" <public-ws-policy@w3.org>
Message-ID: <4D66CCFC0B64BA4BBD79D55F6EBC225719C5333A1B@NA-EXMSG-C103.redmond.corp.microsoft.com>

The WS-Policy WG has marked issue 3719 [1] as FIXED with the explanation provided in this thread.  We do not believe that any changes are required to the Framework or Attachments document.

If you disagree with this disposition of Issue 3719, please let us know ASAP by replying to this message and giving us your reasons.

/paulc
Speaking for the WS-Policy WG

[0] http://www.w3.org/Bugs/Public/show_bug.cgi?id=3719

Paul Cotton, Microsoft Canada
17 Eleanor Drive, Ottawa, Ontario K2E 6A3
Tel: (613) 225-5445 Fax: (425) 936-7329
mailto:Paul.Cotton@microsoft.com





> -----Original Message-----
> From: public-ws-policy-request@w3.org [mailto:public-ws-policy-
> request@w3.org] On Behalf Of Daniel Roth
> Sent: September 29, 2006 5:23 PM
> To: Paul Denning; public-ws-policy@w3.org
> Subject: RE: WS-Policy reference indirection
>
>
> Paul, is this solution sufficient for your scenario?
>
> Daniel Roth
>
> -----Original Message-----
> From: Daniel Roth
> Sent: Monday, September 25, 2006 9:31 AM
> To: 'Paul Denning'; public-ws-policy@w3.org
> Subject: RE: WS-Policy reference indirection
>
> > And if I want to change the policy, and the new policy has a new URI,
> > I would need to update links in both WSDL and the tModel.
>
> You can solve this problem by having your policy references point to a URI
> that references the "current" policy.  Section 4.3.4 of the Policy
> Framework states: "The IRI included in the retrieved policy expression, if
> any, MAY be different than the IRI used to retrieve the policy
> expression."
>
> For example, you could have policy reference like this:
>
> <wsp:PolicyReference URI="urn:currentPolicy" />
>
> That points to a policy like this:
>
> <wsp:Policy Name="urn:myUpdatedPolicy" >
> ...
> </wsp:Policy>
>
> How you resolve external policy references is implementation specific,
> which allows you to version the policy independently of the URI used to
> reference the policy.
>
> I hope this helps.
>
> Daniel Roth
>
> -----Original Message-----
> From: public-ws-policy-request@w3.org [mailto:public-ws-policy-
> request@w3.org] On Behalf Of Paul Denning
> Sent: Friday, September 22, 2006 2:53 PM
> To: Daniel Roth; public-ws-policy@w3.org
> Subject: RE: WS-Policy reference indirection
>
>
> At 05:06 PM 2006-09-22, Daniel Roth wrote:
> >Hi Paul,
> >
> > > What if [P1] and [P2] conflict?
> >
> >Then someone is in effect "lying" about the policy for that
> >endpoint.  It is the responsibility of the policy provider to make
> >sure that the policies are consistent.
>
> Thanks for your reply.
> Right it is the responsibility of the policy provider, so to make
> his/her job easier, it would be nice to update one rather than two links.
>
>
> > > Perhaps an approach that would work is for the WSDL policy reference
> > > to point to a UDDI tModel, then the UDDI tModel points to the actual
> > > policy document, say [P1].
> >
> >Policy references point to policies, not tModels.
>
> Which is the point of this issue.  Another level of indirection
> should be allowed by the spec.
>
> >You can have your WSDL and your tModel both point to the same policy.
>
> And if I want to change the policy, and the new policy has a new URI,
> I would need to update links in both WSDL and the tModel.
> If my WSDL always points to my tModel, then I can change one link (in
> the tModel) to point to the new policy.
>
> >However, this won't have the effect that I think you are implying.
> >
> >Section 3.1 of the Policy Attachment spec states that you should
> >merge multiple policies attached to the same policy subject using
> >different attachment mechanisms [1].  The merge operation is
> >actually a cross product of the policy alternatives, and P1 x P1 !=
> >P1.  When attaching multiple policies to the same subject, these
> >policies should be orthogonal to each other to make sure that the
> >merge results are reasonable.
>
> If I make a mistake when updating the two pointers (WSDL, tModel),
> they would point to different policies, and the cross product would
> not be the intended policy.  To avoid this, its better to update one
> rather than two links.
>
> Perhaps another issue is lurking here:
> [1] states "Such calculated Policy Expressions have no meaningful URI
> of their own. "
> Section 6, security considerations, perhaps should say something
> about this lack of a meaningful URI for the effective policy, so that
> audit logs can note when the policy is based on a merge operation of
> multiple individual policy expressions.  If something goes wrong
> because the effective policy after the merge is not as expected, you
> want your audit logs to help you find the source of the problem.
>
> Paul
>
>
> >I hope this helps.
> >
> >Daniel Roth
> >
> >[1] http://www.w3.org/Submission/WS-PolicyAttachment/#EffectivePolicy
> >NOTE: This is a link to the submitted draft.  In the editors draft
> >it looks like the terminology work has cut off some of the text for
> >paragraph 2 in section 3.1.
> >
> >-----Original Message-----
> >From: public-ws-policy-request@w3.org
> >[mailto:public-ws-policy-request@w3.org] On Behalf Of Paul Denning
> >Sent: Wednesday, August 23, 2006 8:49 AM
> >To: public-ws-policy@w3.org
> >Subject: WS-Policy reference indirection
> >
> >
> >Lets say my policy subject is an endpoint [e].
> >
> >Lets assume two different policy files exist, [P1] and [P2].
> >
> >I may have a WSDL file for endpoint [e] with an attached policy [1]
> >that references [P1].
> >
> >I may also have a UDDI entry for [e] with an attached policy [2] that
> >references [P2].
> >
> >So, both [P1] and [P2] are associated with [e].
> >
> >What if [P1] and [P2] conflict?
> >
> >For example,
> >[P1] = endpoint available only Mon-Fri
> >[P2] = endpoint available only on Sat and Sun
> >
> >[1]  http://www.w3.org/Submission/WS-
> PolicyAttachment/#EndpointPolicySubject
> >[2]
> >http://www.w3.org/Submission/WS-
> PolicyAttachment/#EndpointPolicySubjectUDDI
> >[3]
> >http://www.w3.org/Submission/2006/SUBM-WS-Policy-
> 20060425/#Policy_Inclusion
> >
> >It would be nice to avoid this situation.
> >
> >Perhaps an approach that would work is for the WSDL policy reference
> >to point to a UDDI tModel, then the UDDI tModel points to the actual
> >policy document, say [P1].
> >
> >However, I don't think [3] allows this extra layer of indirection
> >where WSDL points to UDDI which points to Policy.  I think [3] only
> >allows WSDL to point to Policy.
> >
> >Is my reading correct?
> >
> >Do you agree that the specs should support this extra layer of
> >indirection to avoid potential policy conflicts and reduce the burden
> >of synchronizing the WSDL and UDDI policy references?
> >
> >Paul
>
>
>
Received on Wednesday, 4 October 2006 17:44:49 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 8 January 2008 14:20:42 GMT