RE: WS-Policy reference indirection

> And if I want to change the policy, and the new policy has a new URI,
> I would need to update links in both WSDL and the tModel.

You can solve this problem by having your policy references point to a URI that references the "current" policy.  Section 4.3.4 of the Policy Framework states: "The IRI included in the retrieved policy expression, if any, MAY be different than the IRI used to retrieve the policy expression."

For example, you could have a policy reference like this:

<wsp:PolicyReference URI="urn:currentPolicy" />

That points to a policy like this:

<wsp:Policy Name="urn:myUpdatedPolicy" >
...
</wsp:Policy>

How you resolve external policy references is implementation specific, which allows you to version the policy independently of the URI used to reference the policy.

I hope this helps.

Daniel Roth

-----Original Message-----
From: public-ws-policy-request@w3.org [mailto:public-ws-policy-request@w3.org] On Behalf Of Paul Denning
Sent: Friday, September 22, 2006 2:53 PM
To: Daniel Roth; public-ws-policy@w3.org
Subject: RE: WS-Policy reference indirection


At 05:06 PM 2006-09-22, Daniel Roth wrote:
>Hi Paul,
>
> > What if [P1] and [P2] conflict?
>
>Then someone is in effect "lying" about the policy for that
>endpoint.  It is the responsibility of the policy provider to make
>sure that the policies are consistent.

Thanks for your reply.
Right, it is the responsibility of the policy provider, so to make
his/her job easier, it would be nice to update one rather than two links.


> > Perhaps an approach that would work is for the WSDL policy reference
> > to point to a UDDI tModel, then the UDDI tModel points to the actual
> > policy document, say [P1].
>
>Policy references point to policies, not tModels.

Which is the point of this issue.  Another level of indirection
should be allowed by the spec.

>You can have your WSDL and your tModel both point to the same policy.

And if I want to change the policy, and the new policy has a new URI,
I would need to update links in both WSDL and the tModel.
If my WSDL always points to my tModel, then I can change one link (in
the tModel) to point to the new policy.

>However, this won't have the effect that I think you are implying.
>
>Section 3.1 of the Policy Attachment spec states that you should
>merge multiple policies attached to the same policy subject using
>different attachment mechanisms [1].  The merge operation is
>actually a cross product of the policy alternatives, and P1 x P1 !=
>P1.  When attaching multiple policies to the same subject, these
>policies should be orthogonal to each other to make sure that the
>merge results are reasonable.

If I make a mistake when updating the two pointers (WSDL, tModel),
they would point to different policies, and the cross product would
not be the intended policy.  To avoid this, it's better to update one
rather than two links.

Perhaps another issue is lurking here:
[1] states "Such calculated Policy Expressions have no meaningful URI
of their own. "
Section 6, security considerations, perhaps should say something
about this lack of a meaningful URI for the effective policy, so that
audit logs can note when the policy is based on a merge operation of
multiple individual policy expressions.  If something goes wrong
because the effective policy after the merge is not as expected, you
want your audit logs to help you find the source of the problem.

Paul


>I hope this helps.
>
>Daniel Roth
>
>[1] http://www.w3.org/Submission/WS-PolicyAttachment/#EffectivePolicy
>NOTE: This is a link to the submitted draft.  In the editors draft
>it looks like the terminology work has cut off some of the text for
>paragraph 2 in section 3.1.
>
>-----Original Message-----
>From: public-ws-policy-request@w3.org
>[mailto:public-ws-policy-request@w3.org] On Behalf Of Paul Denning
>Sent: Wednesday, August 23, 2006 8:49 AM
>To: public-ws-policy@w3.org
>Subject: WS-Policy reference indirection
>
>
>Let's say my policy subject is an endpoint [e].
>
>Let's assume two different policy files exist, [P1] and [P2].
>
>I may have a WSDL file for endpoint [e] with an attached policy [1]
>that references [P1].
>
>I may also have a UDDI entry for [e] with an attached policy [2] that
>references [P2].
>
>So, both [P1] and [P2] are associated with [e].
>
>What if [P1] and [P2] conflict?
>
>For example,
>[P1] = endpoint available only Mon-Fri
>[P2] = endpoint available only on Sat and Sun
>
>[1]  http://www.w3.org/Submission/WS-PolicyAttachment/#EndpointPolicySubject
>[2]  http://www.w3.org/Submission/WS-PolicyAttachment/#EndpointPolicySubjectUDDI
>[3]  http://www.w3.org/Submission/2006/SUBM-WS-Policy-20060425/#Policy_Inclusion
>
>It would be nice to avoid this situation.
>
>Perhaps an approach that would work is for the WSDL policy reference
>to point to a UDDI tModel, then the UDDI tModel points to the actual
>policy document, say [P1].
>
>However, I don't think [3] allows this extra layer of indirection
>where WSDL points to UDDI which points to Policy.  I think [3] only
>allows WSDL to point to Policy.
>
>Is my reading correct?
>
>Do you agree that the specs should support this extra layer of
>indirection to avoid potential policy conflicts and reduce the burden
>of synchronizing the WSDL and UDDI policy references?
>
>Paul

Received on Monday, 25 September 2006 16:31:08 UTC
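
Added example, not part of the original thread or of any WS-Policy implementation: a sketch of the two mechanisms discussed above, resolving a stable reference URI to a policy whose Name differs, and merging policies attached through WSDL and UDDI as a cross product of alternatives while producing the audit record Paul asks for. The resolver table, the urn:uddiPolicy and urn:weekendPolicy identifiers, the assertion names and the audit record fields are assumptions made for illustration.

```python
import hashlib
import itertools
import xml.etree.ElementTree as ET

WSP = "{http://schemas.xmlsoap.org/ws/2004/09/policy}"  # WS-Policy submission namespace

def policy_xml(name, alternatives):
    """Build a constructed normal-form policy: ExactlyOne of All of assertions."""
    alls = "".join("<wsp:All>%s</wsp:All>" % "".join("<ex:%s/>" % a for a in alt)
                   for alt in alternatives)
    return ('<wsp:Policy xmlns:wsp="%s" xmlns:ex="urn:example:assertions" Name="%s">'
            '<wsp:ExactlyOne>%s</wsp:ExactlyOne></wsp:Policy>' % (WSP[1:-1], name, alls))

# Constructed resolver table (assumption): stable reference URI -> current document.
STORE = {
    "urn:currentPolicy": policy_xml("urn:myUpdatedPolicy", [["WeekdaysOnly"]]),
    "urn:uddiPolicy": policy_xml("urn:weekendPolicy", [["WeekendsOnly"]]),
}

def resolve(reference_uri):
    """Return (Name of the retrieved policy, alternatives as lists of assertion tags)."""
    root = ET.fromstring(STORE[reference_uri])
    alts = [[a.tag for a in alt] for alt in root.iter(WSP + "All")]
    return root.get("Name"), alts

def effective_policy(attachments):
    """Merge the policies attached to one subject; attachments maps mechanism -> URI."""
    sources, per_policy = [], []
    for mechanism, ref in sorted(attachments.items()):
        name, alts = resolve(ref)
        # Log both the URI that was dereferenced and the Name that came back.
        sources.append({"mechanism": mechanism, "reference": ref, "retrieved_name": name})
        per_policy.append(alts)
    # Cross product: one merged alternative per combination, assertions concatenated.
    merged = [sum(combo, []) for combo in itertools.product(*per_policy)]
    digest = hashlib.sha256(repr(merged).encode()).hexdigest()
    # The merged policy has no URI of its own, so the record names its inputs.
    return merged, {"merged": len(sources) > 1, "sources": sources, "sha256": digest}

if __name__ == "__main__":
    merged, audit = effective_policy({"wsdl": "urn:currentPolicy", "uddi": "urn:uddiPolicy"})
    print(merged)
    print(audit)
```

Attaching urn:currentPolicy through both mechanisms yields one alternative with the assertion listed twice, which is the P1 x P1 != P1 case from the thread.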