You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@openaz.apache.org by Okke Harsta <oh...@zilverline.com> on 2015/09/09 20:41:14 UTC
PIP engines
Hi,
We want to ‘enrich’ attributes by using PIPEngines and I have a question about that:
1) PIPEngine#attributesRequired is never called during the decide process and I thought this was the hook to ensure that a PIPEngine is not called when the required attributes are not in the Request. Is this a bug or intentional design?
2) How do I make sure that a PIPEngine is only called upon for a certain Policy as our PIP does expensive calls and is only needed when for example a certain Policy matches the Request
Thanks,
Okke
Re: PIP engines
Posted by "DRAGOSH, PAMELA L (PAM)" <pd...@research.att.com>.
Okke,
1. That¹s intentional design, the attributesRequired was intended for use
within the PAP Admin Console during Policy Creation and PIP Definition. It
was brought in late in the development after the PDP was developed.
2. The design of XACML is that a PIPEngine is called to provide a specific
attribute, that only happens when the attribute is required to evaluate a
PolicySet/Policy/Rule. As long as the PDP (or another PIPEngine) does not
need the attribute, it won¹t get called. The PDP will first look in the
request for the attribute, then go through each PIP engine asking for the
attribute. The PIP Engine should return immediately if it doesn¹t provide
that attribute, thus avoiding that expensive call. Make sure you write
that Policy correctly. Also beware in the case of another PIP requiring
the attribute being provided by that expensive PIP, in order to provide
its own attribute.
Pam
On 9/9/15, 2:41 PM, "Okke Harsta" <oh...@zilverline.com> wrote:
>Hi,
>
>We want to Œenrich¹ attributes by using PIPEngines and I have a question
>about that:
>
>1) PIPEngine#attributesRequired is never called during the decide process
>and I thought this was the hook to ensure that a PIPEngine is not called
>when the required attributes are not in the Request. Is this a bug or
>intentional design?
>2) How do I make sure that a PIPEngine is only called upon for a certain
>Policy as our PIP does expensive calls and is only needed when for
>example a certain Policy matches the Request
>
>Thanks,
>Okke
>