Ticket #113 (closed defect: fixed)

Opened 6 years ago

Last modified 5 years ago

Pre-create kowari models (users, grants, revokes, etc.)

Reported by: pradeep
Assigned to: pradeep
Priority: unassigned
Milestone:
Component: topaz
Version: 0.5-SNAPSHOT
Keywords:
Cc:
Blocking:
Blocked By:

Change History

08/11/06 00:47:40 changed by ronald

Why?

08/11/06 16:30:06 changed by pradeep

  • owner changed from somebody to pradeep.
  • status changed from new to assigned.

08/11/06 16:34:39 changed by pradeep

  • milestone changed from TBD to august25.

08/12/06 05:44:20 changed by pradeep

One reason has been identified in the XACML policy evals. (If there are other reasons, please add.)

Bootstrap problem in XACML policy eval:

  • Models get created within impl classes now, triggered by soap-client requests (users service for users, permissions service for grants and revokes, etc.)
  • XACML policies on other services (e.g. annotations) will deny access due to itql query failure. (Query failure results in an indeterminate status by the itql query function, and that in turn results in the PDP returning an indeterminate status irrespective of any combining algorithm. A deny-biased PEP will deny access on an indeterminate request evaluation.)
  • mainly affects continuum builds for now.

Proposed solutions:

1. make xacml-itql query function return an empty bag instead of indeterminate

  • this is very tempting, but very very wrong.
  • there is no way to distinguish between empty sets and errors
  • a rule that checks for an empty set may make a wrong policy decision

2. add an extra query to check for the existence of models

  • always succeeds after boot-strap; so wasted cycles in normal operation

3. add a create ${model}; statement to queries in boot-strap

  • should work; except for the following reasons:
    • bug #112 (itql session lock-up) kicks in
    • boot-strap is checked only if no other rules are applicable
    • this means it needs to be added to every single rule
    • create ${model}; is cheap, however tacking it on to every single rule definitely adds up.

4. do what this ticket suggests

  • add a web-app-context init listener that will
    • create the kowari models that we depend on
    • do any other initialization tasks

5. Apps should initialize topaz before use, i.e. create an admin user and assign permissions. Add this to continuum integration tests (i.e. add to #94).
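
Added example (not part of the ticket or the topaz code base): a minimal Python model of the bootstrap problem and of proposed solutions 1 and 4 from the comment above. The rule, the store layout and all function names are hypothetical; only the model names come from the ticket.

```python
from enum import Enum

class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    INDETERMINATE = "Indeterminate"

class QueryError(Exception):
    """Query failed, e.g. because the model does not exist yet."""

MODELS = ("users", "grants", "revokes", "ri")  # model names from the ticket

def bootstrap(store):
    """Solution 4: pre-create every model before any policy is evaluated."""
    for name in MODELS:
        store.setdefault(name, set())

def query_bag(store, model, row, errors_as_empty=False):
    """Hypothetical stand-in for the xacml-itql query function."""
    try:
        if model not in store:
            raise QueryError(f"no such model: {model}")
        return {r for r in store[model] if r == row}
    except QueryError:
        if errors_as_empty:  # solution 1: an error now looks like "no rows"
            return set()
        raise

def pdp_evaluate(store, user, action, errors_as_empty=False):
    """Hypothetical rule: Permit when the bag of matching revokes is empty."""
    try:
        revokes = query_bag(store, "revokes", (user, action), errors_as_empty)
    except QueryError:
        return Decision.INDETERMINATE  # a failed query is never a Permit
    return Decision.DENY if revokes else Decision.PERMIT

def pep_allows(decision):
    """Deny-biased PEP: anything other than an explicit Permit is refused."""
    return decision is Decision.PERMIT

if __name__ == "__main__":
    fresh = {}  # constructed store with no models created yet
    print("indeterminate:", pdp_evaluate(fresh, "alice", "annotate"))
    print("empty-bag:    ", pdp_evaluate(fresh, "alice", "annotate", True))
    bootstrap(fresh)
    print("bootstrapped: ", pdp_evaluate(fresh, "alice", "annotate"))
```

With the empty-bag behaviour the rule permits on a store it could not read, which is the wrong decision the comment warns about; after `bootstrap` the same Permit is backed by a query that actually succeeded.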

08/16/06 21:53:50 changed by pradeep

(In [466]) Set up policies such that it avoids the boot-strap and the nested kowari txn dead-locks for test-pdp. For standard-pdp the boot-strap issue is very much there.

The standard-pdp expects that the kowari store contains the models users, grants, revokes and ri. We have to find a way to pre-create these. See #113 for details.

08/24/06 14:24:25 changed by pradeep

  • status changed from assigned to closed.
  • resolution set to fixed.

(In [498]) Added a bootstrap init common for all web-apps. Currently it initializes all ITQL models that we use. The models are defined in topaz-common-config.

Closes #113.

10/29/07 21:12:47 changed by

  • milestone deleted.

Milestone august25 deleted