Mailing-List: contact general-help@incubator.apache.org; run by ezmlm
Precedence: bulk
Reply-To: general@incubator.apache.org
Received-SPF: pass (nike.apache.org: domain of dlk@us.ibm.com designates
 32.97.110.151 as permitted sender)
In-Reply-To: <46F1D846.6020806@wstoddard.com>
Subject: Re: [Fwd: Re: Incubator Proposal: SPL]
To: akarasulu@apache.org
Cc: general@incubator.apache.org, fhanik@apache.org,
        W G Stoddard <stoddard@us.ibm.com>, Mark.Carlson@Sun.COM
Message-ID: 
 <OFAA4E60F5.E065B1C9-ON8525735C.0042E92F-8525735C.00460913@us.ibm.com>
From: David L Kaminsky <dlk@us.ibm.com>
Date: Thu, 20 Sep 2007 08:44:58 -0400
MIME-Version: 1.0
Content-type: multipart/alternative;
	Boundary="0__=0ABBF9CFDFD16FBF8f9e8a93df938690918c0ABBF9CFDFD16FBF"
Content-Disposition: inline

--0__=0ABBF9CFDFD16FBF8f9e8a93df938690918c0ABBF9CFDFD16FBF
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: quoted-printable


Hey Alex,

I looked at the access control for Triplesec, and it looks somewhat lik=
e
XACML from Oasis:
  http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=3Dxacml

Here are my general thoughts on the overlap between SPL and access cont=
rol
languages:

1. It is possible to express access control policies in SPL (using if-t=
hen
syntax), but it's much more natural to express access control policies
using domain-specific syntax.  For example, XACML has a pretty direct
encoding of "Nurses can access medical records" ("nurses" is the role, =
"can
access" is the access, and "medical records" is the subject), so it's
natural to express such policies in XACML.  The SPL syntax wouldn't be
nearly as clean.

2. It is also possible to express IT management policies (e.g., "backup=
 the
database when data have changed 10%") using some access control languag=
es,
but you really have to misuse some of their concepts (typically
"obligations"), and the expressions would get really hairy.  In practic=
e,
people wouldn't really want to do it.

At the end of the day, the discussion can end up looking a lot like
discussions of programming languages.  IMO, despite the overlap in some=

areas, there's a good reason that people still write in all of C, C++,
Java, Perl, FORTRAN, etc. -- people choose the language that best suits=
 a
particular need.

I don't think we'll need quite the same breadth of policy languages, bu=
t I
also don't think we'll get down to one.

David


>
>
> -------- Original Message --------
> Subject:    Re: Incubator Proposal: SPL
> Date:    Tue, 18 Sep 2007 16:36:03 -0400
> From:    Alex Karasulu <akarasulu@apache.org>
> Reply-To:    general@incubator.apache.org
> To:    general@incubator.apache.org, fhanik@apache.org
> References:    <NBBBJGEAGJAKLIDBKJOPMEEOAGAD.noel@devtech.com>
> <46EEC902.8010908@apache.org>
>
>
>
> Hi all,
>
> Over at Directory we have an initial attempt at an identity solution =
in
> place called Triplesec.
> It does the usual AAA with some additional things like mobile keyfobs=

> however it's authorization
> policy management features might benefit from this project or there m=
ay
be
> some overlap.  Here's
> a link btw for some additional information on tsec:
>
> http://directory.apache.org/triplesec
>
> Specifically the following information refers to the authorization po=
licy
> store and an API to access
> the information therein which can be stored in LDAP or in an LDIF fil=
e
> (exported from LDAP).
>
> http://directory.apache.org/triplesec/guardian-api-users-guide.html
>
http://directory.apache.org/triplesec/authorization-using-guardian-api.=
html
>
http://directory.apache.org/triplesec/administration-tool-users-guide.h=
tml
>
> So the big question is there much overlap here?  An initial glance te=
lls
me
> there might not be
> but I may be wrong.  Thoughts?
>
> Alex
>
> On 9/17/07, Filip at Apache <fhanik@apache.org> wrote:
> >
> > Noel J. Bergman wrote:
> > >> We proposed to develop a policy-based management infrastructure =
that
> > >> automates administrative tasks by executing policies
> > >>
> > >
> > > Sounds good.  I will be curious to see the reaction from the HTTP=

Server
> > > folks, but this sort of thing is very much needed in real-world
> > deployments
> > > of app servers.
> > >
> > >
> > >> The initial goals are to develop an SPL evaluation engine and
> > >> bindings to the APIs for [...]
> > >>
> > >
> > > What about Tomcat?
> > >
> > I'd be happy to help out with this piece, should the vote to incuba=
tion
> > go through
> >
> > Filip
> > >
> > >> Nominated Mentors
> > >> -    Bill Stoddard(stoddard@apache.org)
> > >>
> > >
> > > Glad to see that Bill will have cycles for this.  :-)
> > >
> > > Would you please take a look at lokahi (
> > http://incubator.apache.org/lokahi)
> > > and comment on any synergies that you see?
> > >
> > >       --- Noel
> > >
> > >
> > >
> > > -----------------------------------------------------------------=
----
> > > To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> > > For additional commands, e-mail: general-help@incubator.apache.or=
g
> > >
> > >
> > >
> > >
> >
> >
> >
> > -------------------------------------------------------------------=
--
> > To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> > For additional commands, e-mail: general-help@incubator.apache.org
> >
> >
>=

--0__=0ABBF9CFDFD16FBF8f9e8a93df938690918c0ABBF9CFDFD16FBF--