[Date Prev][Date Next] [Chronological] [Thread] [Top]
Inheriting / Cacheing / Replicating policy from superior administrative areas

To: <ietf-ldup@imc.org>, <ietf-ldapext@netscape.com>
Subject: Inheriting / Cacheing / Replicating policy from superior administrative areas
From: "Ed Reed" <eer@OnCallDBA.COM>
Date: Wed, 21 Feb 2001 10:16:58 -0700
Content-disposition: inline
Preamble

At the San Diego IETF in December a bar boff (1 round = $89 or so USD) was convened to consider how to deal with inheritance of policy down through a tree from superior to subordinate contexts.  The topic came up because it's an issue for access control policy, which many of us would like to see be able to be inheritable from parents to children, so that an access granted to a parent or superior organizational unit, for instance, could be interpreted correctly as being implicitly granted to all the subordinate entries of that parent.  Other policy information could benefit from such inheritance, and the general case is that policy set at the root of an enterprise (for instance) administrative area is applied to the whole of the administrative area, even if the administrative area is partitioned and distributed among several servers (or groups of servers) throughout the enterprise.  Real world examples include Novell NDS trees, Microsoft ADS Forests, and probably things like !
the directory information tree in X.500 for a country, a governmental agency or any other sort of large organization.

Since this discussion grew out of the LDAPSubentry internet draft discussion about inheritance, I've copied both the ldup and ldapext distribution lists.

The requirement

To support the kind of top-down policy inheritance described above, servers holding subordinate partitions of the administrative area (in other words, simple subtrees rooted below the root of the administrative area where the policy is set) need to be informed of the policy that they are supposed to inherit from above.

Note that I've not said anything about how the policy is represented yet.  It may be via attributes on the root of the administrative area, or it may be via subentries located immediately subordinate to the root of the administrative area, or by some other means.  In fact, for the general case that includes the full X.500 subentry definition with subtree specifications in the subentry, it's only necessary that the policy subentry applies to the entry and its attributes being governed (I think - David?  Helmut?  Richard?  Others?)

So the question is how to make the subordinate partition of the namespace, that does not necessarily coreside on a server where the administrative  area is rooted and where the inheritable governing policy is asserted, how does that subordinate namespace "know" about the inherited policy so that it can enforce it?

Possible approaches

There are several ways this has been approached in the past, and one can imagine many others.

1) the inheritable policy could be asserted when the superior/subordinate references are being administratively set to glue the two namespaces together, either manually by the administrators or programmatically via some hierarchical operational binding protocol, for instance.  I think this is how X.500 implementation generally handle it.

2) a specialized form of replication that knows of the need to maintain cached information aggregated from superior administrative areas in the directory information tree takes responsibility to identify inheritable information and to maintain copies of it on or near subordinate partition roots.  This makes the information available locally to the subordinate namespace in a "read-only" fashion that facilitates decision making and makes the specialized replication scheme responsible for propagating policy changes to all the subordinates when needed.  This is how Novell's NDS does it.  

3) servers holding subordinate partitions of an administrative area can "opportunistically cache" policy information locally.  In this scenario, the access control policy engine (probably, as the direct consumer of the inherited policy information in one example) knows that policy information may be defined in superior areas of the directory information tree that it needs to know about, and so it "walks the tree" until it finds what is clearly the "top" of the authoritative administrative area within which it is supposed to operate.  (I say it this way to highlight that the subordinate may well know its not supposed to walk the tree all the way to "dc=com", for instance, if the root of the organizations administrative area is "dc=oncalldba, dc=com", for instance)  At any rate, the policy engine walks the tree "as far as its supposed to go" accumulating policy information that applies to it and cacheing it locally for future use.  The walk would take place at server startup t!
ime, or when the partition is placed "in service" (if it ever goes off line), or on scheduled "has anything changed I need to know about" walkabouts.  Each policy engine would be responsible for its own cache of information and its own walkabouts (I like that term for this...)

4) whenever policy is defined at an administrative point that applies to subordinate entries, a process (either client or server-based, or some combination of both) performs the inverse to the walkabout described in #3 above - that is, it descends the tree depositing policy information (or changing policy information it finds there) on subordinate entries (either on partition roots or on each leaf entry itself) as it goes.  This approach has the benefit of "pushing" changes from the point of administrative action to all the areas subject to the policy change, rather than relying on the "opportunistic cache" of #3.  With some care, it need not be any more bandwidth consuming than the specialized replication scheme described in #2 above.  And is more dynamic than the static configuration of #1 above.  I think this is generally how Microsoft handles inheritable policy for access controls.  (and yes, in professional contexts of previous lives I've dinged them for how they do it,!
 but that was nit picking over implementation approaches of what to decorate, not over the general concept of how to propagate changes).

["Ed"itorial note - this note alread covers more than we discussed at the bar boff]

There are probably other approaches.  In fact, we came up with one more at the bar boff.

5) each server holding a subordinate partition of an administrative area could also hold a "sparse replica" of the otherwise non-resident superior administrative areas which hold policy information relevant to the partition it does hold.  This approach would allow LDUP to be responsible for propagating changes to policy "as written" to subordinate servers that need it, avoids creating specialized mechanisms that need to know how to aggregate policy information through multiple tiers of administrative area roots (something both #2 and #4 require, and something I for one really, really, really don't want to try to generalize for a standard), leaves interpretation of superior policy entirely up to the local policy decision functions (where it belongs) and "only" requires read-only replicas of the superior administrative root entry and its subentries.  Being "read-only" replicas, the LDUP house keeping is kept to a minimum (because there will never be changes flowing from the su!
bordinate copy to the administrative area root "master" replica).  There will be replication traffic, which can be scheduled or event driven.  The sparse replica replication agreements can be set via administrators to control how or what subentries are replicated (maybe only those flagged "inheritable").  As a read-only replica, it can be configured via transitive synch to take its changes from another read-only replica so you don't HAVE to have the situation where every server in the enterprise is banging away at the root-most master server for policy information, so we should be able to manage the network traffic scaling issues in large trees (though its true that using transitive synch lengthens the time it takes for changes to propagate to all servers).  And, if you don't need it, don't use it.  

The cool thing is that this approach works for any number of inheritable policy information, including schema, password policy, etc. as well as for access control information.

Anyway, that's the idea we came up with.  Discussion is invited, if only to cause a change in subject on the mailing list ;-)

Does this need to be an RFC?  If the chairs think so, let me know whether to submit it as an internet draft under the ldup group name or as an individual submission.

Thanks,
Ed

=================
Ed Reed
Reed-Matthews, Inc.
+1 801 796 7065
http://www.Reed-Matthews.COM
Prev by Date: Re: application defined permissions
Next by Date: Re: application defined permissions
Index(es):
- Chronological
- Thread