Wso2 Identity server: improve the performance of an AttributeFinderModule for attributes on resources

522 views Asked by At

my questions apply both to wso2 identity server 4.5 (IS) and to balana "standalone".

I successfully process XACML multiple requests sent to the entitlement service in IS (the web service interface to the PDP) as ruled in the "XACML v3.0 Multiple Decision Profile Version 1.0".

I have found in the web several examples of a custom "attribute finder" but in all those examples the implementation retrieves the attributes of the subject (e.g the role of the subject) and not of the resources. In my use case I would send to the PDP a xacml request with all the attributes of the subject and a list of resource ids. I have implemented an attribute finder to retrieve the attributes of the resources from an external system (for example a database or a web service). The first question is: is this approach not recommended for same reason?

The second question concerns the performance of this AttributeFinder implementation if the number of resources increases.

Let's suppose we have limited the list of the attributes of the resources that can be used in the policy definitions. For example a small number of attributes.

The method from org.wso2.balana.finder.AttributeFinderModule:

public EvaluationResult findAttribute(URI attributeType, URI attributeId,
            String issuer, URI category, EvaluationCtx context) 

have to return the value/values of a single attribute. So, if a policy evaluates more attributes for a resource this method is called more times for the same resource. I could avoid to call the external system multiple times for different attributes of the same resource if I read all the attributes of the resource at the first call of that method and save that data (e.g. on a thread local variable) that can be used for the subsequent calls.

So, if I have a multiple request and a policy on the attributes of the resources applies to that request, the method is called more times not only for every attribute of the same resource, but also for every resource. To improve the performance I would like to reduce the number of calls to the external system hence I would like to read at the first call of the method "findAttribute" the attributes for all the resources (or a subset if I have a very large set). To do that I need access in the "findAttribute" method to the list of all the resource id in the request. The EvaluationCtx I receive in the attribute finder is only one of those in the Set that is built from the multiple request. The full set is processed cyclically in the method org.wso2.balana.PDP.evaluate(EvaluationCtx) and is not available in the method "findAttribute".

I could for example extend the PDP class to publish in a thread local variable the full Set of EvaluationCtx (or the list of resources id) but this could work in a "balana standalone" and not in the wso2 Identity server. Any ideas?

Thank you. Stefano

1

There are 1 answers

3
Asela On BEST ANSWER

Yes.. You can use any category types.. it can be subject, resource or any thing.. But most of the time, policies are looking for user's attributes. I guess this is the reason for sample to be looked like that..

Yes.. that is a great suggestion. I created a jira as improvement. If you would like to contribute. You can provide a patch...

However, with Identity Server, there is separate interface to implement. It has been wrapped the Balana interface. Please find more details on it here. Actually with Identity server, it uses attribute caches to improve the performance. However if we could add your suggestion to Balana, It would help to improve more.