Obligations Support #1260
Comments
strantalis
added
enhancement
|
@strantalis Is this a good place for clarifying questions as I'm working on the CLI command docs in Scenario: I encrypt a TDF with an attribute Is the expected behavior that the obligation on the TDF (not derived via association to an attribute value within platform policy, but actually added directly on a TDF) must be found in platform policy for access? Or would we expect the entitlement decision alone to be sufficient for access if the obligation doesn't exist in the platform policy? This has ramifications on safe and unsafe create/update behaviors as well as policy import/export since we're supporting both derived obligations via mappings to attributes and adding obligations directly to TDFs. Note that if the expected behavior is that nonexistent obligations on a TDF will be ignored, and the FQN is the same structure as any other attribute, there's no way to tell from TDF attributes alone that you're considering an obligation and not a regular entitle-able attribute. It would have to have a different FQN structure to be able to be known from the TDF manifest/GetDecisions request as an obligation, like if I added |
In other words, I'm wondering if this CLI documentation statement would be true or need further updates |
|
What do you think about the attribute enum having values for data (data attribute), obligation_environment (obligation attribute scoped to environment), obligation_subject (obligation attribute scoped to subjects)? Then we don't need scope in the derived data policy and allows for an obligation attribute to be added directory to the data policy and have the system understand the enforcement scope |
Thanks - that's an interesting idea @ttschampel . I could definitely be missing something, but I am not sure if that gives us the answer around expected access decisions when an obligation is on a TDF as data policy (not derived) and not found (related to I believe I've heard:
But I'm wondering if we should be expected to support a 5th special case as Regarding your enum question, at first impression, it seems like keeping the obligation subject/environment scope tied to the obligation entitlement/satisfaction conditions (and/or + in/not_in/contains) would be preferable for long-term flexibility. As long as the entity type scope is provided along with the fulfillment conditions to the resolution logic run by Auth Service, it'll be available for derived and with-TDF-data obligations alike. However, I don't think we know all the use cases of obligations yet across varied platform consumers and how subject and environment might both be relevant to some obligations. Derived obligations to data attributes are many : many
Do we know if we have many : one or one : one for obligation entitlement/satisfaction conditions to obligations? It seems like the immediate use cases for obligations I've heard about so far have usually been environment-scoped as they're environment driven, like how watermark never seems like it would be subject-fulfilled, only by a PEP as environmental entity. I haven't heard about a need for subject entitlement to satisfy obligation entitlements, but could see them useful as a bypassing mechanism in automations or security scan/test jobs. If only the obligation satisfaction conditions are scoped not the obligations themselves, the auth service condition resolution logic would still have a scope alongside a condition to evaluate, but we wouldn't be closing the door down the road to fulfillment of a single obligation by either an environmental entity condition or a subject entity condition. |
|
Sorry, my comments were not directed at your question but was a general comment to where to put scope. With regard to your question: I think obligations attributes should be treated like data attributes with regard to a platform not having knowledge of an attribute. If a TDF shows up with a data attribute the platform doesn't know about you get a DENY. I think this should be true for obligations as well. In the CLI flow it would be nice to notify a user if they are deleting an attribute / attribute value that is referenced by a derived obligations present could be cascade deleted. I'm also ok with it failing b/c of the FK reference and forcing the user to submit derived obligation mapping delete commands first. My comment was target at this scenario:
My possible solution: Add those new enums so the platform knows its an obligation and is scoped to a certain entity category. This also removes the need to additionally define the scope in derived obligation mappings |
With the approval of ADR #874. The platform needs to introduce the functionality needed to support
obligations. This can be broken down into the following three work areas.Policy API
In the ADR it was decided to re-use the existing
attributemessage but add a new field that would distinguish it between adataattribute and anobligationtype attribute.It also requires a new mapping structure to derive
resource(tdf policy) attributes -> obligations. The output of this mapping should describe thescopeof the obligation. Whether it should apply to asubjectorenvironmententity.Example Mapping
{cls:topsecret} -> {drm:watermark, scope:environment}This will require the following
Authorization Service
In the authorization service we need to take the derived obligations and enforce them based on the scope
environmentorsubject.OTDFCTL Updates
Because we are leveraging attributes in the platform we need to expose obligations in a way that is understandable to the policy administrator. This could either be a flag
--categoryor a new policy sub commandotdfctl policy obligation create.Acceptance Criteria
The text was updated successfully, but these errors were encountered: