
Optimize way to Match Policies in the PDP in a Distributed Environment


Hi, I have gone through many use cases regarding XACML, but I don't know what is the best way to load policies in the PDP. As per the PDP workflow defined by OASIS, I understood that when an incoming request comes to the PDP, the PDP is responsible for matching the corresponding policies based on the request.

Since the PDP is going to match each and every policy, just think about a scenario where I have 10,000 policies stored in a distributed environment; what will happen at that time? It is going to consume more and more time in matching; that's not an efficient way of matching the policy.

I need some clarifications on these issues:

  1. How to distribute the policies on different servers?

  2. If I distribute the policies on different servers, then how will my PDP recognize and fetch the corresponding policy from the particular server?

  3. What is the best way by which the PDP will recognize the exact policy to match with the incoming request?


Solution

  • Yes. If there are 10,000 policies stored, there can be considerable time to match them.

    If you think about horizontal scaling, you can still look for the following...

    1. Caching all policies or Target elements
    2. Making the Target not complex (just some string match)
    3. Parallel matching of policies with multiple threads.

    I agree that, for 10,000 policies, we may need to look for vertical scaling. I assume you have defined policies based on the applications. The application id can be the Target element of your policies. (It can be anything that helps to create a policy collection.) To answer your questions:

    1. Policies can be distributed based on the Target element (based on the application). Therefore different servers have different policies based on the application id. Basically it is like one PDP per application. (The idea is that you want to group the policies in some way that lets you distribute them into separate PDPs.)
    2. There can be a central PDP hub. Once a request is received, it would check for the application id and route the message to the relevant PDP. Sometimes it does not need to be a PDP; some routers (such as an ESB) can look for some parameter in the request and send it to the relevant PDP.
    3. As mentioned, it is better to have a central server that routes the requests.

    Also, if you do not achieve parallel evaluation of distributed policies, it can also be done with a PDP hub... Say you distribute your policies into 10 PDPs and there is a PDP hub. Once a request is received by the PDP hub, it would send the request to the 10 PDPs, and the 10 PDPs would evaluate policies in parallel. Once the responses are received by the PDP hub, it can aggregate the results of the 10 PDPs and send the final result to the PEP.
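The hub design from the answer above, as an added example that is not part of the original post: policies are sharded into per-application PDPs by a simple string-equality Target on a constructed `application-id` attribute, the hub either routes a request to the one matching shard or fans it out to every shard in parallel, and the fan-out results are combined with deny-overrides (an assumption; the answer only says "aggregate"). The policy set, attribute names and decision strings are constructed for illustration.

```python
from collections import defaultdict
from concurrent.futures import ThreadPoolExecutor

# Constructed sample policies (hypothetical): a Target of attribute equalities
# that must all hold, and the effect returned when the Target matches.
POLICIES = [
    {"id": "crm-admin", "target": {"application-id": "crm", "role": "admin"}, "effect": "Permit"},
    {"id": "crm-guest", "target": {"application-id": "crm", "role": "guest"}, "effect": "Deny"},
    {"id": "hr-staff",  "target": {"application-id": "hr", "role": "staff"},  "effect": "Permit"},
    {"id": "hr-night",  "target": {"application-id": "hr", "shift": "night"}, "effect": "Deny"},
]

def target_matches(target, request):
    # Keep the Target cheap, as the answer suggests: plain string equality only.
    return all(request.get(k) == v for k, v in target.items())

def deny_overrides(decisions):
    # Combining rule assumed for aggregation: any Deny wins, then Permit, else NotApplicable.
    if "Deny" in decisions:
        return "Deny"
    if "Permit" in decisions:
        return "Permit"
    return "NotApplicable"

class Pdp:
    """One PDP shard that holds only the policies for a single application id."""
    def __init__(self, policies):
        self.policies = policies

    def evaluate(self, request):
        matched = [p["effect"] for p in self.policies if target_matches(p["target"], request)]
        return deny_overrides(matched)

class PdpHub:
    """Central hub: shards policies by application id, then routes or fans out."""
    def __init__(self, policies, shard_attr="application-id"):
        shards = defaultdict(list)
        for p in policies:
            shards[p["target"][shard_attr]].append(p)   # vertical split by Target attribute
        self.shard_attr = shard_attr
        self.pdps = {app: Pdp(ps) for app, ps in shards.items()}

    def route(self, request):
        # Point 2 of the answer: inspect the request attribute and forward to one shard.
        pdp = self.pdps.get(request.get(self.shard_attr))
        return pdp.evaluate(request) if pdp else "NotApplicable"

    def fan_out(self, request):
        # Last paragraph of the answer: evaluate on every shard in parallel, then aggregate.
        with ThreadPoolExecutor() as pool:
            results = list(pool.map(lambda pdp: pdp.evaluate(request), self.pdps.values()))
        return deny_overrides(results)
```

With this split a request only touches the shard its application id selects, so the matching cost grows with the policies of one application rather than the whole set.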