Release notes for Access Decision Service
Information in this document refers to Access Decision Service (ADS) from Axiomatics AB.
Access Decision Service 1.9.0
New features and changed functionality in ADS 1.9.0
Simplified installation of ADS
This release introduces a simplified way to install and run ADS based on Docker. The new installation process makes it even quicker and easier to get ADS up and running.
Online documentation
The documentation for ADS has been converted to an online format, and is now available at https://docs.axiomatics.com. PDFs are no longer included in the distribution. The online distribution model will improve availability and ensure that users always have easy access to the latest version of the documentation.
Support for InfluxDB for metrics data processing
ADS now supports the time series database Influxdata InfluxDB OSS 2.x as a metrics backend.
Support for authentication using client credentials
ADS can now be configured to authenticate itself against Axiomatics Services Manager (ASM), and send client credentials when requesting a domain configuration file from ASM.
Using Azure Monitor Application Insights for tracing and metrics
When Azure Monitor Application Insights is used for monitoring and analytics, the Application Insights Java agent should be used for both tracing and metrics.
Note: The option of configuring Azure Monitor as a metrics backend in ADS is no longer recommended, and its use is deprecated. This configuration option will be removed in a future release.
Fixed issues in ADS 1.9.0
N/A
Known issues in ADS 1.9.0
N/A
Access Decision Service 1.8.0
New features and changed functionality in ADS 1.8.0
Metrics data collection and processing
ADS now collects the following metrics for requests, to provide performance data that can be useful to identify patterns and understand trends:
- Rate - the number of access requests ADS has served
- Errors - the number of failed access requests
- Duration - distribution of the amount of time each access request takes
- Rate of successful evaluations - the rate of successful access requests that evaluated to Permit, Deny, Indeterminate, or NotApplicable, respectively
The sampling rate for these metrics is configurable.
This data can be accessed by metrics backends using either a (client) pull or a (server) push model. The currently supported metrics backends are Prometheus and Azure Monitor.
Separation of event types in the audit log stream
The audit logs produced by ADS contain two types of events, evaluation events and administrative events. To simplify analysis of the log data, the log stream can now be configured to separate the two types of events, for output to console and/or file. Which type of event to include in the log output is controlled by the use of different loggers, so that the output contains either evaluation events only, administrative events only, both types together, or one output item for each type.
Domain format conversion removed
The domain format conversion feature introduced in version 1.6.4 has been removed.
Customers wanting to convert legacy XML-format (or version 1) authorization domain configuration files to YAML-format (or version 2) authorization domain configuration files are instead requested to contact Customer Support, who will assist with conversion services.
Fixed issues in ADS 1.8.0
Environment variable substitution not working
A change to the domain validation operation caused environment variable substitution to stop working. This has been fixed.
Known issues in ADS 1.8.0
N/A
Access Decision Service 1.7.0
New features and changed functionality in ADS 1.7.0
Tracing using OpenTelemetry
Tracing can now be enabled in ADS, providing the option to track key events that relate to access requests. The tracing functionality in ADS is based on OpenTelemetry (OT), relying on the OpenTelemetry Java agent to orchestrate the feature, but any agent that conforms to or implements the OpenTelemetry API version 1.3 could be used. For visualization and monitoring assistance, the tracing information produced by ADS can be published to other tools, for example, Jaeger or Prometheus.
For each request, the following spans are defined in the trace:
- A span for the whole request.
- A span per call to an attribute connector. Spans are also produced when a call to fetch an attribute may result in fetching it from the cache or involving an operation from the attribute connector itself.
If the access request includes a W3C trace context, ADS does not define a new trace. Instead, all spans are created within that context. If the access request contains a header with a correlation information, that information is attached to the span associated with the single request.
Logging enhanced with tracing information in MDC
Log entries emitted by ADS can be enhanced with trace and span identifiers as attributes in the Mapped Diagnostic Context (MDC). However, this requires that the OpenTelemetry Java agent that ADS relies on for the tracing functionality is enabled. When that is the case, the OpenTelemetry Java agent will inject information about the current span into the MDC copy of each logging event.
Support for conditional requests when polling a domain name using HTTP(S)
ADS now supports conditional requests when polling a domain name from an authorization domain server using GET on an HTTP(S) endpoint. This means that ADS will recognize an "ETag" header if present in the response from the server, and consequently include an "If-None-Match" header field in its future requests, as well as correctly handle the "304 (Not Modified)" status code and header information the authorization domain server will use in its response if the representation has not changed since the previous request.
The implementation is compliant with IETF RFC 7232, §3.2, which delineates the name and semantics of the header information that clients must use for an "If-None-Match" header field, and IETF RFC 7232, §4.1, which describes the definition of the "304 (Not Modified)" status code and header information.
Version information published by ADS
Users can now access version information published by ADS in two ways: By looking at the log, as ADS will log information about the application and the operating system during start-up, or by querying an administration endpoint. The information presented is the same for both methods. Refer to the ADS User's Guide for more information.
Check command will detect mismatch between declared and provided attributes
The check command functionality has been extended with another validation item. It will now also detect any mismatch between declared and provided attributes in the domain configuration.
Configuration to stop ADS from starting if a declared attribute is not provided
There is an optional property, failOnDeclaredAttributeNotProvided, that can be used to configure ADS not to start or reconfigure with a domain that does not provide an attribute that has been declared in the configuration.
Concise format default for audit logging output
A concise format is now the default for the audit logging output. To improve processing efficiency, information not essential to auditing is excluded from the evaluation events. If the full, or verbose, logging information is required, this can be set via an audit mode property in the deployment configuration file.
Fixed issues in ADS 1.7.0
XACML function string-regexp-match conforms to the specification
Previously, the string-regexp-match function returned incorrect results for some regular expressions that use the alternation operator. This has been fixed and the function now conforms to the XACML 3.0 specification.
MDP requests not failing fast if one access decision fails
When the authorization engine receives an MDP (Multiple Decision Profile) request, the execution is parallelized.
Previously, if an individual access decision failed, perhaps by an exception raised by an attribute connector, the engine did not abort the execution or fail fast, allowing other parallel processes to continue to execute. This could result in unnecessary resource use.
This has been fixed. Now, if one individual access decision fails, the engine fails fast and cancels all active parallel processes so as to not consume unnecessary resources.
Known issues in ADS 1.7.0
Running an ADS command may create audit log output
Running an ADS command may create audit log output depending on the configuration that is being used. This is because running any command starts a JVM with the full functionality of the current configuration enabled. This is unavoidable due to the design of the commands. As a consequence, it is not possible to avoid producing audit logs for operations that are triggered by running a command, if audit logging is enabled in the configuration.
Warning of illegal reflective access operation when running ADS on Java 11
Running ADS on Java 11 may trigger warnings concerning illegal reflective access operations. These warnings are not a consequence of any malfunctioning, and can therefore be ignored and do not need to be reported.
Domain conversion command may produce invalid domains
Running the authorization domain format conversion command may result in invalid domain configuration files. Use of the command is deprecated and the functionality will be removed in a later release of ADS.
Access Decision Service 1.6.4
New features and changed functionality in ADS 1.6.4
Runtime updating of domain configurations
There is now an optional property, domainRefreshInterval, that can be used to configure ADS to update the domain configuration during runtime by polling its source at regular intervals. This allows for updating of policies or attribute connectors without having to stop and redeploy ADS.
Note: The refresh feature only reloads the domain if it has been modified. When that happens, ADS clears the attribute cache and creates new instances of the attribute connectors.
Authorization domain format conversion
A conversion command has been added that will convert an XML-format authorization domain configuration file to a YAML-format authorization domain configuration file.
ADS can send user credentials for retrieval of domains
ADS can now present user credentials when requesting a domain configuration file from remote locations that support Basic Authentication.
Connection pooling enabled by default for LDAP
Previously, connection pooling was only enabled for unencrypted connections, that is plain text connections. Now connection pooling is enabled by default for both LDAP and LDAPS connections.
As part of the update, the property com.sun.jndi.ldap.connect.pool.protocol has been superseded by the property com.axiomatics.jndi.ldap.connect.pool.protocol. Existing configurations using this property should be updated to reflect this.
Attribute connectors no longer included in ADS distribution
Standard attribute connectors for connection to SQL and LDAP data sources are no longer included in the ADS distribution. Instead, each attribute connector must be downloaded and installed separately.
License expiration warning configurable
A configuration property has been added to let you override the default 30 day duration for when the warning of an impending license expiration is triggered.
Fixed issues in ADS 1.6.4
Invalid PolicyIdentifierList field in response
Previously, the PolicyIdentifierList field that may appear in XACML JSON profile 1.1 responses was invalid. This has been fixed. The values of the PolicyIdentifierList field in an XACML JSON profile 1.1 response now comply with the JSON Profile of XACML 3.0 Version 1.1 specification.
Known issues in ADS 1.6.4
N/A
Access Decision Service 1.5.0
New features and changed functionality in ADS 1.5.0
Support for metadata in the domain document
ADS now supports storing metadata in the domain document for tooling and domain management workflow processes.
Sensitive data provided through environment variables
ADS now allows for sensitive data in attribute connector configurations, such as user names and passwords, to be provided through environment variables.
Fixed issues in ADS 1.5.0
Number of connections opened when using connection pooling
On startup, ADS incorrectly opened twice the number of database connections per instance as the value specified by the minimumSize key of the connectionPool property. This has been fixed.
Non-UTC time zones in a request incorrectly reported in the audit log
Time attribute values with non-UTC time zones received in a request were incorrectly reported in the audit log; the values were converted to UTC time and lost the supplied time-zone information. This has been fixed, the time-zone information is now retained in the audit log. The issue did not affect the authorization responses, just the way the requests were reported in the audit log.
Loss of non-UTC time-zone information when using a JSON format request
Time attribute values with non-UTC time zones received in a JSON request were converted to UTC time and lost the supplied time-zone information. Depending on the policy, this could affect correctness of the authorization response. The issue has been fixed, the time-zone information is now retained during the authorization process. The problem did not affect XML format requests.
Known issues in ADS 1.5.0
N/A
Access Decision Service 1.4.0
New features and changed functionality in Access Decision Service 1.4.0
New authorization domain document format
This release introduces a new YAML document format for the representation of authorization domains. The new document format has a number of benefits, for example:
- The document is human-readable, which makes it easy to analyze and maintain.
- Specialized software tools are not required to create the document; editing can be done using a regular text editor.
- The document structure follows a concise syntax, and it is easy to embed other text-format data inline in the domain configuration.
- The format is well-suited to source control.
ADS starts with Table or SQL attribute connector even if database is down
ADS would not start if a Table or SQL attribute connector was used in the policy and the source database was down during the start-up of the application. The initialization functionality has been changed so that transient database connection issues will not cause ADS to fail on start-up.
Fixed issues in Access Decision Service 1.4.0
ADS could fail to start due to dependency conflicts with attribute connectors
ADS could fail to start when the ADS application .jar file is not the first one in the classpath when used along with attribute connector .jar files. This has been fixed.
Known issues in Access Decision Service 1.4.0
N/A
Access Decision Service 1.3.0
New features and changed functionality in Access Decision Service 1.3.0
Support for legacy PDP SOAP endpoint
To make migration easier, clients using the legacy PDP SOAP endpoint can now point directly to ADS.
License file retrieval from classpath
Support for license file retrieval from the classpath has been added.
Fixed issues in Access Decision Service 1.3.0
ADS failed to start with ARQ capabilities enabled in domain configuration
ADS failed to start when the deployment configuration file pointed to a legacy domain configuration that was exported with the ARQ RAW or ARQ SQL capabilities enabled. This has been fixed.
Known issues in Access Decision Service 1.3.0
Legacy PDP SOAP endpoint limitation
There is the possibility of a log warning unrelated to Access Decision Service. If ADS is configured to use Basic authentication, and the legacy PDP SOAP endpoint is used, a request to ADS sent without user credentials will cause ADS to return HTTP error code 500 (Server error). In this case, ADS logs at WARN level has a stacktrace about a NullPointerException. This log message can be ignored, it is due to a third-party library and has no relevance for the functionality of Access Decision Service.
Access Decision Service 1.2.0
New features and changed functionality in Access Decision Service 1.2.0
JSON Profile of XACML 3.0 Version 1.1 conformance
This release of Access Decision Service conforms with the JSON Profile of XACML 3.0 Version 1.1.
REST Profile of XACML 3.0 Version 1.1 conformance
This release of Access Decision Service conforms with the REST Profile of XACML 3.0 Version 1.1.
Legacy PDP support
To make migration easier, clients using the legacy PDP REST endpoint can now point directly to ADS.
configStrategy property removed
The property configStrategy has been removed. If this property is present in the deployment configuration file used to run ADS, the application will not start. The sample deployment configuration file supplied with ADS has been updated to reflect this change.
Fixed issues in Access Decision Service 1.2.0
N/A
Known issues in Access Decision Service 1.2.0
ADS may fail to start due to order of jar files
ADS may fail to start when the ADS application .jar file is not the first one in the classpath argument. Suggested workaround: When starting ADS, make sure the ADS application .jar file comes first in the classpath argument, followed by the other dependencies. This will be fixed in a future release.
Access Decision Service 1.1.3
New features and changed functionality in Access Decision Service 1.1.3
Extended Java support
Oracle 64-bit Java 11 and OpenJDK 64-bit Java 11 are now supported.
Authorization domain limitation removed
A previous limitation, that only authorization domain configuration files exported from ASM using the GUI would be be accepted, has been removed. Updates to the Developer Resources now makes it possible to use authorization domain configuration files retrieved programmatically using the Admin API.
Transaction ID correlation
There is an optional header, x-xacml-transaction-id, that can be used for correlation purposes. If audit logging is enabled in the deployment configuration file, the value of the x-xacml-transaction-id that is supplied in the header will appear in the audit log as a transaction ID element.
Concurrent evaluation of Multiple Decision Profile requests
Concurrent, or multi-threaded, evaluation of Multiple Decision Profile requests is now a configurable property.
File retrieval support
The license property in the deployment.yml file supports the following ways of retrieving files:
file:dir/file.xml - relative file on file system via URL
file:/dir/file.xml - absolute file on file system via URL
dir/file.xml - relative file on file system
/dir/file.xml - absolute file on file system
http://<host:port>/<path/to/file> - URL to the file
https://<host:port>/<path/to/file> - URL to the file
The authorization domain property in the deployment.yml file supports the following ways of retrieving files:
classpath:/file.xml - file on classpath
file:dir/file.xml - relative file on file system via URL
file:/dir/file.xml - absolute file on file system via URL
dir/file.xml - relative file on file system
/dir/file.xml - absolute file on file system
http://<host:port>/<path/to/file> - URL to the file
https://<host:port>/<path/to/file> - URL to the file
Fixed issues in Access Decision Service 1.1.3
N/A
Known issues in Access Decision Service 1.1.3
N/A
Access Decision Service 1.0.0
New features and changed functionality in Access Decision Service 1.0.0
File retrieval support
The authorization domain property in the deployment.yml file supports the following ways of retrieving files:
classpath:/file.xml - file on classpath
file:dir/file.xml - relative file on file system via URL
file:/dir/file.xml - absolute file on file system via URL
dir/file.xml - relative file on file system
/dir/file.xml - absolute file on file system
Attribute Connectors packaged separately
There are no default attribute connectors in ADS version 1.0.0. The LDAP, SQL, and Table Attribute Connectors are packaged as independent entities in a separate subfolder of the software deliverable. The attribute connectors must be extracted and installed separately for use.
Authorization endpoint
The authorization endpoint for ADS is /authorize.
Deprecated endpoints
The /asm-pdp/authorize endpoint is deprecated in ADS v1.0 and only available to provide compatibility with legacy PDP installations.
Fixed issues in Access Decision Service 1.0.0
N/A
Known issues in Access Decision Service 1.0.0
Authorization domains must be created using the ASM GUI
Authorization domain configuration files exported from Axiomatics Services Manager (ASM) using the Admin API cannot be used to configure the Access Decision Service. Only authorization configuration files exported from ASM using the GUI will be accepted.
Transaction ID not available
In the PDP web application included in the current Axiomatics Policy Server (APS) release, the client could specify a transaction ID together with the request.
The transaction ID would then be written to the audit log of the PDP. This functionality is not available in ADS 1.0.0 and the transaction ID will be ignored. The functionality will be available in a later version of ADS.