IETF Logo Mail Archive

Re: [scim] Pagination for large ​multi-valued attributes

Phil Hunt <phil.hunt@oracle.com> Wed, 07 February 2018 16:44 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: scim@ietfa.amsl.com
Delivered-To: scim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5F4C124F57 for <scim@ietfa.amsl.com>; Wed, 7 Feb 2018 08:44:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.029
X-Spam-Level:
X-Spam-Status: No, score=-2.029 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l2HT_s6TYNSQ for <scim@ietfa.amsl.com>; Wed, 7 Feb 2018 08:44:24 -0800 (PST)
Received: from aserp2120.oracle.com (aserp2120.oracle.com [141.146.126.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F118912D7FB for <scim@ietf.org>; Wed, 7 Feb 2018 08:44:23 -0800 (PST)
Received: from pps.filterd (aserp2120.oracle.com [127.0.0.1]) by aserp2120.oracle.com (8.16.0.22/8.16.0.22) with SMTP id w17GfsUL081162; Wed, 7 Feb 2018 16:44:22 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=corp-2017-10-26; bh=kNDFeX7KFtn7ymOKTclEjmmnF3ZeFcxxIqsqhHL/HpY=; b=Y+iJSEtl7nb14oiwFTWfFEecYGoU5xcemeSEAPi8ztAPzVt97TN8o9OXjk18s5U3gvCZ KPd052jA9VbMkafAzpkz5DsG1FI3XOvJEYBULYdcbmNjbxV0UtKPXSE2p1S0I87r+a7O 9ekUOvHiggSzGIocJ0T8n44W3T3mgTY8G6MmPfU8w4CV/C/uH7KBvfHeyV03mP9M/X0L A7Kg7aU08vOJB2twDf5Je4yXxRWJG4XxOCx7asGfFcBAcybmfRn9IVpI67ZrftEY1Ami pjlRRdAo1xJQEBEFA0CiED7TKm7Heh28R9qWyNCCmM2eBhCX/guzcBQzlwSCwac/euWv jg==
Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by aserp2120.oracle.com with ESMTP id 2g04h38cdm-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 07 Feb 2018 16:44:22 +0000
Received: from userv0122.oracle.com (userv0122.oracle.com [156.151.31.75]) by userv0022.oracle.com (8.14.4/8.14.4) with ESMTP id w17GiLxA024953 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Wed, 7 Feb 2018 16:44:21 GMT
Received: from abhmp0011.oracle.com (abhmp0011.oracle.com [141.146.116.17]) by userv0122.oracle.com (8.14.4/8.14.4) with ESMTP id w17GiKo4027790; Wed, 7 Feb 2018 16:44:20 GMT
Received: from [10.0.26.242] (/206.116.109.185) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 07 Feb 2018 08:44:20 -0800
Content-Type: multipart/alternative; boundary="Apple-Mail-AC1FE571-1BAB-4C92-BB4B-B1D0FF88F075"
Mime-Version: 1.0 (1.0)
From: Phil Hunt <phil.hunt@oracle.com>
X-Mailer: iPhone Mail (15D60)
In-Reply-To: <BN6PR04MB0339DA4DEAD2F499398CE612E2FC0@BN6PR04MB0339.namprd04.prod.outlook.com>
Date: Wed, 07 Feb 2018 08:44:18 -0800
Cc: Aleksey Chernoraenko <achernoraenko@gmail.com>, "scim@ietf.org" <scim@ietf.org>
Content-Transfer-Encoding: 7bit
Message-Id: <EA06C217-656D-4127-82DA-8398C9076366@oracle.com>
References: <CAKCnT7yU5-8Gn2B6Mu=SGoDtAkgSvgSOotXhdAqp7TUa0g_Zxg@mail.gmail.com> <BN6PR04MB0339DA4DEAD2F499398CE612E2FC0@BN6PR04MB0339.namprd04.prod.outlook.com>
To: Kelly Grizzle <kelly.grizzle@sailpoint.com>
X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=8798 signatures=668663
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1802070211
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/1EqV1dAzsOMy648NlAcMToOMUM0>
Subject: Re: [scim] Pagination for large ​multi-valued attributes
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Feb 2018 16:44:27 -0000

+1

There is also a practical problem of consistency. Paging in scim is subject to change between requests. 

The group discussed supporting paging with a result set for consistency, but the scale of intended scim usage would become challenging and expensive for most implementers. It also opens the door to DoS attacks because of the resources such calls would consume. 

Then there is the why question. Enumerating large groups raises privacy concerns. This type of action is usually quite limited to things like audit systems. In these cases, because paging is not consistent, it is much better to eat the whole elephant and get all values in one call. 

Phil

> On Feb 7, 2018, at 8:27 AM, Kelly Grizzle <kelly.grizzle@sailpoint.com> wrote:
> 
> Hi Alexei – No there is a not a draft or plan to address this currently.  It has been discussed, and the working group decided for now that service providers can use a “returned” value of “request” for large attributes such as this.  This prevents the full value from being returned on most calls, but does not give a great solution if you want to retrieve the full list.
>  
> Also, this is one of the problems that the PATCH operation is trying to address.  This allows clients to update large attributes (adding or removing values) without having to read the entire attribute.
>  
> --Kelly
>  
> From: scim [mailto:scim-bounces@ietf.org] On Behalf Of Aleksey Chernoraenko
> Sent: Tuesday, February 6, 2018 2:06 PM
> To: scim@ietf.org
> Subject: [scim] Pagination for large ​multi-valued attributes
>  
> ​​
> Hello,
> 
> SCIM defines "startIndex" and "count" pagination query parameters that allow to control the amount of returned resources.
> 
> SCIM protocol seems to represent pagination only for top level resources (e.g. /Users?startIndex=2&count=10) and does not address pagination for multi-valued attributes, like group membership.
> 
> Are there any plans/draft or recommendations how to handle such use cases?
> 
> ---
> Thank you,
> Alexei
> _______________________________________________
> scim mailing list
> scim@ietf.org
> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_scim&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=85am0fsWIUdt_GtySTbIxdrAiBPR9Uj7m4NCxKasMoU&s=gBOvAbkEpQlYlLgz-Xn119F9mavBadvf5oNyg6fICXI&e=

v2.23.0 | Report a Bug | By Email