IETF Logo Mail Archive

Re: [scim] Pagination for large ​multi-valued attributes

"Matt Peterson (mpeterso)" <Matt.Peterson@oneidentity.com> Wed, 07 February 2018 21:20 UTC

Return-Path: <Matt.Peterson@oneidentity.com>
X-Original-To: scim@ietfa.amsl.com
Delivered-To: scim@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13AA4128961 for <scim@ietfa.amsl.com>; Wed, 7 Feb 2018 13:20:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=oneidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LDh7ZGXW5UUv for <scim@ietfa.amsl.com>; Wed, 7 Feb 2018 13:20:01 -0800 (PST)
Received: from amersmtp4.quest.com (amersmtp4.quest.com [12.106.87.249]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3762112711D for <scim@ietf.org>; Wed, 7 Feb 2018 13:20:00 -0800 (PST)
Received: from amersmtp4.quest.com (127.0.0.1) id hfdmo20171s4 for <scim@ietf.org>; Wed, 7 Feb 2018 13:20:00 -0800 (envelope-from <Matt.Peterson@oneidentity.com>)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oneidentity.com; s=default; i=@oneidentity.com; h=Received: Received:Received:From:To:CC:Subject:Thread-Topic:Thread-Index: Date:Message-ID:References:In-Reply-To:Accept-Language: Content-Language:Content-Type:Content-Transfer-Encoding: MIME-Version; bh=iItAzf279CJhlyYehxHScMnSZZOvuRlZYsZ9MDLqKjM=; b=b/MO8oFgEos6QfVCWtgCztvDcg0HxfXDT+sYfXCdMBdAA0I60eJZ8eu/6Ey8ZV lI7/OuL23klP0w0KYxQcYMYr789tHhnV/Hlab2gBhuQMVuyOyYUea11JdJTA8kce E5U4H4nTo4goBcXdmVkb8+UPLW6RuWzUUwnqQVuxI26RE=
Received: from alvetxw02.prod.quest.corp ([10.1.100.92]) by amersmtp4.quest.com ([10.1.100.249]) (SonicWALL 9.0.5.2075 ) with ESMTPS (version=TLSv1 cipher=ECDHE-RSA-AES256-SHA bits=256/256) id o201802072119590411408-82; Wed, 07 Feb 2018 13:19:59 -0800
Received: from ALVHTXW01.prod.quest.corp (10.1.135.17) by ALVETXW02.alvetxw02.prod.quest.corp (10.1.100.92) with Microsoft SMTP Server (TLS) id 14.3.279.2; Wed, 7 Feb 2018 13:19:59 -0800
Received: from ALVMBXW01.prod.quest.corp ([fe80::cc5a:be3d:40e:3012]) by ALVHTXW01.prod.quest.corp ([::1]) with mapi id 14.03.0279.002; Wed, 7 Feb 2018 13:19:59 -0800
From: "Matt Peterson (mpeterso)" <Matt.Peterson@oneidentity.com>
To: Aleksey Chernoraenko <achernoraenko@gmail.com>
CC: "scim@ietf.org" <scim@ietf.org>
Thread-Topic: [scim] Pagination for large ​multi-valued attributes
Thread-Index: AQHToDL1fomR8UCSo0u93DiivwVO4KOZTAng
Date: Wed, 07 Feb 2018 21:19:58 +0000
Message-ID: <7F2B7AC6C3EEDC4A9C067A7852FA8A2D4AA18A89@ALVMBXW01.prod.quest.corp>
References: <CAKCnT7yU5-8Gn2B6Mu=SGoDtAkgSvgSOotXhdAqp7TUa0g_Zxg@mail.gmail.com> <BN6PR04MB0339DA4DEAD2F499398CE612E2FC0@BN6PR04MB0339.namprd04.prod.outlook.com> <EA06C217-656D-4127-82DA-8398C9076366@oracle.com>
In-Reply-To: <EA06C217-656D-4127-82DA-8398C9076366@oracle.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.1.104.155]
x-c2processedorg: 0b7fb32a-9e41-4a01-8d60-ef67dd9ea696
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Mlf-CnxnMgmt-Allow: 10.1.100.92
X-Mlf-Version: 9.0.5.2075
X-Mlf-License: BSVKCAPE_
X-Mlf-UniqueId: o201802072119590411408
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/oZ3DcI15AOvA519rH5sRtJOJV2A>
Subject: Re: [scim] Pagination for large ​multi-valued attributes
X-BeenThere: scim@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/scim>, <mailto:scim-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/scim/>
List-Post: <mailto:scim@ietf.org>
List-Help: <mailto:scim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/scim>, <mailto:scim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Feb 2018 21:20:04 -0000

Aleskey,

I wish there were a better answer to your question than the one from Kelly.  Representing group memberships as multi-valued attributes is a material flaw in SCIM.

I think that the “GetAll” scenario is much more common that the SCIM authors anticipated.   I would be very supportive of a draft proposing a better representation for group membership.  There are several well design patterns that could be followed.  

Is there anyone out there that thinks this is a problem worth addressing with a draft?  

--
Matt

From: Phil Hunt [mailto:phil.hunt@oracle.com] 
Sent: Wednesday, February 7, 2018 9:44 AM
To: Kelly Grizzle <kelly.grizzle@sailpoint.com>
Cc: Aleksey Chernoraenko <achernoraenko@gmail.com>; scim@ietf.org
Subject: Re: [scim] Pagination for large ​multi-valued attributes

+1

There is also a practical problem of consistency. Paging in scim is subject to change between requests. 

The group discussed supporting paging with a result set for consistency, but the scale of intended scim usage would become challenging and expensive for most implementers. It also opens the door to DoS attacks because of the resources such calls would consume. 

Then there is the why question. Enumerating large groups raises privacy concerns. This type of action is usually quite limited to things like audit systems. In these cases, because paging is not consistent, it is much better to eat the whole elephant and get all values in one call. 

Phil

On Feb 7, 2018, at 8:27 AM, Kelly Grizzle <mailto:kelly.grizzle@sailpoint.com> wrote:
Hi Alexei – No there is a not a draft or plan to address this currently.  It has been discussed, and the working group decided for now that service providers can use a “returned” value of “request” for large attributes such as this.  This prevents the full value from being returned on most calls, but does not give a great solution if you want to retrieve the full list.
 
Also, this is one of the problems that the PATCH operation is trying to address.  This allows clients to update large attributes (adding or removing values) without having to read the entire attribute.
 
--Kelly
 
From: scim [mailto:scim-bounces@ietf.org] On Behalf Of Aleksey Chernoraenko
Sent: Tuesday, February 6, 2018 2:06 PM
To: mailto:scim@ietf.org
Subject: [scim] Pagination for large ​multi-valued attributes
 
​​
Hello,

SCIM defines "startIndex" and "count" pagination query parameters that allow to control the amount of returned resources.

SCIM protocol seems to represent pagination only for top level resources (e.g. /Users?startIndex=2&count=10) and does not address pagination for multi-valued attributes, like group membership.

Are there any plans/draft or recommendations how to handle such use cases?

---
Thank you,
Alexei
_______________________________________________
scim mailing list
mailto:scim@ietf.org
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_scim&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PZh8Bv7qIrMUB65eapI_JnE&r=na5FVzBTWmanqWNy4DpctyXPpuYqPkAI1aLcLN4KZNA&m=85am0fsWIUdt_GtySTbIxdrAiBPR9Uj7m4NCxKasMoU&s=gBOvAbkEpQlYlLgz-Xn119F9mavBadvf5oNyg6fICXI&e=

v2.23.0 | Report a Bug | By Email