wso2 Identity Server: Policies can not be retrieved from registry policy finder module

Question

I am using Identity Server 4.1.0. While editing policies, I have noticed that evaluation of correct XACML policies always lead to result 'Not Applicable'. This indicated that the server was not able to find a matching Target within policies.

After looking up the system logs, I came across the following faults: 1. Error while parsing the policy 2. Policies cannot be retrieved from the registry policy finder module

After looking at known issues, I have found that the PDP might return NotApplicable during load testing. Since I am currently the only user, I assume this issue is not causing the fault.

I have attached the descriptions. As I do not understand the cause of the faults, I need help in deciphering the fault descriptions to overcome the issue.

1.

TID[-1234] [IS] [2013-05-15 09:29:11,466] ERROR {org.wso2.carbon.identity.entitlement.policy.PolicyReader} - Error while parsing the policy org.wso2.balana.cond.FunctionBase.checkInputsNoBag(FunctionBase.java:419) org.wso2.balana.TargetMatch.getInstance(TargetMatch.java:243) org.wso2.balana.TargetMatch.getInstance(TargetMatch.java:169) org.wso2.balana.xacml3.AllOfSelection.getInstance(AllOfSelection.java:68) org.wso2.balana.xacml3.AnyOfSelection.getInstance(AnyOfSelection.java:79) org.wso2.balana.xacml3.Target.getInstance(Target.java:78) org.wso2.balana.TargetFactory.getTarget(TargetFactory.java:43) org.wso2.balana.Rule.getInstance(Rule.java:232) org.wso2.balana.Policy.(Policy.java:308) org.wso2.balana.Policy.getInstance(Policy.java:389) org.wso2.carbon.identity.entitlement.policy.PolicyReader.handleDocument(PolicyReader.java:163) org.wso2.carbon.identity.entitlement.policy.PolicyReader.getPolicy(PolicyReader.java:124) org.wso2.carbon.identity.entitlement.policy.finder.registry.RegistryPolicyReader.readPolicy(RegistryPolicyReader.java:195) org.wso2.carbon.identity.entitlement.policy.finder.registry.RegistryPolicyReader.readAllPolicies(RegistryPolicyReader.java:111) org.wso2.carbon.identity.entitlement.policy.finder.registry.RegistryPolicyFinderModule.getPolicies(RegistryPolicyFinderModule.java:90) org.wso2.carbon.identity.entitlement.policy.finder.CarbonPolicyFinder.init(CarbonPolicyFinder.java:160) org.wso2.carbon.identity.entitlement.policy.finder.CarbonPolicyFinder.init(CarbonPolicyFinder.java:75) org.wso2.carbon.identity.entitlement.policy.finder.CarbonPolicyFinder.findPolicy(CarbonPolicyFinder.java:203) org.wso2.balana.finder.PolicyFinder.findPolicy(PolicyFinder.java:169) org.wso2.balana.PDP.evaluateContext(PDP.java:243) org.wso2.balana.PDP.evaluate(PDP.java:199) org.wso2.balana.PDP.evaluate(PDP.java:157) org.wso2.balana.PDP.evaluate(PDP.java:119) org.wso2.carbon.identity.entitlement.pdp.EntitlementEngine.evaluate(EntitlementEngine.java:256) org.wso2.carbon.identity.entitlement.EntitlementService.getDecision(EntitlementService.java:54) sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) java.lang.reflect.Method.invoke(Method.java:597) org.apache.axis2.rpc.receivers.RPCUtil.invokeServiceClass(RPCUtil.java:212) org.apache.axis2.rpc.receivers.RPCMessageReceiver.invokeBusinessLogic(RPCMessageReceiver.java:117) org.apache.axis2.receivers.AbstractInOutMessageReceiver.invokeBusinessLogic(AbstractInOutMessageReceiver.java:40) org.apache.axis2.receivers.AbstractMessageReceiver.receive(AbstractMessageReceiver.java:110) org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180) org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172) org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:146) org.wso2.carbon.core.transports.CarbonServlet.doPost(CarbonServlet.java:231) javax.servlet.http.HttpServlet.service(HttpServlet.java:641) javax.servlet.http.HttpServlet.service(HttpServlet.java:722) org.eclipse.equinox.http.servlet.internal.ServletRegistration.handleRequest(ServletRegistration.java:90) org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:111) org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:67) javax.servlet.http.HttpServlet.service(HttpServlet.java:722) org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68) org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305) org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61) org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225) org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123) org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472) org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168) org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98) org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:172) org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:156) org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927) org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:52) org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118) org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407) org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1001) org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:579) org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1653) java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) java.lang.Thread.run(Thread.java:662) 

2.

TID[-1234] [IS] [2013-05-15 09:29:11,467] ERROR {org.wso2.carbon.identity.entitlement.policy.finder.registry.RegistryPolicyFinderModule} - Policies can not be retrieved from registry policy finder module org.wso2.carbon.identity.entitlement.policy.finder.registry.RegistryPolicyReader.readPolicy(RegistryPolicyReader.java:197) org.wso2.carbon.identity.entitlement.policy.finder.registry.RegistryPolicyReader.readAllPolicies(RegistryPolicyReader.java:111) org.wso2.carbon.identity.entitlement.policy.finder.registry.RegistryPolicyFinderModule.getPolicies(RegistryPolicyFinderModule.java:90) org.wso2.carbon.identity.entitlement.policy.finder.CarbonPolicyFinder.init(CarbonPolicyFinder.java:160) org.wso2.carbon.identity.entitlement.policy.finder.CarbonPolicyFinder.init(CarbonPolicyFinder.java:75) org.wso2.carbon.identity.entitlement.policy.finder.CarbonPolicyFinder.findPolicy(CarbonPolicyFinder.java:203) org.wso2.balana.finder.PolicyFinder.findPolicy(PolicyFinder.java:169) org.wso2.balana.PDP.evaluateContext(PDP.java:243) org.wso2.balana.PDP.evaluate(PDP.java:199) org.wso2.balana.PDP.evaluate(PDP.java:157) org.wso2.balana.PDP.evaluate(PDP.java:119) org.wso2.carbon.identity.entitlement.pdp.EntitlementEngine.evaluate(EntitlementEngine.java:256) org.wso2.carbon.identity.entitlement.EntitlementService.getDecision(EntitlementService.java:54) sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) java.lang.reflect.Method.invoke(Method.java:597) org.apache.axis2.rpc.receivers.RPCUtil.invokeServiceClass(RPCUtil.java:212) org.apache.axis2.rpc.receivers.RPCMessageReceiver.invokeBusinessLogic(RPCMessageReceiver.java:117) org.apache.axis2.receivers.AbstractInOutMessageReceiver.invokeBusinessLogic(AbstractInOutMessageReceiver.java:40) org.apache.axis2.receivers.AbstractMessageReceiver.receive(AbstractMessageReceiver.java:110) org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180) org.apache.axis2.transport.http.HTTPTransportUtils.processHTTPPostRequest(HTTPTransportUtils.java:172) org.apache.axis2.transport.http.AxisServlet.doPost(AxisServlet.java:146) org.wso2.carbon.core.transports.CarbonServlet.doPost(CarbonServlet.java:231) javax.servlet.http.HttpServlet.service(HttpServlet.java:641) javax.servlet.http.HttpServlet.service(HttpServlet.java:722) org.eclipse.equinox.http.servlet.internal.ServletRegistration.handleRequest(ServletRegistration.java:90) org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:111) org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:67) javax.servlet.http.HttpServlet.service(HttpServlet.java:722) org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68) org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305) org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61) org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243) org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210) org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225) org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123) org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472) org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168) org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98) org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:172) org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:156) org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927) org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:52) org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118) org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407) org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1001) org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:579) org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1653) java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) java.lang.Thread.run(Thread.java:662) 

EDIT May 21, added the active policies (they were promoted to the PDP)

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"  PolicyId="DossierPolicy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides" Version="1.0">
   <Target>
      <AnyOf>
         <AllOf>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ObjectID_Dossier</AttributeValue>
               <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
            </Match>
         </AllOf>
      </AnyOf>
   </Target>
   <Rule Effect="Permit" RuleId="EigenaarRules">
      <Target>
         <AnyOf>
            <AllOf>
               <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DossierEigenaar</AttributeValue>
                  <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
               </Match>
               <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DatasetID_http://www.horecataxonomie.nl/0.92/report/horeca/entrypoints/rpt-hrt-entity.xsd</AttributeValue>
                  <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
               </Match>
            </AllOf>
            <AllOf>
               <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue>
                  <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
               </Match>
            </AllOf>
            <AllOf>
               <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                  <AttributeDesignator AttributeId="null" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
               </Match>
            </AllOf>
            <AllOf>
               <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</AttributeValue>
                  <AttributeDesignator AttributeId="null" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
               </Match>
            </AllOf>
            <AllOf>
               <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">delete</AttributeValue>
                  <AttributeDesignator AttributeId="null" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
               </Match>
            </AllOf>
         </AnyOf>
      </Target>
   </Rule>
</Policy>


<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"  PolicyId="Basic2" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
   <Target>
      <AnyOf>
         <AllOf>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SomeotherStuff</AttributeValue>
               <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
            </Match>
         </AllOf>
      </AnyOf>
   </Target>
   <Rule Effect="Permit" RuleId="Rule-1">
      <Target>
         <AnyOf>
            <AllOf>
               <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SomeotherStuff</AttributeValue>
                  <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
               </Match>
            </AllOf>
         </AnyOf>
         <AnyOf>
            <AllOf>
               <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                  <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
               </Match>
            </AllOf>
         </AnyOf>
         <AnyOf>
            <AllOf>
               <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">wsTC</AttributeValue>
                  <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
               </Match>
            </AllOf>
         </AnyOf>
      </Target>
      <Condition>
         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
            <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"></Function>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Architect</AttributeValue>
            <AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
         </Apply>
      </Condition>
   </Rule>
</Policy>

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"  PolicyId="Basic" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
   <Target>
      <AnyOf>
         <AllOf>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">RiSourceApp</AttributeValue>
               <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
            </Match>
         </AllOf>
      </AnyOf>
   </Target>
   <Rule Effect="Permit" RuleId="Rule-1">
      <Target>
         <AnyOf>
            <AllOf>
               <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">RiSourceApp</AttributeValue>
                  <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
               </Match>
            </AllOf>
         </AnyOf>
         <AnyOf>
            <AllOf>
               <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                  <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
               </Match>
            </AllOf>
         </AnyOf>
      </Target>
      <Condition>
         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
            <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"></Function>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Architect</AttributeValue>
            <AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
         </Apply>
      </Condition>
   </Rule>
</Policy>

Answer 1

Did you enable the ploicy after editing [1]

[1] http://docs.wso2.org/wiki/display/IS410/Activating+and+Deactivating+an+XACML+Policy

Answer 2

If you could, Please send us the policy.. if exception is " 1. Error while parsing the policy ", there could be some thing related to policy... Also after IS 4.X.X, the policy must be move to PDP policy store (promote to PDP) to evaluate with actual PDP. i guess more design details are here [1]

[1] http://xacmlinfo.com/2013/01/11/xacml-engine-architecture-pdp/