Overview of Authorization Policy Languages
==========================================

:Author: Matt Jones
:Status: Incomplete Draft, Work in Progress being Edited

This document provides an overview of authorization technologies that have been
considered as part of the design of the DataONE authorization and access
control system.

Several open technologies can be used to express the policies for describing
access control rules for resources and services in DataONE.

eml-access
----------

Ecological Metadata Language (EML) is in common use in the ecological and
environmental monitoring community, and includes a simple module
(eml-access.xsd) for describing access control policies for data resources.  It
allows both additive and subtractive rules, which allows one to either build up
a set of allowed permissions and then subtract a few (e.g., all of the members
of group 'data-managers' except 'john'), or to deny all of the members of a
group and then add a few.  After years of experience using EML within the KNB
network, it has become clear that this ability to modify the ruleset using
different approaches for combining the rules is unnecessary to express the
typical rules needed in the stakeholder community.  The complexity also makes
it more difficult for users to understand the implications of the access rules
that they write; even with the use of a GUI, many users compose access
expressions that do not capture their intent.  Here is a simple eml-access
block:

.. code-block:: xml

   <?xml version="1.0" encoding="UTF-8"?>
   <eml:access
     xmlns:eml="eml://ecoinformatics.org/access-2.1.0"
     xmlns:xs="http://www.w3.org/2001/XMLSchema">
     <eml>
         <access
             authSystem="ldap://ldap.ecoinformatics.org:389/dc=ecoinformatics,dc=org"
             order="allowFirst">
           <!-- alice is granted read and write -->
           <allow>
             <principal>uid=alice,o=NCEAS,dc=ecoinformatics,dc=org</principal>
             <permission>read</permission>
             <permission>write</permission>
           </allow>
         </access>
     </eml>
   </eml:access>

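How the ``order`` attribute decides the outcome when allow and deny rules overlap, as an added example (not DataONE or EML project code). It assumes the rule type named by ``order`` is applied first and the other type overrides it, that a request no rule matches is denied, and that group membership comes from a constructed table; the sample block, principals and function names are constructed.

```python
import xml.etree.ElementTree as ET

ORG = "o=NCEAS,dc=ecoinformatics,dc=org"

# Constructed sample: every data manager may read and write, except that
# john's write permission is subtracted by a deny rule.
SAMPLE = f"""\
<access authSystem="ldap://ldap.ecoinformatics.org:389/dc=ecoinformatics,dc=org"
        order="allowFirst">
  <allow>
    <principal>cn=data-managers,{ORG}</principal>
    <permission>read</permission>
    <permission>write</permission>
  </allow>
  <deny>
    <principal>uid=john,{ORG}</principal>
    <permission>write</permission>
  </deny>
</access>
"""

# Constructed group membership; a real service would query the authSystem.
GROUPS = {f"cn=data-managers,{ORG}": {f"uid=alice,{ORG}", f"uid=john,{ORG}"}}


def parse_access(xml_text):
    """Return (order, rules); each rule is (effect, principals, permissions)."""
    root = ET.fromstring(xml_text)
    order = root.get("order")
    if order not in ("allowFirst", "denyFirst"):
        raise ValueError(f"missing or unknown order attribute: {order!r}")
    rules = []
    for el in root:
        if el.tag in ("allow", "deny"):
            principals = {(p.text or "").strip() for p in el.findall("principal")}
            permissions = {(p.text or "").strip() for p in el.findall("permission")}
            rules.append((el.tag, principals, permissions))
    return order, rules


def rule_applies(principals, subject, groups):
    """A principal matches the subject itself or a group that contains it."""
    return any(subject == p or subject in groups.get(p, ()) for p in principals)


def is_allowed(order, rules, subject, permission, groups=GROUPS):
    """Assumed semantics: the rule type named by `order` is applied first and
    the other type overrides it; a request that no rule matches is denied."""
    hit = {"allow": False, "deny": False}
    for effect, principals, permissions in rules:
        if permission in permissions and rule_applies(principals, subject, groups):
            hit[effect] = True
    if hit["allow"] and hit["deny"]:
        # allowFirst: deny overrides allow; denyFirst: allow overrides deny.
        return order == "denyFirst"
    return hit["allow"]


if __name__ == "__main__":
    _, sample_rules = parse_access(SAMPLE)
    for who in ("alice", "john", "mallory"):
        for perm in ("read", "write"):
            for o in ("allowFirst", "denyFirst"):
                print(who, perm, o,
                      is_allowed(o, sample_rules, f"uid={who},{ORG}", perm))
```

Changing only ``order`` from ``allowFirst`` to ``denyFirst`` silently restores john's write access, which is the kind of unintended result the paragraph above describes.
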
One of the shortcomings of eml-access is that it assumes that the linkage to
a particular resource is expressed elsewhere (typically the access element is
embedded in a broader EML document, thereby implicitly expressing which
resources it applies to), and so it contains no mechanism for referencing the
resource that is to be controlled. Experience with using eml-access in EML
documents indicates that this mechanism is cumbersome and causes inadvertent
creation of multiple versions of objects just to accomplish an access rule
policy change.  This is part of the motivation for moving access policies to
SystemMetadata in DataONE (the other reason being that many metadata standards
do not include an access policy descriptor at all).

XACML 3.0
---------

XACML 3 replaces version 2.

.. note::
   Need to outline the approach to access control in version 3 and contrast it
   with versions 2 and 1.

XACML 2.0
---------

XACML 3 replaces version 1.

.. note::
   Need to outline the approach to access control in version 2 and contrast it
   with version 1.

XACML 1.0
---------

The Extensible Access Control Markup Language (XACML) is an OASIS standard for
representing access control policies for resources and services.  XACML
specifically includes support for federated systems in an open Internet
environment, is an open standard, and is being widely adopted by various
software systems. The advantages of XACML lie in its completeness and in its
status as an industry standard.  The disadvantages for DataONE lie in its
complexity, which makes it difficult to author, understand, and consume these
documents because of the large number of permutations which it could support.
As an example, below is the same access rule that was expressed above in
eml-access, expressed instead in XACML. Note that there are multiple qualified
mechanisms and types for matching values (e.g., string-equal), which is
flexible but requires more implementation complexity than is specified in the
DataONE authorization use cases.  With XACML, one could express conditions that
include complex functions and comparisons of arbitrary subject attributes
(beyond identity).

.. code-block:: xml

   <?xml version="1.0" encoding="UTF-8"?>
   <Policy
         xmlns="urn:oasis:names:tc:xacml:1.0:policy"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:policy
           cs-xacml-schema-policy-01.xsd"
         PolicyId="urn:oasis:names:tc:xacml:1.0:conformance-test:IIA1:policy"
         RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
       <Description>
           Example policy that grants read and write access to a data object.
       </Description>
       <Target>
           <Subjects>
               <AnySubject/>
           </Subjects>
           <Resources>
               <AnyResource/>
           </Resources>
           <Actions>
               <AnyAction/>
           </Actions>
       </Target>
       <Rule
             RuleId="urn:oasis:names:tc:xacml:1.0:conformance-test:IIA1:rule"
             Effect="Permit">
           <Description>
               Alice can read and write data object with id doi:10.5432/example.1
           </Description>
           <Target>
               <Subjects>
                   <Subject>
                       <SubjectMatch
                             MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                           <AttributeValue
                                 DataType="http://www.w3.org/2001/XMLSchema#string">uid=alice,o=NCEAS,dc=ecoinformatics,dc=org</AttributeValue>
                           <SubjectAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                       </SubjectMatch>
                   </Subject>
               </Subjects>
               <Resources>
                   <Resource>
                       <ResourceMatch
                             MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                           <AttributeValue
                                 DataType="http://www.w3.org/2001/XMLSchema#string">doi:10.0000/example_data_identifier</AttributeValue>
                           <ResourceAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                       </ResourceMatch>
                   </Resource>
               </Resources>
               <Actions>
                   <Action>
                       <ActionMatch
                             MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                           <AttributeValue
                                 DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                           <ActionAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                       </ActionMatch>
                   </Action>
                   <Action>
                       <ActionMatch
                             MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                           <AttributeValue
                                 DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
                           <ActionAttributeDesignator
                                 AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
                       </ActionMatch>
                   </Action>
               </Actions>
           </Target>
       </Rule>
   </Policy>

The XACML 'Permit' Effect is equivalent to the eml-access 'allow' rule, the
XACML 'Deny' Effect is equivalent to the EML 'deny' element, the
XACML 'Subject' is equivalent to the EML 'principal' element, and the XACML
'Action' element is equivalent to the EML 'permission' element.  The XACML
constructs offer considerably more flexibility in what can be expressed, which
is accomplished via the indirection in the model, but this flexibility and
expressive power come at a significant cost in implementation time and software
complexity that would need to be borne by all Member Node implementations.

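The equivalences listed above, applied mechanically: an added example (not DataONE code) that turns eml-access style rules into an XACML 1.0 ``Policy`` shaped like the one shown earlier. The function names, the ``urn:example`` policy id and the mapping of ``allowFirst``/``denyFirst`` onto the ``deny-overrides``/``permit-overrides`` combining algorithms are assumptions of this example.

```python
import xml.etree.ElementTree as ET

X = "urn:oasis:names:tc:xacml:1.0:"
STRING = "http://www.w3.org/2001/XMLSchema#string"
EFFECT = {"allow": "Permit", "deny": "Deny"}
# Assumption (not stated on the page): allowFirst, where deny overrides allow,
# corresponds to deny-overrides, and denyFirst to permit-overrides.
COMBINING = {"allowFirst": "deny-overrides", "denyFirst": "permit-overrides"}


def add_match(parent, kind, attribute_id, value):
    """Append <kind><kindMatch> testing one attribute with string-equal."""
    match = ET.SubElement(ET.SubElement(parent, kind), kind + "Match",
                          MatchId=X + "function:string-equal")
    # ElementTree escapes the value, so a principal cannot inject markup.
    ET.SubElement(match, "AttributeValue", DataType=STRING).text = value
    ET.SubElement(match, kind + "AttributeDesignator",
                  AttributeId=X + attribute_id, DataType=STRING)


def to_xacml(policy_id, resource_id, order, rules):
    """Build an XACML 1.0 Policy element from eml-access style rules.

    rules is a list of (effect, principals, permissions). resource_id must be
    supplied by the caller because an access block does not name its resource.
    """
    policy = ET.Element(
        "Policy", xmlns=X + "policy", PolicyId=policy_id,
        RuleCombiningAlgId=X + "rule-combining-algorithm:" + COMBINING[order])
    target = ET.SubElement(policy, "Target")
    for group in ("Subject", "Resource", "Action"):
        ET.SubElement(ET.SubElement(target, group + "s"), "Any" + group)
    for n, (effect, principals, permissions) in enumerate(rules, 1):
        if not principals or not permissions:
            raise ValueError(f"rule {n} needs a principal and a permission")
        rule = ET.SubElement(policy, "Rule", RuleId=f"{policy_id}:rule:{n}",
                             Effect=EFFECT[effect])
        rule_target = ET.SubElement(rule, "Target")
        subjects = ET.SubElement(rule_target, "Subjects")
        for principal in principals:      # alternatives: any Subject may match
            add_match(subjects, "Subject", "subject:subject-id", principal)
        resources = ET.SubElement(rule_target, "Resources")
        add_match(resources, "Resource", "resource:resource-id", resource_id)
        actions = ET.SubElement(rule_target, "Actions")
        for permission in permissions:    # alternatives: any Action may match
            add_match(actions, "Action", "action:action-id", permission)
    return policy


if __name__ == "__main__":
    # Constructed input mirroring the rule shown on the page.
    demo_rules = [("allow", ["uid=alice,o=NCEAS,dc=ecoinformatics,dc=org"],
                   ["read", "write"])]
    demo = to_xacml("urn:example:policy:1",
                    "doi:10.0000/example_data_identifier", "allowFirst",
                    demo_rules)
    ET.indent(demo)  # requires Python 3.9 or later
    print(ET.tostring(demo, encoding="unicode"))
```
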
Simplified Policy Language (SPL)
--------------------------------

A simplified syntax that acts as a front-end to XACML policies. See the
`SimplifiedPolicyLanguage`_ web site for examples of use in the grid community.

.. _SimplifiedPolicyLanguage: https://twiki.cern.ch/twiki/bin/view/EGEE/SimplifiedPolicyLanguage