FeSL (Fedora enhanced security layer) [1] has been released as part of Fedora 3.3. Access control to Fedora resources is specified using XACML policies. In the initial implementation, policies are stored as XACML documents in a DbXml database [2]. Policies are loaded into DbXml when Fedora starts, from files in a policy directory. Otherwise there is no way of manipulating XACML policies other than through direct access to DbXml.
DbXml serves two purposes: providing a store for policies, and providing indexed look-up of policies based on their attributes (subject, resource, etc). An indexed look-up of policies is required as part of policy enforcement to provide a means of locating policies applicable to a particular context (subject, resource etc).

[1] http://www.fedora-commons.org/confluence/display/DEV/Fedora+Enhanced+Security+Layer
[2] http://www.oracle.com/technology/products/berkeley-db/xml/index.html

FCREPO-577
==========

FCREPO-577 [3] proposes that XACML policies are stored as Fedora objects, enabling direct manipulation of policies through Fedora's API. A proposed implementation for FCREPO-577 is described below, and feedback is invited on this.

[3] http://www.fedora-commons.org/jira/browse/FCREPO-577

Implementation Overview
=======================

1) XACML policies will be stored as Fedora Objects with a specified content model and PID namespace
2) DbXML will be retained (initially) to provide indexed look-up of policies.
3) A mechanism will be implemented to propagate changes from Fedora policy objects to DbXml.

This represents a splitting of the current persistence and indexing responsibilities of DbXml, with Fedora Objects becoming responsible for the storage responsibilities, retaining DbXML for the indexing. This is similar to the way in which Fedora relationships are stored in RELS datastreams within Fedora objects, with the Resource Index providing the means of querying these relationships.

The implementation will be "pluggable", so that in the future DbXml may be replaced entirely with an alternative mechanism for indexing XACML policies.

Implementation detail
=====================

Currently all access to policies in DbXml is through a class DbXmlPolicyDataManager, which is an implementation of the PolicyDataManager interface.
There are two categories of methods provided by this interface:
- create/read/update/delete/list operations based on the XACML PolicyID
- search operations based on other information in the XACML policy documents

It is proposed to:

1) Split the PolicyDataManager interface into two, with PolicyDataManager being responsible for CRUD operations, and PolicyDataQuery being responsible for search operations
2) Implement FedoraPolicyDataManager to replace the current CRUD methods of DbXmlPolicyDataManager, directly manipulating Fedora policy objects
3) Implement DbXmlPolicyDataQuery for search methods against DbXml
4) Implement a mechanism for synchronising modifications to policies in Fedora objects with DbXml, using the decorator pattern configured in fedora.fcfg in the Management module
5) CRUD methods need to access policies based on the XACML PolicyID; it is proposed this is stored in the Dublin Core metadata as a dc:identifier
6) "Bootstrap" policies (those currently stored in pdp/policies) will be loaded when Fedora first starts to create an initial set of Fedora objects based on those policies
7) Implement a "rebuilder" mechanism (similar to e.g. the resource index rebuilder) so that the DbXml database can be recreated from policies stored as Fedora objects.

Configuration
=============

Configuration will be stored in the existing config files in Fedora's pdp/conf directory (these files are subject to future revision and potential incorporation with Fedora's main server configuration files).
config-policy-manager.xml (existing file):
- specify which implementation of PolicyDataManager to use (FedoraPolicyDataManager)
- specify which implementation of PolicyDataQuery to use (DbXmlPolicyDataQuery)

config-pdm-fedora.xml (new file):
- content model for Policy objects
- datastream identifier for XACML policy datastreams (POLICY)
- PID namespace for policy objects (policy:)

Regards
Steve
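The store/index split, the synchronising decorator and the rebuilder described in the message above, sketched as an added example (not part of the original message and not Fedora's code). The method signatures, the PolicyIndex interface, the class names IndexingPolicyDataManager and PolicySyncDemo, the in-memory maps and the policy IDs are all assumptions made for illustration; the decorator here wraps the policy store directly rather than the Management module.

```java
import java.util.*;
// Hypothetical signatures: the proposal names PolicyDataManager but not its methods.
interface PolicyDataManager {                 // CRUD keyed by XACML PolicyId
    void put(String policyId, String xacml);
    void delete(String policyId);
    Map<String, String> list();
}
interface PolicyIndex {                       // hypothetical write side of the DbXml index
    void index(String policyId, String xacml);
    void remove(String policyId);
    void clear();
}

// Decorator: every change made through it reaches both the store and the index.
class IndexingPolicyDataManager implements PolicyDataManager {
    private final PolicyDataManager store;
    private final PolicyIndex index;
    IndexingPolicyDataManager(PolicyDataManager store, PolicyIndex index) {
        this.store = store; this.index = index;
    }
    public void put(String id, String xacml) { store.put(id, xacml); index.index(id, xacml); }
    public void delete(String id) { store.delete(id); index.remove(id); }
    public Map<String, String> list() { return store.list(); }
    // Rebuilder: discard the index and recreate it from the authoritative store.
    void rebuild() { index.clear(); store.list().forEach(index::index); }
}

public class PolicySyncDemo {
    public static void main(String[] args) {
        Map<String, String> objects = new TreeMap<>();  // stands in for Fedora policy objects
        Map<String, String> indexed = new TreeMap<>();  // stands in for DbXml
        PolicyDataManager store = new PolicyDataManager() {
            public void put(String id, String x) { objects.put(id, x); }
            public void delete(String id) { objects.remove(id); }
            public Map<String, String> list() { return objects; }
        };
        PolicyIndex index = new PolicyIndex() {
            public void index(String id, String x) { indexed.put(id, x); }
            public void remove(String id) { indexed.remove(id); }
            public void clear() { indexed.clear(); }
        };
        IndexingPolicyDataManager pdm = new IndexingPolicyDataManager(store, index);
        pdm.put("demo:policy:deny-purge", "<Policy PolicyId=\"demo:policy:deny-purge\"/>");  // constructed sample
        objects.put("demo:policy:unindexed", "<Policy PolicyId=\"demo:policy:unindexed\"/>"); // change that did not go through the decorator
        System.out.println("index before rebuild: " + indexed.keySet());
        pdm.rebuild();
        System.out.println("index after rebuild:  " + indexed.keySet());
    }
}
```

Because policy enforcement locates applicable policies through the index, a policy that exists only in the store is not found at decision time until the index is rebuilt.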
