The same request, earlier in the day... 
I had done "fedora-rebuild" before, and I was identified as "fedoraAdmin".


DEBUG 2010-05-31 16:11:33.098 [http-8091-1] (EvaluationEngineImpl) No item
found in cache. Sending to PDP for evaluation.
DEBUG 2010-05-31 16:11:33.098 [http-8091-1] (DirectPDPClient) Resolving
String request:
<Request>
  <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="urn:fedora:names:fedora:2.1:subject:loginId" DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>anonymous</AttributeValue></Attribute>
  </Subject>
  <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>anonymous</AttributeValue></Attribute>
  </Subject>
  <Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="urn:fedora:names:fedora:2.1:subject:subjectRepresented" DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>anonymous</AttributeValue></Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid" DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>CRDO-Aix:PYJ011</AttributeValue></Attribute>
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI"><AttributeValue>/CRDO-Aix:PYJ011</AttributeValue></Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="urn:fedora:names:fedora:2.1:action:api" DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>urn:fedora:names:fedora:2.1:action:api-a</AttributeValue></Attribute>
    <Attribute AttributeId="urn:fedora:names:fedora:2.1:action:id" DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>read</AttributeValue></Attribute>
  </Action>
  <Environment>
    <Attribute AttributeId="urn:fedora:names:fedora:2.1:environment:httpRequest:clientIpAddress" DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>134.158.71.109</AttributeValue></Attribute>
  </Environment>
</Request>

DEBUG 2010-05-31 16:11:33.098 [http-8091-1] (MelcoePDPImpl) evaluating
request
DEBUG 2010-05-31 16:11:33.100 [http-8091-1] (FedoraRIAttributeFinder)
RIAttributeFinder: [http://www.w3.org/2001/XMLSchema#string]
urn:fedora:names:fedora:2.1:resource:datastream:id, rid=/CRDO-Aix:PYJ011
DEBUG 2010-05-31 16:11:33.100 [http-8091-1] (FedoraRIAttributeFinder) Does
not know about attribute: urn:fedora:names:fedora:2.1:resource:datastream:id
DEBUG 2010-05-31 16:11:33.100 [http-8091-1] (DbXmlPolicyDataManager)
SubjectId0 = 'urn:oasis:names:tc:xacml:1.0:subject:subject-id'
DEBUG 2010-05-31 16:11:33.100 [http-8091-1] (DbXmlPolicyDataManager)
SubjectId0-Value0 = 'anonymous'
DEBUG 2010-05-31 16:11:33.100 [http-8091-1] (DbXmlPolicyDataManager)
SubjectId1 = 'urn:fedora:names:fedora:2.1:subject:loginId'
DEBUG 2010-05-31 16:11:33.100 [http-8091-1] (DbXmlPolicyDataManager)
SubjectId1-Value0 = 'anonymous'
DEBUG 2010-05-31 16:11:33.101 [http-8091-1] (DbXmlPolicyDataManager)
XacmlResourceIdValue0: /CRDO-Aix:PYJ011
DEBUG 2010-05-31 16:11:33.101 [http-8091-1] (DbXmlPolicyDataManager)
XacmlResourceIdValue1: /CRDO-Aix:PYJ011$
DEBUG 2010-05-31 16:11:33.101 [http-8091-1] (DbXmlPolicyDataManager)
ResourceId0 = 'urn:fedora:names:fedora:2.1:resource:object:pid'
DEBUG 2010-05-31 16:11:33.101 [http-8091-1] (DbXmlPolicyDataManager)
ResourceId0-Value0 = 'CRDO-Aix:PYJ011'
DEBUG 2010-05-31 16:11:33.101 [http-8091-1] (DbXmlPolicyDataManager) Query
prep. time: 1063000ns
DEBUG 2010-05-31 16:11:33.103 [http-8091-1] (DbXmlPolicyDataManager) Query
exec. time: 2081000ns
DEBUG 2010-05-31 16:11:33.103 [http-8091-1] (DbXmlPolicyDataManager) Total
exec. time: 3144000ns
DEBUG 2010-05-31 16:11:33.103 [http-8091-1] (PolicyManager) Obtained
policies: 0
DEBUG 2010-05-31 16:11:33.103 [http-8091-1] (PolicyManager) Matched policies
and created abstract policy.
DEBUG 2010-05-31 16:11:33.105 [http-8091-1] (ResponseCacheImpl) Adding Cache
Item (49/49/49): 03678d44a515c899f2be05b2f977a8b3
DEBUG 2010-05-31 16:11:33.106 [http-8091-1] (EvaluationEngineImpl) Time
taken for XACML Evaluation: 10ms
DEBUG 2010-05-31 16:11:33.108 [http-8091-1] (PEP) Denying access: 3



-----
Huân Thebault
Centre de Calcul de l'IN2P3
Development Team
Tel. Std                 +33 4 78 93 08 80
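
An added example, not part of the original messages and not Fedora's own code: a Python script that correlates, per request thread, the login, object PID, number of policies obtained and PEP decision code in FeSL debug output like the excerpts in this thread. It assumes the log file's own unwrapped lines; the sample input is constructed from those excerpts, and the decision names are those of Sun XACML's Result class.

```python
import re

# Decision codes as named in Sun XACML's Result class (0..3).
DECISIONS = {0: "Permit", 1: "Deny", 2: "Indeterminate", 3: "NotApplicable"}
HEAD = re.compile(r"^(?:DEBUG|INFO|WARN|ERROR) +\S+ \S+ \[([^\]]+)\] \((\w+)\) ")
ATTR = r'{}"[^>]*>\s*<AttributeValue>([^<]*)<'
LOGIN = re.compile(ATTR.format("subject:loginId"))
PID = re.compile(ATTR.format("resource:object:pid"))
# Constructed sample: condensed from the two excerpts in this thread, lines unwrapped.
SAMPLE = """\
DEBUG 2010-05-31 15:34:25.707 [http-8091-2] (ResponseCacheImpl) Getting Cache Item (22/22/22): 66b0155128b5729db8839206f6265b79
DEBUG 2010-05-31 15:34:25.709 [http-8091-2] (PEP) Denying access: 3
DEBUG 2010-05-31 16:11:33.098 [http-8091-1] (DirectPDPClient) Resolving String request:
<Request><Subject><Attribute AttributeId="urn:fedora:names:fedora:2.1:subject:loginId" DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>anonymous</AttributeValue></Attribute></Subject>
<Resource><Attribute AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid" DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>CRDO-Aix:PYJ011</AttributeValue></Attribute></Resource></Request>
DEBUG 2010-05-31 16:11:33.103 [http-8091-1] (PolicyManager) Obtained policies: 0
DEBUG 2010-05-31 16:11:33.108 [http-8091-1] (PEP) Denying access: 3
"""

def records(text):
    """Return [thread, logger, message]; header-less lines (the XML request) extend the previous record."""
    out = []
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            out.append([m.group(1), m.group(2), line[m.end():]])
        elif out:
            out[-1][2] += "\n" + line
    return out

def first(rx, msg):
    m = rx.search(msg)
    return m.group(1).strip() if m else None

def summarize(text):
    """Correlate, per thread, what the log shows about each evaluation that ends in a PEP denial."""
    state, denials = {}, []
    for thread, logger, msg in records(text):
        cur = state.setdefault(thread, {"login": None, "pid": None, "policies": None, "cached": False})
        if logger == "DirectPDPClient":            # the XACML request sent to the PDP
            cur["login"], cur["pid"] = first(LOGIN, msg), first(PID, msg)
        elif logger == "ResponseCacheImpl" and msg.startswith("Getting Cache Item"):
            cur["cached"] = True                   # cache hit: no request or policy count is logged
        elif logger == "PolicyManager" and msg.startswith("Obtained policies:"):
            cur["policies"] = int(msg.split(":")[1])
        elif logger == "PEP" and msg.startswith("Denying access:"):
            code = int(msg.split(":")[1])
            denials.append(dict(state.pop(thread), thread=thread, decision=DECISIONS.get(code, code)))
    return denials
```

Calling `summarize(SAMPLE)` returns one dictionary per denial; the cached one carries no login, PID or policy count, while the uncached one shows the login, the PID and a policy count of 0.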

-----Original Message-----
From: Edwin Shin [mailto:[email protected]]
Sent: Monday, 31 May 2010 18:27
To: Huân Thebault
Cc: fedora-commons-develop...@lists. sourceforge. net
Subject: Re: [Fedora-commons-developers] PEP Denying Access

Can you find an earlier reference in the logs where the request has not
already been cached? Look for a debug message that includes "No item found
in cache. Sending to PDP for evaluation"

On 31 May 2010, at 3:48 PM, Huân Thebault wrote:

> Hello
>  
> I’ve built fedora-3.4 from trunk but I can’t access any of my objects
> (created with fedora 3.2). I keep getting this:
>  
> DEBUG 2010-05-31 15:34:25.702 [http-8091-2] (PolicyEnforcementPoint) in
> pep, before denyBiasedAuthz() called
> DEBUG 2010-05-31 15:34:25.702 [http-8091-2] (PolicyEnforcementPoint)
> AUTHZ:  permits=1 denies=0 indeterminates=0 notApplicables=0 unexpecteds=0
> DEBUG 2010-05-31 15:34:25.702 [http-8091-2] (PolicyEnforcementPoint)
> Policy enforcement took 1ms.
> DEBUG 2010-05-31 15:34:25.702 [http-8091-2] (DefaultAuthorization) Exiting
> enforceGetRelationships
> DEBUG 2010-05-31 15:34:25.702 [http-8091-2] (DefaultDOManager) Got
> DOReader (source=memory) for CCIN2P3:PYJ033 in 0ms.
> DEBUG 2010-05-31 15:34:25.703 [http-8091-2] (DefaultManagement) Getting
> Relationships:  pid = CCIN2P3:PYJ033 predicate =
> info:fedora/fedora-system:def/relations-external#isMemberOf
> INFO 2010-05-31 15:34:25.703 [http-8091-2] (DefaultManagement) Completed
> getRelationships(pid: CCIN2P3:PYJ033, relationship:
> info:fedora/fedora-system:def/relations-external#isMemberOf)
> DEBUG 2010-05-31 15:34:25.703 [http-8091-2] (DefaultManagement) Exiting
> getRelationships
> INFO 2010-05-31 15:34:25.703 [http-8091-2] (LogUtil) 20100531 15:34:25.703
> null    urn:fedora:names:fedora:2.1:action:id-getObjectProfile
> CCIN2P3:PYJ033
> DEBUG 2010-05-31 15:34:25.703 [http-8091-2] (EvaluationEngineImpl)
> evaluating RequestCtx request
> DEBUG 2010-05-31 15:34:25.704 [http-8091-2] (EvaluationEngineImpl)
> evaluating String request
> DEBUG 2010-05-31 15:34:25.704 [http-8091-2] (EvaluationEngineImpl)
> evaluating array of String requests
> DEBUG 2010-05-31 15:34:25.707 [http-8091-2] (ResponseCacheImpl) Getting
> Cache Item (22/22/22): 66b0155128b5729db8839206f6265b79
> DEBUG 2010-05-31 15:34:25.707 [http-8091-2] (EvaluationEngineImpl) Time
> taken for XACML Evaluation: 3ms
> DEBUG 2010-05-31 15:34:25.709 [http-8091-2] (PEP) Denying access: 3
>  
> Looking at sources, the “3” on the last line means: DECISION_NOT_APPLICABLE,
> which is an error (it should be: DECISION_PERMIT, DECISION_INDETERMINATE,
> DECISION_DENY)
>  
> I’m using FeSL. This happens whatever "ENFORCE-MODE" is used.
>  
> Any help please?
>  
>  
> -----
> Huân Thebault
> Centre de Calcul de l'IN2P3
> Development Team
> Tel. Std          +33 4 78 93 08 80
>  
> ------------------------------------------------------------------------------
> 
> _______________________________________________
> Fedora-commons-developers mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fedora-commons-developers



