Hello,
I need some assistance writing XACML policies for the Fedora Repository
(Version 3.3). First some questions:
1. We are not using the bundled Tomcat, so there is no fedora.sh
script in our installation. How can I use another
logging.properties file in this case? And which logging.properties
file is used in this case?
2. What is the best way to "debug" XACML policies. At the moment, I'm
trying to write a policy which permits the reload-policy action to a
specific user. This user should have the permission to do only
policy reloading, and nothing else. We need this for some sort of
policy editing tool for one of our applications. This policy editor
will write policy files into the policies directory, and after this
the editor should reload the policies to make them active. (If it is
helpful, I've attached the policy at the end of this message.)
Thanks in advance for your answers.
Jens Pelzetter
<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:oasis:names:tc:xacml:1.0:policy
                            http://www.fedora.info/definitions/1/0/api/cs-xacml-schema-policy-01.xsd"
        PolicyId="teuchos-security-permit-reload-policies-to-reload-user"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
  <Description>Permits the reloadPolicies action to the user reload-user.</Description>
  <!-- Target: any subject, any resource, but only the reloadPolicies action. -->
  <Target>
    <Subjects>
      <AnySubject/>
    </Subjects>
    <Resources>
      <AnyResource/>
    </Resources>
    <Actions>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-reloadPolicies</AttributeValue>
          <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id"
                                     DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ActionMatch>
      </Action>
    </Actions>
  </Target>
  <!-- Single Permit rule: applies only when the subject attribute "uid" contains "reload-user".
       Requests for any other action fall outside the Target and yield NotApplicable, not Deny. -->
  <Rule RuleId="1" Effect="Permit">
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
      <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                  AttributeId="uid"/>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">reload-user</AttributeValue>
      </Apply>
    </Condition>
  </Rule>
</Policy>
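As an added example (not from the original message and not Fedora's own code), a minimal Python evaluator for exactly the XACML 1.0 constructs the policy above uses, so the policy can be checked offline against sample requests before it is reloaded into the repository. It assumes the request carries the login name under the subject attribute id "uid", as the policy does; it also makes visible that on its own the policy only ever answers Permit or NotApplicable, so keeping this user out of everything else depends on the other deployed policies.

```python
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:1.0:policy"}
F = "urn:oasis:names:tc:xacml:1.0:function:"
STR = "http://www.w3.org/2001/XMLSchema#string"
ACTION_ID = "urn:fedora:names:fedora:2.1:action:id"
RELOAD = ACTION_ID + "-reloadPolicies"
# Constructed input: the policy from the message, with schema-location attributes dropped.
POLICY = f"""<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" PolicyId="reload-user"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
  <Target><Subjects><AnySubject/></Subjects><Resources><AnyResource/></Resources>
    <Actions><Action><ActionMatch MatchId="{F}string-equal">
      <AttributeValue DataType="{STR}">{RELOAD}</AttributeValue>
      <ActionAttributeDesignator AttributeId="{ACTION_ID}" DataType="{STR}"/>
    </ActionMatch></Action></Actions></Target>
  <Rule RuleId="1" Effect="Permit">
    <Condition FunctionId="{F}string-at-least-one-member-of">
      <SubjectAttributeDesignator DataType="{STR}" AttributeId="uid"/>
      <Apply FunctionId="{F}string-bag"><AttributeValue DataType="{STR}">reload-user</AttributeValue></Apply>
    </Condition>
  </Rule>
</Policy>"""

def target_matches(policy, req):
    """Each ActionMatch literal must equal a value of the designated request attribute; AnySubject/AnyResource always match."""
    for m in policy.findall("x:Target/x:Actions/x:Action/x:ActionMatch", NS):
        assert m.get("MatchId") == F + "string-equal", "unsupported MatchId"
        wanted = m.find("x:AttributeValue", NS).text
        attr = m.find("x:ActionAttributeDesignator", NS).get("AttributeId")
        if wanted not in req["action"].get(attr, []):
            return False
    return True

def condition_holds(rule, req):
    """string-at-least-one-member-of(subject bag, literal bag): any overlap satisfies it."""
    cond = rule.find("x:Condition", NS)
    if cond is None:
        return True
    assert cond.get("FunctionId") == F + "string-at-least-one-member-of", "unsupported function"
    attr = cond.find("x:SubjectAttributeDesignator", NS).get("AttributeId")
    allowed = {v.text for v in cond.find("x:Apply", NS).findall("x:AttributeValue", NS)}
    return bool(set(req["subject"].get(attr, [])) & allowed)

def evaluate(policy_xml, req):
    """Decision of one policy: NotApplicable outside its Target, permit-overrides across its rules."""
    policy = ET.fromstring(policy_xml)
    if not target_matches(policy, req):
        return "NotApplicable"
    effects = [r.get("Effect") for r in policy.findall("x:Rule", NS) if condition_holds(r, req)]
    return "Permit" if "Permit" in effects else "Deny" if "Deny" in effects else "NotApplicable"
```

A request is a dict with "subject" and "action" attribute bags; a request whose login arrives under a different subject attribute id than "uid" silently evaluates to NotApplicable, which is the first thing to check when a policy like this appears to do nothing.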
_______________________________________________
Fedora-commons-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fedora-commons-users