Hello
I solved my managed DC/RELS-EXT datastreams in METS worries - they are
just regular datastreams, but with the particular ID attributes.
Now I'm stuck on using an external POLICY datastream. In a METS document,
I have:
<mets OBJID="alfresco:a8d5f33f-b5d7-4a50-bb2f-d45acbbbd5bf" ...>
  ...
  <fileGrp ID="POLICY" VERSIONABLE="true" STATUS="A">
    <file ID="POLICY.0" MIMETYPE="text/xml" OWNERID="E">
      <FLocat xmlns:xlink="http://www.w3.org/1999/xlink" LOCTYPE="URL"
              xlink:href="http://itspc-cs2/~archive/policy_service/policy_rps_data.xml"/>
    </file>
  </fileGrp>
The URL resolves to this document:
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        PolicyId="deny-data-access-if-not-rps_reader"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Description>A policy to provide access to users with the rps_reader
  role</Description>
  <Target>
    <Subjects>
      <AnySubject/>
    </Subjects>
    <!-- In the XACML 1.0 schema a Target must carry Resources and Actions
         as well as Subjects; the match-all sections below were missing. -->
    <Resources>
      <AnyResource/>
    </Resources>
    <Actions>
      <AnyAction/>
    </Actions>
  </Target>
  <!-- Deny when "rps_reader" is not among the subject's fedoraRole values.
       When it is, this rule is NotApplicable; no rule here yields Permit. -->
  <Rule RuleId="rps_data_rul1" Effect="Deny">
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
        <AttributeValue
            DataType="http://www.w3.org/2001/XMLSchema#string">rps_reader</AttributeValue>
        <SubjectAttributeDesignator AttributeId="fedoraRole"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </Apply>
    </Condition>
  </Rule>
</Policy>
If I go to the object in a browser or a particular datastream, e.g.
http://.../fedora/objects/alfresco:a8d5f33f-b5d7-4a50-bb2f-d45acbbbd5bf or
http://.../fedora/objects/alfresco:a8d5f33f-b5d7-4a50-bb2f-d45acbbbd5bf/DS1,
then there is no prompting for authentication. If I then try to view the
/datastreams for the object, then I am prompted for authentication. But
the user who has "rps_reader" in their fedoraRole can't view the
datastreams (getting Fedora: 403 NOTAPPLICABLE), only fedoraAdmin can.
Looking at fedora.log and fesl.log (both set to DEBUG), it doesn't look
like my external policy is being used, let alone whether the XACML does
what I want it to do.
Does anyone have a working example of an external policy covering many
objects?
Thanks.
Swithun.
--
The University of St Andrews is a charity registered in Scotland: SC013532
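As an added illustration (not part of Swithun's post, and not Fedora or FeSL code), the Python script below evaluates the policy quoted above with a tiny evaluator that covers only the XACML 1.0 subset the policy uses: an Any* target, the first-applicable combining algorithm, the `not` and `string-is-in` functions, and a SubjectAttributeDesignator for `fedoraRole`. The policy text is embedded verbatim so the script runs offline; the role sets fed to it are constructed. It shows what this policy can decide on its own: Deny for a subject that lacks `rps_reader`, and NotApplicable (not Permit) for one that has it, because the policy contains no Permit rule; any access granted has to come from another policy that the PDP combines with this one.

```python
# Added example: a minimal evaluator for the XACML 1.0 subset used by the
# "deny-data-access-if-not-rps_reader" policy. Not a general PDP.
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:1.0:policy"
FN = "urn:oasis:names:tc:xacml:1.0:function:"

# Copy of the policy from the post, embedded so the example runs offline.
POLICY_XML = """<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
    PolicyId="deny-data-access-if-not-rps_reader"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Description>A policy to provide access to users with the rps_reader role</Description>
  <Target>
    <Subjects><AnySubject/></Subjects>
  </Target>
  <Rule RuleId="rps_data_rul1" Effect="Deny">
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">rps_reader</AttributeValue>
        <SubjectAttributeDesignator AttributeId="fedoraRole"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </Apply>
    </Condition>
  </Rule>
</Policy>
"""


def q(tag):
    """Qualify a tag name with the XACML 1.0 policy namespace."""
    return "{%s}%s" % (NS, tag)


# The only two functions the policy uses. A designator returns a bag (list);
# string-is-in tests membership of a single string in that bag.
FUNCTIONS = {
    FN + "not": lambda b: not b,
    FN + "string-is-in": lambda s, bag: s in bag,
}


def target_matches(target):
    """Only the match-everything Target form (Any* sections) is supported."""
    if target is None:
        return True
    for section, any_tag in (("Subjects", "AnySubject"),
                             ("Resources", "AnyResource"),
                             ("Actions", "AnyAction")):
        sec = target.find(q(section))
        if sec is not None and sec.find(q(any_tag)) is None:
            raise NotImplementedError("only Any* targets are handled here")
    return True


def evaluate_expr(node, subject_attrs):
    """Evaluate a Condition/Apply tree against the subject's attributes."""
    if node.tag == q("AttributeValue"):
        return (node.text or "").strip()
    if node.tag == q("SubjectAttributeDesignator"):
        # A missing attribute is an empty bag, as a PDP would see it.
        return list(subject_attrs.get(node.get("AttributeId"), []))
    if node.tag in (q("Condition"), q("Apply")):
        args = [evaluate_expr(child, subject_attrs) for child in node]
        return FUNCTIONS[node.get("FunctionId")](*args)
    raise NotImplementedError("unsupported element %s" % node.tag)


def evaluate_rule(rule, subject_attrs):
    """A rule yields its Effect when its Condition holds, else NotApplicable."""
    if not target_matches(rule.find(q("Target"))):
        return "NotApplicable"
    cond = rule.find(q("Condition"))
    if cond is not None and not evaluate_expr(cond, subject_attrs):
        return "NotApplicable"
    return rule.get("Effect")


def evaluate_policy(policy_xml, subject_attrs):
    """first-applicable: the first rule that is not NotApplicable decides."""
    policy = ET.fromstring(policy_xml)
    if not policy.get("RuleCombiningAlgId", "").endswith("first-applicable"):
        raise NotImplementedError("only first-applicable is handled here")
    if not target_matches(policy.find(q("Target"))):
        return "NotApplicable"
    for rule in policy.findall(q("Rule")):
        decision = evaluate_rule(rule, subject_attrs)
        if decision != "NotApplicable":
            return decision
    return "NotApplicable"


if __name__ == "__main__":
    # Constructed subjects: one with the role, one without, one with no roles.
    for attrs in ({"fedoraRole": ["rps_reader"]}, {"fedoraRole": ["student"]}, {}):
        print(attrs, "->", evaluate_policy(POLICY_XML, attrs))
```

The evaluator deliberately refuses anything outside the subset on the page (non-Any targets, other combining algorithms, other functions) rather than guessing, so that a NotApplicable result can only come from the policy's own logic.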
_______________________________________________
Fedora-commons-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fedora-commons-users