João- I hadn't even thought about the FESL action mapping, that's a great point. You would have had to customize the mapping to get a value of "readds", though.
I don't think the third rule should be a problem: The rule combining algorithm for the policy should mean that a match against the "public-meta" rule takes precedence over the subsequent rule "3". The "deny takes precedence" configuration has to do with multiple policy responses, not multiple rules within a policy.

- Ben

On Mon, Jul 2, 2012 at 12:52 PM, João Miguel Quintino de Morais Zamite <[email protected]> wrote:
> Hi Carlos,
>
> There's action mapping in Fedora in the config file
> config-melcoe-pep-mapping.xml so the action might not be your issue.
>
> It could be the case that you end the rule by using a "Deny" that
> applies to everything and if you have "Deny Takes Precedence" you
> might be overriding all the permit rules.
>
> Best,
> João Zamite
>
> Quoting Benjamin Armintor <[email protected]>:
>
>> Carlos:
>> I think your action id value (readds) looks suspicious: The action
>> id is going to be something like
>> "urn:fedora:names:fedora:2.1:action:id-getDatastreamDissemination" if
>> you're fetching the datastream content.
>>
>> Also, and this is just a matter of aesthetics: You don't need to
>> reproduce the attribute matches from the policy target in each rule,
>> so you could remove the later references to the object's pid. You
>> might also consider using a string bag for all those datastream ids
>> rather than separate matches: There's an example of this in the
>> default policies ('deny-apim-if-not-localhost.xml').
>>
>> regards,
>> Ben
>>
>> On Mon, Jul 2, 2012 at 11:53 AM, Carlos Santos
>> <[email protected]> wrote:
>>> Greetings,
>>>
>>> I am trying to define multiple rules in a FESLPOLICY datastream but it isn't
>>> working (the policies aren't applied).
>>> The following is the content of the
>>> policy ds:
>>>
>>>> <Policy PolicyId="pid"
>>>>   RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
>>>>   xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
>>>>   xmlns:schemaLocation="http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd"
>>>>   xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
>>>>   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>>>>   <Description>FESLPOLICY for empid:1001</Description>
>>>>   <!-- This policy applies to the resource empid:1001 -->
>>>>   <Target>
>>>>     <Resources>
>>>>       <Resource>
>>>>         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">empid:1001</AttributeValue>
>>>>           <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
>>>>             DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>>         </ResourceMatch>
>>>>       </Resource>
>>>>     </Resources>
>>>>   </Target>
>>>>
>>>>   <!-- The object is visible to any subject -->
>>>>   <Rule Effect="Permit" RuleId="public-object">
>>>>     <Target>
>>>>       <Resources>
>>>>         <Resource>
>>>>           <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">empid:1001</AttributeValue>
>>>>             <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
>>>>               DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>>           </ResourceMatch>
>>>>         </Resource>
>>>>       </Resources>
>>>>       <Actions>
>>>>         <Action>
>>>>           <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
>>>>             <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id"
>>>>               DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>>           </ActionMatch>
>>>>         </Action>
>>>>       </Actions>
>>>>     </Target>
>>>>   </Rule>
>>>>
>>>>   <!-- The meta datastreams are public -->
>>>>   <Rule Effect="Permit" RuleId="public-meta">
>>>>     <Target>
>>>>       <Resources>
>>>>         <Resource>
>>>>           <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">empid:1001</AttributeValue>
>>>>             <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
>>>>               DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>>           </ResourceMatch>
>>>>           <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">EM</AttributeValue>
>>>>             <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:id"
>>>>               DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>>           </ResourceMatch>
>>>>         </Resource>
>>>>         <Resource>
>>>>           <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">empid:1001</AttributeValue>
>>>>             <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
>>>>               DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>>           </ResourceMatch>
>>>>           <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DC</AttributeValue>
>>>>             <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:id"
>>>>               DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>>           </ResourceMatch>
>>>>         </Resource>
>>>>         <Resource>
>>>>           <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">empid:1001</AttributeValue>
>>>>             <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
>>>>               DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>>           </ResourceMatch>
>>>>           <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Request</AttributeValue>
>>>>             <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:id"
>>>>               DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>>           </ResourceMatch>
>>>>         </Resource>
>>>>         <Resource>
>>>>           <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">empid:1001</AttributeValue>
>>>>             <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
>>>>               DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>>           </ResourceMatch>
>>>>           <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">RELS-EXT</AttributeValue>
>>>>             <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:id"
>>>>               DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>>           </ResourceMatch>
>>>>         </Resource>
>>>>       </Resources>
>>>>       <Actions>
>>>>         <Action>
>>>>           <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">readds</AttributeValue>
>>>>             <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id"
>>>>               DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>>           </ActionMatch>
>>>>         </Action>
>>>>       </Actions>
>>>>     </Target>
>>>>   </Rule>
>>>>   <!-- Deny everything else -->
>>>>   <Rule Effect="Deny" RuleId="3"/>
>>>> </Policy>
>>>
>>>
>>> If anyone finds the problem I would be very grateful.
>>>
>>>
>>> --
>>> cumprimentos,
>>> Carlos Santos @ LaSIGE
>>>
>>> ------------------------------------------------------------------------------
>>> Live Security Virtual Conference
>>> Exclusive live event will cover all the ways today's security and
>>> threat landscape has changed and how IT managers can respond. Discussions
>>> will include endpoint security, mobile security and the latest in malware
>>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>>> _______________________________________________
>>> Fedora-commons-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
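The two points Ben makes above (a first-applicable rule combiner stops at the first matching rule, so the trailing Deny rule cannot override "public-meta"; and "deny takes precedence" is about combining the answers of several policies) can be checked with a small XACML evaluator. The following is an added example, not code from this thread, from Fedora or from the FESL/MelCoe PEP. It assumes: a constructed, cut-down copy of Carlos's policy (same policy Target, the "public-meta" rule with two of its datastream ids and its "readds" action, the same catch-all Deny rule); the getDatastreamDissemination action id as Ben quotes it; the standard XACML 1.0 deny-overrides identifier to stand in for FESL's "deny takes precedence" setting, which in a real deployment is configured in the PDP rather than in the policy; and only the string-equal match function.

```python
"""Toy XACML 2.0 evaluator (added example; not code from the thread, Fedora or FESL).
It models only string-equal Target matching and the first-applicable and
deny-overrides combining algorithms, enough to show why the trailing Deny rule
is harmless and where 'deny takes precedence' really applies."""
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
NS = {"x": XACML}
STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
FIRST_APPLICABLE = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides"
PID_ATTR = "urn:fedora:names:fedora:2.1:resource:object:pid"
DSID_ATTR = "urn:fedora:names:fedora:2.1:resource:datastream:id"
ACTION_ATTR = "urn:fedora:names:fedora:2.1:action:id"
# The action id Ben says Fedora sends when datastream content is fetched.
GET_DS = "urn:fedora:names:fedora:2.1:action:id-getDatastreamDissemination"


def _match(kind, attr, value):
    """One <ResourceMatch> or <ActionMatch> element as text (kind = 'Resource' | 'Action')."""
    return (f'<{kind}Match MatchId="{STRING_EQUAL}">'
            f'<AttributeValue DataType="{STRING}">{value}</AttributeValue>'
            f'<{kind}AttributeDesignator AttributeId="{attr}" DataType="{STRING}"/>'
            f'</{kind}Match>')


# Constructed, cut-down copy of Carlos's policy: same policy Target, the
# 'public-meta' rule with two of its datastream ids and its 'readds' action,
# and the same catch-all Deny rule at the end.
POLICY_XML = f"""<Policy xmlns="{XACML}" PolicyId="pid" RuleCombiningAlgId="{FIRST_APPLICABLE}">
  <Target><Resources><Resource>{_match('Resource', PID_ATTR, 'empid:1001')}</Resource></Resources></Target>
  <Rule Effect="Permit" RuleId="public-meta">
    <Target>
      <Resources>
        <Resource>{_match('Resource', DSID_ATTR, 'DC')}</Resource>
        <Resource>{_match('Resource', DSID_ATTR, 'EM')}</Resource>
      </Resources>
      <Actions><Action>{_match('Action', ACTION_ATTR, 'readds')}</Action></Actions>
    </Target>
  </Rule>
  <!-- Deny everything else -->
  <Rule Effect="Deny" RuleId="3"/>
</Policy>"""


def _match_ok(m, desig, request):
    if m.get("MatchId") != STRING_EQUAL:
        raise NotImplementedError(m.get("MatchId"))  # only string-equal is modelled
    attr_id = m.find(desig, NS).get("AttributeId")
    return request.get(attr_id) == m.find("x:AttributeValue", NS).text


def _target_matches(target, request):
    """XACML Target semantics: every group present (<Resources>, <Actions>) must match;
    a group matches if any one item matches; an item matches if all its *Match
    children match.  A missing Target matches every request."""
    if target is None:
        return True
    for group, item, match, desig in (
        ("x:Resources", "x:Resource", "x:ResourceMatch", "x:ResourceAttributeDesignator"),
        ("x:Actions", "x:Action", "x:ActionMatch", "x:ActionAttributeDesignator"),
    ):
        g = target.find(group, NS)
        if g is not None and not any(
            all(_match_ok(m, desig, request) for m in it.findall(match, NS))
            for it in g.findall(item, NS)):
            return False
    return True


def combine(decisions, alg):
    """Combine rule decisions (inside a policy) or policy decisions (across policies)."""
    applicable = [d for d in decisions if d != "NotApplicable"]
    if alg == FIRST_APPLICABLE:
        return applicable[0] if applicable else "NotApplicable"
    if alg == DENY_OVERRIDES:
        return "Deny" if "Deny" in applicable else ("Permit" if applicable else "NotApplicable")
    raise NotImplementedError(alg)


def evaluate_policy(policy_xml, request):
    """Return Permit / Deny / NotApplicable for one policy and one request."""
    policy = ET.fromstring(policy_xml)
    if not _target_matches(policy.find("x:Target", NS), request):
        return "NotApplicable"
    decisions = [rule.get("Effect") if _target_matches(rule.find("x:Target", NS), request)
                 else "NotApplicable" for rule in policy.findall("x:Rule", NS)]
    return combine(decisions, policy.get("RuleCombiningAlgId"))


def request(pid, dsid, action):
    return {PID_ATTR: pid, DSID_ATTR: dsid, ACTION_ATTR: action}


if __name__ == "__main__":
    # 'public-meta' is hit first and rule "3" is never consulted: the trailing Deny is harmless
    print(evaluate_policy(POLICY_XML, request("empid:1001", "DC", "readds")))  # Permit
    # with the action id Fedora really sends, no Permit rule matches, so the catch-all Deny applies
    print(evaluate_policy(POLICY_XML, request("empid:1001", "DC", GET_DS)))  # Deny
```

Running the two cases in the `__main__` block shows the diagnosis from the thread: with the action value the rule expects, the policy permits even though rule "3" follows; with the action id Fedora actually sends, neither Permit rule matches and the policy falls through to Deny. Swapping `FIRST_APPLICABLE` for `DENY_OVERRIDES` in `RuleCombiningAlgId` is the only way rule "3" would beat a matching Permit, which is the situation João describes, and `combine(["Permit", "Deny"], DENY_OVERRIDES)` is the policy-level combination Ben is referring to. The real PEP also consults config-melcoe-pep-mapping.xml to map Fedora operations to action ids; that mapping is not modelled here.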
