2012/7/2 Benjamin Armintor <[email protected]>

> João-
>   I hadn't even thought about the FESL action mapping, that's a great
> point. You would have had to customize the mapping to get a value of
> "readds", though.
>
> I don't think the third rule should be a problem: The rule combining
> algorithm for the policy should mean that a match against the
> "public-meta" rule takes precedence over the subsequent rule "3".  The
> "deny takes precedence" configuration has to do with multiple policy
> responses, not multiple rules within a policy.
>
> - Ben
>
> On Mon, Jul 2, 2012 at 12:52 PM, João Miguel Quintino de Morais Zamite
> <[email protected]> wrote:
> > Hi Carlos,
> >
> > There's action mapping in fedora in the config file
> > config-melcoe-pep-mapping.xml so the action might not be your issue.
> >
> > It could be the case that you end the rule by using a "Deny" that
> > applies to everything and if you have "Deny Takes Precedence" you
> > might be overriding all the permit rules.
> >
> > Best,
> > João Zamite
> >
> > Quoting Benjamin Armintor <[email protected]>:
> >
> >> Carlos:
> >>   I think your action id value (readds) looks suspicious: The action
> >> id is going to be something like
> >> "urn:fedora:names:fedora:2.1:action:id-getDatastreamDissemination" if
> >> you're fetching the datastream content.
>
@Benjamin The action isn't the problem because we defined action-mapping
and it works well when in separate policy objects. It only fails when I put
all these rules together in the same policy object.

> >>
> >>   Also, and this is just a matter of aesthetics: You don't need to
> >> reproduce the attribute matches from the policy target in each rule,
> >> so you could remove the later references to the object's pid.  You
> >> might also consider using a string bag for all those datastream ids
> >> rather than separate matches: There's an example of this in the
> >> default policies ('deny-apim-if-not-localhost.xml').
>
@Benjamin So, I removed the repeated resource references to empid:1001, but
still I have the same problem.

> >>
> >> regards,
> >>   Ben
> >>
> >> On Mon, Jul 2, 2012 at 11:53 AM, Carlos Santos
> >> <[email protected]> wrote:
> >>> Greetings,
> >>>
> >>> I am trying to define multiple rules in a FESLPOLICY datastream but it
> >>> isn't working (the policies aren't applied). The following is the content
> >>> of the policy ds:
> >>>
> >>>> <Policy PolicyId="pid"
> >>>>   RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
> >>>>   xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
> >>>>   xmlns:schemaLocation="http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd"
> >>>>   xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
> >>>>   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
> >>>>   <Description>FESLPOLICY for empid:1001</Description>
> >>>>   <!-- This policy applies to the resource empid:1001 -->
> >>>>   <Target>
> >>>>     <Resources>
> >>>>       <Resource>
> >>>>         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
> >>>>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">empid:1001</AttributeValue>
> >>>>           <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
> >>>>             DataType="http://www.w3.org/2001/XMLSchema#string"/>
> >>>>         </ResourceMatch>
> >>>>       </Resource>
> >>>>     </Resources>
> >>>>   </Target>
> >>>>
> >>>>   <!-- The object is visible to any subject -->
> >>>>   <Rule Effect="Permit" RuleId="public-object">
> >>>>     <Target>
> >>>>       <Resources>
> >>>>         <Resource>
> >>>>           <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
> >>>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">empid:1001</AttributeValue>
> >>>>             <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
> >>>>               DataType="http://www.w3.org/2001/XMLSchema#string"/>
> >>>>           </ResourceMatch>
> >>>>         </Resource>
> >>>>       </Resources>
> >>>>       <Actions>
> >>>>         <Action>
> >>>>           <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
> >>>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
> >>>>             <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id"
> >>>>               DataType="http://www.w3.org/2001/XMLSchema#string"/>
> >>>>           </ActionMatch>
> >>>>         </Action>
> >>>>       </Actions>
> >>>>     </Target>
> >>>>   </Rule>
> >>>>
> >>>>   <!-- The meta datastreams are public -->
> >>>>   <Rule Effect="Permit" RuleId="public-meta">
> >>>>     <Target>
> >>>>       <Resources>
> >>>>         <Resource>
> >>>>           <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
> >>>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">empid:1001</AttributeValue>
> >>>>             <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
> >>>>               DataType="http://www.w3.org/2001/XMLSchema#string"/>
> >>>>           </ResourceMatch>
> >>>>           <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
> >>>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">EM</AttributeValue>
> >>>>             <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:id"
> >>>>               DataType="http://www.w3.org/2001/XMLSchema#string"/>
> >>>>           </ResourceMatch>
> >>>>         </Resource>
> >>>>         <Resource>
> >>>>           <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
> >>>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">empid:1001</AttributeValue>
> >>>>             <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
> >>>>               DataType="http://www.w3.org/2001/XMLSchema#string"/>
> >>>>           </ResourceMatch>
> >>>>           <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
> >>>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DC</AttributeValue>
> >>>>             <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:id"
> >>>>               DataType="http://www.w3.org/2001/XMLSchema#string"/>
> >>>>           </ResourceMatch>
> >>>>         </Resource>
> >>>>         <Resource>
> >>>>           <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
> >>>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">empid:1001</AttributeValue>
> >>>>             <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
> >>>>               DataType="http://www.w3.org/2001/XMLSchema#string"/>
> >>>>           </ResourceMatch>
> >>>>           <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
> >>>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Request</AttributeValue>
> >>>>             <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:id"
> >>>>               DataType="http://www.w3.org/2001/XMLSchema#string"/>
> >>>>           </ResourceMatch>
> >>>>         </Resource>
> >>>>         <Resource>
> >>>>           <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
> >>>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">empid:1001</AttributeValue>
> >>>>             <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
> >>>>               DataType="http://www.w3.org/2001/XMLSchema#string"/>
> >>>>           </ResourceMatch>
> >>>>           <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
> >>>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">RELS-EXT</AttributeValue>
> >>>>             <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:id"
> >>>>               DataType="http://www.w3.org/2001/XMLSchema#string"/>
> >>>>           </ResourceMatch>
> >>>>         </Resource>
> >>>>       </Resources>
> >>>>       <Actions>
> >>>>         <Action>
> >>>>           <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
> >>>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">readds</AttributeValue>
> >>>>             <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id"
> >>>>               DataType="http://www.w3.org/2001/XMLSchema#string"/>
> >>>>           </ActionMatch>
> >>>>         </Action>
> >>>>       </Actions>
> >>>>     </Target>
> >>>>   </Rule>
> >>>>   <!-- Deny everything else -->
> >>>>   <Rule Effect="Deny" RuleId="3"/>
> >>>> </Policy>
> >>>
> >>>
> >>> If anyone finds the problem I would be very grateful.
> >>>
> >>>
> >>> --
> >>> cumprimentos,
> >>> Carlos Santos @ LaSIGE
> >>>
> >>>
> ------------------------------------------------------------------------------
> >>> Live Security Virtual Conference
> >>> Exclusive live event will cover all the ways today's security and
> >>> threat landscape has changed and how IT managers can respond.
> Discussions
> >>> will include endpoint security, mobile security and the latest in
> malware
> >>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> >>> _______________________________________________
> >>> Fedora-commons-users mailing list
> >>> [email protected]
> >>> https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
> >>>
> >>
> >>
> >>
> >
> >
> >
> >
>
>
>



-- 
cumprimentos,
Carlos Santos @ LaSIGE
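To make the combining-algorithm point in this thread concrete, here is a small XACML 2.0 evaluator in Python. It is an added example, not code from the thread, from Fedora or from its FESL/MelCoE PEP and PDP. It rebuilds the quoted policy (same policy target, the same two Permit rules and the trailing catch-all Deny rule; the redundant pid matches in the rules are left out, as Ben suggested), evaluates it with first-applicable rule combining, and contrasts that with deny-overrides as used across several policies' responses. The request attribute values are constructed sample data, and the evaluator supports only the string-equal matches the policy uses.

```python
"""Toy XACML 2.0 evaluator for the FESL policy quoted in this thread.

Added example, not Fedora/FESL code.  Supports only what the quoted policy
uses: string-equal matches on resource and action attributes, the
first-applicable rule-combining algorithm and, for contrast, deny-overrides.
All request attribute values are constructed sample data.
"""
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:2.0:policy:schema:os"}
FIRST_APPLICABLE = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
STRING = "http://www.w3.org/2001/XMLSchema#string"
PID = "urn:fedora:names:fedora:2.1:resource:object:pid"
DSID = "urn:fedora:names:fedora:2.1:resource:datastream:id"
ACTION = "urn:fedora:names:fedora:2.1:action:id"


def _m(kind, attr_id, value):
    """Serialise one <kind>Match element (helper used to build POLICY_XML)."""
    return ('<%sMatch MatchId="%s"><AttributeValue DataType="%s">%s</AttributeValue>'
            '<%sAttributeDesignator AttributeId="%s" DataType="%s"/></%sMatch>'
            % (kind, STRING_EQUAL, STRING, value, kind, attr_id, STRING, kind))


# Same structure as the policy in the thread: policy target on the object pid,
# rule "public-object" (action read), rule "public-meta" (four datastream ids,
# action readds) and a final catch-all Deny rule with no Target.
POLICY_XML = (
    '<Policy xmlns="%s" PolicyId="pid" RuleCombiningAlgId="%s">'
    "<Target><Resources><Resource>%s</Resource></Resources></Target>"
    '<Rule Effect="Permit" RuleId="public-object"><Target><Actions><Action>%s'
    "</Action></Actions></Target></Rule>"
    '<Rule Effect="Permit" RuleId="public-meta"><Target><Resources>%s</Resources>'
    "<Actions><Action>%s</Action></Actions></Target></Rule>"
    '<Rule Effect="Deny" RuleId="3"/></Policy>'
) % (NS["x"], FIRST_APPLICABLE,
     _m("Resource", PID, "empid:1001"),
     _m("Action", ACTION, "read"),
     "".join("<Resource>%s</Resource>" % _m("Resource", DSID, ds)
             for ds in ("EM", "DC", "Request", "RELS-EXT")),
     _m("Action", ACTION, "readds"))


def _match_applies(match, request):
    """string-equal of the literal against the designated request attribute."""
    if match.get("MatchId") != STRING_EQUAL:
        raise ValueError("unsupported MatchId: %s" % match.get("MatchId"))
    literal = match.find("x:AttributeValue", NS).text
    designator = next(c for c in match if c.tag.endswith("AttributeDesignator"))
    return request.get(designator.get("AttributeId")) == literal


def target_applies(target, request):
    """XACML 2.0 Target semantics: a missing Target matches everything; the
    Subjects/Resources/Actions groups are ANDed, the alternatives inside a
    group (<Resource>, <Action>) are ORed, the *Match elements in one
    alternative are ANDed."""
    if target is None:
        return True
    return all(any(all(_match_applies(m, request) for m in alt) for alt in group)
               for group in target)


def first_applicable(decisions):
    """Rule combining: the first rule yielding Permit or Deny decides."""
    return next((d for d in decisions if d in ("Permit", "Deny")), "NotApplicable")


def deny_overrides(decisions):
    """Combining across several policies' responses: any Deny wins."""
    if "Deny" in decisions:
        return "Deny"
    return "Permit" if "Permit" in decisions else "NotApplicable"


def evaluate_policy(policy_xml, request):
    """Return (decision, per-rule trace) for one <Policy>."""
    policy = ET.fromstring(policy_xml)
    if policy.get("RuleCombiningAlgId") != FIRST_APPLICABLE:
        raise ValueError("only first-applicable is implemented here")
    if not target_applies(policy.find("x:Target", NS), request):
        return "NotApplicable", []
    trace = []
    for rule in policy.findall("x:Rule", NS):
        applies = target_applies(rule.find("x:Target", NS), request)
        trace.append((rule.get("RuleId"), rule.get("Effect") if applies else "NotApplicable"))
    return first_applicable([d for _, d in trace]), trace


if __name__ == "__main__":
    for req in ({PID: "empid:1001", DSID: "DC", ACTION: "readds"},
                {PID: "empid:1001", DSID: "CONTENT", ACTION: "readds"},
                {PID: "empid:1001", ACTION: "read"},
                {PID: "empid:9999", DSID: "DC", ACTION: "readds"}):
        print(req, "->", evaluate_policy(POLICY_XML, req))
    # The same three rule decisions, combined as if they came from three
    # separate policies under deny-overrides, would instead yield Deny:
    print(deny_overrides(["NotApplicable", "Permit", "Deny"]))
```

The trace for a `readds` request on the `DC` datastream comes back as `public-object` NotApplicable, `public-meta` Permit, `3` Deny, and first-applicable settles on Permit, which is the behaviour Ben describes for rule "3". The last line shows the other half of his point: deny-overrides is a policy-combining choice, and it only turns the same decisions into Deny when the rules are split across separate policies.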