Here's a quick update on what I've learned about adding collection-level 
policies to objects under the legacy system described here:
https://wiki.duraspace.org/pages/viewpage.action?pageId=27001145 

1. For this to work, collection membership has to be asserted from the member 
up to the collection, i.e.:
<demo:2> <fedora-model:isMemberOf> <demo:1>
and not:
<demo:1> <fedora-model:hasMember> <demo:2>


2. Edit $FEDORA_HOME/server/config/spring/policy-enforcement.xml and uncomment 
the two sections below.

Section A.
<!-- Uncomment the bean below to enable the use of relationship index triples
     in XACML policies -->
<bean id="org.fcrepo.server.security.xacml.pdp.finder.attribute.RITriplesAttributeFinder"
      class="org.fcrepo.server.security.xacml.pdp.finder.attribute.RITriplesAttributeFinder"
      init-method="init">
  <constructor-arg>
    <ref bean="org.fcrepo.server.resourceIndex.ResourceIndex" />
  </constructor-arg>
  <property name="resourceAttributes">
    <set>
      <value type="java.lang.String">info:fedora/fedora-system:def/view#mimeType</value>
      <value type="java.lang.String">info:fedora/fedora-system:def/model#ownerId</value>
      <value type="java.lang.String">info:fedora/fedora-system:def/model#state</value>
      <value type="java.lang.String">info:fedora/fedora-system:def/model#createdDate</value>
      <value type="java.lang.String">info:fedora/fedora-system:def/model#label</value>
      <value type="java.lang.String">http://www.w3.org/1999/02/22-rdf-syntax-ns#type</value>
      <value type="java.lang.String">http://muradora.ramp.org.au/sf#isSmartFolder</value>
    </set>
  </property>
</bean>

Section B.
<!-- Uncomment the bean below to enable the use of relationship index triples
     in XACML policies -->
<ref bean="org.fcrepo.server.security.xacml.pdp.finder.attribute.RITriplesAttributeFinder" />

3. Add your resource attribute to the list:
<value type="java.lang.String">info:fedora/fedora-system:def/relations-external#isMemberOf</value>

4. Add the relationship to your RELS-EXT:
<rdf:RDF xmlns:fedora-model="info:fedora/fedora-system:def/model#"
         xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:rel="info:fedora/fedora-system:def/relations-external#">
  <rdf:Description rdf:about="info:fedora/demo:2">
    <rel:isMemberOf rdf:resource="info:fedora/demo:1"></rel:isMemberOf>
  </rdf:Description>
</rdf:RDF>

5. Example XACML target which applies to both demo:1 and demo:2:
<Resources>
  <!-- match the collection itself, by pid -->
  <Resource>
    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">demo:1</AttributeValue>
      <ResourceAttributeDesignator
          AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
          DataType="http://www.w3.org/2001/XMLSchema#string"/>
    </ResourceMatch>
  </Resource>
  <!-- OR -->
  <!-- match the collection's direct members, by their isMemberOf triple
       (note the value here is the full URI, not the bare pid) -->
  <Resource>
    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">info:fedora/demo:1</AttributeValue>
      <ResourceAttributeDesignator
          AttributeId="info:fedora/fedora-system:def/relations-external#isMemberOf"
          DataType="http://www.w3.org/2001/XMLSchema#string"/>
    </ResourceMatch>
  </Resource>
</Resources>

Conclusion:
While this works, it only accomplishes part of my goal of collection-wide 
policy enforcement. This only addresses direct relationships. I have since 
implemented FESL/AUTHZ collection policies as described here:
https://wiki.duraspace.org/display/FEDORA35/FeSL+Authorization#FeSLAuthorization-TheXACMLhierarchicalresourceprofile

Thanks for the assistance Ben!

David Lacy
Falvey Library Technology Services
Villanova University
library.villanova.edu
610-519-7361
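As an added illustration that is not part of David's message or of Fedora's own code, the following Python models how the legacy PDP resolves the step 5 target once the RITriplesAttributeFinder is wired in: a resource attribute is the set of objects of index triples whose subject is the object being accessed, and the two <Resource> alternatives are OR-ed. The triples are constructed sample data, and the function names are assumptions for this example; it also shows why the two caveats in the message hold (a hasMember triple on the collection is invisible, and members of members are out of scope).

```python
# Added example: a minimal model of the legacy Fedora XACML target above.
# Not Fedora code; triples below are constructed sample data.
REL = "info:fedora/fedora-system:def/relations-external#"
IS_MEMBER_OF = REL + "isMemberOf"
HAS_MEMBER = REL + "hasMember"
COLLECTION_PID = "demo:1"

# Constructed resource-index triples (subject, predicate, object):
#  - demo:2 is a direct member of demo:1 (asserted from the member up)
#  - demo:3 is a member of demo:2 only (indirect member of demo:1)
#  - demo:4 is linked from demo:1 by hasMember (wrong direction)
TRIPLES = [
    ("info:fedora/demo:2", IS_MEMBER_OF, "info:fedora/demo:1"),
    ("info:fedora/demo:3", IS_MEMBER_OF, "info:fedora/demo:2"),
    ("info:fedora/demo:1", HAS_MEMBER, "info:fedora/demo:4"),
]


def ri_attribute(pid, attribute_id, triples=TRIPLES):
    """Model of the RITriplesAttributeFinder (hypothetical helper name):
    the values of a resource attribute are the objects of index triples
    whose subject is the URI of the object being accessed."""
    subject = "info:fedora/" + pid
    return {o for s, p, o in triples if s == subject and p == attribute_id}


def resource_matches(pid, triples=TRIPLES):
    """Evaluate the <Resources> target: either <Resource> may match."""
    # <Resource> 1: string-equal on the bare pid attribute
    if pid == COLLECTION_PID:
        return True
    # <Resource> 2: string-equal on any isMemberOf value; note the
    # comparison is against the full URI, not the bare pid
    members_of = ri_attribute(pid, IS_MEMBER_OF, triples)
    return "info:fedora/" + COLLECTION_PID in members_of


def policy_scope(pids, triples=TRIPLES):
    """Return, sorted, the pids the policy target would apply to."""
    return sorted(p for p in pids if resource_matches(p, triples))


if __name__ == "__main__":
    print(policy_scope(["demo:1", "demo:2", "demo:3", "demo:4"]))
```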

> -----Original Message-----
> From: Benjamin Armintor [mailto:[email protected]]
> Sent: Tuesday, June 26, 2012 4:31 PM
> To: Support and info exchange list for Fedora users.
> Subject: Re: [fcrepo-user] Collection-wide Policies in XACML
> 
> David-
>   The legacy authZ system doesn't operate on the RELS-EXT assertions
> out-of-the-box.  You can wire it in (if you're using Fedora 3.5) with
> some Spring configuration... if you look at the file called
> "policy-enforcement.xml" under $FEDORA_HOME/server/config/spring you
> should see a commented-out AttributeFinderModule that operates on the
> RELS-EXT data.  That code is somewhat experimental, but I can talk you
> through it if you decide to give it a go.  Before Fedora 3.5, you're
> out of luck.
> 
> - Ben
> 
> On Tue, Jun 26, 2012 at 4:23 PM, David Lacy <[email protected]> wrote:
> > Hi,
> >
> > I read a FAQ
> > [https://wiki.duraspace.org/pages/viewpage.action?pageId=27001145] that
> > suggests it is possible to apply a XACML policy to an object and have that
> > policy enforce its associated children who contain a rel:isMemberOf
> > relationship. Is this correct? I cannot find any examples of this working in
> > the wild and would love to learn specifically how it is done.
> >
> > I read the documentation that would accomplish this using the FESL authz
> > system, but I would prefer to use the legacy system for the time being.
> >
> > Any assistance would be greatly appreciated.
> >
> > David Lacy
> > Falvey Library Technology Services
> > Villanova University
> > library.villanova.edu
> > 610-519-7361
> >
> > ------------------------------------------------------------------------------
> > Live Security Virtual Conference
> > Exclusive live event will cover all the ways today's security and
> > threat landscape has changed and how IT managers can respond. Discussions
> > will include endpoint security, mobile security and the latest in malware
> > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> > _______________________________________________
> > Fedora-commons-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
> >
> 
