All, 

Question about targeting repository-wide XACML policies towards a specific 
datastream. I would like to permit all api-a requests to datastreams with an ID 
of "THUMBNAIL", but am having trouble getting this to override other 
object-specific deny policies. 


In fedora.fcfg, the setting is to allow "permits" to override: 

<param name="XACML-COMBINING-ALGORITHM" 
       value="com.sun.xacml.combine.PermitOverridesPolicyAlg"/> 




Repository wide policy in question looks something like this: 



<?xml version="1.0" encoding="UTF-8"?> 
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" 
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
        PolicyId="permit-apia-THUMBNAIL-datastream" 
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Description>Permits api-a on thumbnail datastreams</Description> 
  <Target> 
    <Subjects> 
      <AnySubject/> 
    </Subjects> 
    <Resources> 
      <Resource> 
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> 
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">THUMBNAIL</AttributeValue> 
          <ResourceAttributeDesignator 
              AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:id" 
              DataType="http://www.w3.org/2001/XMLSchema#string"/> 
        </ResourceMatch> 
      </Resource> 
      <Resource> 
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> 
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">THUMB_1</AttributeValue> 
          <ResourceAttributeDesignator 
              AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:id" 
              DataType="http://www.w3.org/2001/XMLSchema#string"/> 
        </ResourceMatch> 
      </Resource> 
    </Resources> 
    <Actions> 
      <AnyAction/> 
    </Actions> 
  </Target> 
  <Rule Effect="Permit" RuleId="1"/> 
</Policy> 



Requests fail when trying to access objects with this object-specific policy in 
the POLICY datastream: 



<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" 
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
        PolicyId="permit-apia-unrestricted" 
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Description>Permits api-a access to campus computer. This rule is IP based. IP 
  ranges included: [CAMPUS IP ADDRESSES HERE] </Description> 
  <Target> 
    <Subjects> 
      <AnySubject></AnySubject> 
    </Subjects> 
    <Resources> 
      <AnyResource></AnyResource> 
    </Resources> 
    <Actions> 
      <Action> 
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> 
          <AttributeValue 
              DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:api-a</AttributeValue>
          <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:api" 
              DataType="http://www.w3.org/2001/XMLSchema#string"></ActionAttributeDesignator> 
        </ActionMatch> 
      </Action> 
    </Actions> 
  </Target> 
  <Rule Effect="Permit" RuleId="1"> 
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:or"> 
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match"> 
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">[CAMPUS IP 
ADDRESSES HERE]</AttributeValue> 
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only"> 
          <EnvironmentAttributeDesignator 
              AttributeId="urn:fedora:names:fedora:2.1:environment:httpRequest:clientIpAddress"
              DataType="http://www.w3.org/2001/XMLSchema#string"></EnvironmentAttributeDesignator>
        </Apply> 
      </Apply> 
    </Condition> 
  </Rule> 
</Policy> 


Is it possible, when combining all "permits" and "denies", to have a 
repository-wide "permit" override an object-specific policy? I would have 
thought accessing a datastream with the ID "THUMBNAIL" would have prompted a 
"permit" from the repo-wide policy, thereby allowing that request given the 
"PermitOverridesPolicyAlg" algorithm. Or if that's not doable, is it possible 
to rewrite the object-specific policy to allow for datastreams with the ID of 
"THUMBNAIL" to be accessed? 


On a related note, for debugging XACML policies, is there any way to see the 
breakdown of how policies were combined for a given request? 


many thanks, 
Graham 
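The two questions above (how policy-level combining treats a repository-wide Permit next to object-specific policies, and how to see the per-policy breakdown for a request) can be worked through with a small model of XACML evaluation. The following is an added example written for this page, not code from the post, from Fedora or from Sun's XACML engine: it models the two policies shown in the post as Python objects, adds a constructed object-specific Deny policy (`deny-apia-off-campus`, an assumption standing in for the "other object-specific deny policies" the post mentions), uses the constructed network 192.0.2.0/24 in place of [CAMPUS IP ADDRESSES HERE], and reports each policy's own decision alongside the combined decision under permit-overrides, deny-overrides and first-applicable. Indeterminate results are deliberately not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"
API_A = "urn:fedora:names:fedora:2.1:action:api-a"
# Constructed stand-in for the "[CAMPUS IP ADDRESSES HERE]" range in the post.
CAMPUS_NET = ipaddress.ip_network("192.0.2.0/24")


def combine(alg: str, decisions: List[str]) -> str:
    """XACML combining algorithms, applied to a list of rule or policy decisions."""
    if alg == "permit-overrides":      # one Permit wins over any number of Denies
        return PERMIT if PERMIT in decisions else (DENY if DENY in decisions else NA)
    if alg == "deny-overrides":        # one Deny wins over any number of Permits
        return DENY if DENY in decisions else (PERMIT if PERMIT in decisions else NA)
    if alg == "first-applicable":      # first non-NotApplicable decision, in order
        return next((d for d in decisions if d != NA), NA)
    raise ValueError(f"unknown combining algorithm: {alg}")


@dataclass
class Rule:
    rule_id: str
    effect: str
    # A rule whose Condition evaluates to false is NotApplicable, not the opposite effect.
    condition: Optional[Callable[[Dict[str, str]], bool]] = None

    def evaluate(self, req: Dict[str, str]) -> str:
        return self.effect if self.condition is None or self.condition(req) else NA


@dataclass
class Policy:
    policy_id: str
    target: Callable[[Dict[str, str]], bool]   # models the <Target> element
    rules: List[Rule]
    rule_alg: str = "first-applicable"

    def evaluate(self, req: Dict[str, str]) -> str:
        if not self.target(req):                # target miss => NotApplicable
            return NA
        return combine(self.rule_alg, [r.evaluate(req) for r in self.rules])


def on_campus(req: Dict[str, str]) -> bool:
    return ipaddress.ip_address(req["clientIpAddress"]) in CAMPUS_NET


# Repository-wide policy from the post: any subject, datastream id THUMBNAIL or THUMB_1, any action.
repo_wide = Policy(
    "permit-apia-THUMBNAIL-datastream",
    target=lambda r: r.get("datastream:id") in ("THUMBNAIL", "THUMB_1"),
    rules=[Rule("1", PERMIT)],
)

# Object-specific policy from the post: api-a on any resource, Permit only if the client IP matches.
object_permit = Policy(
    "permit-apia-unrestricted",
    target=lambda r: r.get("action:api") == API_A,
    rules=[Rule("1", PERMIT, condition=on_campus)],
)

# Constructed object-specific Deny policy (assumption): api-a from off campus is denied.
object_deny = Policy(
    "deny-apia-off-campus",
    target=lambda r: r.get("action:api") == API_A,
    rules=[Rule("1", DENY, condition=lambda r: not on_campus(r))],
)

POLICIES = [repo_wide, object_permit, object_deny]


def decide(policy_alg: str, req: Dict[str, str]) -> Tuple[str, Dict[str, str]]:
    """Return the combined decision plus a per-policy breakdown (the trace the post asks for)."""
    trace = {p.policy_id: p.evaluate(req) for p in POLICIES}
    return combine(policy_alg, list(trace.values())), trace


if __name__ == "__main__":
    # Constructed requests: api-a on two datastreams, from off campus and from campus.
    for ds, ip in (("THUMBNAIL", "203.0.113.7"), ("FULL", "203.0.113.7"), ("FULL", "192.0.2.10")):
        req = {"datastream:id": ds, "action:api": API_A, "clientIpAddress": ip}
        for alg in ("permit-overrides", "deny-overrides", "first-applicable"):
            decision, trace = decide(alg, req)
            print(f"{ds:9} {ip:12} {alg:17} -> {decision:14} {trace}")
```

Two things the breakdown makes visible: under permit-overrides the repository-wide policy's Permit wins even when another policy returns Deny, whereas under deny-overrides the same request is denied; and a conditional Permit rule whose condition fails returns NotApplicable rather than Deny, so the object policy in the post never denies anything on its own. The model's target match on the datastream id is exact, as `string-equal` is in XACML, so the value compared must be exactly `THUMBNAIL` with no surrounding whitespace.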




_______________________________________________
Fedora-commons-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
