As a follow-up to the policy-wide vs. object-specific XACML question... 

Barring any success with a repository-wide XACML policy for opening all 
datastreams with the ID "THUMBNAIL", we are looking to open them up at the 
object level now. Our policy combining algorithm is 
"OrderedPermitOverridesPolicyAlg", with a blanket api-a and api-m "Deny". We 
are then opening up objects via their POLICY datastreams. It's worked quite 
nicely up until this point, and I'm hoping this won't require rethinking that 
arrangement. 


Onto the question... 


Any insight as to why this first object-specific policy would work, keying off 
resource:object:pid: 


<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        PolicyId="permit-apia-community-and-thumbnail"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Description>Permits API-A access to designated community, and to THUMBNAIL datastream</Description>
  <Target>
    <Subjects>
      <AnySubject></AnySubject>
    </Subjects>
    <Resources>
      <AnyResource></AnyResource>
    </Resources>
    <Actions>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:api-a</AttributeValue>
          <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:api"
                                     DataType="http://www.w3.org/2001/XMLSchema#string"></ActionAttributeDesignator>
        </ActionMatch>
      </Action>
    </Actions>
  </Target>

  <Rule Effect="Permit" RuleId="1">
    <Target>
      <Subjects>
        <AnySubject/>
      </Subjects>
      <Resources>
        <Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">foo:bar</AttributeValue>
            <!--LOOKING FOR PID ID "foo:bar"-->
            <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
                                         DataType="http://www.w3.org/2001/XMLSchema#string"></ResourceAttributeDesignator>
          </ResourceMatch>
        </Resource>
      </Resources>
      <Actions>
        <AnyAction/>
      </Actions>
    </Target>
  </Rule>

  <Rule Effect="Permit" RuleId="2">
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">XXX.XXX.*|XXX.XXX.*</AttributeValue>
        <!--IP RANGES HERE-->
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <EnvironmentAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:environment:httpRequest:clientIpAddress"
                                          DataType="http://www.w3.org/2001/XMLSchema#string"></EnvironmentAttributeDesignator>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>


But this one, keying off resource:datastream:id, would not? I can't seem to get 
the ResourceAttributeDesignator to ever fire when matching on datastream IDs, 
altIDs, mimeType, etc. 



<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        PolicyId="permit-apia-community-and-thumbnail"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Description>Permits API-A access to designated community, and to THUMBNAIL datastream</Description>
  <Target>
    <Subjects>
      <AnySubject></AnySubject>
    </Subjects>
    <Resources>
      <AnyResource></AnyResource>
    </Resources>
    <Actions>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:api-a</AttributeValue>
          <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:api"
                                     DataType="http://www.w3.org/2001/XMLSchema#string"></ActionAttributeDesignator>
        </ActionMatch>
      </Action>
    </Actions>
  </Target>

  <Rule Effect="Permit" RuleId="1">
    <Target>
      <Subjects>
        <AnySubject/>
      </Subjects>
      <Resources>
        <Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">THUMBNAIL</AttributeValue>
            <!--LOOKING FOR DATASTREAM ID "THUMBNAIL"-->
            <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:id"
                                         DataType="http://www.w3.org/2001/XMLSchema#string"></ResourceAttributeDesignator>
          </ResourceMatch>
        </Resource>
      </Resources>
      <Actions>
        <AnyAction/>
      </Actions>
    </Target>
  </Rule>

  <Rule Effect="Permit" RuleId="2">
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">XXX.XXX.*|XXX.XXX.*</AttributeValue>
        <!--IP RANGES HERE-->
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <EnvironmentAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:environment:httpRequest:clientIpAddress"
                                          DataType="http://www.w3.org/2001/XMLSchema#string"></EnvironmentAttributeDesignator>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>




Any help would be greatly appreciated; tangling with XACML is an exercise in 
patience... 


-Graham 

----- Original Message -----

From: "Graham S Hukill" <[email protected]> 
To: [email protected] 
Sent: Wednesday, September 18, 2013 4:34:26 PM 
Subject: [fcrepo-user] XACXML: repo-wide override object-specific policy 


All, 


Question about targeting repository-wide XACML policies towards a specific 
datastream. I would like to permit all api-a requests to datastreams with an ID 
of "THUMBNAIL", but am having trouble getting this to override other 
object-specific deny policies. 


In fedora.fcfg, the setting is to allow "permits" to override: 


<param name="XACML-COMBINING-ALGORITHM" 
value="com.sun.xacml.combine.PermitOverridesPolicyAlg"/> 




The repository-wide policy in question looks something like this: 



<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        PolicyId="permit-apia-THUMBNAIL-datastream"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Description>Permits api-a on thumbnail datastreams</Description>
  <Target>
    <Subjects>
      <AnySubject/>
    </Subjects>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">THUMBNAIL</AttributeValue>
          <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:id"
                                       DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ResourceMatch>
      </Resource>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">THUMB_1</AttributeValue>
          <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:id"
                                       DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ResourceMatch>
      </Resource>
    </Resources>
    <Actions>
      <AnyAction/>
    </Actions>
  </Target>
  <Rule Effect="Permit" RuleId="1"/>
</Policy>



Requests fail when trying to access objects with this object-specific policy in 
the POLICY datastream: 



<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        PolicyId="permit-apia-unrestricted"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Description>Permits api-a access to campus computer. This rule is IP based. IP ranges included: [CAMPUS IP ADDRESSES HERE]</Description>
  <Target>
    <Subjects>
      <AnySubject></AnySubject>
    </Subjects>
    <Resources>
      <AnyResource></AnyResource>
    </Resources>
    <Actions>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:api-a</AttributeValue>
          <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:api"
                                     DataType="http://www.w3.org/2001/XMLSchema#string"></ActionAttributeDesignator>
        </ActionMatch>
      </Action>
    </Actions>
  </Target>
  <Rule Effect="Permit" RuleId="1">
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">[CAMPUS IP ADDRESSES HERE]</AttributeValue>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
          <EnvironmentAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:environment:httpRequest:clientIpAddress"
                                          DataType="http://www.w3.org/2001/XMLSchema#string"></EnvironmentAttributeDesignator>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>


Is it possible, when combining all "permits" and "denies", to have a 
repository-wide "permit" override an object-specific policy? I would have 
thought accessing a datastream with the ID "THUMBNAIL" would have prompted a 
"permit" from the repo-wide policy, thereby allowing that request given the 
"PermitOverridesPolicyAlg" algorithm. Or if that's not doable, is it possible 
to rewrite the object-specific policy to allow datastreams with the ID of 
"THUMBNAIL" to be accessed? 


On a related note, for debugging XACML policies, is there any way to see the 
breakdown of how policies were combined for a given request? 


many thanks, 
Graham 





_______________________________________________ 
Fedora-commons-users mailing list 
[email protected] 
https://lists.sourceforge.net/lists/listinfo/fedora-commons-users 
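As an added example (not code from either of Graham's messages, nor from Fedora), here is a small Python model of the evaluation both messages describe: first-applicable rule combining inside each policy, PermitOverrides across a blanket repo-wide deny, the repo-wide THUMBNAIL permit and an object-level POLICY datastream, returning the per-policy breakdown for a request. Attribute names are shortened forms of the Fedora URNs in the policies above; the campus IP range and the requests are constructed.

```python
import re

# Added illustration only: a toy XACML 1.0 evaluator, not Fedora's Sun XACML engine.
# Attribute ids are shortened forms of the Fedora URNs used in the thread's policies.
PERMIT, DENY, NA = "Permit", "Deny", "NotApplicable"

def target_matches(target, ctx):
    # Per the spec, a designator for an attribute missing from the request yields an
    # empty bag, so the Match fails and the enclosing rule or policy is NotApplicable.
    return all(ctx.get(attr) == value for attr, value in target.items())

def eval_rule(rule, ctx):
    if not target_matches(rule.get("target", {}), ctx):
        return NA
    if not rule.get("condition", lambda c: True)(ctx):  # false Condition -> NotApplicable
        return NA
    return rule["effect"]

def eval_policy(policy, ctx):
    # Rule combining is first-applicable, as every policy in the thread declares.
    if not target_matches(policy.get("target", {}), ctx):
        return NA
    return next((d for d in (eval_rule(r, ctx) for r in policy["rules"]) if d != NA), NA)

def permit_overrides(policies, ctx):
    # PermitOverrides policy combining: any Permit wins, else any Deny, else NotApplicable.
    # The per-policy breakdown is returned as well, i.e. the trace Graham asks about.
    trace = {p["id"]: eval_policy(p, ctx) for p in policies}
    final = PERMIT if PERMIT in trace.values() else DENY if DENY in trace.values() else NA
    return final, trace

CAMPUS = re.compile(r"^192\.0\.2\..*")  # constructed stand-in for [CAMPUS IP ADDRESSES HERE]
POLICIES = [
    {"id": "deny-all", "target": {}, "rules": [{"effect": DENY}]},  # blanket api-a/api-m deny
    {"id": "permit-apia-THUMBNAIL-datastream",                       # repo-wide permit
     "target": {"datastream:id": "THUMBNAIL"}, "rules": [{"effect": PERMIT}]},
    {"id": "permit-apia-unrestricted",                               # object POLICY datastream
     "target": {"action:api": "api-a"},
     "rules": [{"effect": PERMIT,
                "condition": lambda c: bool(CAMPUS.match(c.get("clientIpAddress", "")))}]},
]

def decide(ctx):
    return permit_overrides(POLICIES, ctx)

if __name__ == "__main__":
    # Constructed requests: an off-campus client, with and without the datastream id attribute.
    base = {"action:api": "api-a", "object:pid": "foo:bar", "clientIpAddress": "203.0.113.9"}
    print(decide({**base, "datastream:id": "THUMBNAIL"}))  # Permit, with the per-policy trace
    print(decide(base))                                      # Deny, with the per-policy trace
```

The model shows the spec's target semantics: a ResourceMatch on an attribute the request context does not carry makes that policy NotApplicable, so the blanket Deny wins; whether a given Fedora API-A call populates resource:datastream:id is not something this thread settles. Separately, an AttributeValue whose text is split across lines carries that surrounding whitespace into a string-equal comparison unless the PDP trims it.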