Hello,

Thank you very much for the responses! You guys ROCK!!

I have another question regarding XACML policies. Here is the scenario.

1) I have objects with a POLICY DataStream embedded in them.
2) The POLICY says not to allow API-A or API-M (actually <Any Action/>) access to 
certain other data streams to anyone except the owner of the object.
3) But even when I have the policy in place, I can still see the data streams 
when I call the listDatastreams API, even though I cannot access them for 
operations, which makes sense. Is there a way that I can restrict the 
visibility of the datastreams completely for unauthorized users?
4) Just to let you know, I actually tried this policy system-wide but still 
encounter the same issues.


Here is the policy sample:


<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        PolicyId="deny-access-to-particular-datastreams"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Description>Deny Access to Specific Datastreams Unless Paid</Description>
  <Target>
    <Subjects>
      <AnySubject/>
    </Subjects>
    <Resources>
      <AnyResource/>
    </Resources>
    <Actions>
      <AnyAction/>
    </Actions>
  </Target>

  <Rule Effect="Deny" RuleId="1">
    <Target>
      <Subjects>
        <AnySubject/>
      </Subjects>
      <Resources>
        <Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">POLICY</AttributeValue>
            <ResourceAttributeDesignator
                AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:id"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ResourceMatch>
        </Resource>
        <Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">VMDK</AttributeValue>
            <ResourceAttributeDesignator
                AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:id"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ResourceMatch>
        </Resource>
        <Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">OVF</AttributeValue>
            <ResourceAttributeDesignator
                AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:id"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ResourceMatch>
        </Resource>
      </Resources>
      <Actions>
        <AnyAction/>
      </Actions>
    </Target>

    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <SubjectAttributeDesignator
            AttributeId="urn:fedora:names:fedora:2.1:subject:loginId"
            DataType="http://www.w3.org/2001/XMLSchema#string"
            MustBePresent="false"/>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">fedoraAdmin</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">john</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">joe</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule Effect="Permit" RuleId="2"/>
</Policy>


Thanks,
Vamsee


-----Original Message-----
From: [email protected] 
[mailto:[email protected]] 
Sent: Wednesday, March 03, 2010 2:19 AM
To: [email protected]
Subject: Fedora-commons-users Digest, Vol 37, Issue 3


Today's Topics:

   1. Re: Backing up fedora repositories (Chris Wilper)
   2. RDF ITQL query against date (Khaled Almahallawy)
   3. Re: Collections in Fedora (ps552)


----------------------------------------------------------------------

Message: 1
Date: Tue, 2 Mar 2010 21:01:44 -0500
From: Chris Wilper <[email protected]>
Subject: Re: [Fedora-commons-users] Backing up fedora repositories
To: Aaron Birkland <[email protected]>
Cc: [email protected]
Message-ID:
        <[email protected]>
Content-Type: text/plain; charset=UTF-8

On Tue, Mar 2, 2010 at 7:05 PM, Aaron Birkland <[email protected]> wrote:
>
>> I think (haven't tested it) if you also back up the DB tables used by Fedora
>> (and the triple store if enabled and thusly configured), you may be able to
>> skip the rebuild. You might want to try this first :-).
>
> That works, the trick is that the repository needs to be quiescent as
> you're backing up the files, databases, and triple store. If you can
> disable writes to your repository for a period of time, that would work.

One way to ensure writes are disabled for a period of time is via a
repository-wide policy.  This could be done during your backup window
while still allowing reads against the repository (e.g. for "warm"
backups).  For example:

1) Copy disable-writes.xml (see below) into your
$FEDORA_HOME/data/fedora-xacml-policies/repository-policies/default/
directory
2) Run $FEDORA_HOME/server/bin/fedora-reload-policies.sh http
[admin-user] [admin-pass] (this immediately makes any repo-wide policy
changes active without requiring a restart)
3) Wait a few minutes to let any in-progress writes complete.
4) Do a database+filesystem backup
5) Remove disable-writes.xml
6) Run fedora-reload-policies again

This could be scripted as part of a regular backup process.  Step #3
is not perfect, however: if you wait 5 minutes but someone is in the
middle of uploading a multi-GB file to the repository, you might still
get an inconsistent backup.

- Chris

disable-writes.xml (derived from deny-apim-if-not-localhost.xml):

<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        PolicyId="disable-writes"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Description>disable writes</Description>
  <Target>
    <Subjects>
      <AnySubject/>
    </Subjects>
    <Resources>
      <AnyResource/>
    </Resources>
    <Actions>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:api-m</AttributeValue>
          <ActionAttributeDesignator
              DataType="http://www.w3.org/2001/XMLSchema#string"
              AttributeId="urn:fedora:names:fedora:2.1:action:api"/>
        </ActionMatch>
      </Action>
    </Actions>
  </Target>
  <Rule RuleId="1" Effect="Deny"/>
</Policy>
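The six-step warm-backup procedure above, scripted the way Chris says it could be. This is an added example, not code from the original post or from the Fedora project; it assumes FEDORA_HOME, ADMIN_USER, ADMIN_PASS and BACKUP_CMD (the site's own database+filesystem backup command) are set by the caller, that disable-writes.xml is at POLICY_SRC, and that fedora-reload-policies.sh takes the `http [admin-user] [admin-pass]` arguments shown in step 2.

```sh
#!/bin/sh
# Warm-backup wrapper for the six steps above (added example, not from the
# original post). Assumes FEDORA_HOME, ADMIN_USER and ADMIN_PASS are set,
# disable-writes.xml is at $POLICY_SRC, and BACKUP_CMD holds the site's own
# database+filesystem backup command. SETTLE_SECS is the step-3 wait.
set -eu

policy_dir() {
    echo "$FEDORA_HOME/data/fedora-xacml-policies/repository-policies/default"
}

# Steps 2 and 6: activate repo-wide policy changes without a restart.
reload_policies() {
    "$FEDORA_HOME/server/bin/fedora-reload-policies.sh" http \
        "${ADMIN_USER:?}" "${ADMIN_PASS:?}"
}

# Steps 1 and 2: drop the deny-API-M policy into place and activate it.
freeze_writes() {
    cp "${POLICY_SRC:-./disable-writes.xml}" "$(policy_dir)/disable-writes.xml"
    reload_policies
}

# Steps 5 and 6: remove the policy and activate the change.
thaw_writes() {
    rm -f "$(policy_dir)/disable-writes.xml"
    reload_policies
}

# Steps 1 to 6 end to end. The EXIT/INT/TERM trap guarantees the repository
# is never left read-only if the backup command fails or the job is killed.
warm_backup() {
    trap thaw_writes EXIT INT TERM
    freeze_writes
    sleep "${SETTLE_SECS:-300}"      # step 3: best effort, as Chris notes
    if sh -c "$BACKUP_CMD"; then status=0; else status=$?; fi   # step 4
    trap - EXIT INT TERM
    thaw_writes
    return "$status"
}

if [ "${1:-}" = "--run" ]; then
    warm_backup
fi
```

The trap is the part worth keeping even if the rest is replaced: a backup job that dies between steps 2 and 5 otherwise leaves API-M denied for everyone until someone notices.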



------------------------------

Message: 2
Date: Wed, 3 Mar 2010 11:50:05 +0200
From: Khaled Almahallawy <[email protected]>
Subject: [Fedora-commons-users] RDF ITQL query against date
To: "'[email protected]'" <[email protected]>
Message-ID: <c61f84ef9bcacb44adcf9700547cb95703505aa...@sexgw3k-h2040.local.bibalex.dom>
Content-Type: text/plain; charset="us-ascii"

Dears,

I want to know how to query the RI against a date: what is the predicate I 
can use in ITQL for date comparison?

select $object
from <#ri>
where  $object <fedora-model:hasModel>  <info:fedora/MY-CModel>
and    $object <fedora-view:lastModifiedDate> $modified
and    $modified <???greaterthan???> '2010-02-22T12:54:59.265Z'

The links provided regarding the same issue in this 
post (http://www.fedora-commons.org/confluence/display/FCKB/mail/8752530) seem 
broken.

Thanks in advance.

Best Regards
___________________________
Khaled Almahallawy


------------------------------

Message: 3
Date: Wed, 3 Mar 2010 09:45:47 -0000
From: "ps552" <[email protected]>
Subject: Re: [Fedora-commons-users] Collections in Fedora
To: <[email protected]>
Message-ID: <[email protected]>
Content-Type: text/plain; charset="us-ascii"

We have our objects arranged into collections. We are using FOXML, so we
establish relationships using a RELS-EXT datastream. A collection object is
just another Fedora object, which has an rdf element like this example
(where the rdf:about is the pid of the collection object):

          <rdf:Description rdf:about="info:fedora/york:26">
            <rel:isCollection>true</rel:isCollection>
          </rdf:Description>

which says it is a collection.

A member of this collection would have a RELS-EXT datastream with the
element (where the rdf:about is the pid of the member object):

          <rdf:Description rdf:about="info:fedora/york:3243">
            <rel:isMemberOf rdf:resource="info:fedora/york:26" />
          </rdf:Description>

This could equally apply to a child collection of the parent collection,
in which case it would also include the element
<rel:isCollection>true</rel:isCollection>

Here's the full RELS-EXT datastream element for the parent collection above:


<foxml:datastream CONTROL_GROUP="X" ID="RELS-EXT" STATE="A" VERSIONABLE="true">
    <foxml:datastreamVersion CREATED="2009-01-12T14:23:20.112Z"
        ID="RELS-EXT.0" LABEL="Metadata" MIMETYPE="text/xml" SIZE="271">
      <foxml:contentDigest DIGEST="none" TYPE="DISABLED"/>
      <foxml:xmlContent>
        <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
                 xmlns:rel="info:fedora/fedora-system:def/relations-external#">
          <rdf:Description rdf:about="info:fedora/york:26">
            <rel:isCollection>true</rel:isCollection>
          </rdf:Description>
        </rdf:RDF>
      </foxml:xmlContent>
    </foxml:datastreamVersion>
  </foxml:datastream>


Our XACML policies are then applied to the collection objects (we are
currently using Muradora for this, with Fedora 2.2.4).


Cheers
Peri Stracchino
Digital Library Team
University of York
ext 4082 

From: Gottwig, Jeremy M. (GSFC-272.0)[ZIMMERMAN & ASSOC.]
[mailto:[email protected]] 
Sent: 02 March 2010 22:24
To: [email protected]
Subject: Re: [Fedora-commons-users] Collections in Fedora


I'm more of an interface developer, but I think I can point you in the right
direction.  Others may be able to elaborate.

As I understand it, you create collections by establishing relationships
between objects.  You will generally create a collection object (to which
you can apply an XACML policy if you desire), and using relational metadata,
you can relate other objects to the collection object.  This relational
metadata can be captured by your indexing application (such as Lucene or
Solr - look into GSearch to help you out here), meaning that you can specify
which collection you wish to search in your query.

You might get a good idea of how relationships work by examining the RDF
stuff here:

http://fedora-commons.org/confluence/display/FCR30/Digital+Object+Relationships


From: Vamsee Vanaparthy [mailto:[email protected]] 
Sent: Tuesday, March 02, 2010 4:29 PM
To: [email protected]
Subject: [Fedora-commons-users] Collections in Fedora


Hello Guys,

I have a small question and I really hope someone can quickly point me to
the right location.

How do we implement collections in Fedora Commons?  Can we have XACML
policies pertaining to a collection? And also I want to know if these
objects can be searched based on collection?

Can someone please point me to the right URL from the documentation? I just
can't seem to find it.

Thanks,
Vamsee


------------------------------

------------------------------

_______________________________________________
Fedora-commons-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fedora-commons-users


End of Fedora-commons-users Digest, Vol 37, Issue 3
***************************************************
