Hello

I solved my managed DC/RELS-EXT datastreams in METS worries - they are 
just regular datastreams, but with the particular ID attributes.

Now I'm stuck on using an external POLICY datastream. In a METS document, 
I have:

<mets OBJID="alfresco:a8d5f33f-b5d7-4a50-bb2f-d45acbbbd5bf" ...>
   ...
       <fileGrp ID="POLICY" VERSIONABLE="true" STATUS="A">
         <file ID="POLICY.0" MIMETYPE="text/xml" OWNERID="E">
           <FLocat xmlns:xlink="http://www.w3.org/1999/xlink" LOCTYPE="URL"
xlink:href="http://itspc-cs2/~archive/policy_service/policy_rps_data.xml"/>
         </file>
       </fileGrp>

The URL resolves to this document:

<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     PolicyId="deny-data-access-if-not-rps_reader"
     RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
   <Description>A policy to provide access to users with the rps_reader 
role</Description>
   <Target>
     <Subjects>
       <AnySubject/>
     </Subjects>
   </Target>
   <Rule RuleId="rps_data_rul1" Effect="Deny">
     <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
         <AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string">rps_reader</AttributeValue>
         <SubjectAttributeDesignator AttributeId="fedoraRole" 
DataType="http://www.w3.org/2001/XMLSchema#string"/>
       </Apply>
     </Condition>
   </Rule>
</Policy>

If I go to the object in a browser or a particular datastream, e.g.

http://.../fedora/objects/alfresco:a8d5f33f-b5d7-4a50-bb2f-d45acbbbd5bf or
http://.../fedora/objects/alfresco:a8d5f33f-b5d7-4a50-bb2f-d45acbbbd5bf/DS1,

then there is no prompting for authentication. If I then try to view the 
/datastreams for the object, then I am prompted for authentication. But 
the user who has "rps_reader" in their fedoraRole can't view the 
datastreams (getting Fedora: 403 NOTAPPLICABLE), only fedoraAdmin can.

Looking at fedora.log and fesl.log (both set to DEBUG), it doesn't look 
like my external policy is being used, let alone whether the XACML does 
what I want it to do.

Does anyone have a working example of an external policy covering many 
objects?

Thanks.

Swithun.

-- 
The University of St Andrews is a charity registered in Scotland: SC013532
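As an added example (not code from the post or from Fedora), a minimal Python evaluator for the posted policy, covering only the XACML 1.0 functions it uses (`not`, `string-is-in`) and an AnySubject target; the request is a constructed dict of subject attributes, and `evaluate` is a hypothetical name. Running it shows that a policy with a single Deny rule never yields Permit: a subject without `rps_reader` gets Deny, one with it gets NotApplicable, so the final decision depends on how the PDP treats NotApplicable.

```python
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:1.0:policy"}
FN = "urn:oasis:names:tc:xacml:1.0:function:"

# Constructed copy of the posted policy (only the parts the evaluator needs).
POLICY_XML = """<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
  PolicyId="deny-data-access-if-not-rps_reader"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target><Subjects><AnySubject/></Subjects></Target>
  <Rule RuleId="rps_data_rul1" Effect="Deny">
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">rps_reader</AttributeValue>
        <SubjectAttributeDesignator AttributeId="fedoraRole"
          DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </Apply>
    </Condition>
  </Rule>
</Policy>"""

def _eval(node, subject):
    """Evaluate a Condition/Apply/AttributeValue/Designator node against the subject attributes."""
    tag = node.tag.split("}")[1]
    if tag == "AttributeValue":
        return node.text
    if tag == "SubjectAttributeDesignator":
        # A designator yields the bag of values for that attribute (empty bag if absent).
        return list(subject.get(node.get("AttributeId"), []))
    fn = node.get("FunctionId")[len(FN):]
    args = [_eval(child, subject) for child in node]
    if fn == "not":
        return not args[0]
    if fn == "string-is-in":
        return args[0] in args[1]
    raise NotImplementedError(fn)

def evaluate(policy_xml, subject):
    """Return 'Permit', 'Deny' or 'NotApplicable' (first-applicable combining, AnySubject target)."""
    policy = ET.fromstring(policy_xml)
    for rule in policy.findall("x:Rule", NS):
        cond = rule.find("x:Condition", NS)
        if cond is None or _eval(cond, subject):
            return rule.get("Effect")   # first applicable rule decides
    return "NotApplicable"              # no rule matched: the policy is silent

if __name__ == "__main__":
    for roles in (["rps_reader"], ["staff"], []):
        print(roles, "->", evaluate(POLICY_XML, {"fedoraRole": roles}))
```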

_______________________________________________
Fedora-commons-users mailing list
Fedora-commons-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fedora-commons-users