Hi Swithun

Are you using FeSL AuthZ? What does your $FEDORA_HOME/install/install.properties have for

xacml.enabled
fesl.authz.enabled

Steve

> -----Original Message-----
> From: Swithun Crowe [mailto:c...@st-andrews.ac.uk]
> Sent: 21 April 2011 15:00
> To: Support and info exchange list for Fedora users.
> Subject: [fcrepo-user] POLICY datastream
>
> Hello
>
> I solved my managed DC/RELS-EXT datastreams in METS worries - they are
> just regular datastreams, but with the particular ID attributes.
>
> Now I'm stuck on using an external POLICY datastream. In a METS document,
> I have:
>
> <mets OBJID="alfresco:a8d5f33f-b5d7-4a50-bb2f-d45acbbbd5bf" ...>
>   ...
>   <fileGrp ID="POLICY" VERSIONABLE="true" STATUS="A">
>     <file ID="POLICY.0" MIMETYPE="text/xml" OWNERID="E">
>       <FLocat xmlns:xlink="http://www.w3.org/1999/xlink" LOCTYPE="URL"
>               xlink:href="http://itspc-cs2/~archive/policy_service/policy_rps_data.xml"/>
>     </file>
>   </fileGrp>
>
> The URL resolves to this document:
>
> <Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
>         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>         PolicyId="deny-data-access-if-not-rps_reader"
>         RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
>   <Description>A policy to provide access to users with the rps_reader role</Description>
>   <Target>
>     <Subjects>
>       <AnySubject/>
>     </Subjects>
>   </Target>
>   <Rule RuleId="rps_data_rul1" Effect="Deny">
>     <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
>       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
>         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">rps_reader</AttributeValue>
>         <SubjectAttributeDesignator AttributeId="fedoraRole"
>                                     DataType="http://www.w3.org/2001/XMLSchema#string"/>
>       </Apply>
>     </Condition>
>   </Rule>
> </Policy>
>
> If I go to the object in a browser or a particular datastream, e.g.
> http://.../fedora/objects/alfresco:a8d5f33f-b5d7-4a50-bb2f-d45acbbbd5bf or
> http://.../fedora/objects/alfresco:a8d5f33f-b5d7-4a50-bb2f-d45acbbbd5bf/DS1,
> then there is no prompting for authentication. If I then try to view the
> /datastreams for the object, then I am prompted for authentication. But the
> user who has "rps_reader" in their fedoraRole can't view the datastreams
> (getting Fedora: 403 NOTAPPLICABLE), only fedoraAdmin can.
>
> Looking at fedora.log and fesl.log (both set to DEBUG), it doesn't look like
> my external policy is being used, let alone whether the XACML does what I
> want it to do.
>
> Does anyone have a working example of an external policy covering many
> objects?
>
> Thanks.
>
> Swithun.
>
> --
> The University of St Andrews is a charity registered in Scotland: SC013532
>
> ------------------------------------------------------------------------------
> Benefiting from Server Virtualization: Beyond Initial Workload Consolidation --
> Increasing the use of server virtualization is a top priority. Virtualization
> can reduce costs, simplify management, and improve application availability
> and disaster protection. Learn more about boosting the value of server
> virtualization.
> http://p.sf.net/sfu/vmware-sfdev2dev
> _______________________________________________
> Fedora-commons-users mailing list
> Fedora-commons-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
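Added example, not part of the thread above and not Fedora's or FeSL's own policy decision point: a minimal evaluator for exactly the XACML 1.0 constructs the quoted policy uses (an AnySubject target, first-applicable rule combining, the `not` and `string-is-in` functions, and a SubjectAttributeDesignator for fedoraRole). Running the quoted policy through it shows the decisions it can produce for a subject's fedoraRole values before the policy is deployed: in XACML a rule whose Condition evaluates to false is NotApplicable rather than the opposite effect, so this policy yields Deny for subjects without rps_reader and NotApplicable for subjects holding it, and never Permit. The sample subjects are constructed; the policy text is the one from the thread.

```python
"""Toy XACML 1.0 evaluator for the policy quoted in the thread.

This is an added illustration, not Fedora's or FeSL's PDP.  It supports only
the constructs that policy uses and raises NotImplementedError for anything
else, so it cannot silently mis-evaluate a policy it does not understand.
"""
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:1.0:policy"
FN = "urn:oasis:names:tc:xacml:1.0:function:"


def tag(local):
    """Qualify a local element name with the XACML 1.0 policy namespace."""
    return "{%s}%s" % (XACML_NS, local)


# The policy from the thread, embedded so the script runs offline.
POLICY_XML = """<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    PolicyId="deny-data-access-if-not-rps_reader"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Description>A policy to provide access to users with the rps_reader role</Description>
  <Target><Subjects><AnySubject/></Subjects></Target>
  <Rule RuleId="rps_data_rul1" Effect="Deny">
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">rps_reader</AttributeValue>
        <SubjectAttributeDesignator AttributeId="fedoraRole"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </Apply>
    </Condition>
  </Rule>
</Policy>"""


def evaluate_expr(node, subject_attrs):
    """Evaluate an expression element against a dict of subject attributes.

    AttributeValue and function applications return a single value; an
    attribute designator returns a bag (list) of all values of that
    attribute, which is empty when the subject lacks the attribute.
    """
    local = node.tag.split("}")[1]
    if local == "AttributeValue":
        return node.text or ""
    if local == "SubjectAttributeDesignator":
        return list(subject_attrs.get(node.get("AttributeId"), []))
    if local in ("Apply", "Condition"):
        fn = node.get("FunctionId")
        args = [evaluate_expr(child, subject_attrs) for child in node]
        if fn == FN + "not":
            return not args[0]
        if fn == FN + "string-is-in":
            # string-is-in(value, bag): true iff the value occurs in the bag
            return args[0] in args[1]
        raise NotImplementedError("function not supported by this toy PDP: " + fn)
    raise NotImplementedError("element not supported by this toy PDP: " + local)


def evaluate_rule(rule, subject_attrs):
    """A rule without a Target matches every request; a false Condition makes it NotApplicable."""
    condition = rule.find(tag("Condition"))
    applies = True if condition is None else evaluate_expr(condition, subject_attrs)
    return rule.get("Effect") if applies else "NotApplicable"


def evaluate_policy(policy_xml, subject_attrs):
    """Return Permit, Deny or NotApplicable for the subject under first-applicable combining."""
    policy = ET.fromstring(policy_xml)
    alg = policy.get("RuleCombiningAlgId", "")
    if not alg.endswith(":first-applicable"):
        raise NotImplementedError("only first-applicable combining is implemented")
    # The quoted policy's Target is <AnySubject/>, so every request matches it;
    # the first rule that is not NotApplicable decides the outcome.
    for rule in policy.findall(tag("Rule")):
        decision = evaluate_rule(rule, subject_attrs)
        if decision != "NotApplicable":
            return decision
    return "NotApplicable"


if __name__ == "__main__":
    # Constructed sample subjects: with the role, without it, and with no roles at all.
    for roles in (["rps_reader"], ["staff"], []):
        print(roles, "->", evaluate_policy(POLICY_XML, {"fedoraRole": roles}))
```

The run prints NotApplicable for the rps_reader subject and Deny for the other two, which is consistent with the 403 NOTAPPLICABLE reported in the thread; it says nothing about whether Fedora actually loaded the POLICY datastream, which is the separate question the DEBUG logs are meant to settle. One caveat a reviewer of such a setup would raise: because the policy is fetched from an external URL over plain http, whoever controls that host and the path to it controls the access rules for every object that references it.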