Hi Swithun

Unfortunately FeSL isn't that well documented at present, I'm hoping to add
some additional documentation as part of the next release.

In FeSL, all XACML policies are stored as datastreams in Fedora objects.  So
you can either have separate Fedora objects for each policy (with FESLPOLICY
datastreams), or you can add a FESLPOLICY datastream to existing objects.

The pdp/policies directory contains bootstrap policies that are loaded into
Fedora when the server first starts - if you do a search you should see
Fedora objects that are created with these policies.  The intent isn't that
this directory should be used for your own policies, you should instead
create Fedora objects for these (as the server does for these policies when
it starts).  Though in this case as you've discovered, adding a policy to
this directory will result in a policy object being created (but an
important caveat in using this directory is that if you modify a policy in
pdp/policies, the Fedora object will not be updated - the objects are
created once and only once when the server starts).

It is the XACML policy that specifies what resources it applies to, rather
than a Fedora object specifying which policies apply.  This is somewhat
different to the existing XACML implementation, where, if a POLICY
datastream is added to an object there is an implied specification in the
policy that it applies to that object (that's not exactly the mechanism, but
the effect is the same).  This is not the case in FeSL, where for instance
adding a FESLPOLICY datastream to an object where the Resources section of
the policy is not present will result in the policy applying to all objects.
To specify that the policy applies to the object containing the FESLPOLICY
datastream it is necessary to specify that in the policy.

XACML policies specify which resources they apply to using the Resources
sub-element of the XACML Target element.

FeSL uses the XACML hierarchical resources profile, so policies can be
applied to all members of a collection for example.

An example of this (actually from the public-demoObjectCollection policy in
pdp/poi):

  <Resources>
    <Resource>
      <!-- to view everything under the resource collection -->
      <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/demo:demoObjectCollection/.*</AttributeValue>
        <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                     DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
      </ResourceMatch>
    </Resource>
    <Resource>
      <!-- to view the resource collection itself -->
      <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">/demo:demoObjectCollection</AttributeValue>
        <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                                     DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
      </ResourceMatch>
    </Resource>
  </Resources>

It is also possible to specify additional resource attributes such as the
PID of the resource, a datastream identifier etc.

In the forthcoming Fedora 3.5 release it is possible to define additional
XACML resource attributes sourced from object relationships (eg via the
resource index).

So for example it would be possible to define a XACML resource attribute
with an ID "http://example.org/objectProperties#policy", define this as a
relationship in RELS-EXT, and specify the target of the relationship as the
name of a policy.

Then in the XACML policy you could specify this as a
ResourceAttributeDesignator, and use an AttributeValue to specify the name
of the policy.  Thus the policy resource attribute value matches this custom
object property; thus effectively the object can define which policies apply
to it.

What are your use cases for applying policies to objects?  Maybe a few
examples might help and I can suggest some ways of implementing these.

Regards
Steve
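An added example, not code from this thread or from FeSL itself: a small evaluator for the Resources target Steve quotes, which a policy author can run over candidate resource ids to see which objects a FESLPOLICY datastream would actually cover before loading it. It assumes the XACML 2.0 policy namespace and whole-string semantics for regexp-match; the sample policy and resource ids are constructed.

```python
import re
import xml.etree.ElementTree as ET
# Added example, not from the thread or FeSL. Assumes the XACML 2.0 policy
# namespace (the regexp MatchId in the excerpt is a 2.0 function).
X = "{urn:oasis:names:tc:xacml:2.0:policy:schema:os}"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
FUNCS = {  # only the two match functions the excerpt uses; regexp-match is
    # whole-string in XACML (XML Schema regex), hence fullmatch (assumption)
    "urn:oasis:names:tc:xacml:1.0:function:anyURI-equal": lambda w, g: w == g,
    "urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match":
        lambda w, g: re.fullmatch(w, g) is not None,
}

# Constructed policy, trimmed to a Target carrying the Resources block above.
COLLECTION_POLICY = f"""<Policy xmlns="{X[1:-1]}"><Target><Resources>
 <Resource><ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/demo:demoObjectCollection/.*</AttributeValue>
  <ResourceAttributeDesignator AttributeId="{RESOURCE_ID}" DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
 </ResourceMatch></Resource>
 <Resource><ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">/demo:demoObjectCollection</AttributeValue>
  <ResourceAttributeDesignator AttributeId="{RESOURCE_ID}" DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
 </ResourceMatch></Resource>
</Resources></Target></Policy>"""
# The same policy with no Resources section: per Steve, it then applies to every object.
UNSCOPED_POLICY = f'<Policy xmlns="{X[1:-1]}"><Target/></Policy>'

def resource_match(match, attrs):
    """One <ResourceMatch>: MatchId function over AttributeValue and each designated value."""
    fn = FUNCS[match.get("MatchId")]
    want = match.find(X + "AttributeValue").text.strip()
    attr_id = match.find(X + "ResourceAttributeDesignator").get("AttributeId")
    return any(fn(want, got) for got in attrs.get(attr_id, []))

def target_applies(policy_xml, attrs):
    """Does Target/Resources cover these attributes? Any one <Resource> suffices; within it every <ResourceMatch> must hold."""
    resources = ET.fromstring(policy_xml).find(X + "Target/" + X + "Resources")
    if resources is None:  # no Resources section: matches everything
        return True
    return any(all(resource_match(m, attrs) for m in r.findall(X + "ResourceMatch"))
               for r in resources.findall(X + "Resource"))

def covered(policy_xml, resource_ids):
    """Which of the given hierarchical resource ids the policy applies to."""
    return [r for r in resource_ids if target_applies(policy_xml, {RESOURCE_ID: [r]})]

# Constructed ids: the collection, a member under it, and two that must not match.
SAMPLE_IDS = ["/demo:demoObjectCollection", "/demo:demoObjectCollection/demo:1",
              "/demo:demoObjectCollectionX", "/demo:otherObject"]
```

The attrs dict can carry further resource attributes (PID, datastream id, or the RELS-EXT-sourced property Steve describes for 3.5) alongside resource-id, so the same evaluator shows a policy that keys on a custom object property.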



-----Original Message-----
From: Swithun Crowe [mailto:c...@st-andrews.ac.uk] 
Sent: 04 May 2011 12:53
To: Support and info exchange list for Fedora users.
Subject: Re: [fcrepo-user] POLICY datastream


Hello

Sorry about the delay in getting back about this - holidays got in the 
way.

SB> Is it your intent to use FeSL AuthZ?

Yes, I want to use the new FeSL authZ (among other authz mechanisms).

SB> If so, you'll need FESLPOLICY datastreams rather than POLICY 
SB> datastreams.

OK. I have a policy which works if I copy it to pdp/policy-db, but not 
when it is referenced as an E(xternal) datastream, which is what you say 
below:

SB> Also, by default the policy in an object's datastream will not apply
SB> to that object - you will need to specify the policy in the Resources 
SB> target.

I don't understand the bit about specifying a policy in the Resources 
target. Are there any examples of an external FESLPOLICY datastream, or 
something which has the same effect? What I would like to achieve is to 
store my policies outside Fedora, and have many objects referencing the 
same policy.

Thanks for all the help so far.

Swithun.

-- 
The University of St Andrews is a charity registered in Scotland: SC013532

_______________________________________________
Fedora-commons-users mailing list Fedora-commons-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fedora-commons-users

