Hi all,
I'm a brand new fedora user and I'm having troubles setting up a basic
XACML rule using FESL AuthZ (Fedora repo version 3.4.2)
The rule is very simple, I want to grant a user called "testUser" with
r/w permissions but, in the meanwhile, I want to deny exporting objects
or datastreams.
The XACML I wrote is as follow and saved inside a FESLPOLICY datastream
of a new created fedora-policy object.
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
PolicyId="access-admin"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"
xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-policy-schema-os.xsd
urn:oasis:names:tc:xacml:2.0:context:schema:os
http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd";>
<Description>A policy to provide access to the testUser</Description>
<Target>
<Subjects>
<Subject>
<SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string";>testUser</AttributeValue>
<SubjectAttributeDesignator
AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
DataType="http://www.w3.org/2001/XMLSchema#string";></SubjectAttributeDesignator>
</SubjectMatch>
</Subject>
</Subjects>
<Actions>
<Action>
<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string";>urn:fedora:names:fedora:2.1:action:api-a</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:fedora:names:fedora:2.1:action:api"
DataType="http://www.w3.org/2001/XMLSchema#string";></ActionAttributeDesignator>
</ActionMatch>
</Action>
<Action>
<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string";>urn:fedora:names:fedora:2.1:action:api-m</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:fedora:names:fedora:2.1:action:api"
DataType="http://www.w3.org/2001/XMLSchema#string";></ActionAttributeDesignator>
</ActionMatch>
</Action>
<Action>
<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string";>write</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:fedora:names:fedora:2.1:action:id"
DataType="http://www.w3.org/2001/XMLSchema#string";></ActionAttributeDesignator>
</ActionMatch>
</Action>
<Action>
<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string";>read</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:fedora:names:fedora:2.1:action:id"
DataType="http://www.w3.org/2001/XMLSchema#string";></ActionAttributeDesignator>
</ActionMatch>
</Action>
</Actions>
</Target>
<Rule Effect="Deny" RuleId="1">
<Target>
<Subjects>
<AnySubject/>
</Subjects> <Resources><AnyResource/></Resources>
<Actions>
<Action>
<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string";>urn:fedora:names:fedora:2.1:action:id-export</AttributeValue>
<ActionAttributeDesignator
AttributeId="urn:fedora:names:fedora:2.1:action:id"
DataType="http://www.w3.org/2001/XMLSchema#string";></ActionAttributeDesignator>
</ActionMatch>
</Action>
</Actions>
</Target>
</Rule>
<Rule Effect="Permit" RuleId="2"></Rule>
</Policy>
This rule is always validated as permitted, so it never validate the
deny rule as true.... Why?
Thanks for any help or tips. This is driving me crazy :(
Enrico
------------------------------------------------------------------------------
Simplify data backup and recovery for your virtual environment with vRanger.
Installation's a snap, and flexible recovery options mean your data is safe,
secure and there when you need it. Discover what all the cheering's about.
Get your free trial download today.
http://p.sf.net/sfu/quest-dev2dev2
_______________________________________________
Fedora-commons-users mailing list
Fedora-commons-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
