Hi Steve,

Thanks a lot for the quick response. I just rewrote the XACML as you suggested (below), but I'm still having the same issue.

Basically, to test it I log on to the admin console as testUser on http://[host]:8080/fedora/admin. Then I try to search for objects, and it works. Then I select an object and try to export it (both the entire object and/or a datastream inside the object...), and the result is that I can actually export the object, even though the expected result would be an AuthZ denial...

Any further tips would be really appreciated.
Many thanks and regards,
Enrico

<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicyId="access-admin" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides" xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-policy-schema-os.xsd urn:oasis:names:tc:xacml:2.0:context:schema:os http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd">
  <Description>A policy to provide access to the testUser</Description>
  <Target>
    <Subjects>
      <Subject>
        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">testUser</AttributeValue>
          <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"></SubjectAttributeDesignator>
        </SubjectMatch>
      </Subject>
    </Subjects>
  </Target>
  <Rule Effect="Deny" RuleId="au:edu:mq:melcoe:ramp:fedora:xacml:2.0:rule:generic-permit">
    <Target>
      <Actions>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-export</AttributeValue>
            <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id" DataType="http://www.w3.org/2001/XMLSchema#string"></ActionAttributeDesignator>
          </ActionMatch>
        </Action>
      </Actions>
    </Target>
  </Rule>
  <Rule Effect="Permit" RuleId="au:edu:mq:melcoe:ramp:fedora:xacml:2.0:rule:generic-permit2"></Rule>
</Policy>

________________________________________
From: Steve Bayliss [stephen.bayl...@acuityunlimited.net]
Sent: Tuesday, June 07, 2011 3:21 PM
To: 'Support and info exchange list for Fedora users.'
Subject: Re: [fcrepo-user] XACMLs...
Hi Enrico

A couple of things you might want to look at:

- in your Rule you are using AnySubject and AnyResource elements - these are XACML 1.0 and are not in XACML 2.0. To specify 'any', just omit the Subjects/Resources elements entirely.
- in the main Target of your policy you seem effectively to be specifying every action (read, write, plus all API-A and API-M) - if your intention here is to specify all actions then you can omit the Actions element from the target.

Steve

________________________________
From: Enrico Anello (OEKM) [mailto:enrico.ane...@fao.org]
Sent: 06 June 2011 11:03
To: fedora-commons-users@lists.sourceforge.net
Subject: [fcrepo-user] XACMLs...

Hi all,

I'm a brand new Fedora user and I'm having trouble setting up a basic XACML rule using FESL AuthZ (Fedora repo version 3.4.2).

The rule is very simple: I want to grant a user called "testUser" r/w permissions but, at the same time, I want to deny exporting objects or datastreams.

The XACML I wrote is as follows and is saved inside a FESLPOLICY datastream of a newly created fedora-policy object.
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicyId="access-admin" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides" xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-policy-schema-os.xsd urn:oasis:names:tc:xacml:2.0:context:schema:os http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd">
  <Description>A policy to provide access to the testUser</Description>
  <Target>
    <Subjects>
      <Subject>
        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">testUser</AttributeValue>
          <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"></SubjectAttributeDesignator>
        </SubjectMatch>
      </Subject>
    </Subjects>
    <Actions>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:api-a</AttributeValue>
          <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:api" DataType="http://www.w3.org/2001/XMLSchema#string"></ActionAttributeDesignator>
        </ActionMatch>
      </Action>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:api-m</AttributeValue>
          <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:api" DataType="http://www.w3.org/2001/XMLSchema#string"></ActionAttributeDesignator>
        </ActionMatch>
      </Action>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
          <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id" DataType="http://www.w3.org/2001/XMLSchema#string"></ActionAttributeDesignator>
        </ActionMatch>
      </Action>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
          <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id" DataType="http://www.w3.org/2001/XMLSchema#string"></ActionAttributeDesignator>
        </ActionMatch>
      </Action>
    </Actions>
  </Target>
  <Rule Effect="Deny" RuleId="1">
    <Target>
      <Subjects>
        <AnySubject/>
      </Subjects>
      <Resources>
        <AnyResource/>
      </Resources>
      <Actions>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-export</AttributeValue>
            <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id" DataType="http://www.w3.org/2001/XMLSchema#string"></ActionAttributeDesignator>
          </ActionMatch>
        </Action>
      </Actions>
    </Target>
  </Rule>
  <Rule Effect="Permit" RuleId="2"></Rule>
</Policy>

This rule is always evaluated as permitted, so it never evaluates the deny rule as true.... Why?

Thanks for any help or tips.
This is driving me crazy :(

Enrico
_______________________________________________
Fedora-commons-users mailing list
Fedora-commons-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
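The behaviour Enrico reports is what the XACML 2.0 rule-combining algorithms predict for his second policy: the trailing Permit rule has no Target, so it applies to every request the policy targets, and under permit-overrides a single applicable Permit beats any Deny. Switching the policy to deny-overrides, or to first-applicable with the Deny rule listed first, makes the export Deny win. The toy evaluator below is an added example, not Fedora/FESL code and not anything Enrico or Steve posted; it implements only the pieces the thread's policy uses (string-equal matches on the subject-id and action-id attributes, absent blocks meaning "any", and the three combining algorithms), runs a constructed copy of the second policy under each algorithm, and rejects the XACML 1.0 AnySubject element Steve pointed out. The non-export action id used in the test is assumed for illustration. Two caveats for the real repository: FESL's PDP is a full XACML engine, and the decision the user sees is also shaped by how the policy set combines this policy with every other loaded policy, so verify the end-to-end decision against the running instance, not just this one policy.

```python
"""Toy XACML 2.0 evaluator covering only what the thread's policy uses.
Added example; not Fedora/FESL code (FESL's real PDP is a full XACML engine)."""
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:2.0:policy:schema:os"}
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
ALG = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ACTION_ID = "urn:fedora:names:fedora:2.1:action:id"
EXPORT = "urn:fedora:names:fedora:2.1:action:id-export"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"

# Constructed copy of the second policy posted in the thread (schemaLocation
# dropped). The combining algorithm is a placeholder so one policy runs 3 ways.
POLICY = f"""<Policy xmlns="{NS['x']}" PolicyId="access-admin" RuleCombiningAlgId="{{alg}}">
  <Target><Subjects><Subject>
    <SubjectMatch MatchId="{STRING_EQUAL}">
      <AttributeValue DataType="{XS_STRING}">testUser</AttributeValue>
      <SubjectAttributeDesignator AttributeId="{SUBJECT_ID}" DataType="{XS_STRING}"/>
    </SubjectMatch>
  </Subject></Subjects></Target>
  <Rule Effect="Deny" RuleId="deny-export"><Target><Actions><Action>
    <ActionMatch MatchId="{STRING_EQUAL}">
      <AttributeValue DataType="{XS_STRING}">{EXPORT}</AttributeValue>
      <ActionAttributeDesignator AttributeId="{ACTION_ID}" DataType="{XS_STRING}"/>
    </ActionMatch>
  </Action></Actions></Target></Rule>
  <Rule Effect="Permit" RuleId="permit-everything-else"/>
</Policy>"""


def _category_matches(block, request):
    """One <Subjects>/<Resources>/<Actions> block. Absent block = any (XACML 2.0)."""
    if block is None:
        return True
    for entry in block:  # each <Subject>/<Resource>/<Action> is a disjunct
        if entry.tag.endswith(("AnySubject", "AnyResource", "AnyAction")):
            raise ValueError(f"{entry.tag} is XACML 1.0 syntax; omit the block in 2.0")
        matches = []
        for m in entry:  # every <SubjectMatch>/<ActionMatch> in the entry must hold
            if m.get("MatchId") != STRING_EQUAL:
                raise ValueError("unsupported MatchId " + str(m.get("MatchId")))
            value = m.find("x:AttributeValue", NS).text
            attr = next(c for c in m if c.tag.endswith("AttributeDesignator")).get("AttributeId")
            matches.append(request.get(attr) == value)
        if all(matches):
            return True
    return False


def _target_matches(target, request):
    """An absent <Target> (e.g. a bare Permit rule) matches every request."""
    if target is None:
        return True
    return all(_category_matches(target.find("x:" + cat, NS), request)
               for cat in ("Subjects", "Resources", "Actions"))


def evaluate(policy_xml, request):
    """Return Permit / Deny / NotApplicable for a flat request {attribute-id: value}."""
    root = ET.fromstring(policy_xml)
    if not _target_matches(root.find("x:Target", NS), request):
        return "NotApplicable"
    alg = root.get("RuleCombiningAlgId")
    effects = [r.get("Effect") for r in root.findall("x:Rule", NS)
               if _target_matches(r.find("x:Target", NS), request)]
    if alg == ALG + "permit-overrides":
        order = ("Permit", "Deny")       # any applicable Permit wins
    elif alg == ALG + "deny-overrides":
        order = ("Deny", "Permit")       # any applicable Deny wins
    elif alg == ALG + "first-applicable":
        order = tuple(effects[:1])       # document order decides
    else:
        raise ValueError("unsupported RuleCombiningAlgId " + str(alg))
    return next((e for e in order if e in effects), "NotApplicable")


def decide(alg_suffix, user, action):
    """Run the thread's policy with the chosen rule-combining algorithm."""
    request = {SUBJECT_ID: user, ACTION_ID: action}
    return evaluate(POLICY.format(alg=ALG + alg_suffix), request)


def rejects_xacml1_any(alg_suffix="deny-overrides"):
    """The first policy in the thread used <AnySubject/>; show a 2.0 parser refuses it."""
    legacy = POLICY.format(alg=ALG + alg_suffix).replace(
        '<Rule Effect="Deny" RuleId="deny-export"><Target>',
        '<Rule Effect="Deny" RuleId="deny-export"><Target><Subjects><AnySubject/></Subjects>')
    try:
        evaluate(legacy, {SUBJECT_ID: "testUser", ACTION_ID: EXPORT})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for alg in ("permit-overrides", "deny-overrides", "first-applicable"):
        print(f"{alg:18} testUser export -> {decide(alg, 'testUser', EXPORT)}")
```

Running the script prints the decision for an export by testUser under each algorithm; only permit-overrides yields Permit. A request from a user the policy does not target comes back NotApplicable, which in a deployed PDP means some other policy, or the default when none applies, makes the call. The practitioner check this illustrates: any policy that ends with an unconditional Permit rule under permit-overrides cannot deny anything, so review the RuleCombiningAlgId whenever a Deny rule appears not to fire.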