Hi Enrico

I see you have
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"

I wonder if that could be the issue?

Steve

> -----Original Message-----
> From: Anello, Enrico (OEKM) [mailto:enrico.ane...@fao.org]
> Sent: 07 June 2011 10:28
> To: Support and info exchange list for Fedora users.
> Subject: Re: [fcrepo-user] XACMLs...
> 
> Hi Steve,
> Thanks a lot for the quick response, I just re-wrote the XACML as you
> suggested (here below), but I'm still having the same issue....
> Basically to test it I log on to the admin console as testUser on
> http://[host]:8080/fedora/admin
> Then I try to search for objects, and it works. Then again I select an
> object and I try to export it (both the entire object and/or a datastream
> inside the object...) and the result is that I can actually export the
> object even if the supposed result would be an AuthZ denial...
> Any further tips would be really appreciated.
> 
> Many thanks and Regards,
> Enrico
> 
> <Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
>         xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
>         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>         PolicyId="access-admin"
>         RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"
>         xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-policy-schema-os.xsd urn:oasis:names:tc:xacml:2.0:context:schema:os http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd">
>   <Description>A policy to provide access to the testUser</Description>
>   <Target>
>     <Subjects>
>       <Subject>
>         <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">testUser</AttributeValue>
>           <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
>                                       DataType="http://www.w3.org/2001/XMLSchema#string"/>
>         </SubjectMatch>
>       </Subject>
>     </Subjects>
>   </Target>
>   <Rule Effect="Deny" RuleId="au:edu:mq:melcoe:ramp:fedora:xacml:2.0:rule:generic-permit">
>     <Target>
>       <Actions>
>         <Action>
>           <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-export</AttributeValue>
>             <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id"
>                                        DataType="http://www.w3.org/2001/XMLSchema#string"/>
>           </ActionMatch>
>         </Action>
>       </Actions>
>     </Target>
>   </Rule>
>   <Rule Effect="Permit" RuleId="au:edu:mq:melcoe:ramp:fedora:xacml:2.0:rule:generic-permit2"/>
> </Policy>
> ________________________________________
> From: Steve Bayliss [stephen.bayl...@acuityunlimited.net]
> Sent: Tuesday, June 07, 2011 3:21 PM
> To: 'Support and info exchange list for Fedora users.'
> Subject: Re: [fcrepo-user] XACMLs...
> 
> Hi Enrico
> 
> A couple of things you might want to look at
> - in your Rule you are using AnySubject and AnyResource elements - these
> are XACML 1.0 and are not in XACML 2.0.  To specify "any" just omit the
> Subjects/Resources elements entirely.
> - in the main Target of your policy you seem effectively to be specifying
> every action (read, write, plus all API-A and API-M) - if your intention
> here is to specify all actions then you can omit the Actions element from
> the target.
> 
> Steve
> 
> ________________________________
> From: Enrico Anello (OEKM) [mailto:enrico.ane...@fao.org]
> Sent: 06 June 2011 11:03
> To: fedora-commons-users@lists.sourceforge.net
> Subject: [fcrepo-user] XACMLs...
> 
> Hi all,
> I'm a brand new fedora user and I'm having troubles setting up a basic
> XACML rule using FESL AuthZ (Fedora repo version 3.4.2)
> 
> The rule is very simple, I want to grant a user called "testUser" with r/w
> permissions but, in the meanwhile, I want to deny exporting objects or
> datastreams.
> The XACML I wrote is as follow and saved inside a FESLPOLICY datastream of
> a new created fedora-policy object.
> 
> <Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
>         xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
>         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>         PolicyId="access-admin"
>         RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"
>         xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-policy-schema-os.xsd urn:oasis:names:tc:xacml:2.0:context:schema:os http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd">
>   <Description>A policy to provide access to the testUser</Description>
>   <Target>
>     <Subjects>
>       <Subject>
>         <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">testUser</AttributeValue>
>           <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
>                                       DataType="http://www.w3.org/2001/XMLSchema#string"/>
>         </SubjectMatch>
>       </Subject>
>     </Subjects>
>     <Actions>
>       <Action>
>         <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:api-a</AttributeValue>
>           <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:api"
>                                      DataType="http://www.w3.org/2001/XMLSchema#string"/>
>         </ActionMatch>
>       </Action>
>       <Action>
>         <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:api-m</AttributeValue>
>           <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:api"
>                                      DataType="http://www.w3.org/2001/XMLSchema#string"/>
>         </ActionMatch>
>       </Action>
>       <Action>
>         <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
>           <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id"
>                                      DataType="http://www.w3.org/2001/XMLSchema#string"/>
>         </ActionMatch>
>       </Action>
>       <Action>
>         <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
>           <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id"
>                                      DataType="http://www.w3.org/2001/XMLSchema#string"/>
>         </ActionMatch>
>       </Action>
>     </Actions>
>   </Target>
>   <Rule Effect="Deny" RuleId="1">
>     <Target>
>       <Subjects>
>         <AnySubject/>
>       </Subjects>
>       <Resources>
>         <AnyResource/>
>       </Resources>
>       <Actions>
>         <Action>
>           <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-export</AttributeValue>
>             <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id"
>                                        DataType="http://www.w3.org/2001/XMLSchema#string"/>
>           </ActionMatch>
>         </Action>
>       </Actions>
>     </Target>
>   </Rule>
>   <Rule Effect="Permit" RuleId="2"/>
> </Policy>
> 
> This rule is always validated as permitted, so it never validate the deny
> rule as true.... Why?
> 
> Thanks for any help or tips. This is driving me crazy :(
> Enrico
> 
> _______________________________________________
> Fedora-commons-users mailing list
> Fedora-commons-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fedora-commons-users


_______________________________________________
Fedora-commons-users mailing list
Fedora-commons-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
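The combining-algorithm point Steve raises is easy to see with a toy evaluator. The block below is an added example and is not code from this thread, from Fedora or from FESL: it models Enrico's policy (a policy Target on subject-id "testUser", a Deny rule whose Target is the id-export action, and an unconditional Permit rule) as plain Python callables, and evaluates the same export request under permit-overrides, deny-overrides and first-applicable as XACML 2.0 defines them (Indeterminate handling is left out). The attribute keys in the request dict ("subject-id", "action-id"), the Rule/Policy classes and the helper names are assumptions of this example, not FESL's API.

```python
"""Toy XACML 2.0 rule-combining evaluator (added example, not Fedora/FESL code).

Models Enrico's "access-admin" policy with Python callables instead of XML so the
effect of RuleCombiningAlgId can be observed in isolation. Request attribute keys,
class names and helper names are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

PERMIT, DENY, NOT_APPLICABLE = "Permit", "Deny", "NotApplicable"

# A request is the attribute bag a PDP would see; only two attributes matter here.
Request = Dict[str, str]
Matcher = Callable[[Request], bool]

ANY: Matcher = lambda req: True  # an omitted <Target> matches every request


@dataclass(frozen=True)
class Rule:
    rule_id: str
    effect: str        # "Permit" or "Deny"
    target: Matcher    # True when the rule's <Target> matches the request


def evaluate_rule(rule: Rule, req: Request) -> str:
    return rule.effect if rule.target(req) else NOT_APPLICABLE


# Rule-combining algorithms as XACML 2.0 defines them (Indeterminate omitted).
def permit_overrides(decisions: List[str]) -> str:
    if PERMIT in decisions:          # any Permit wins, whatever the Deny rules say
        return PERMIT
    return DENY if DENY in decisions else NOT_APPLICABLE


def deny_overrides(decisions: List[str]) -> str:
    if DENY in decisions:            # any Deny wins, whatever the Permit rules say
        return DENY
    return PERMIT if PERMIT in decisions else NOT_APPLICABLE


def first_applicable(decisions: List[str]) -> str:
    for d in decisions:              # document order decides; first non-NotApplicable wins
        if d != NOT_APPLICABLE:
            return d
    return NOT_APPLICABLE


COMBINERS = {
    "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides": permit_overrides,
    "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides": deny_overrides,
    "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable": first_applicable,
}


@dataclass(frozen=True)
class Policy:
    policy_id: str
    combining_alg: str
    target: Matcher
    rules: List[Rule]


def evaluate_policy(policy: Policy, req: Request) -> str:
    # The policy <Target> is checked first; if it does not match, no rule is evaluated.
    if not policy.target(req):
        return NOT_APPLICABLE
    decisions = [evaluate_rule(r, req) for r in policy.rules]
    return COMBINERS[policy.combining_alg](decisions)


EXPORT = "urn:fedora:names:fedora:2.1:action:id-export"


def access_admin_policy(combining_alg: str) -> Policy:
    """Enrico's policy: Target on testUser, a Deny rule on export, an unconditional Permit rule."""
    return Policy(
        policy_id="access-admin",
        combining_alg=combining_alg,
        target=lambda req: req.get("subject-id") == "testUser",
        rules=[
            Rule("deny-export", DENY, lambda req: req.get("action-id") == EXPORT),
            Rule("generic-permit", PERMIT, ANY),
        ],
    )


def decide(combining_alg: str, subject: str, action: str) -> str:
    req: Request = {"subject-id": subject, "action-id": action}   # constructed sample request
    return evaluate_policy(access_admin_policy(combining_alg), req)


if __name__ == "__main__":
    for alg in COMBINERS:
        name = alg.rsplit(":", 1)[1]
        print(f"{name:17} export -> {decide(alg, 'testUser', EXPORT):6}  read -> {decide(alg, 'testUser', 'read')}")
```

Under permit-overrides the unconditional Permit rule makes the Deny rule irrelevant, which is exactly the "always permitted" behaviour Enrico reports; switching the policy to deny-overrides (or to first-applicable with the Deny rule listed first) lets the export denial win while read and write stay permitted. A request from a subject other than testUser falls outside the policy Target and evaluates to NotApplicable; what the rest of the deployment does with that result is outside this example.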
