My memory is a little hazy on this, but wasn't there a sunxacml pitfall about AttributeDesignators being evaluated as single values in the Policy Target, but bags in the Rule Conditions? It might be the case that you need to either wrap the Designator in the Rule Condition in a string-one-and-only function, or use a comparison function that operates on bags (string-is-in or string-at-least-one-member-of, depending on whether you're comparing a string to a one-member bag, or a bag to a bag).
If that is the problem, you will also need to change the RuleCombiningAlgId, since anything that matches the Policy targets will also match rule 2, and thus have at least one Permit in the policy evaluation results.

Also, this document is helpful (even if it is "under construction"): https://wiki.duraspace.org/display/FCR30/Fedora+XACML+Policy+Writing+Guide

- Ben

On Wed, Jun 8, 2011 at 4:51 AM, Anello, Enrico (OEKM) <enrico.ane...@fao.org> wrote:
> Hi Steve,
> Thanks again for the answer...
> I have tried with the following RuleCombiningAlgId with no success:
>
> - urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable
> - urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:deny-overrides
> - urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides
>
> I asked the sys admins to send me the logs of an export request in debug mode
> and I see some weird things inside which may affect the behavior (see
> attached for the log)....
>
> First of all I see this line:
>
> DEBUG 2011-06-06 08:11:32.716 [http-8080-2] (PolicyEnforcementPoint)
> permitting request because enforceMode==ENFORCE_MODE_PERMIT_ALL_REQUESTS
>
> even if I have to say that if I change the rule with a "Deny all" it actually
> denies everything....
>
> Also I see that when the PDP evaluates the request it changes it without
> specifying the id-export action... instead it uses a migrate context which
> seems I cannot use inside the XACML....
>
> <Request>
> <Subject
> SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
> <Attribute AttributeId="urn:fedora:names:fedora:2.1:subject:loginId"
> DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>testUser</AttributeValue></Attribute>
> <Attribute AttributeId="urn:fedora:names:fedora:2.1:subject:role"
> DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>testUser</AttributeValue></Attribute>
> </Subject>
> <Subject
> SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
> <Attribute
> AttributeId="urn:fedora:names:fedora:2.1:subject:subjectRepresented"
> DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>testUser</AttributeValue></Attribute>
> <Attribute AttributeId="urn:fedora:names:fedora:2.1:subject:role"
> DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>testUser</AttributeValue></Attribute>
> </Subject>
> <Subject
> SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
> DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>testUser</AttributeValue></Attribute>
> <Attribute AttributeId="urn:fedora:names:fedora:2.1:subject:role"
> DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>testUser</AttributeValue></Attribute>
> </Subject>
> <Resource>
> <Attribute
> AttributeId="urn:fedora:names:fedora:2.1:resource:object:encoding"
> DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>info:fedora/fedora-system:FOXML-1.1</AttributeValue></Attribute>
> <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
> DataType="http://www.w3.org/2001/XMLSchema#anyURI"><AttributeValue>/eims-document:eims-documentObjectCollection/eims-document:10016</AttributeValue></Attribute>
> <Attribute
> AttributeId="urn:fedora:names:fedora:2.1:resource:object:context"
> DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>migrate</AttributeValue></Attribute>
> <Attribute AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
> DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>eims-document:10016</AttributeValue></Attribute>
> </Resource>
> <Action>
> <Attribute AttributeId="urn:fedora:names:fedora:2.1:action:api"
> DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>urn:fedora:names:fedora:2.1:action:api-m</AttributeValue></Attribute>
> <Attribute AttributeId="urn:fedora:names:fedora:2.1:action:id"
> DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>read</AttributeValue></Attribute>
> </Action>
> <Environment>
> <Attribute
> AttributeId="urn:fedora:names:fedora:2.1:environment:httpRequest:clientIpAddress"
> DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>168.202.17.210</AttributeValue></Attribute>
> </Environment>
> </Request>
>
> Please help me out... I'm starting to work in a cloud :-))
>
> Thank you,
> Enrico
> ________________________________________
> From: Steve Bayliss [stephen.bayl...@acuityunlimited.net]
> Sent: Tuesday, June 07, 2011 6:19 PM
> To: 'Support and info exchange list for Fedora users.'
> Subject: Re: [fcrepo-user] XACMLs...
>
> Hi Enrico
>
> I see you have
> RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"
>
> I wonder if that could be the issue?
>
> Steve
>
>> -----Original Message-----
>> From: Anello, Enrico (OEKM) [mailto:enrico.ane...@fao.org]
>> Sent: 07 June 2011 10:28
>> To: Support and info exchange list for Fedora users.
>> Subject: Re: [fcrepo-user] XACMLs...
>>
>> Hi Steve,
>> Thanks a lot for the quick response, I just re-wrote the XACML as you
>> suggested (here below), but I'm still having the same issue....
>> Basically to test it I log on to the admin console as testUser on
>> http://[host]:8080/fedora/admin
>> Then I try to search for objects, and it works. Then again I select an
>> object and I try to export it (both the entire object and/or a datastream
>> inside the object...) and the result is that I can actually export the
>> object even if the supposed result would be an AuthZ denial...
>> Any further tips would be really appreciated.
>>
>> Many thanks and Regards,
>> Enrico
>>
>> <Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicyId="access-admin" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"
>> xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
>> http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-policy-schema-os.xsd urn:oasis:names:tc:xacml:2.0:context:schema:os
>> http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd">
>> <Description>A policy to provide access to the testUser</Description>
>> <Target>
>> <Subjects>
>> <Subject>
>> <SubjectMatch
>> MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>> <AttributeValue
>> DataType="http://www.w3.org/2001/XMLSchema#string">testUser</AttributeValue>
>> <SubjectAttributeDesignator
>> AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
>> DataType="http://www.w3.org/2001/XMLSchema#string"></SubjectAttributeDesignator>
>> </SubjectMatch>
>> </Subject>
>> </Subjects>
>>
>> </Target>
>> <Rule Effect="Deny"
>> RuleId="au:edu:mq:melcoe:ramp:fedora:xacml:2.0:rule:generic-permit">
>> <Target>
>> <Actions>
>> <Action>
>> <ActionMatch
>> MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>> <AttributeValue
>> DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-export</AttributeValue>
>> <ActionAttributeDesignator
>> AttributeId="urn:fedora:names:fedora:2.1:action:id"
>> DataType="http://www.w3.org/2001/XMLSchema#string"></ActionAttributeDesignator>
>> </ActionMatch>
>> </Action>
>> </Actions>
>> </Target>
>> </Rule>
>>
>> <Rule Effect="Permit"
>> RuleId="au:edu:mq:melcoe:ramp:fedora:xacml:2.0:rule:generic-permit2"></Rule>
>> </Policy>
>> ________________________________________
>> From: Steve Bayliss [stephen.bayl...@acuityunlimited.net]
>> Sent: Tuesday, June 07, 2011 3:21 PM
>> To: 'Support and info exchange list for Fedora users.'
>> Subject: Re: [fcrepo-user] XACMLs...
>>
>> Hi Enrico
>>
>> A couple of things you might want to look at
>> - in your Rule you are using AnySubject and AnyResource elements - these
>> are XACML 1.0 and are not in XACML 2.0. To specify "any" just omit the
>> Subjects/Resources elements entirely.
>> - in the main Target of your policy you seem effectively to be specifying
>> every action (read, write, plus all API-A and API-M) - if your intention
>> here is to specify all actions then you can omit the Actions element from
>> the target.
>>
>> Steve
>>
>> ________________________________
>> From: Enrico Anello (OEKM) [mailto:enrico.ane...@fao.org]
>> Sent: 06 June 2011 11:03
>> To: fedora-commons-users@lists.sourceforge.net
>> Subject: [fcrepo-user] XACMLs...
>>
>> Hi all,
>> I'm a brand new fedora user and I'm having trouble setting up a basic
>> XACML rule using FESL AuthZ (Fedora repo version 3.4.2)
>>
>> The rule is very simple, I want to grant a user called "testUser" with r/w
>> permissions but, in the meanwhile, I want to deny exporting objects or
>> datastreams.
>> The XACML I wrote is as follows and saved inside a FESLPOLICY datastream of
>> a newly created fedora-policy object.
>>
>> <Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicyId="access-admin" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"
>> xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
>> http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-policy-schema-os.xsd urn:oasis:names:tc:xacml:2.0:context:schema:os
>> http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd">
>> <Description>A policy to provide access to the testUser</Description>
>> <Target>
>> <Subjects>
>> <Subject>
>> <SubjectMatch
>> MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>> <AttributeValue
>> DataType="http://www.w3.org/2001/XMLSchema#string">testUser</AttributeValue>
>> <SubjectAttributeDesignator
>> AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
>> DataType="http://www.w3.org/2001/XMLSchema#string"></SubjectAttributeDesignator>
>> </SubjectMatch>
>> </Subject>
>> </Subjects>
>> <Actions>
>> <Action>
>> <ActionMatch
>> MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>> <AttributeValue
>> DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:api-a</AttributeValue>
>> <ActionAttributeDesignator
>> AttributeId="urn:fedora:names:fedora:2.1:action:api"
>> DataType="http://www.w3.org/2001/XMLSchema#string"></ActionAttributeDesignator>
>> </ActionMatch>
>> </Action>
>> <Action>
>> <ActionMatch
>> MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>> <AttributeValue
>> DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:api-m</AttributeValue>
>> <ActionAttributeDesignator
>> AttributeId="urn:fedora:names:fedora:2.1:action:api"
>> DataType="http://www.w3.org/2001/XMLSchema#string"></ActionAttributeDesignator>
>> </ActionMatch>
>> </Action>
>> <Action>
>> <ActionMatch
>> MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>> <AttributeValue
>> DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
>> <ActionAttributeDesignator
>> AttributeId="urn:fedora:names:fedora:2.1:action:id"
>> DataType="http://www.w3.org/2001/XMLSchema#string"></ActionAttributeDesignator>
>> </ActionMatch>
>> </Action>
>> <Action>
>> <ActionMatch
>> MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>> <AttributeValue
>> DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
>> <ActionAttributeDesignator
>> AttributeId="urn:fedora:names:fedora:2.1:action:id"
>> DataType="http://www.w3.org/2001/XMLSchema#string"></ActionAttributeDesignator>
>> </ActionMatch>
>> </Action>
>> </Actions>
>> </Target>
>> <Rule Effect="Deny" RuleId="1">
>> <Target>
>> <Subjects>
>> <AnySubject/>
>> </Subjects> <Resources><AnyResource/></Resources>
>> <Actions>
>> <Action>
>> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>> <AttributeValue
>> DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-export</AttributeValue>
>> <ActionAttributeDesignator
>> AttributeId="urn:fedora:names:fedora:2.1:action:id"
>> DataType="http://www.w3.org/2001/XMLSchema#string"></ActionAttributeDesignator>
>> </ActionMatch>
>> </Action>
>> </Actions>
>> </Target>
>> </Rule>
>> <Rule Effect="Permit" RuleId="2"></Rule>
>> </Policy>
>>
>> This rule is always validated as permitted, so it never validates the deny
>> rule as true.... Why?
>>
>> Thanks for any help or tips. This is driving me crazy :(
>> Enrico
>>
>> ------------------------------------------------------------------------------
>> EditLive Enterprise is the world's most technically advanced content
>> authoring tool. Experience the power of Track Changes, Inline Image
>> Editing and ensure content is compliant with Accessibility Checking.
>> http://p.sf.net/sfu/ephox-dev2dev
>> _______________________________________________
>> Fedora-commons-users mailing list
>> Fedora-commons-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
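A toy model of the two points raised in this reply, added here as an illustration and not code from Fedora, FESL or sunxacml: a Target match already tests each member of a designator's bag, but a Condition has to unwrap the bag with string-one-and-only (or use a bag function) before string-equal will accept it, and the RuleCombiningAlgId decides whether the catch-all Permit rule overrides the Deny-on-export rule. The attribute ids come from the thread; the sample request, the Rule class and the simplified combining logic (which ignores XACML's potential-effect handling of Indeterminate) are my own constructions.

```python
# Added example (not Fedora/FESL/sunxacml code): toy XACML evaluation of the thread's policy.
from dataclasses import dataclass, field
from typing import Callable, Optional
ACTION_ID = "urn:fedora:names:fedora:2.1:action:id"       # attribute id from the thread
EXPORT = "urn:fedora:names:fedora:2.1:action:id-export"   # the action the Deny rule targets
def string_one_and_only(bag: list) -> str:
    """XACML string-one-and-only: the bag must hold exactly one value."""
    if len(bag) != 1:
        raise ValueError("bag does not hold exactly one value")
    return bag[0]

def string_equal(a, b) -> bool:
    """XACML string-equal takes two plain strings; handing it a bag is an error."""
    if not (isinstance(a, str) and isinstance(b, str)):
        raise TypeError("string-equal needs strings, not bags")
    return a == b

@dataclass
class Rule:
    effect: str                                  # "Permit" or "Deny"
    target: dict = field(default_factory=dict)   # attribute id -> literal to match
    condition: Optional[Callable[[dict], bool]] = None

def evaluate_rule(rule: Rule, request: dict) -> str:
    # A Target match tests the literal against each member of the designator's bag.
    for attr, wanted in rule.target.items():
        if wanted not in request.get(attr, []):
            return "NotApplicable"
    try:
        if rule.condition is not None and not rule.condition(request):
            return "NotApplicable"
    except (TypeError, ValueError):
        return "Indeterminate"   # a Condition that errors never becomes a Deny
    return rule.effect

def combine(alg: str, decisions: list) -> str:
    # Simplified: ignores XACML's potential-effect handling for Indeterminate.
    if alg == "first-applicable":
        return next((d for d in decisions if d != "NotApplicable"), "NotApplicable")
    wins, loses = ("Permit", "Deny") if alg == "permit-overrides" else ("Deny", "Permit")
    for outcome in (wins, "Indeterminate", loses):
        if outcome in decisions:
            return outcome
    return "NotApplicable"

def evaluate_policy(alg: str, rules: list, request: dict) -> str:
    return combine(alg, [evaluate_rule(r, request) for r in rules])
# The thread's policy shape: Deny-on-export first, then a target-less Permit rule.
POLICY = [Rule("Deny", target={ACTION_ID: EXPORT}), Rule("Permit")]
EXPORT_REQUEST = {ACTION_ID: [EXPORT]}   # constructed: the request Enrico intends to deny
```

With permit-overrides the export request comes back Permit because rule 2 always applies; with first-applicable or deny-overrides the Deny rule wins, and a Condition that hands the raw bag to string-equal yields Indeterminate rather than Deny.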