Hi Tomasz

> Being able to only access fedoraRole from FeSL is indeed a barrier!

That is the case currently - if you'd like to be able to access other
subject attributes maybe you'd like to raise a JIRA ticket for this at
https://jira.duraspace.org/browse/FCREPO?

In the meantime you are restricted to using a fedoraRole to make it
available as a subject attribute ID
"urn:fedora:names:fedora:2.1:subject:role"

To expose the target of your relationship as a resource attribute, you'll
need to define it in $FEDORA_HOME/pdp/conf/config-attribute-finder.xml.

You would need something like:

<attribute designator="resource"
name="http://kemibrug.dk/k2/relations#belongsToOrg" />

This makes the value of the target of the relationship available as a XACML
resource attribute with an ID the same as your relationship name; i.e.
"http://kemibrug.dk/k2/relations#belongsToOrg", so you can use this in your
policies (in the forthcoming 3.5 release this is enhanced, see
https://wiki.duraspace.org/display/FEDORADEV/FeSL+Authorization -
particularly you can define the XACML resource attribute ID independently of
the relationship URI)

I'd recommend you use the same value for your subject attribute (i.e.
fedoraRole) as the target of the relationship as this will make the
comparison in the policy easier.  The value type of the resource attribute
is actually treated as a string (not a URI) so you'd use this value as your
fedoraRole.

Your policy should contain a Rule element with a Condition to specify the
comparison - if you look at the example right at the end of
https://wiki.duraspace.org/display/FEDORADEV/FeSL+Authorization this should
guide you - in your case you'll be comparing the subject role (as per the
example) with your newly-defined resource attribute ID.

Steve
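The policy Steve describes, written out as an added example (it is not from this thread and not from the Fedora project): one Permit rule whose Condition compares the subject role attribute "urn:fedora:names:fedora:2.1:subject:role" (the fedoraRole value) against the resource attribute exposed from the belongsToOrg relationship ("http://kemibrug.dk/k2/relations#belongsToOrg"), for a user whose fedoraRole is set to the relationship target string (here "info:fedora/org:243", as recommended above). Assumptions not in the thread: the XACML 2.0 policy namespace, the Fedora action attribute "urn:fedora:names:fedora:2.1:action:api" with value "urn:fedora:names:fedora:2.1:action:api-a" (as used in Fedora's default policies) to limit the policy to read operations, and the PolicyId/RuleId names.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example policy, not from the thread or the Fedora project.
     Assumes the config-attribute-finder.xml entry for belongsToOrg
     shown above is in place, so the relationship target is available
     as a string-valued resource attribute with the relationship URI as ID. -->
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        PolicyId="permit-api-a-by-belongsToOrg"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides">
  <Description>
    Permit read (API-A) access when one of the requesting user's fedoraRole
    values equals the target of the object's belongsToOrg relationship.
  </Description>
  <Target>
    <Actions>
      <Action>
        <!-- Assumed Fedora action attribute (from Fedora's default policies):
             restrict this policy to read-only API-A operations so a matching
             role grants viewing only, not modification. -->
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:api-a</AttributeValue>
          <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:api"
                                     DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ActionMatch>
      </Action>
    </Actions>
  </Target>
  <Rule RuleId="role-matches-belongsToOrg" Effect="Permit">
    <Condition>
      <!-- any-of-any: true if any subject role string equals any belongsToOrg
           target string. Both designators return bags, because a user may hold
           several roles and an object may carry several belongsToOrg relationships. -->
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
        <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
        <SubjectAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:subject:role"
                                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
        <ResourceAttributeDesignator AttributeId="http://kemibrug.dk/k2/relations#belongsToOrg"
                                     DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </Apply>
    </Condition>
  </Rule>
</Policy>
```

With this policy, a user whose fedoraRole includes "info:fedora/org:243" is permitted API-A access to note:78734 (whose belongsToOrg target is info:fedora/org:243), while a user with only "info:fedora/org:236" is not. any-of-any is used instead of string-equal over string-one-and-only because the latter returns Indeterminate as soon as either attribute has more or fewer than exactly one value. Since the rule has no Deny counterpart, a non-matching request evaluates to NotApplicable rather than Deny, so the deny-by-default outcome comes from the combining algorithm of the surrounding policy set, not from this file.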

> -----Original Message-----
> From: Tomasz Cielecki [mailto:tom...@ostebaronen.dk] 
> Sent: 14 June 2011 16:40
> To: Support and info exchange list for Fedora users.
> Subject: Re: [fcrepo-user] Using information from datastreams to create FeSL policies.
> 
> 
> In this case the user with the k2Org attribute with value 236
> would not be allowed to view the resource with the relation
> k2rel:belongsToOrg with URI info:fedora/org:243. If it would
> be easier this could also be stored as a string in the RELS-EXT.
> 
> Let's say the values matched, then the user would be able to
> view the object and its methods. As simple as that. But I 
> don't understand how to access information stored in RELS-EXT 
> from a FeSL policy.
> 
> Being able to only access fedoraRole from FeSL is indeed a barrier!
> 
> On Sat, Jun 11, 2011 at 10:36 PM, Steve Bayliss 
> <stephen.bayl...@acuityunlimited.net> wrote:
> > Hi Tomasz
> >
> > I'm not entirely clear on the policy condition you want to implement.
> >
> > I see in your RDF:
> >>               <k2rel:belongsToOrg 
> >> rdf:resource="info:fedora/org:243"/>
> >
> > And in your user attributes:
> >>   <attribute name="k2Org">
> >>     <value>236</value>
> >
> > So I'm not clear, as these values are different, what the condition 
> > would be to allow access.  Also one's a URI and one's a string.
> >
> > As far as I know (I'll need to look at the code to check), I believe
> > only fedoraRole subject attributes get passed through to FeSL 
> > currently, so that may be one barrier.
> >
> > Regards
> > Steve
> >
> >> -----Original Message-----
> >> From: Tomasz Cielecki [mailto:tom...@ostebaronen.dk]
> >> Sent: 10 June 2011 05:26
> >> To: Support and info exchange list for Fedora users.
> >> Subject: Re: [fcrepo-user] Using information from datastreams to create FeSL policies.
> >>
> >> Hello Stephen,
> >>
> >> So let's say I have a note object I talked about with the following
> >> RELS-EXT data stream:
> >>
> >> <foxml:datastream ID="RELS-EXT" CONTROL_GROUP="X">
> >>   <foxml:datastreamVersion
> >>     FORMAT_URI="info:fedora/fedora-system:FedoraRELSExt-1.0"
> >>     ID="RELS-EXT.0" MIMETYPE="application/rdf+xml"
> >>     LABEL="RDF Statements about this object" SIZE="752"
> >>     CREATED="2011-04-01T00:00:00.000Z">
> >>     <foxml:xmlContent>
> >>       <rdf:RDF
> >>         xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
> >>         xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#"
> >>         xmlns:rel="info:fedora/fedora-system:def/relations-external#"
> >>         xmlns:k2rel="http://kemibrug.dk/k2/relations#"
> >>         xmlns:k2rdf="http://kemibrug.dk/k2/rdf#"
> >>         xmlns:dc="http://purl.org/dc/elements/1.1/"
> >>         xmlns:oai_dc="http://www.openarchives.org/OAI/2.0/oai_dc/">
> >>         <rdf:Description rdf:about="info:fedora/note:78734">
> >>           <k2rel:belongsToOrg rdf:resource="info:fedora/org:243"/>
> >>           <k2rel:belongsToKBA rdf:resource="info:fedora/localreg:15989"/>
> >>           <k2rdf:type>31</k2rdf:type>
> >>           <k2rdf:value>R38</k2rdf:value>
> >>         </rdf:Description>
> >>       </rdf:RDF>
> >>     </foxml:xmlContent>
> >>   </foxml:datastreamVersion>
> >> </foxml:datastream>
> >>
> >> Where I now have defined an organisation with the relation
> >> belongsToOrg. And I have a user with the following attributes:
> >>
> >> <user id="toci">
> >>   <attribute name="k2Org">
> >>     <value>236</value>
> >>   </attribute>
> >>
> >>   <attribute name="k2Host">
> >>     <value>127.0.0.1</value>
> >>   </attribute>
> >>
> >>   <attribute name="role">
> >>     <value>administrator</value>
> >>   </attribute>
> >>
> >>   <attribute name="fedoraRole">
> >>     <value>administrator</value>
> >>   </attribute>
> >> </user>
> >>
> >> What should I do to give the user access to the note object by using
> >> the k2Org in the user attributes?
> >>
> >> On Tue, May 31, 2011 at 7:01 PM, Stephen Bayliss 
> >> <stephen.bayl...@acuityunlimited.net> wrote:
> >> > Hi Tomasz
> >> >
> >> > Basing policies directly on XML content (and restricting access to
> >> > XML content) is part of the XACML 2.0 spec as part of the Hierarchical
> >> > Resource Profile -
> >> > http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-hier-profile-spec-os.pdf
> >> >
> >> > However this is not implemented in FeSL (it would be interesting to
> >> > know if there's a general need for this).
> >> >
> >> > It is possible to define XACML Resource attributes based on object
> >> > and datastream properties that are specified in RELS-EXT and
> >> > RELS-INT datastreams - the configuration for this is in
> >> > $FEDORA_HOME/pdp/conf/config-attribute-finder.xml - so if you can
> >> > get your attributes into RELS-EXT/RELS-INT then maybe this is a solution.
> >> >
> >> > The functionality of this has been enhanced for Fedora 3.5, some
> >> > draft documentation for this is at
> >> > https://wiki.duraspace.org/display/FEDORADEV/FeSL+Authorization -
> >> > this may help you as the basic simple relationship-based attributes
> >> > are present in Fedora 3.4.
> >> >
> >> > FYI there's also some draft documentation on installation for 3.5
> >> > at https://wiki.duraspace.org/display/FEDORADEV/FeSL+Installation;
> >> > feedback welcomed on both of these.
> >> >
> >> > Steve
> >> >
> >> >> -----Original Message-----
> >> >> From: Tomasz Cielecki [mailto:tom...@ostebaronen.dk]
> >> >> Sent: 30 May 2011 14:29
> >> >> To: fedora-commons-users@lists.sourceforge.net
> >> >> Subject: [fcrepo-user] Using information from datastreams to create FeSL policies.
> >> >>
> >> >>
> >> >> Hello fcrepo-users,
> >> >>
> >> >> I find it a bit hard to understand how to write policies for FeSL
> >> >> to authorize against attributes found in an object's data stream.
> >> >>
> >> >> For instance I have an object called note:1 which has the DC
> >> >> record, a RELS-EXT record and a data stream called content, whose
> >> >> content is in XML format.
> >> >>
> >> >> Is it possible to access data stored in the content data stream
> >> >> through a policy? For instance I want to access an organization id
> >> >> stored in that content data stream, which I want to match
> >> >> against a user's attributes to see if the user is allowed to access
> >> >> that object and its related objects.
> >> >>
> >> >> Maybe the attributes should be placed elsewhere? How do I access
> >> >> them?
> >> >>
> >> >> If you could be so kind as to give me some examples to work with, as I
> >> >> find the ones in the wiki lacking, or maybe I am understanding them
> >> >> incorrectly.
> >> >>
> >> >> --
> >> >> With Best Regards
> >> >> Tomasz Cielecki
> >> >>
> >> >> _______________________________________________
> >> >> Fedora-commons-users mailing list
> >> >> Fedora-commons-users@lists.sourceforge.net
> >> >> 
> https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
> >> >>
> >> >
> >>
> >>
> >>
> >> --
> >> Med Venlig Hilsen / With Best Regards
> >> Tomasz Cielecki
> >> http://ostebaronen.dk
> >>
> >
> >
> 
> 
> 
> -- 
> Med Venlig Hilsen / With Best Regards
> Tomasz Cielecki
> http://ostebaronen.dk
> 

