Hi Stephen,

Where should I look if I want to take a shot at allowing access to
other subject attributes in FeSL?

I see there is a lot of related code in fcrepo-security, but not sure
where to start.

On Wed, Jun 15, 2011 at 8:04 AM, Stephen Bayliss
<stephen.bayl...@acuityunlimited.net> wrote:
> Hi Tomasz
>
>> Being able to only access fedoraRole from FeSL is indeed a barrier!
>
> That is the case currently - if you'd like to be able to access other
> subject attributes maybe you'd like to raise a JIRA ticket for this at
> https://jira.duraspace.org/browse/FCREPO?
>
> In the meantime you are restricted to using a fedoraRole to make it
> available as a subject attribute ID
> "urn:fedora:names:fedora:2.1:subject:role"
>
> To expose the target of your relationship as a resource attribute, you'll
> need to define it in $FEDORA_HOME/pdp/conf/config-attribute-finder.xml.
>
> You would need something like:
>
> <attribute designator="resource"
>     name="http://kemibrug.dk/k2/relations#belongsToOrg" />
>
> This makes the value of the target of the relationship available as a XACML
> resource attribute with an ID the same as your relationship name; ie
> "http://kemibrug.dk/k2/relations#belongsToOrg" so you can use this in your
> policies (in the forthcoming 3.5 release this is enhanced, see
> https://wiki.duraspace.org/display/FEDORADEV/FeSL+Authorization -
> particularly you can define the XACML resource attribute ID independently of
> the relationship URI)
>
> I'd recommend you use the same value for your subject attribute (ie
> fedoraRole) as the target of the relationship as this will make the
> comparison in the policy easier.  The value type of the resource attribute
> is actually treated as a string (not a URI) so you'd use this value as your
> fedoraRole.
>
> Your policy should contain a Rule element with a Condition to specify the
> comparison - if you look at the example right at the end of
> https://wiki.duraspace.org/display/FEDORADEV/FeSL+Authorization this should
> guide you - in your case you'll be comparing the subject role (as per the
> example) with your newly-defined resource attribute ID.
>
> Steve
>
>> -----Original Message-----
>> From: Tomasz Cielecki [mailto:tom...@ostebaronen.dk]
>> Sent: 14 June 2011 16:40
>> To: Support and info exchange list for Fedora users.
>> Subject: Re: [fcrepo-user] Using information from datastreams
>> tocreateFeSLpolicies.
>>
>>
>> In this case the user with the k2Org attribute with value 236
>> would not be allowed to view the resource with the relation
>> k2rel:belongsToOrg with URI info:fedora/org:243. If it would
>> be easier this could also be stored as a string in the RELS-EXT.
>>
>> Let's say the values matched, then the user would be able to
>> view the object and its methods. As simple as that. But I
>> don't understand how to access information stored in RELS-EXT
>> from a FeSL policy.
>>
>> Being able to only access fedoraRole from FeSL is indeed a barrier!
>>
>> On Sat, Jun 11, 2011 at 10:36 PM, Steve Bayliss
>> <stephen.bayl...@acuityunlimited.net> wrote:
>> > Hi Tomasz
>> >
>> > I'm not entirely clear on the policy condition you want to
>> > implement.
>> >
>> > I see in your RDF:
>> >>               <k2rel:belongsToOrg
>> >> rdf:resource="info:fedora/org:243"/>
>> >
>> > And in your user attributes:
>> >>   <attribute name="k2Org">
>> >>     <value>236</value>
>> >
>> > So I'm not clear, as these values are different, what the condition
>> > would be to allow access.  Also one's a URI and one's a string.
>> >
>> > As far as I know (I'll need to look at the code to check), I believe
>> > only fedoraRole subject attributes get passed through to FeSL
>> > currently, so that may be one barrier.
>> >
>> > Regards
>> > Steve
>> >
>> >> -----Original Message-----
>> >> From: Tomasz Cielecki [mailto:tom...@ostebaronen.dk]
>> >> Sent: 10 June 2011 05:26
>> >> To: Support and info exchange list for Fedora users.
>> >> Subject: Re: [fcrepo-user] Using information from datastreams to
>> >> createFeSLpolicies.
>> >>
>> >> Hello Stephen,
>> >>
>> >> So let's say I have a note object I talked about with following
>> >> RELS-EXT data stream:
>> >>
>> >> <foxml:datastream ID="RELS-EXT" CONTROL_GROUP="X">
>> >>   <foxml:datastreamVersion
>> >>       FORMAT_URI="info:fedora/fedora-system:FedoraRELSExt-1.0"
>> >>       ID="RELS-EXT.0" MIMETYPE="application/rdf+xml"
>> >>       LABEL="RDF Statements about this object" SIZE="752"
>> >>       CREATED="2011-04-01T00:00:00.000Z">
>> >>     <foxml:xmlContent>
>> >>       <rdf:RDF
>> >>           xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
>> >>           xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#"
>> >>           xmlns:rel="info:fedora/fedora-system:def/relations-external#"
>> >>           xmlns:k2rel="http://kemibrug.dk/k2/relations#"
>> >>           xmlns:k2rdf="http://kemibrug.dk/k2/rdf#"
>> >>           xmlns:dc="http://purl.org/dc/elements/1.1/"
>> >>           xmlns:oai_dc="http://www.openarchives.org/OAI/2.0/oai_dc/">
>> >>         <rdf:Description rdf:about="info:fedora/note:78734">
>> >>           <k2rel:belongsToOrg rdf:resource="info:fedora/org:243"/>
>> >>           <k2rel:belongsToKBA rdf:resource="info:fedora/localreg:15989"/>
>> >>           <k2rdf:type>31</k2rdf:type>
>> >>           <k2rdf:value>R38</k2rdf:value>
>> >>         </rdf:Description>
>> >>       </rdf:RDF>
>> >>     </foxml:xmlContent>
>> >>   </foxml:datastreamVersion>
>> >> </foxml:datastream>
>> >>
>> >> Where I now have defined an organisation with the relation
>> >> belongsToOrg. And I have a user with following attributes:
>> >>
>> >> <user id="toci">
>> >>   <attribute name="k2Org">
>> >>     <value>236</value>
>> >>   </attribute>
>> >>
>> >>   <attribute name="k2Host">
>> >>     <value>127.0.0.1</value>
>> >>   </attribute>
>> >>
>> >>   <attribute name="role">
>> >>     <value>administrator</value>
>> >>   </attribute>
>> >>
>> >>   <attribute name="fedoraRole">
>> >>     <value>administrator</value>
>> >>   </attribute>
>> >> </user>
>> >>
>> >> What should I do to give the user access to the note object by using
>> >> the k2Org in the user attributes?
>> >>
>> >> On Tue, May 31, 2011 at 7:01 PM, Stephen Bayliss
>> >> <stephen.bayl...@acuityunlimited.net> wrote:
>> >> > Hi Tomasz
>> >> >
>> >> > Basing policies directly on XML content (and restricting access to
>> >> > XML content) is part of the XACML 2.0 spec as part of the
>> >> > Hierarchical Resource Profile -
>> >> > http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-hier-profile-spec-os.pdf
>> >> >
>> >> > However this is not implemented in FeSL (it would be interesting to
>> >> > know if there's a general need for this).
>> >> >
>> >> > It is possible to define XACML Resource attributes based on object
>> >> > and datastream properties that are specified in RELS-EXT and
>> >> > RELS-INT datastreams - the configuration for this is in
>> >> > $FEDORA_HOME/pdp/conf/config-attribute-finder.xml - so if you can
>> >> > get your attributes into RELS-EXT/RELS-INT then maybe this is a
>> >> > solution.
>> >> >
>> >> > The functionality of this has been enhanced for Fedora 3.5, some
>> >> > draft documentation for this is at
>> >> > https://wiki.duraspace.org/display/FEDORADEV/FeSL+Authorization -
>> >> > this may help you as the basic simple relationship-based attributes
>> >> > are present in Fedora 3.4.
>> >> >
>> >> > FYI there's also some draft documentation on installation for 3.5
>> >> > at https://wiki.duraspace.org/display/FEDORADEV/FeSL+Installation;
>> >> > feedback welcomed on both of these.
>> >> >
>> >> > Steve
>> >> >
>> >> >> -----Original Message-----
>> >> >> From: Tomasz Cielecki [mailto:tom...@ostebaronen.dk]
>> >> >> Sent: 30 May 2011 14:29
>> >> >> To: fedora-commons-users@lists.sourceforge.net
>> >> >> Subject: [fcrepo-user] Using information from datastreams to
>> >> >> create FeSLpolicies.
>> >> >>
>> >> >>
>> >> >> Hello fcrepo-users,
>> >> >>
>> >> >> I find it a bit hard to understand how to write policies for FeSL
>> >> >> to authorize against attributes found in an object's data stream.
>> >> >>
>> >> >> For instance I have an object called note:1 which has the DC
>> >> >> record, a RELS-EXT record and a data stream called content, which
>> >> >> content is in XML format.
>> >> >>
>> >> >> Is it possible to access data stored in the content data stream
>> >> >> through a policy? For instance I want to access an organization id
>> >> >> stored in that content data stream, which I want to match against
>> >> >> a user's attributes to see if the user is allowed to access that
>> >> >> object and its related objects.
>> >> >>
>> >> >> Maybe the attributes should be placed elsewhere? How do I access
>> >> >> them?
>> >> >>
>> >> >> If you could be so kind to give me some examples to work with, as I
>> >> >> find the ones in the wiki lacking or maybe I am understanding them
>> >> >> incorrectly.
>> >> >>
>> >> >> --
>> >> >> With Best Regards
>> >> >> Tomasz Cielecki
>> >> >>
>> >> >> --------------------------------------------------------------
>> >> >> ----------------
>> >> >> vRanger cuts backup time in half-while increasing
>> security. With
>> >> >> the market-leading solution for virtual backup and
>> recovery, you
>> >> >> get blazing-fast, flexible, and affordable data protection.
>> >> >> Download your free trial now. http://p.sf.net/sfu/quest-d2dcopy1
>> >> >> _______________________________________________
>> >> >> Fedora-commons-users mailing list
>> >> >> Fedora-commons-users@lists.sourceforge.net
>> >> >>
>> https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
>> >> >>
>> >> >
>> >> >
>> >> >
>> >> >
>> >>
>> >>
>> >>
>> >> --
>> >> Med Venlig Hilsen / With Best Regards
>> >> Tomasz Cielecki
>> >> http://ostebaronen.dk
>> >>
>> >>
>> >
>> >
>> >
>> >
>>
>>
>>
>> --
>> Med Venlig Hilsen / With Best Regards
>> Tomasz Cielecki
>> http://ostebaronen.dk
>>
>> --------------------------------------------------------------
>> ----------------
>> EditLive Enterprise is the world's most technically advanced
>> content authoring tool. Experience the power of Track
>> Changes, Inline Image Editing and ensure content is compliant
>> with Accessibility Checking.
>> http://p.sf.net/sfu/ephox-dev2dev
>> _______________________________________________
>> Fedora-commons-users mailing list
>> Fedora-commons-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
>>
>
>
>



-- 
Med Venlig Hilsen / With Best Regards
Tomasz Cielecki
http://ostebaronen.dk
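Stephen's advice in the thread above amounts to a single Permit rule whose Condition compares the subject's role with the resource attribute that config-attribute-finder.xml exposes from the belongsToOrg relationship. The XACML 2.0 policy below is an added example written for this thread, not a policy from the Fedora project or its wiki; it assumes the attribute IDs quoted above, that the user's fedoraRole is set to the relationship target (e.g. info:fedora/org:243) as Stephen recommends, and the PolicyId/RuleId values are made up.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example for this thread. The two AttributeId values are the ones
     quoted in the replies above; PolicyId and RuleId are invented. -->
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        PolicyId="example:permit-org-members"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Description>
    Permit access to an object when one of the subject's roles equals the
    target of the object's k2rel:belongsToOrg relationship.
  </Description>
  <!-- Empty Target: the policy is considered for every request; the
       Condition below does the actual matching. -->
  <Target/>
  <Rule RuleId="example:role-matches-belongsToOrg" Effect="Permit">
    <Condition>
      <!-- Both designators return bags (a subject may carry several roles,
           an object may carry several belongsToOrg targets), so compare bag
           against bag with any-of-any wrapped around string-equal. -->
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of-any">
        <Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
        <!-- The subject attribute FeSL passes through for fedoraRole. -->
        <SubjectAttributeDesignator
            AttributeId="urn:fedora:names:fedora:2.1:subject:role"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
        <!-- Exposed by the <attribute designator="resource" .../> entry in
             config-attribute-finder.xml; its value is the relationship
             target handled as a plain string, so a fedoraRole of
             "info:fedora/org:243" matches the RELS-EXT shown above. -->
        <ResourceAttributeDesignator
            AttributeId="http://kemibrug.dk/k2/relations#belongsToOrg"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </Apply>
    </Condition>
  </Rule>
</Policy>
```

When no role matches, this policy evaluates to NotApplicable rather than Deny, so the repository's other policies decide the outcome; a policy that should be the last word on such objects needs its own explicit Deny rule after the Permit.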

