Hi Tomasz

Thanks for raising the JIRA issue.

There are a couple of implementation choices for this that I can see
1) have the attributes added by the PEP
2) implement via an AttributeFinderModule.

I would tend towards the latter, though implementation via the former might
be easier.

If you take a look at
org.fcrepo.server.security.xacml.pdp.finder.attribute.LDAPAttributeFinder.LDAPAttributeFinder
in fcrepo-security-pdp you will see an AttributeFinderModule that deals with
subject attributes.

The attributes are in fact picked up by the JAAS module - see
org.fcrepo.server.security.jaas.auth.module.XmlUsersFileModule - you'll see
them added around line 213.

So the question is how to build some kind of bridge from this to a new
AttributeFinderModule.

Also you'll see how the current subject attributes are added into the
request by the PEP around line 93 of
org.fcrepo.server.security.xacml.pep.rest.filters.AbstractFilter - this may
give some clues.  Though adding them in at this point is option (1) which I
think is less preferable to option (2).

Whichever is the option, some configuration will be required to map the name
given in the fedora-users.xml file to an XACML subject attribute ID.

Regards
Steve



> -----Original Message-----
> From: Tomasz Cielecki [mailto:tom...@ostebaronen.dk] 
> Sent: 15 June 2011 12:50
> To: Support and info exchange list for Fedora users.
> Subject: Re: [fcrepo-user] Using information from datastreams to
> create FeSL policies.
> 
> 
> Hi Stephen,
> 
> Where should I look if I want to take a shot at allowing 
> access to other subject attributes in FeSL?
> 
> I see there is a lot of related code in fcrepo-security, but 
> not sure where to start.
> 
> On Wed, Jun 15, 2011 at 8:04 AM, Stephen Bayliss 
> <stephen.bayl...@acuityunlimited.net> wrote:
> > Hi Tomasz
> >
> >> Being able to only access fedoraRole from FeSL is indeed a barrier!
> >
> > That is the case currently - if you'd like to be able to access other
> > subject attributes maybe you'd like to raise a JIRA ticket for this at
> > https://jira.duraspace.org/browse/FCREPO?
> >
> > In the meantime you are restricted to using a fedoraRole to make it 
> > available as a subject attribute ID 
> > "urn:fedora:names:fedora:2.1:subject:role"
> >
> > To expose the target of your relationship as a resource attribute, 
> > you'll need to define it in 
> > $FEDORA_HOME/pdp/conf/config-attribute-finder.xml.
> >
> > You would need something like:
> >
> > <attribute designator="resource"
> > name="http://kemibrug.dk/k2/relations#belongsToOrg" />
> >
> > This makes the value of the target of the relationship available as a
> > XACML resource attribute with an ID the same as your relationship
> > name; ie "http://kemibrug.dk/k2/relations#belongsToOrg" so you can use
> > this in your policies (in the forthcoming 3.5 release this is
> > enhanced, see
> > https://wiki.duraspace.org/display/FEDORADEV/FeSL+Authorization -
> > particularly you can define the XACML resource attribute ID
> > independently of the relationship URI)
> >
> > I'd recommend you use the same value for your subject attribute (ie
> > fedoraRole) as the target of the relationship as this will make the 
> > comparison in the policy easier.  The value type of the resource 
> > attribute is actually treated as a string (not a URI) so you'd use 
> > this value as your fedoraRole.
> >
> > Your policy should contain a Rule element with a Condition to specify
> > the comparison - if you look at the example right at the end of
> > https://wiki.duraspace.org/display/FEDORADEV/FeSL+Authorization this
> > should guide you - in your case you'll be comparing the subject role
> > (as per the example) with your newly-defined resource attribute ID.
> >
> > Steve
> >
> >> -----Original Message-----
> >> From: Tomasz Cielecki [mailto:tom...@ostebaronen.dk]
> >> Sent: 14 June 2011 16:40
> >> To: Support and info exchange list for Fedora users.
> >> Subject: Re: [fcrepo-user] Using information from datastreams to
> >> create FeSL policies.
> >>
> >>
> >> In this case the user with the k2Org attribute with value 236 would
> >> not be allowed to view the resource with the relation
> >> k2rel:belongsToOrg with URI info:fedora/org:243. If it would be
> >> easier this could also be stored as a string in the RELS-EXT.
> >>
> >> Let's say the values matched, then the user would be able to view the
> >> object and its methods. As simple as that. But I don't understand how
> >> to access information stored in RELS-EXT from a FeSL policy.
> >>
> >> Being able to only access fedoraRole from FeSL is indeed a barrier!
> >>
> >> On Sat, Jun 11, 2011 at 10:36 PM, Steve Bayliss 
> >> <stephen.bayl...@acuityunlimited.net> wrote:
> >> > Hi Tomasz
> >> >
> >> > I'm not entirely clear on the policy condition you want to
> >> > implement.
> >> >
> >> > I see in your RDF:
> >> >>               <k2rel:belongsToOrg 
> >> >> rdf:resource="info:fedora/org:243"/>
> >> >
> >> > And in your user attributes:
> >> >>   <attribute name="k2Org">
> >> >>     <value>236</value>
> >> >
> >> > So I'm not clear, as these values are different, what the condition
> >> > would be to allow access.  Also one's a URI and one's a string.
> >> >
> >> > As far as I know (I'll need to look at the code to check), I believe
> >> > only fedoraRole subject attributes get passed through to FeSL
> >> > currently, so that may be one barrier.
> >> >
> >> > Regards
> >> > Steve
> >> >
> >> >> -----Original Message-----
> >> >> From: Tomasz Cielecki [mailto:tom...@ostebaronen.dk]
> >> >> Sent: 10 June 2011 05:26
> >> >> To: Support and info exchange list for Fedora users.
> >> >> Subject: Re: [fcrepo-user] Using information from datastreams to
> >> >> create FeSL policies.
> >> >>
> >> >> Hello Stephen,
> >> >>
> >> >> So let's say I have a note object I talked about with following
> >> >> RELS-EXT data stream:
> >> >>
> >> >> <foxml:datastream ID="RELS-EXT" CONTROL_GROUP="X">
> >> >>   <foxml:datastreamVersion
> >> >>       FORMAT_URI="info:fedora/fedora-system:FedoraRELSExt-1.0"
> >> >>       ID="RELS-EXT.0" MIMETYPE="application/rdf+xml"
> >> >>       LABEL="RDF Statements about this object" SIZE="752"
> >> >>       CREATED="2011-04-01T00:00:00.000Z">
> >> >>     <foxml:xmlContent>
> >> >>       <rdf:RDF
> >> >>           xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
> >> >>           xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#"
> >> >>           xmlns:rel="info:fedora/fedora-system:def/relations-external#"
> >> >>           xmlns:k2rel="http://kemibrug.dk/k2/relations#"
> >> >>           xmlns:k2rdf="http://kemibrug.dk/k2/rdf#"
> >> >>           xmlns:dc="http://purl.org/dc/elements/1.1/"
> >> >>           xmlns:oai_dc="http://www.openarchives.org/OAI/2.0/oai_dc/">
> >> >>         <rdf:Description rdf:about="info:fedora/note:78734">
> >> >>           <k2rel:belongsToOrg rdf:resource="info:fedora/org:243"/>
> >> >>           <k2rel:belongsToKBA rdf:resource="info:fedora/localreg:15989"/>
> >> >>           <k2rdf:type>31</k2rdf:type>
> >> >>           <k2rdf:value>R38</k2rdf:value>
> >> >>         </rdf:Description>
> >> >>       </rdf:RDF>
> >> >>     </foxml:xmlContent>
> >> >>   </foxml:datastreamVersion>
> >> >> </foxml:datastream>
> >> >>
> >> >> Where I now have defined an organisation with the relation
> >> >> belongsToOrg. And I have a user with following attributes:
> >> >>
> >> >> <user id="toci">
> >> >>   <attribute name="k2Org">
> >> >>     <value>236</value>
> >> >>   </attribute>
> >> >>
> >> >>   <attribute name="k2Host">
> >> >>     <value>127.0.0.1</value>
> >> >>   </attribute>
> >> >>
> >> >>   <attribute name="role">
> >> >>     <value>administrator</value>
> >> >>   </attribute>
> >> >>
> >> >>   <attribute name="fedoraRole">
> >> >>     <value>administrator</value>
> >> >>   </attribute>
> >> >> </user>
> >> >>
> >> >> What should I do to give the user access to the note object by using
> >> >> the k2Org in the user attributes?
> >> >>
> >> >> On Tue, May 31, 2011 at 7:01 PM, Stephen Bayliss 
> >> >> <stephen.bayl...@acuityunlimited.net> wrote:
> >> >> > Hi Tomasz
> >> >> >
> >> >> > Basing policies directly on XML content (and restricting access to
> >> >> > XML content) is part of the XACML 2.0 spec as part of the
> >> >> > Hierarchical Resource Profile -
> >> >> > http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-hier-profile-spec-os.pdf
> >> >> >
> >> >> > However this is not implemented in FeSL (it would be interesting to
> >> >> > know if there's a general need for this).
> >> >> >
> >> >> > It is possible to define XACML Resource attributes based on object
> >> >> > and datastream properties that are specified in RELS-EXT and
> >> >> > RELS-INT datastreams - the configuration for this is in
> >> >> > $FEDORA_HOME/pdp/conf/config-attribute-finder.xml - so if you can
> >> >> > get your attributes into RELS-EXT/RELS-INT then maybe this is a
> >> >> > solution.
> >> >> >
> >> >> > The functionality of this has been enhanced for Fedora 3.5, some
> >> >> > draft documentation for this is at
> >> >> > https://wiki.duraspace.org/display/FEDORADEV/FeSL+Authorization -
> >> >> > this may help you as the basic simple relationship-based
> >> >> > attributes are present in Fedora 3.4.
> >> >> >
> >> >> > FYI there's also some draft documentation on installation for 3.5
> >> >> > at https://wiki.duraspace.org/display/FEDORADEV/FeSL+Installation;
> >> >> > feedback welcomed on both of these.
> >> >> >
> >> >> > Steve
> >> >> >
> >> >> >> -----Original Message-----
> >> >> >> From: Tomasz Cielecki [mailto:tom...@ostebaronen.dk]
> >> >> >> Sent: 30 May 2011 14:29
> >> >> >> To: fedora-commons-users@lists.sourceforge.net
> >> >> >> Subject: [fcrepo-user] Using information from datastreams to
> >> >> >> create FeSL policies.
> >> >> >>
> >> >> >>
> >> >> >> Hello fcrepo-users,
> >> >> >>
> >> >> >> I find it a bit hard to understand how to write policies for FeSL
> >> >> >> to authorize against attributes found in an object's data stream.
> >> >> >>
> >> >> >> For instance I have an object called note:1 which has the DC
> >> >> >> record, a RELS-EXT record and a data stream called content, whose
> >> >> >> content is in XML format.
> >> >> >>
> >> >> >> Is it possible to access data stored in the content data stream
> >> >> >> through a policy? For instance I want to access an organization id
> >> >> >> stored in that content data stream, which I want to match against
> >> >> >> a user's attributes to see if the user is allowed to access that
> >> >> >> object and its related objects.
> >> >> >>
> >> >> >> Maybe the attributes should be placed elsewhere? How do I access
> >> >> >> them?
> >> >> >>
> >> >> >> If you could be so kind as to give me some examples to work with,
> >> >> >> as I find the ones in the wiki lacking or maybe I am understanding
> >> >> >> them incorrectly.
> >> >> >>
> >> >> >> --
> >> >> >> With Best Regards
> >> >> >> Tomasz Cielecki
> >> >> >>
> >> >> >
> >> >>
> >> >>
> >> >>
> >> >> --
> >> >> Med Venlig Hilsen / With Best Regards
> >> >> Tomasz Cielecki
> >> >> http://ostebaronen.dk
> >> >
> >>
> >>
> >>
> >> --
> >> Med Venlig Hilsen / With Best Regards
> >> Tomasz Cielecki
> >> http://ostebaronen.dk
> >
> 
> 
> 
> -- 
> Med Venlig Hilsen / With Best Regards
> Tomasz Cielecki
> http://ostebaronen.dk


------------------------------------------------------------------------------
EditLive Enterprise is the world's most technically advanced content
authoring tool. Experience the power of Track Changes, Inline Image
Editing and ensure content is compliant with Accessibility Checking.
http://p.sf.net/sfu/ephox-dev2dev
_______________________________________________
Fedora-commons-users mailing list
Fedora-commons-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fedora-commons-users