Hello again,

So I have found a way to get the organization id as a value in the
fedoraRole attribute which resides in the subject. And I have made a
general FESLPOLICY which allows a user with a specific role to read
the repository.

Now I want the user to be allowed to read objects belonging to her
organization. I have tried several ways with the same result: neither of
the policies gives me access to these objects.

First approach:

<Policy
        xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
                            http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-policy-schema-os.xsd
                            urn:oasis:names:tc:xacml:2.0:context:schema:os
                            http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd"
        PolicyId="access-organisation"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
    <Description>A policy allowing users to see all of
    organization 200 objects.</Description>
    <Target>
        <Resources>
            <Resource>
                <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">200</AttributeValue>
                    <ResourceAttributeDesignator
                        AttributeId="http://kemibrug.dk/k2/rdf#orgid"
                        DataType="http://www.w3.org/2001/XMLSchema#string"/>
                </ResourceMatch>
            </Resource>
        </Resources>
        <Actions>
            <AnyAction/>
        </Actions>
    </Target>
    <Rule Effect="Permit" RuleId="1"/>
</Policy>

This does nothing. When I search for NOTE:* in the /fedora/objects I
get no results.

The second approach I tried was:
<Policy
        xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
                            http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-policy-schema-os.xsd
                            urn:oasis:names:tc:xacml:2.0:context:schema:os
                            http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd"
        PolicyId="access-organisation"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
    <Description>A policy allowing users of an organisation to do
    anything with their own objects.</Description>
    <Target>
        <Resources>
            <AnyResource/>
        </Resources>
        <Actions>
            <AnyAction/>
        </Actions>
    </Target>
    <Rule Effect="Permit" RuleId="1">
        <Description>Permit subject to access target if target is in
        the organisation subject is part of</Description>
        <Condition>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                <ResourceAttributeDesignator
                    AttributeId="http://kemibrug.dk/k2/rdf#orgid"
                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
                <SubjectAttributeDesignator
                    AttributeId="fedoraRole"
                    MustBePresent="false"
                    DataType="http://www.w3.org/2001/XMLSchema#string"/>
            </Apply>
        </Condition>
    </Rule>
</Policy>

This results in the same thing as the first approach. No objects
appear when I search for Notes...

I have remembered to add the attribute designator in
pdp/conf/config-attribute-finder.xml

Can someone see what I am doing wrong here?

The user's attributes (from /fedora/user) appear as follows:
<user id="KED">
        <attribute name="Host"/>
        <attribute name="role">
                <value>200</value>
                <value>authenticated user</value>
                <value>local editor</value>
        </attribute>
        <attribute name="fedoraRole">
                <value>200</value>
                <value>authenticated user</value>
                <value>local editor</value>
        </attribute>
</user>


On Wed, Jun 15, 2011 at 3:11 PM, Stephen Bayliss
<stephen.bayl...@acuityunlimited.net> wrote:
> Hi Tomasz
>
> Thanks for raising the JIRA issue.
>
> There are a couple of implementation choices for this that I can see
> 1) have the attributes added by the PEP
> 2) implement via an AttributeFinderModule.
>
> I would tend towards the latter, though implementation via the former might
> be easier.
>
> If you take a look at
> org.fcrepo.server.security.xacml.pdp.finder.attribute.LDAPAttributeFinder.LDAPAttributeFinder
> in fcrepo-security-pdp you will see an AttributeFinderModule that deals
> with subject attributes.
>
> The attributes are in fact picked up by the JAAS module - see
> org.fcrepo.server.security.jaas.auth.module.XmlUsersFileModule - you'll see
> them added around line 213.
>
> So the question is how to build some kind of bridge from this to a new
> AttributeFinderModule.
>
> Also you'll see how the current subject attributes are added into the
> request by the PEP around line 93 of
> org.fcrepo.server.security.xacml.pep.rest.filters.AbstractFilter - this may
> give some clues.  Though adding them in at this point is option (1) which I
> think is less preferable to option (2).
>
> Whichever is the option, some configuration will be required to map the name
> given in the fedora-users.xml file to a XACML subject attribute ID.
>
> Regards
> Steve
>
>
>
>> -----Original Message-----
>> From: Tomasz Cielecki [mailto:tom...@ostebaronen.dk]
>> Sent: 15 June 2011 12:50
>> To: Support and info exchange list for Fedora users.
>> Subject: Re: [fcrepo-user] Using information from datastreams to
>> create FeSL policies.
>>
>>
>> Hi Stephen,
>>
>> Where should I look if I want to take a shot at allowing
>> access to other subject attributes in FeSL?
>>
>> I see there is a lot of related code in fcrepo-security, but
>> not sure where to start.
>>
>> On Wed, Jun 15, 2011 at 8:04 AM, Stephen Bayliss
>> <stephen.bayl...@acuityunlimited.net> wrote:
>> > Hi Tomasz
>> >
>> >> Being able to only access fedoraRole from FeSL is indeed a barrier!
>> >
>> > That is the case currently - if you'd like to be able to access other
>> > subject attributes maybe you'd like to raise a JIRA ticket for this at
>> > https://jira.duraspace.org/browse/FCREPO?
>> >
>> > In the meantime you are restricted to using a fedoraRole to make it
>> > available as a subject attribute ID
>> > "urn:fedora:names:fedora:2.1:subject:role"
>> >
>> > To expose the target of your relationship as a resource attribute,
>> > you'll need to define it in
>> > $FEDORA_HOME/pdp/conf/config-attribute-finder.xml.
>> >
>> > You would need something like:
>> >
>> > <attribute designator="resource"
>> >            name="http://kemibrug.dk/k2/relations#belongsToOrg" />
>> >
>> > This makes the value of the target of the relationship available as a
>> > XACML resource attribute with an ID the same as your relationship
>> > name; ie "http://kemibrug.dk/k2/relations#belongsToOrg" so you can use
>> > this in your policies (in the forthcoming 3.5 release this is
>> > enhanced, see
>> > https://wiki.duraspace.org/display/FEDORADEV/FeSL+Authorization -
>> > particularly you can define the XACML resource attribute ID
>> > independently of the relationship URI)
>> >
>> > I'd recommend you use the same value for your subject attribute (ie
>> > fedoraRole) as the target of the relationship as this will make the
>> > comparison in the policy easier.  The value type of the resource
>> > attribute is actually treated as a string (not a URI) so you'd use
>> > this value as your fedoraRole.
>> >
>> > Your policy should contain a Rule element with a Condition to specify
>> > the comparison - if you look at the example right at the end of
>> > https://wiki.duraspace.org/display/FEDORADEV/FeSL+Authorization this
>> > should guide you - in your case you'll be comparing the subject role
>> > (as per the example) with your newly-defined resource attribute ID.
>> >
>> > Steve
>> >
>> >> -----Original Message-----
>> >> From: Tomasz Cielecki [mailto:tom...@ostebaronen.dk]
>> >> Sent: 14 June 2011 16:40
>> >> To: Support and info exchange list for Fedora users.
>> >> Subject: Re: [fcrepo-user] Using information from datastreams to
>> >> create FeSL policies.
>> >>
>> >>
>> >> In this case the user with the k2Org attribute with value 236 would
>> >> not be allowed to view the resource with the relation
>> >> k2rel:belongsToOrg with URI info:fedora/org:243. If it would be
>> >> easier this could also be stored as a string in the RELS-EXT.
>> >>
>> >> Let's say the values matched, then the user would be able to view the
>> >> object and its methods. As simple as that. But I don't understand how
>> >> to access information stored in RELS-EXT from a FeSL policy.
>> >>
>> >> Being able to only access fedoraRole from FeSL is indeed a barrier!
>> >>
>> >> On Sat, Jun 11, 2011 at 10:36 PM, Steve Bayliss
>> >> <stephen.bayl...@acuityunlimited.net> wrote:
>> >> > Hi Tomasz
>> >> >
>> >> > I'm not entirely clear on the policy condition you want to implement.
>> >> >
>> >> > I see in your RDF:
>> >> >>               <k2rel:belongsToOrg
>> >> >> rdf:resource="info:fedora/org:243"/>
>> >> >
>> >> > And in your user attributes:
>> >> >>   <attribute name="k2Org">
>> >> >>     <value>236</value>
>> >> >
>> >> > So I'm not clear, as these values are different, what the condition
>> >> > would be to allow access.  Also one's a URI and one's a string.
>> >> >
>> >> > As far as I know (I'll need to look at the code to check), I believe
>> >> > only fedoraRole subject attributes get passed through to FeSL
>> >> > currently, so that may be one barrier.
>> >> >
>> >> > Regards
>> >> > Steve
>> >> >
>> >> >> -----Original Message-----
>> >> >> From: Tomasz Cielecki [mailto:tom...@ostebaronen.dk]
>> >> >> Sent: 10 June 2011 05:26
>> >> >> To: Support and info exchange list for Fedora users.
>> >> >> Subject: Re: [fcrepo-user] Using information from datastreams to
>> >> >> create FeSL policies.
>> >> >>
>> >> >> Hello Stephen,
>> >> >>
>> >> >> So let's say I have a note object I talked about with the following
>> >> >> RELS-EXT data stream:
>> >> >>
>> >> >> <foxml:datastream ID="RELS-EXT" CONTROL_GROUP="X">
>> >> >>   <foxml:datastreamVersion
>> >> >>       FORMAT_URI="info:fedora/fedora-system:FedoraRELSExt-1.0"
>> >> >>       ID="RELS-EXT.0" MIMETYPE="application/rdf+xml"
>> >> >>       LABEL="RDF Statements about this object" SIZE="752"
>> >> >>       CREATED="2011-04-01T00:00:00.000Z">
>> >> >>     <foxml:xmlContent>
>> >> >>       <rdf:RDF
>> >> >>           xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
>> >> >>           xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#"
>> >> >>           xmlns:rel="info:fedora/fedora-system:def/relations-external#"
>> >> >>           xmlns:k2rel="http://kemibrug.dk/k2/relations#"
>> >> >>           xmlns:k2rdf="http://kemibrug.dk/k2/rdf#"
>> >> >>           xmlns:dc="http://purl.org/dc/elements/1.1/"
>> >> >>           xmlns:oai_dc="http://www.openarchives.org/OAI/2.0/oai_dc/">
>> >> >>         <rdf:Description rdf:about="info:fedora/note:78734">
>> >> >>           <k2rel:belongsToOrg rdf:resource="info:fedora/org:243"/>
>> >> >>           <k2rel:belongsToKBA rdf:resource="info:fedora/localreg:15989"/>
>> >> >>           <k2rdf:type>31</k2rdf:type>
>> >> >>           <k2rdf:value>R38</k2rdf:value>
>> >> >>         </rdf:Description>
>> >> >>       </rdf:RDF>
>> >> >>     </foxml:xmlContent>
>> >> >>   </foxml:datastreamVersion>
>> >> >> </foxml:datastream>
>> >> >>
>> >> >> Where I now have defined an organisation with the relation
>> >> >> belongsToOrg. And I have a user with the following attributes:
>> >> >>
>> >> >> <user id="toci">
>> >> >>   <attribute name="k2Org">
>> >> >>     <value>236</value>
>> >> >>   </attribute>
>> >> >>
>> >> >>   <attribute name="k2Host">
>> >> >>     <value>127.0.0.1</value>
>> >> >>   </attribute>
>> >> >>
>> >> >>   <attribute name="role">
>> >> >>     <value>administrator</value>
>> >> >>   </attribute>
>> >> >>
>> >> >>   <attribute name="fedoraRole">
>> >> >>     <value>administrator</value>
>> >> >>   </attribute>
>> >> >> </user>
>> >> >>
>> >> >> What should I do to give the user access to the note object by using
>> >> >> the k2Org in the user attributes?
>> >> >>
>> >> >> On Tue, May 31, 2011 at 7:01 PM, Stephen Bayliss
>> >> >> <stephen.bayl...@acuityunlimited.net> wrote:
>> >> >> > Hi Tomasz
>> >> >> >
>> >> >> > Basing policies directly on XML content (and restricting access to
>> >> >> > XML content) is part of the XACML 2.0 spec as part of the
>> >> >> > Hierarchical Resource Profile -
>> >> >> > http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-hier-profile-spec-os.pdf
>> >> >> >
>> >> >> > However this is not implemented in FeSL (it would be interesting to
>> >> >> > know if there's a general need for this).
>> >> >> >
>> >> >> > It is possible to define XACML Resource attributes based on object
>> >> >> > and datastream properties that are specified in RELS-EXT and
>> >> >> > RELS-INT datastreams - the configuration for this is in
>> >> >> > $FEDORA_HOME/pdp/conf/config-attribute-finder.xml - so if you can
>> >> >> > get your attributes into RELS-EXT/RELS-INT then maybe this is a
>> >> >> > solution.
>> >> >> >
>> >> >> > The functionality of this has been enhanced for Fedora 3.5, some
>> >> >> > draft documentation for this is at
>> >> >> > https://wiki.duraspace.org/display/FEDORADEV/FeSL+Authorization -
>> >> >> > this may help you as the basic simple relationship-based attributes
>> >> >> > are present in Fedora 3.4.
>> >> >> >
>> >> >> > FYI there's also some draft documentation on installation for 3.5
>> >> >> > at https://wiki.duraspace.org/display/FEDORADEV/FeSL+Installation;
>> >> >> > feedback welcomed on both of these.
>> >> >> >
>> >> >> > Steve
>> >> >> >
>> >> >> >> -----Original Message-----
>> >> >> >> From: Tomasz Cielecki [mailto:tom...@ostebaronen.dk]
>> >> >> >> Sent: 30 May 2011 14:29
>> >> >> >> To: fedora-commons-users@lists.sourceforge.net
>> >> >> >> Subject: [fcrepo-user] Using information from datastreams to
>> >> >> >> create FeSL policies.
>> >> >> >>
>> >> >> >>
>> >> >> >> Hello fcrepo-users,
>> >> >> >>
>> >> >> >> I find it a bit hard to understand how to write policies for FeSL
>> >> >> >> to authorize against attributes found in an object's data stream.
>> >> >> >>
>> >> >> >> For instance I have an object called note:1 which has the DC
>> >> >> >> record, a RELS-EXT record and a data stream called content, whose
>> >> >> >> content is in XML format.
>> >> >> >>
>> >> >> >> Is it possible to access data stored in the content data stream
>> >> >> >> through a policy? For instance I want to access an organization id
>> >> >> >> stored in that content data stream, which I want to match against
>> >> >> >> a user's attributes to see if the user is allowed to access that
>> >> >> >> object and its related objects.
>> >> >> >>
>> >> >> >> Maybe the attributes should be placed elsewhere? How do I access
>> >> >> >> them?
>> >> >> >>
>> >> >> >> If you could be so kind to give me some examples to work with as I
>> >> >> >> find the ones in the wiki lacking or maybe I am understanding them
>> >> >> >> incorrectly.
>> >> >> >>
>> >> >> >> --
>> >> >> >> With Best Regards
>> >> >> >> Tomasz Cielecki
>> >> >> >>
>> >> >> >>
>> >> >> >>
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >> >
>> >> >>
>> >> >>
>> >> >>
>> >> >> --
>> >> >> Med Venlig Hilsen / With Best Regards
>> >> >> Tomasz Cielecki
>> >> >> http://ostebaronen.dk
>> >> >>
>> >> >>
>> >>
>> >> >
>> >> >
>> >> >
>> >>
>> >> >
>> >>
>> >>
>> >>
>> >> --
>> >> Med Venlig Hilsen / With Best Regards
>> >> Tomasz Cielecki
>> >> http://ostebaronen.dk
>> >>
>> >>
>> >
>> >
>> >
>> >
>>
>>
>>
>> --
>> Med Venlig Hilsen / With Best Regards
>> Tomasz Cielecki
>> http://ostebaronen.dk
>>
>>
>
>
>



-- 
Med Venlig Hilsen / With Best Regards
Tomasz Cielecki
http://ostebaronen.dk

_______________________________________________
Fedora-commons-users mailing list
Fedora-commons-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
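One way to tell a policy-logic error apart from an attribute-delivery error is to evaluate the two policies above offline against a hand-built request context, with no Fedora in the loop. What follows is an added example written for this page, not code from FeSL or Fedora: a small Python evaluator that implements only the XACML 2.0 pieces those two policies use (string-equal matching in a Target, the AnyResource/AnyAction wildcards, a Rule Condition built from string-at-least-one-member-of, and the first-applicable combining algorithm) and compares attribute values exactly as written, without trimming. The subject bag is user KED's fedoraRole values from /fedora/user and the resource attribute ID is the http://kemibrug.dk/k2/rdf#orgid from the policies; the function names, the rewritten policy text and the three request contexts (orgid 200, orgid 243, and orgid never delivered) are assumptions made for the example.

```python
"""Toy XACML 2.0 evaluator for the two FeSL policies posted in this thread.
Added example, not FeSL or Fedora code: only string-equal Target matching,
AnyResource/AnyAction, string-at-least-one-member-of Conditions and
first-applicable combining are implemented; values are compared untrimmed."""
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:xacml:2.0:policy:schema:os"}
FN = "urn:oasis:names:tc:xacml:1.0:function:"
XS = "http://www.w3.org/2001/XMLSchema#string"
ORGID = "http://kemibrug.dk/k2/rdf#orgid"   # resource attribute ID from the posted policies
ROLE = "fedoraRole"                          # subject attribute ID from the second policy
HEAD = ('<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os" PolicyId="access-organisation" '
        'RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">')

# First approach from the thread: the orgid check sits in the Policy Target.
POLICY_TARGET = f"""{HEAD}
  <Target>
    <Resources><Resource><ResourceMatch MatchId="{FN}string-equal">
      <AttributeValue DataType="{XS}">200</AttributeValue>
      <ResourceAttributeDesignator AttributeId="{ORGID}" DataType="{XS}"/>
    </ResourceMatch></Resource></Resources>
    <Actions><AnyAction/></Actions>
  </Target>
  <Rule Effect="Permit" RuleId="1"/>
</Policy>"""

# Second approach: any resource, plus a Rule Condition comparing the two bags.
POLICY_CONDITION = f"""{HEAD}
  <Target><Resources><AnyResource/></Resources><Actions><AnyAction/></Actions></Target>
  <Rule Effect="Permit" RuleId="1"><Condition>
    <Apply FunctionId="{FN}string-at-least-one-member-of">
      <ResourceAttributeDesignator AttributeId="{ORGID}" DataType="{XS}"/>
      <SubjectAttributeDesignator AttributeId="{ROLE}" MustBePresent="false" DataType="{XS}"/>
    </Apply>
  </Condition></Rule>
</Policy>"""

def evaluate_expr(ctx, el):
    """Evaluate an expression element to a string or to a bag (list of strings)."""
    tag = el.tag.rsplit("}", 1)[-1]            # '{urn:...}Apply' -> 'Apply'
    if tag == "AttributeValue":
        return el.text
    if tag.endswith("AttributeDesignator"):     # SubjectAttributeDesignator -> ctx["subject"]
        category = tag[:-len("AttributeDesignator")].lower()
        return list(ctx.get(category, {}).get(el.get("AttributeId"), []))
    if tag == "Apply":
        args = [evaluate_expr(ctx, child) for child in el]
        if el.get("FunctionId") == FN + "string-at-least-one-member-of":
            first, second = args
            return any(v in second for v in first)
        raise NotImplementedError(el.get("FunctionId"))
    raise NotImplementedError(tag)

def match_element(ctx, m):
    """<ResourceMatch> etc.: MatchId(literal, v) must hold for some v in the designator's bag."""
    if m.get("MatchId") != FN + "string-equal":
        raise NotImplementedError(m.get("MatchId"))
    literal, designator = list(m)
    value = evaluate_expr(ctx, literal)
    return any(value == v for v in evaluate_expr(ctx, designator))

def target_matches(ctx, target):
    """An absent section or an Any* wildcard matches everything; otherwise some
    <Subject>/<Resource>/<Action> must have all of its *Match children true."""
    for section in ("Subject", "Resource", "Action"):
        sect = target.find(f"p:{section}s", NS)
        if sect is None or sect.find(f"p:Any{section}", NS) is not None:
            continue
        if not any(all(match_element(ctx, m) for m in one.findall(f"p:{section}Match", NS))
                   for one in sect.findall(f"p:{section}", NS)):
            return False
    return True

def evaluate(policy_xml, ctx):
    """Return 'Permit', 'Deny' or 'NotApplicable' under first-applicable combining."""
    policy = ET.fromstring(policy_xml)
    target = policy.find("p:Target", NS)
    if target is not None and not target_matches(ctx, target):
        return "NotApplicable"
    for rule in policy.findall("p:Rule", NS):
        rule_target = rule.find("p:Target", NS)
        if rule_target is not None and not target_matches(ctx, rule_target):
            continue
        condition = rule.find("p:Condition", NS)
        if condition is not None and not evaluate_expr(ctx, condition[0]):
            continue
        return rule.get("Effect")               # first applicable rule decides
    return "NotApplicable"

# Constructed contexts: user KED's fedoraRole bag as shown in /fedora/user, and a
# note object whose orgid is delivered ("200"/"243") or never supplied (None).
KED = {ROLE: ["200", "authenticated user", "local editor"]}

def decide(policy_xml, orgid):
    resource = {} if orgid is None else {ORGID: [orgid]}
    return evaluate(policy_xml, {"subject": KED, "resource": resource, "action": {}})

if __name__ == "__main__":
    for name, policy in (("target-based", POLICY_TARGET), ("condition-based", POLICY_CONDITION)):
        for orgid in ("200", "243", None):
            print(f"{name:16} orgid={str(orgid):5} -> {decide(policy, orgid)}")
```

Run as written, both policies give Permit for orgid 200 and NotApplicable for orgid 243, and NotApplicable when the orgid attribute is missing from the request altogether. That last case is the one to suspect when a policy that reads correctly still grants nothing: if the attribute finder never hands http://kemibrug.dk/k2/rdf#orgid to the PDP for the object, neither the Target match nor the Condition can ever be true, whatever the policy text says, so the config-attribute-finder.xml mapping and the actual literal in RELS-EXT are the things to check before the policy. Note that real XACML returns Indeterminate, not NotApplicable, for a missing attribute when the designator says MustBePresent="true"; the toy ignores that because neither posted designator sets it.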
