Hi!
Recently i was asked to build Policies for Fedora Objects.
I have looked at the policy writing guide, and so far doing it like THAT
works, but i find this style kind of convoluted.
Since i only need simple rules i thought i could as well use the
"straightforward" way, which is closer to the datamodel i get.
To give you an example, a policy that shuts everyone out but admins:
_*-guide:*_
<Policy PolicyId="demo"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
xmlns="urn:oasis:names:tc:xacml:1.0:policy"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";>
<Target>
<Subjects>
<AnySubject/>
</Subjects>
<Resources>
<Resource>
<ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string";>changeme:10061</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
DataType="http://www.w3.org/2001/XMLSchema#string"/>
</ResourceMatch>
</Resource>
</Resources>
<Actions>
<AnyAction/>
</Actions>
</Target>
<Rule Effect="Deny" RuleId="1">
<Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
<Apply
FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
<SubjectAttributeDesignator AttributeId="fedoraRole"
DataType="http://www.w3.org/2001/XMLSchema#string"; MustBePresent="false"/>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string";>administrator</AttributeValue>
</Apply>
</Apply>
</Condition>
</Rule>
<Rule Effect="Permit" RuleId="3"/>
</Policy>
_*
-mine:*_
<Policy PolicyId="changeme:10061:DenyAllDefaultPolicy"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
<Target>
<Subjects>
<AnySubject />
</Subjects>
<Resources>
<Resource>
<ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string";>changeme:10059
</AttributeValue>
<ResourceAttributeDesignator
AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
DataType="http://www.w3.org/2001/XMLSchema#string"; />
</ResourceMatch>
</Resource>
</Resources>
<Actions>
<AnyAction />
</Actions>
</Target>
<Rule RuleId="AdminRule" Effect="Permit">
<Target>
<Subjects>
<Subject>
<SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string";>administrator
</AttributeValue>
<SubjectAttributeDesignator
AttributeId="fedoraRole"
DataType="http://www.w3.org/2001/XMLSchema#string"; />
</SubjectMatch>
</Subject>
</Subjects>
<Resources>
<AnyResource />
</Resources>
<Actions>
<AnyAction />
</Actions>
</Target>
</Rule>
<Rule RuleId="FinalRule" Effect="Deny">
</Rule>
</Policy>
As far as i understood this SHOULD constitute the same behaviour, but my
policy doesn't shut anyone out. And i have no idea why not.
greetings and thanks for any help,
Jessi
------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable.
Why? It contains a definitive record of application performance, security
threats, fraudulent activity, and more. Splunk takes this data and makes
sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-d2d-c2
_______________________________________________
Fedora-commons-users mailing list
Fedora-commons-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
