I could access it while logged in as another user who has a group.
Tried adding MustBePresent="false", but that didn't change the outcome.

On 08.07.2011 17:53, Benjamin Armintor wrote:
> Are the unexpected Permit results coming when a user is logged in, has
> a fedoraRole, but it is not "administrator"? Or is it that no one is
> logged in/the logged in user has no fedoraRole?
>
> If the latter, the first thing I would try is adding
> MustBePresent="false" to your subjectAttributeDesignator.  According
> to the spec:
> http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf
>
> it effectively defaults to "true", and returns an Indeterminate result
> in the event of a missing attribute.  Quoting from the rule evaluation
> spec:
> "If the target value is "No-match" or “Indeterminate” then the rule
> value SHALL be “NotApplicable” or “Indeterminate”, respectively,
> regardless of the value of the condition.  For these cases, therefore,
> the condition need not be evaluated."
>
> Since you have no condition, it may be applying that rule whenever the
> fedoraRole attribute is missing.
>
> On 7/8/11, thio <t...@uni-koblenz.de> wrote:
>> Hi!
>>
>> Recently I was asked to build Policies for Fedora Objects.
>>
>> I have looked at the policy writing guide, and so far doing it like THAT
>> works, but I find this style kind of convoluted.
>>
>> Since I only need simple rules I thought I could as well use the
>> "straightforward" way, which is closer to the data model I get.
>>
>> To give you an example, a policy that shuts everyone out but admins:
>>
>> -guide:
>> <Policy PolicyId="demo"
>>     RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
>>     xmlns="urn:oasis:names:tc:xacml:1.0:policy"
>>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>>   <Target>
>>     <Subjects>
>>       <AnySubject/>
>>     </Subjects>
>>     <Resources>
>>       <Resource>
>>         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">changeme:10061</AttributeValue>
>>           <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
>>               DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>         </ResourceMatch>
>>       </Resource>
>>     </Resources>
>>     <Actions>
>>       <AnyAction/>
>>     </Actions>
>>   </Target>
>>   <Rule Effect="Deny" RuleId="1">
>>     <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
>>       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
>>         <SubjectAttributeDesignator AttributeId="fedoraRole"
>>             DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
>>         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
>>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator</AttributeValue>
>>         </Apply>
>>       </Apply>
>>     </Condition>
>>   </Rule>
>>   <Rule Effect="Permit" RuleId="3"/>
>> </Policy>
>> -mine:
>> <Policy PolicyId="changeme:10061:DenyAllDefaultPolicy"
>>     RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
>>   <Target>
>>     <Subjects>
>>       <AnySubject/>
>>     </Subjects>
>>     <Resources>
>>       <Resource>
>>         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">changeme:10059
>>           </AttributeValue>
>>           <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
>>               DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>         </ResourceMatch>
>>       </Resource>
>>     </Resources>
>>     <Actions>
>>       <AnyAction/>
>>     </Actions>
>>   </Target>
>>   <Rule RuleId="AdminRule" Effect="Permit">
>>     <Target>
>>       <Subjects>
>>         <Subject>
>>           <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator
>>             </AttributeValue>
>>             <SubjectAttributeDesignator AttributeId="fedoraRole"
>>                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>           </SubjectMatch>
>>         </Subject>
>>       </Subjects>
>>       <Resources>
>>         <AnyResource/>
>>       </Resources>
>>       <Actions>
>>         <AnyAction/>
>>       </Actions>
>>     </Target>
>>   </Rule>
>>   <Rule RuleId="FinalRule" Effect="Deny">
>>   </Rule>
>> </Policy>
>>
>> As far as I understood this SHOULD constitute the same behaviour, but my
>> policy doesn't shut anyone out. And I have no idea why not.
>>
>> greetings and thanks for any help,
>> Jessi
>>
> ------------------------------------------------------------------------------
> All of the data generated in your IT infrastructure is seriously valuable.
> Why? It contains a definitive record of application performance, security
> threats, fraudulent activity, and more. Splunk takes this data and makes
> sense of it. IT sense. And common sense.
> http://p.sf.net/sfu/splunk-d2d-c2
> _______________________________________________
> Fedora-commons-users mailing list
> Fedora-commons-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fedora-commons-users


_______________________________________________
Fedora-commons-users mailing list
Fedora-commons-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
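The two things argued about above, rule combining and MustBePresent, can be checked without a Fedora instance. What follows is an added example, not code from the thread and not Fedora's PDP: a toy evaluator that understands only what the posted Deny-all-but-admin policy uses (Target matching with string-equal, AnySubject/AnyResource/AnyAction, first-applicable), with the policy rebuilt from the post and fed constructed requests. Two points it makes visible: the XACML 1.0 and 2.0 schemas give MustBePresent a default of "false", so an absent fedoraRole makes the AdminRule's Target a No-match (NotApplicable, falling through to FinalRule) unless the designator says MustBePresent="true", in which case first-applicable returns Indeterminate; and string-equal is an exact comparison, so the line break the post shows between `changeme:10059` and `</AttributeValue>` is worth ruling out, since a PDP that keeps element text as-is would then never match the policy's Target at all. The request dict shape and every helper name are this example's own assumptions.

```python
"""Added example (not from the thread, not Fedora's PDP): a toy XACML 1.x
evaluator covering only what the posted Deny-all-but-admin policy uses, so the
effect of first-applicable, MustBePresent and exact string-equal can be seen.
The request dict shape and all helper names here are this example's own."""
import xml.etree.ElementTree as ET

F = "urn:oasis:names:tc:xacml:1.0:function:"
RCA = "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:"
XS = "http://www.w3.org/2001/XMLSchema#string"
PID_ATTR = "urn:fedora:names:fedora:2.1:resource:object:pid"
ROLE_ATTR = "fedoraRole"

def local(el):  # drop a default-namespace prefix so namespaced and bare policies parse alike
    return el.tag.rsplit("}", 1)[-1]

def child(el, name):
    return next((c for c in el if local(c) == name), None)

def eval_match(match, req, category):
    """One <SubjectMatch>/<ResourceMatch>: True, False or 'Indeterminate'."""
    assert match.get("MatchId") == F + "string-equal"
    literal = child(match, "AttributeValue").text or ""  # element text as-is: whitespace counts
    desig = next(c for c in match if local(c).endswith("AttributeDesignator"))
    values = req[category].get(desig.get("AttributeId"), [])
    if not values:  # absent attribute: Indeterminate only if MustBePresent="true" (spec default "false")
        return "Indeterminate" if desig.get("MustBePresent", "false") == "true" else False
    return literal in values

def eval_target(target, req):
    """A Target matches iff every category matches; No-match takes precedence over Indeterminate."""
    result = True
    for cat in ("Subject", "Resource", "Action"):
        section = child(target, cat + "s")
        if section is None or child(section, "Any" + cat) is not None:
            continue
        outcomes = []
        for item in (c for c in section if local(c) == cat):  # several <Subject> elements: OR
            r = [eval_match(m, req, cat) for m in item if local(m) == cat + "Match"]  # matches: AND
            outcomes.append("Indeterminate" if "Indeterminate" in r else all(r))
        if True not in outcomes:
            if "Indeterminate" not in outcomes:
                return False
            result = "Indeterminate"
    return result

def eval_rule(rule, req):
    """The posted rules carry no Condition, so each rule's Target alone decides."""
    target = child(rule, "Target")
    t = True if target is None else eval_target(target, req)
    if t is True:
        return rule.get("Effect")
    return "NotApplicable" if t is False else "Indeterminate"

def evaluate(policy_xml, req):
    """first-applicable: the first rule that is not NotApplicable decides, Indeterminate included."""
    policy = ET.fromstring(policy_xml)
    assert policy.get("RuleCombiningAlgId") == RCA + "first-applicable"
    t = eval_target(child(policy, "Target"), req)
    if t is not True:
        return "NotApplicable" if t is False else "Indeterminate"
    for rule in (c for c in policy if local(c) == "Rule"):
        decision = eval_rule(rule, req)
        if decision != "NotApplicable":
            return decision
    return "NotApplicable"

def deny_all_but_admin(pid="changeme:10059", must_be_present=None):
    """The poster's policy rebuilt on one line. `pid` is inserted into the
    <AttributeValue> verbatim, so any whitespace passed in it is kept on purpose."""
    mbp = "" if must_be_present is None else ' MustBePresent="%s"' % must_be_present
    return (
        '<Policy PolicyId="changeme:10061:DenyAllDefaultPolicy" RuleCombiningAlgId="%sfirst-applicable">'
        '<Target><Subjects><AnySubject/></Subjects><Resources><Resource>'
        '<ResourceMatch MatchId="%sstring-equal"><AttributeValue DataType="%s">%s</AttributeValue>'
        '<ResourceAttributeDesignator AttributeId="%s" DataType="%s"/></ResourceMatch>'
        '</Resource></Resources><Actions><AnyAction/></Actions></Target>'
        '<Rule RuleId="AdminRule" Effect="Permit"><Target><Subjects><Subject>'
        '<SubjectMatch MatchId="%sstring-equal"><AttributeValue DataType="%s">administrator</AttributeValue>'
        '<SubjectAttributeDesignator AttributeId="%s" DataType="%s"%s/></SubjectMatch>'
        '</Subject></Subjects><Resources><AnyResource/></Resources><Actions><AnyAction/></Actions>'
        '</Target></Rule><Rule RuleId="FinalRule" Effect="Deny"/></Policy>'
    ) % (RCA, F, XS, pid, PID_ATTR, XS, F, XS, ROLE_ATTR, XS, mbp)

def request(pid="changeme:10059", roles=None):
    """Constructed request; Fedora supplies fedoraRole only for an authenticated user."""
    return {"Subject": {ROLE_ATTR: roles} if roles else {},
            "Resource": {PID_ATTR: [pid]}, "Action": {}}

if __name__ == "__main__":
    for label, req in [("admin", request(roles=["administrator"])),
                       ("editor", request(roles=["editor"])),
                       ("anonymous", request())]:
        print("%-10s %s" % (label, evaluate(deny_all_but_admin(), req)))
    print("anonymous, MustBePresent=true:", evaluate(deny_all_but_admin(must_be_present="true"), request()))
    print("admin, newline inside pid value:",
          evaluate(deny_all_but_admin(pid="changeme:10059\n"), request(roles=["administrator"])))
```

Under these spec semantics the policy as written yields Permit for an administrator and Deny for both a user with another fedoraRole and an anonymous request, so the combining algorithm is not what lets everyone in. Only two variations change that: MustBePresent="true" on the subject designator turns the anonymous case into Indeterminate (first-applicable stops on it), and whitespace inside the pid's AttributeValue makes the policy's own Target a No-match, giving NotApplicable, which in a repository that loads several policies means this one says nothing and the others decide. Neither is asserted here to be the cause; they are the two cheap things to rule out before looking at how the policy is loaded.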
