Had trailing whitespace in it ... *sigh*

So I'm further along now, but bumped into another problem. I have 
defined a rule with several allowed actions. One action is 
"urn:fedora:names:fedora:2.1:action:api-a" while the other actions are 
specific api-m methods. I assumed that specifying the first would allow 
the use of all api-a methods, but it seems I cannot.

Now the question is: is there actually some error in the policy, or is 
my assessment of the api-a action attribute incorrect?

On 08.07.2011 18:03, thio wrote:
> I could access it being logged in as another user who has a group.
> Tried to add MustBePresent="false", but that didn't change the outcome.
>
> On 08.07.2011 17:53, Benjamin Armintor wrote:
>> Are the unexpected Permit results coming when a user is logged in, has
>> a fedoraRole, but it is not "administrator"? Or is it that no one is
>> logged in/the logged in user has no fedoraRole?
>>
>> If the latter, the first thing I would try is adding
>> MustBePresent="false" to your subjectAttributeDesignator.  According
>> to the spec:
>> http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf
>>
>> it effectively defaults to "true", and returns an Indeterminate result
>> in the event of a missing attribute.  Quoting from the rule evaluation
>> spec:
>> "If the target value is "No-match" or “Indeterminate” then the rule
>> value SHALL be “NotApplicable” or “Indeterminate”, respectively,
>> regardless of the value of the condition.  For these cases, therefore,
>> the condition need not be evaluated."
>>
>> Since you have no condition, it may be applying that rule whenever the
>> fedoraRole attribute is missing.
>>
>> On 7/8/11, thio <t...@uni-koblenz.de> wrote:
>>> Hi!
>>>
>>> Recently I was asked to build policies for Fedora objects.
>>>
>>> I have looked at the policy writing guide, and so far doing it like THAT
>>> works, but I find this style kind of convoluted.
>>>
>>> Since I only need simple rules, I thought I could just as well use the
>>> "straightforward" way, which is closer to the data model I get.
>>>
>>> To give you an example, a policy that shuts everyone out but admins:
>>>
>>> -guide:
>>> <Policy PolicyId="demo"
>>> RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
>>>      xmlns="urn:oasis:names:tc:xacml:1.0:policy"
>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>>> <Target>
>>> <Subjects>
>>> <AnySubject/>
>>> </Subjects>
>>> <Resources>
>>> <Resource>
>>> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>> <AttributeValue
>>> DataType="http://www.w3.org/2001/XMLSchema#string">changeme:10061</AttributeValue>
>>> <ResourceAttributeDesignator
>>> AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
>>> DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>> </ResourceMatch>
>>> </Resource>
>>> </Resources>
>>> <Actions>
>>> <AnyAction/>
>>> </Actions>
>>> </Target>
>>> <Rule Effect="Deny" RuleId="1">
>>> <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
>>> <Apply
>>> FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
>>> <SubjectAttributeDesignator AttributeId="fedoraRole"
>>> DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
>>> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
>>> <AttributeValue
>>> DataType="http://www.w3.org/2001/XMLSchema#string">administrator</AttributeValue>
>>> </Apply>
>>> </Apply>
>>> </Condition>
>>> </Rule>
>>> <Rule Effect="Permit" RuleId="3"/>
>>> </Policy>
>>>
>>> -mine:
>>> <Policy PolicyId="changeme:10061:DenyAllDefaultPolicy"
>>> RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
>>> <Target>
>>> <Subjects>
>>> <AnySubject />
>>> </Subjects>
>>> <Resources>
>>> <Resource>
>>> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>> <AttributeValue
>>> DataType="http://www.w3.org/2001/XMLSchema#string">changeme:10059
>>> </AttributeValue>
>>> <ResourceAttributeDesignator
>>> AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
>>> DataType="http://www.w3.org/2001/XMLSchema#string" />
>>> </ResourceMatch>
>>> </Resource>
>>> </Resources>
>>> <Actions>
>>> <AnyAction />
>>> </Actions>
>>> </Target>
>>> <Rule RuleId="AdminRule" Effect="Permit">
>>> <Target>
>>> <Subjects>
>>> <Subject>
>>> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>> <AttributeValue
>>> DataType="http://www.w3.org/2001/XMLSchema#string">administrator
>>> </AttributeValue>
>>> <SubjectAttributeDesignator
>>> AttributeId="fedoraRole"
>>> DataType="http://www.w3.org/2001/XMLSchema#string" />
>>> </SubjectMatch>
>>> </Subject>
>>> </Subjects>
>>> <Resources>
>>> <AnyResource />
>>> </Resources>
>>> <Actions>
>>> <AnyAction />
>>> </Actions>
>>> </Target>
>>> </Rule>
>>> <Rule RuleId="FinalRule" Effect="Deny">
>>> </Rule>
>>> </Policy>
>>>
>>> As far as I understood, this SHOULD constitute the same behaviour, but my
>>> policy doesn't shut anyone out. And I have no idea why not.
>>>
>>> greetings and thanks for any help,
>>> Jessi
>>>
>> ------------------------------------------------------------------------------
>> All of the data generated in your IT infrastructure is seriously valuable.
>> Why? It contains a definitive record of application performance, security
>> threats, fraudulent activity, and more. Splunk takes this data and makes
>> sense of it. IT sense. And common sense.
>> http://p.sf.net/sfu/splunk-d2d-c2
>> _______________________________________________
>> Fedora-commons-users mailing list
>> Fedora-commons-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
>


------------------------------------------------------------------------------
BlackBerry&reg; DevCon Americas, Oct. 18-20, San Francisco, CA
The must-attend event for mobile developers. Connect with experts. 
Get tools for creating Super Apps. See the latest technologies.
Sessions, hands-on labs, demos & much more. Register early & save!
http://p.sf.net/sfu/rim-blackberry-1
_______________________________________________
Fedora-commons-users mailing list
Fedora-commons-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
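To make the evaluation semantics discussed in this thread concrete, here is an added example of my own (it is not Fedora's PDP, not sunxacml, and not code from anyone in the thread). It is a toy evaluator that implements only what the "-mine" policy needs: AnySubject/AnyResource/AnyAction, string-equal matches, MustBePresent (read with the XACML 2.0 spec default of "false") and the first-applicable rule-combining algorithm. The policy template, request contexts and role names are constructed for the demo. Run as posted, the line break inside each <AttributeValue> is part of the literal, so the policy's own Target is a No-match and the result is NotApplicable for every request, which is why the policy cannot deny anyone; with the literals trimmed, administrators get Permit and everyone else falls through to the Deny rule. Setting MustBePresent="true" on the fedoraRole designator and sending no fedoraRole gives Indeterminate, the case the quoted spec text describes.

```python
"""Toy XACML 1.0-style evaluator (added example; not Fedora's PDP or sunxacml).
Supports only what the "-mine" policy above uses: AnySubject/AnyResource/AnyAction,
string-equal matches, MustBePresent (XACML 2.0 spec default "false") and the
first-applicable rule-combining algorithm. Requests and policy text are constructed here.
"""
import xml.etree.ElementTree as ET

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"


class MissingAttribute(Exception):
    pass  # a designator with MustBePresent="true" found an empty bag -> Indeterminate


def local(tag):  # "{urn:...:policy}Rule" -> "Rule"; unchanged when the policy has no xmlns
    return tag.rsplit("}", 1)[-1]


def child(el, name):
    return next((c for c in el if local(c.tag) == name), None)


def eval_match(match, request):
    """<SubjectMatch>/<ResourceMatch>: the literal must string-equal some value in the bag."""
    if not match.get("MatchId").endswith(":string-equal"):
        raise NotImplementedError(match.get("MatchId"))
    literal, designator = list(match)
    category = local(designator.tag)[:-len("AttributeDesignator")]  # Subject / Resource / Action
    bag = request.get(category, {}).get(designator.get("AttributeId"), [])
    if not bag and designator.get("MustBePresent", "false") == "true":
        raise MissingAttribute(designator.get("AttributeId"))
    # Deliberately no .strip(): the literal is compared exactly as written in the XML.
    return any(literal.text == value for value in bag)


def eval_target(target, request):
    """True = Match, False = No-match; MissingAttribute propagates as Indeterminate."""
    if target is None:
        return True
    for section in ("Subjects", "Resources", "Actions"):
        sec = child(target, section)
        if sec is None or any(local(c.tag).startswith("Any") for c in sec):
            continue
        # <Subject>/<Resource>/<Action> items are OR-ed; the matches inside one item are AND-ed
        if not any(all(eval_match(m, request) for m in item) for item in sec):
            return False
    return True


def eval_rule(rule, request):
    try:
        matched = eval_target(child(rule, "Target"), request)
    except MissingAttribute:
        return INDETERMINATE
    return rule.get("Effect") if matched else NOT_APPLICABLE


def evaluate(policy_xml, request):
    """Policy Target first, then first-applicable over the Rules."""
    policy = ET.fromstring(policy_xml)
    if not policy.get("RuleCombiningAlgId").endswith(":first-applicable"):
        raise NotImplementedError(policy.get("RuleCombiningAlgId"))
    try:
        if not eval_target(child(policy, "Target"), request):
            return NOT_APPLICABLE
    except MissingAttribute:
        return INDETERMINATE
    for rule in (c for c in policy if local(c.tag) == "Rule"):
        decision = eval_rule(rule, request)
        if decision != NOT_APPLICABLE:  # Permit, Deny or Indeterminate ends the search
            return decision
    return NOT_APPLICABLE


def mine_policy(pid_literal, role_literal, must_be_present="false"):
    """Same shape as the "-mine" policy in the thread; both literals go in verbatim."""
    return f"""<Policy PolicyId="changeme:10061:DenyAllDefaultPolicy"
 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
 <Target>
  <Subjects><AnySubject/></Subjects>
  <Resources><Resource><ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">{pid_literal}</AttributeValue>
   <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
    DataType="http://www.w3.org/2001/XMLSchema#string"/>
  </ResourceMatch></Resource></Resources>
  <Actions><AnyAction/></Actions>
 </Target>
 <Rule RuleId="AdminRule" Effect="Permit"><Target>
   <Subjects><Subject><SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">{role_literal}</AttributeValue>
    <SubjectAttributeDesignator AttributeId="fedoraRole" MustBePresent="{must_be_present}"
     DataType="http://www.w3.org/2001/XMLSchema#string"/>
   </SubjectMatch></Subject></Subjects>
   <Resources><AnyResource/></Resources><Actions><AnyAction/></Actions>
 </Target></Rule>
 <Rule RuleId="FinalRule" Effect="Deny"/>
</Policy>"""


def request(pid="changeme:10059", roles=()):  # constructed request context
    return {"Resource": {"urn:fedora:names:fedora:2.1:resource:object:pid": [pid]},
            "Subject": {"fedoraRole": list(roles)}}


# As posted, the line break before </AttributeValue> is part of each literal.
AS_POSTED = mine_policy("changeme:10059\n", "administrator\n")
TRIMMED = mine_policy("changeme:10059", "administrator")

if __name__ == "__main__":
    for name, policy in (("as posted", AS_POSTED), ("trimmed", TRIMMED)):
        for roles in ([], ["staff"], ["administrator"]):
            print(name, roles, "->", evaluate(policy, request(roles=roles)))
```

Running the file prints NotApplicable for all three subjects against the as-posted text and Deny/Deny/Permit against the trimmed text. The one line that matters for the bug is the comment in eval_match: string-equal compares the literal byte for byte, so a newline or trailing space inside <AttributeValue> silently turns a match into a No-match. A real PDP such as sunxacml has its own parsing rules, so treat this as an illustration of the spec semantics rather than a prediction of Fedora's exact behaviour.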
