Forget it, found the problem :)

On 04.08.2011 11:30, thio wrote:
> Had trailing whitespaces in it .. *sigh*
>
> So I'm further along now, but bumped into another problem. I have
> defined a rule with several allowed actions. One action is
> "urn:fedora:names:fedora:2.1:action:api-a" while the other actions are
> specific api-m methods. I assumed that specifying the first would allow
> the use of all api-a methods, but it seems I cannot.
>
> Now the question is: is there actually some error in the policy, or is
> my assessment of the api-a action attribute incorrect?
>
> On 08.07.2011 18:03, thio wrote:
>> I could access it being logged in as another user who has a group.
>> Tried to add MustBePresent="false", but that didn't change the outcome.
>>
>> On 08.07.2011 17:53, Benjamin Armintor wrote:
>>> Are the unexpected Permit results coming when a user is logged in, has
>>> a fedoraRole, but it is not "administrator"? Or is it that no one is
>>> logged in/the logged in user has no fedoraRole?
>>>
>>> If the latter, the first thing I would try is adding
>>> MustBePresent="false" to your subjectAttributeDesignator.  According
>>> to the spec:
>>> http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf
>>>
>>> it effectively defaults to "true", and returns an Indeterminate result
>>> in the event of a missing attribute.  Quoting from the rule evaluation
>>> spec:
>>> "If the target value is "No-match" or “Indeterminate” then the rule
>>> value SHALL be “NotApplicable” or “Indeterminate”, respectively,
>>> regardless of the value of the condition.  For these cases, therefore,
>>> the condition need not be evaluated."
>>>
>>> Since you have no condition, it may be applying that rule whenever the
>>> fedoraRole attribute is missing.
>>>
>>> On 7/8/11, thio <t...@uni-koblenz.de> wrote:
>>>> Hi!
>>>>
>>>> Recently I was asked to build Policies for Fedora Objects.
>>>>
>>>> I have looked at the policy writing guide, and so far doing it like THAT
>>>> works, but I find this style kind of convoluted.
>>>>
>>>> Since I only need simple rules I thought I could as well use the
>>>> "straightforward" way, which is closer to the data model I get.
>>>>
>>>> To give you an example, a policy that shuts everyone out but admins:
>>>>
>>>> _*-guide:*_
>>>> <Policy PolicyId="demo"
>>>> RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
>>>>       xmlns="urn:oasis:names:tc:xacml:1.0:policy"
>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>>>> <Target>
>>>> <Subjects>
>>>> <AnySubject/>
>>>> </Subjects>
>>>> <Resources>
>>>> <Resource>
>>>> <ResourceMatch
>>>> MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>> <AttributeValue
>>>> DataType="http://www.w3.org/2001/XMLSchema#string">changeme:10061</AttributeValue>
>>>> <ResourceAttributeDesignator
>>>> AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
>>>> DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>> </ResourceMatch>
>>>> </Resource>
>>>> </Resources>
>>>> <Actions>
>>>> <AnyAction/>
>>>> </Actions>
>>>> </Target>
>>>> <Rule Effect="Deny" RuleId="1">
>>>> <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
>>>> <Apply
>>>> FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
>>>> <SubjectAttributeDesignator AttributeId="fedoraRole"
>>>> DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
>>>> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
>>>> <AttributeValue
>>>> DataType="http://www.w3.org/2001/XMLSchema#string">administrator</AttributeValue>
>>>> </Apply>
>>>> </Apply>
>>>> </Condition>
>>>> </Rule>
>>>> <Rule Effect="Permit" RuleId="3"/>
>>>> </Policy>
>>>> _*-mine:*_
>>>> <Policy PolicyId="changeme:10061:DenyAllDefaultPolicy"
>>>> RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
>>>> <Target>
>>>> <Subjects>
>>>> <AnySubject />
>>>> </Subjects>
>>>> <Resources>
>>>> <Resource>
>>>> <ResourceMatch
>>>> MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>> <AttributeValue
>>>> DataType="http://www.w3.org/2001/XMLSchema#string">changeme:10059
>>>> </AttributeValue>
>>>> <ResourceAttributeDesignator
>>>> AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
>>>> DataType="http://www.w3.org/2001/XMLSchema#string" />
>>>> </ResourceMatch>
>>>> </Resource>
>>>> </Resources>
>>>> <Actions>
>>>> <AnyAction />
>>>> </Actions>
>>>> </Target>
>>>> <Rule RuleId="AdminRule" Effect="Permit">
>>>> <Target>
>>>> <Subjects>
>>>> <Subject>
>>>> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>> <AttributeValue
>>>> DataType="http://www.w3.org/2001/XMLSchema#string">administrator
>>>> </AttributeValue>
>>>> <SubjectAttributeDesignator
>>>> AttributeId="fedoraRole"
>>>> DataType="http://www.w3.org/2001/XMLSchema#string" />
>>>> </SubjectMatch>
>>>> </Subject>
>>>> </Subjects>
>>>> <Resources>
>>>> <AnyResource />
>>>> </Resources>
>>>> <Actions>
>>>> <AnyAction />
>>>> </Actions>
>>>> </Target>
>>>> </Rule>
>>>> <Rule RuleId="FinalRule" Effect="Deny">
>>>> </Rule>
>>>> </Policy>
>>>>
>>>> As far as I understood this SHOULD constitute the same behaviour, but my
>>>> policy doesn't shut anyone out. And I have no idea why not.
>>>>
>>>> greetings and thanks for any help,
>>>> Jessi
>>>>
>>> _______________________________________________
>>> Fedora-commons-users mailing list
>>> Fedora-commons-users@lists.sourceforge.net
>>> https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
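The two failure modes this thread walks through, a fedoraRole attribute absent from the request (the MustBePresent question) and a string literal that swallowed the line break before its closing tag so string-equal can never match, reproduced in an added Python example that is not part of the thread and not Fedora's XACML engine. The rule fragment is constructed to mirror the posted "mine" AdminRule, and the evaluator is a simplified model of XACML 2.0 target matching, not the Sun XACML implementation Fedora uses.

```python
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:xacml:1.0:policy"
XS = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"


def rule_xml(literal, designator_attrs=""):
    """Build a constructed Permit rule shaped like the posted AdminRule (not the thread's file)."""
    return f"""<Rule xmlns="{NS}" RuleId="AdminRule" Effect="Permit"><Target><Subjects><Subject>
<SubjectMatch MatchId="{STRING_EQUAL}">
<AttributeValue DataType="{XS}">{literal}</AttributeValue>
<SubjectAttributeDesignator AttributeId="fedoraRole" DataType="{XS}" {designator_attrs}/>
</SubjectMatch></Subject></Subjects></Target></Rule>"""


# The line break before </AttributeValue> becomes part of the literal, as in the posted policy.
BUGGY = rule_xml("administrator\n")
# Literal kept on one line; MustBePresent stated explicitly instead of left to the engine.
FIXED = rule_xml("administrator", 'MustBePresent="false"')


def lint_whitespace(policy_xml):
    """Return the text of every AttributeValue carrying leading or trailing whitespace."""
    root = ET.fromstring(policy_xml)
    return [el.text for el in root.iter(f"{{{NS}}}AttributeValue")
            if el.text is not None and el.text != el.text.strip()]


def evaluate_subject_match(policy_xml, subject_attrs):
    """Evaluate the rule's SubjectMatch against the request's subject attributes.

    Simplified XACML 2.0 semantics: the designator selects a bag of values and
    string-equal is tried against each; a missing attribute gives Indeterminate
    only when MustBePresent is true (absent attribute read as false, the schema default)."""
    root = ET.fromstring(policy_xml)
    match = root.find(f".//{{{NS}}}SubjectMatch")
    literal = match.find(f"{{{NS}}}AttributeValue").text or ""
    designator = match.find(f"{{{NS}}}SubjectAttributeDesignator")
    bag = subject_attrs.get(designator.get("AttributeId"), [])
    if not bag:
        must_be_present = designator.get("MustBePresent", "false") == "true"
        return "Indeterminate" if must_be_present else "No-match"
    return "Match" if literal in bag else "No-match"


if __name__ == "__main__":
    admin = {"fedoraRole": ["administrator"]}
    print("suspicious literals:", lint_whitespace(BUGGY))               # ['administrator\n']
    print("buggy rule, admin:", evaluate_subject_match(BUGGY, admin))   # No-match
    print("fixed rule, admin:", evaluate_subject_match(FIXED, admin))   # Match
    print("fixed rule, no role:", evaluate_subject_match(FIXED, {}))    # No-match
```

Running lint_whitespace over a whole policy file before deploying it catches the wrapped-literal problem without having to reason about the PDP's evaluation order.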


