The whitespace thing is very funny. That one boggled me for a while, 
because my editor would insert them automatically...

I have taken to using

<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-normalize-space">
  <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator
  </AttributeValue>
</Apply>

on every single constant string I use, to guard against this.

Regards


On 04/08/11 11:52, thio wrote:
> Forget it, found the problem :)
>
> On 04.08.2011 11:30, thio wrote:
>> Had trailing whitespaces in it .. *sigh*
>>
>> So I'm further along now, but bumped into another problem. I have
>> defined a rule with several allowed actions. One action is
>> "urn:fedora:names:fedora:2.1:action:api-a" while the other actions are
>> specific api-m methods. I assumed that specifying the first would allow
>> use of all api-a methods, but it seems I cannot.
>>
>> Now the question is: is there actually some error in the policy, or is
>> my assessment of the api-a action attribute incorrect?
>>
>> On 08.07.2011 18:03, thio wrote:
>>> I could access it being logged in as another user which has a group.
>>> Tried to add MustBePresent="false", but that didn't change the outcome.
>>>
>>> On 08.07.2011 17:53, Benjamin Armintor wrote:
>>>> Are the unexpected Permit results coming when a user is logged in, has
>>>> a fedoraRole, but it is not "administrator"? Or is it that no one is
>>>> logged in/the logged in user has no fedoraRole?
>>>>
>>>> If the latter, the first thing I would try is adding
>>>> MustBePresent="false" to your subjectAttributeDesignator.  According
>>>> to the spec:
>>>> http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf
>>>>
>>>> it effectively defaults to "true", and returns an Indeterminate result
>>>> in the event of a missing attribute.  Quoting from the rule evaluation
>>>> spec:
>>>> "If the target value is "No-match" or "Indeterminate" then the rule
>>>> value SHALL be "NotApplicable" or "Indeterminate", respectively,
>>>> regardless of the value of the condition.  For these cases, therefore,
>>>> the condition need not be evaluated."
>>>>
>>>> Since you have no condition, it may be applying that rule whenever the
>>>> fedoraRole attribute is missing.
>>>>
>>>> On 7/8/11, thio <t...@uni-koblenz.de> wrote:
>>>>> Hi!
>>>>>
>>>>> Recently I was asked to build Policies for Fedora Objects.
>>>>>
>>>>> I have looked at the policy writing guide, and so far doing it like THAT
>>>>> works, but I find this style kind of convoluted.
>>>>>
>>>>> Since I only need simple rules I thought I could as well use the
>>>>> "straightforward" way, which is closer to the datamodel I get.
>>>>>
>>>>> To give you an example, a policy that shuts everyone out but admins:
>>>>>
>>>>> guide:
>>>>> <Policy PolicyId="demo"
>>>>>     RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
>>>>>     xmlns="urn:oasis:names:tc:xacml:1.0:policy"
>>>>>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>>>>>   <Target>
>>>>>     <Subjects>
>>>>>       <AnySubject/>
>>>>>     </Subjects>
>>>>>     <Resources>
>>>>>       <Resource>
>>>>>         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>>>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">changeme:10061</AttributeValue>
>>>>>           <ResourceAttributeDesignator
>>>>>               AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
>>>>>               DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>>>         </ResourceMatch>
>>>>>       </Resource>
>>>>>     </Resources>
>>>>>     <Actions>
>>>>>       <AnyAction/>
>>>>>     </Actions>
>>>>>   </Target>
>>>>>   <Rule Effect="Deny" RuleId="1">
>>>>>     <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
>>>>>       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
>>>>>         <SubjectAttributeDesignator AttributeId="fedoraRole"
>>>>>             DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
>>>>>         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
>>>>>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator</AttributeValue>
>>>>>         </Apply>
>>>>>       </Apply>
>>>>>     </Condition>
>>>>>   </Rule>
>>>>>   <Rule Effect="Permit" RuleId="3"/>
>>>>> </Policy>
>>>>>
>>>>> mine:
>>>>> <Policy PolicyId="changeme:10061:DenyAllDefaultPolicy"
>>>>>     RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
>>>>>   <Target>
>>>>>     <Subjects>
>>>>>       <AnySubject />
>>>>>     </Subjects>
>>>>>     <Resources>
>>>>>       <Resource>
>>>>>         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>>>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">changeme:10059
>>>>>           </AttributeValue>
>>>>>           <ResourceAttributeDesignator
>>>>>               AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
>>>>>               DataType="http://www.w3.org/2001/XMLSchema#string" />
>>>>>         </ResourceMatch>
>>>>>       </Resource>
>>>>>     </Resources>
>>>>>     <Actions>
>>>>>       <AnyAction />
>>>>>     </Actions>
>>>>>   </Target>
>>>>>   <Rule RuleId="AdminRule" Effect="Permit">
>>>>>     <Target>
>>>>>       <Subjects>
>>>>>         <Subject>
>>>>>           <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator
>>>>>             </AttributeValue>
>>>>>             <SubjectAttributeDesignator AttributeId="fedoraRole"
>>>>>                 DataType="http://www.w3.org/2001/XMLSchema#string" />
>>>>>           </SubjectMatch>
>>>>>         </Subject>
>>>>>       </Subjects>
>>>>>       <Resources>
>>>>>         <AnyResource />
>>>>>       </Resources>
>>>>>       <Actions>
>>>>>         <AnyAction />
>>>>>       </Actions>
>>>>>     </Target>
>>>>>   </Rule>
>>>>>   <Rule RuleId="FinalRule" Effect="Deny" />
>>>>> </Policy>
>>>>>
>>>>> As far as I understood this SHOULD constitute the same behaviour, but my
>>>>> policy doesn't shut anyone out. And I have no idea why not.
>>>>>
>>>>> greetings and thanks for any help,
>>>>> Jessi
>>>>>
>>>> ------------------------------------------------------------------------------
>>>> All of the data generated in your IT infrastructure is seriously valuable.
>>>> Why? It contains a definitive record of application performance, security
>>>> threats, fraudulent activity, and more. Splunk takes this data and makes
>>>> sense of it. IT sense. And common sense.
>>>> http://p.sf.net/sfu/splunk-d2d-c2
>>>> _______________________________________________
>>>> Fedora-commons-users mailing list
>>>> Fedora-commons-users@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
>>
>> ------------------------------------------------------------------------------
>> BlackBerry&reg; DevCon Americas, Oct. 18-20, San Francisco, CA
>> The must-attend event for mobile developers. Connect with experts.
>> Get tools for creating Super Apps. See the latest technologies.
>> Sessions, hands-on labs, demos&   much more. Register early&   save!
>> http://p.sf.net/sfu/rim-blackberry-1
>> _______________________________________________
>> Fedora-commons-users mailing list
>> Fedora-commons-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
>
>


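The two pitfalls in this thread, whitespace inside <AttributeValue> literals (string-equal compares them verbatim, and normalize-space is the workaround given at the top) and designators that leave MustBePresent at its default, are both mechanical enough to check before a policy is loaded. The script below is an added example, not code from Fedora or from any XACML PDP: it lints a policy for both problems and evaluates the policy-level ResourceMatch the way an exact string-equal would, with and without string-normalize-space applied. It assumes the XACML 1.0 policy namespace used in the posted policies; SAMPLE_POLICY is a constructed, cut-down copy of the "mine" policy that reproduces its whitespace and MustBePresent defects.

```python
"""Lint an XACML 1.0 policy for whitespace inside AttributeValue literals and
designators with MustBePresent unset, then show why the whitespace matters.
Added example, not Fedora or PDP code. SAMPLE_POLICY is constructed."""
import xml.etree.ElementTree as ET

POLICY_NS = "urn:oasis:names:tc:xacml:1.0:policy"
XML_WS = " \t\r\n"   # XML whitespace; also what string-normalize-space trims


def q(local_name):
    """Qualify a local tag name with the XACML policy namespace."""
    return "{%s}%s" % (POLICY_NS, local_name)


# Constructed: the "mine" policy from the thread, trimmed, with the line
# breaks inside the two AttributeValue elements left exactly as posted.
SAMPLE_POLICY = """<Policy xmlns="%s" PolicyId="changeme:10061:DenyAllDefaultPolicy"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target>
    <Subjects><AnySubject/></Subjects>
    <Resources><Resource>
      <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">changeme:10059
        </AttributeValue>
        <ResourceAttributeDesignator
            AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </ResourceMatch>
    </Resource></Resources>
    <Actions><AnyAction/></Actions>
  </Target>
  <Rule RuleId="AdminRule" Effect="Permit">
    <Target>
      <Subjects><Subject>
        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator
          </AttributeValue>
          <SubjectAttributeDesignator AttributeId="fedoraRole"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </SubjectMatch>
      </Subject></Subjects>
      <Resources><AnyResource/></Resources>
      <Actions><AnyAction/></Actions>
    </Target>
  </Rule>
  <Rule RuleId="FinalRule" Effect="Deny"/>
</Policy>
""" % POLICY_NS


def normalize_space(s):
    """XACML string-normalize-space: drop leading and trailing whitespace."""
    return s.strip(XML_WS)


def whitespace_literals(policy_xml):
    """(enclosing element, raw text) for every AttributeValue whose text
    carries leading or trailing whitespace. string-equal would never match it."""
    root = ET.fromstring(policy_xml)
    found = []
    for parent in root.iter():
        for child in parent:
            if child.tag == q("AttributeValue"):
                text = child.text or ""
                if text != normalize_space(text):
                    found.append((parent.tag.split("}")[-1], text))
    return found


def designators_without_must_be_present(policy_xml):
    """AttributeIds of *AttributeDesignator elements that leave MustBePresent
    unset (default "true": a missing attribute yields Indeterminate)."""
    root = ET.fromstring(policy_xml)
    return [el.get("AttributeId") for el in root.iter()
            if el.tag.endswith("AttributeDesignator") and "MustBePresent" not in el.attrib]


def policy_target_matches_pid(policy_xml, pid, normalize=False):
    """Evaluate the policy-level ResourceMatch (string-equal on the object pid)
    verbatim, or with string-normalize-space applied to the literal first."""
    root = ET.fromstring(policy_xml)
    for match in root.find(q("Target")).iter(q("ResourceMatch")):
        literal = match.find(q("AttributeValue")).text or ""
        if normalize:
            literal = normalize_space(literal)
        if literal != pid:   # string-equal is an exact comparison
            return False
    return True


if __name__ == "__main__":
    for where, text in whitespace_literals(SAMPLE_POLICY):
        print("whitespace in AttributeValue under %s: %r" % (where, text))
    for attr_id in designators_without_must_be_present(SAMPLE_POLICY):
        print("MustBePresent not set on designator for %s" % attr_id)
    print("applies to changeme:10059 verbatim:",
          policy_target_matches_pid(SAMPLE_POLICY, "changeme:10059"))
    print("applies after string-normalize-space:",
          policy_target_matches_pid(SAMPLE_POLICY, "changeme:10059", normalize=True))
```

Run against the sample, the linter reports both literals and both designators, and the target evaluation shows the practical consequence: the policy does not apply to changeme:10059 at all when the literal is compared verbatim, so no rule inside it is ever reached, whereas the same literal passed through string-normalize-space matches. Running this over a policy directory before loading it into Fedora catches the editor-inserted whitespace without waiting for an unexpected Permit.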
