Another option would be to remove only the specific policy 
("deny-apim-if-not-localhost.xml"). The effect of this would be to permit 
(other conditions being favorable) API-M from any host. The advantage is if you 
have several machines from which you expect to administer this repository-- you 
needn't create and maintain a policy containing identities for all of them. The 
disadvantage is that you've opened your repository up considerably, although 
not nearly as much as by turning off all policy enforcement.

There are variations on this theme, such as allowing API-M access only from 
certain ranges of IP or the like. XACML is wonderfully (and sometimes 
forbiddingly) flexible.

---
A. Soroka
Online Library Environment
the University of Virginia Library
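
The narrower variation mentioned above (keep the deny rule, but widen it from localhost to a short list of admin hosts), as an added example that is not part of the original message and not a policy shipped with Fedora. The PolicyId and the 192.0.2.x addresses are constructed placeholders; the attribute URNs are assumed to match those in your installed copy of deny-apim-if-not-localhost.xml, so check them against that file before using this in its place.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: PolicyId and the 192.0.2.x addresses are placeholders. -->
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        PolicyId="deny-apim-if-not-admin-host"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Description>Deny any API-M request whose client IP is not an approved admin host</Description>
  <Target>
    <Subjects><AnySubject/></Subjects>
    <Resources><AnyResource/></Resources>
    <Actions>
      <Action>
        <!-- Scope: API-M requests only; API-A is left to the other policies. -->
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:api-m</AttributeValue>
          <ActionAttributeDesignator
              AttributeId="urn:fedora:names:fedora:2.1:action:api"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ActionMatch>
      </Action>
    </Actions>
  </Target>
  <Rule RuleId="1" Effect="Deny">
    <!-- Deny unless the client address appears in the bag below. -->
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <EnvironmentAttributeDesignator
            AttributeId="urn:fedora:names:fedora:2.1:environment:httpRequest:clientIpAddress"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">127.0.0.1</AttributeValue>
          <!-- Placeholder admin workstations; replace with your own. -->
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">192.0.2.10</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">192.0.2.11</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>
```

The comparison is an exact string match, so each permitted address needs its own entry. If Tomcat sits behind a reverse proxy, the address the policy sees is the proxy's, not the administrator's.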




On Nov 9, 2011, at 2:33 PM, Scott Prater wrote:

> More than likely, you're being blocked by the default policies, which 
> only allow certain API-M functions to the admin via localhost.
> 
> This page should be able to help you out:
> 
> https://wiki.duraspace.org/display/FEDORA34/XACML+Policy+Enforcement#XACMLPolicyEnforcement-DEFAULTPOLICIES
> 
> You'll need to either turn off policy enforcement in fedora.fcfg, or put 
> a policy in place that allows API-M access via your host.
> 
> -- Scott
> 
> On 11/09/2011 12:56 PM, Mark Jordan wrote:
>> Hello,
>> 
>> I am setting up a new install of Fedora Repository 3.4.2 (as required by 
>> Islandora) and cannot ingest objects directly into FR. I have verified that 
>> the fedoraAdmin credentials I am using when I try to ingest the demo objects 
>> using the CLI and objects using the web administrator are correct, as per 
>> fedora-users.xml. I can also connect to the mysql database successfully. I 
>> include my install.properties at the end of this message (fesl off, xacml 
>> on). I am not using localhost as the fedora.serverHost, I am using the 
>> public hostname for my test server (represented below as myhost.tld).
>> 
>> Here's what happens:
>> 
>> 1) When I try to ingest the demo objects using the following:
>> 
>> sudo -i /usr/local/fedora/client/bin/fedora-ingest-demos.sh myhost.tld 8080 
>> fedoraAdmin xxxxxx http
>> 
>> I am told "WARNING: 41 of 41 objects failed. Check log.", which contains 41 
>> errors like this:
>> 
>>  <failed 
>> file="/usr/local/fedora/client/demo/foxml/local-server-demos/document-transform-demo/demo_XML_TO_HTMLDOC.xml">
>>     org.fcrepo.server.errors.authorization.AuthzDeniedException:
>>   </failed>
>> 
>> 2) When I go to http://myhost.tld:8080/fedora, I am asked to authenticate 
>> using HTTP basic from tomcat. I can do so using the fedoraAdmin credentials. 
>> When I then go to http://myhost.tld:8080/fedora/admin, I see the Connect to 
>> Repository dialog and can click through. I can search, but when I try to 
>> ingest an object, I get a 401 error.
>> 
>> Anybody got any suggestions as to why fedoraAdmin is not able to 
>> authenticate?
>> 
>> TIA,
>> 
>> Mark
>> 
>> #Install Options
>> #Tue Nov 08 19:59:40 PST 2011
>> ri.enabled=true
>> messaging.enabled=false
>> apia.auth.required=false
>> database.jdbcDriverClass=com.mysql.jdbc.Driver
>> ssl.available=false
>> database.jdbcURL=jdbc\:mysql\://localhost/fedora3?useUnicode\=true&amp;characterEncoding\=UTF-8&amp;autoReconnect\=true
>> database.password=XXXXX
>> database.mysql.driver=included
>> database.username=fedoraAdmin
>> fesl.authz.enabled=false
>> tomcat.shutdown.port=8005
>> deploy.local.services=true
>> xacml.enabled=true
>> database.mysql.jdbcDriverClass=com.mysql.jdbc.Driver
>> tomcat.http.port=8080
>> fedora.serverHost=myhost.tld
>> database=mysql
>> database.driver=included
>> fedora.serverContext=fedora
>> llstore.type=akubra-fs
>> tomcat.home=/usr/local/fedora/tomcat
>> fesl.authn.enabled=false
>> fedora.home=/usr/local/fedora
>> database.mysql.jdbcURL=jdbc\:mysql\://localhost/fedora3?useUnicode\=true&amp;characterEncoding\=UTF-8&amp;autoReconnect\=true
>> install.type=custom
>> servlet.engine=included
>> fedora.admin.pass=XXXXX
>> 
>> ------------------------------------------------------------------------------
>> RSA(R) Conference 2012
>> Save $700 by Nov 18
>> Register now
>> http://p.sf.net/sfu/rsa-sfdev2dev1
>> _______________________________________________
>> Fedora-commons-users mailing list
>> Fedora-commons-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
> 
> 
> -- 
> Scott Prater
> Library, Instructional, and Research Applications (LIRA)
> Division of Information Technology (DoIT)
> University of Wisconsin - Madison
> pra...@wisc.edu
> 

