I'm trying to restrict OAI access to certain objects using the policy below 
(stored as a referenced datastream). It has the intended effect re API-A, but 
is permitting OAI requests.

(As in, 
...fedora/oai?verb=GetRecord&identifier=oai:example.org:1711.dl:XTA6NVZWV6UTA8K&metadataPrefix=oai_dc)

Thinking the default oai policy may be overriding the object's policy, I've 
tried both removing the default policy and editing it in place so that the Rule 
Effect attribute is set to "Deny." No difference.

$FEDORA_HOME/server/fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/permit-oai-unrestricted.xml

Each time I restarted fedora and even reloaded policies for good measure. Am I 
missing something obvious? Thanks for any perspective.
-Brian


<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" PolicyId="PolicyEmbargo"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Description>Policy for embargoed objects.</Description>
  <Target>
    <Subjects>
      <AnySubject></AnySubject>
    </Subjects>
    <Resources>
      <AnyResource></AnyResource>
    </Resources>
    <Actions>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-oai</AttributeValue>
          <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id"
                                     DataType="http://www.w3.org/2001/XMLSchema#string"></ActionAttributeDesignator>
        </ActionMatch>
      </Action>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:api-a</AttributeValue>
          <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:api"
                                     DataType="http://www.w3.org/2001/XMLSchema#string"></ActionAttributeDesignator>
        </ActionMatch>
      </Action>
    </Actions>
  </Target>
  <Rule Effect="Deny" RuleId="1">
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <SubjectAttributeDesignator AttributeId="fedoraRole"
                                    DataType="http://www.w3.org/2001/XMLSchema#string"
                                    MustBePresent="false"></SubjectAttributeDesignator>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">pooh-bah</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">honcho</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>


--------------------------------------------------
Brian Sheppard
University of Wisconsin Digital Collections Center
bshepp...@library.wisc.edu    (608) 262-3349




_______________________________________________
Fedora-commons-users mailing list
Fedora-commons-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
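
Added example, not part of the original post and not Fedora code: a small offline evaluator for the policy above, useful for separating "the policy logic is wrong" from "the request never carried the attributes the Target matches on". It models only standard XACML target and condition semantics for this one policy shape; the request attribute dictionaries passed to `evaluate` are constructed, and which action attributes Fedora actually supplies for an OAI request is an open assumption the post does not settle.

```python
"""Evaluate the posted PolicyEmbargo against constructed requests (added example)."""
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:1.0:"
NS = {"x": XACML + "policy"}
FN = XACML + "function:"
STR = "http://www.w3.org/2001/XMLSchema#string"
ACT = "urn:fedora:names:fedora:2.1:action:"   # prefix used by the posted policy

def _match(attr_id, value):
    return (f'<Action><ActionMatch MatchId="{FN}string-equal">'
            f'<AttributeValue DataType="{STR}">{value}</AttributeValue>'
            f'<ActionAttributeDesignator AttributeId="{attr_id}" DataType="{STR}"/>'
            f'</ActionMatch></Action>')

# Compact re-typing of the policy from the post (same targets, rule and roles).
POLICY = f'''<Policy xmlns="{XACML}policy" PolicyId="PolicyEmbargo"
 RuleCombiningAlgId="{XACML}rule-combining-algorithm:first-applicable">
 <Target><Subjects><AnySubject/></Subjects><Resources><AnyResource/></Resources>
  <Actions>{_match(ACT + "id", ACT + "id-oai")}{_match(ACT + "api", ACT + "api-a")}</Actions>
 </Target>
 <Rule Effect="Deny" RuleId="1"><Condition FunctionId="{FN}not">
  <Apply FunctionId="{FN}string-at-least-one-member-of">
   <SubjectAttributeDesignator AttributeId="fedoraRole" DataType="{STR}" MustBePresent="false"/>
   <Apply FunctionId="{FN}string-bag">
    <AttributeValue DataType="{STR}">pooh-bah</AttributeValue>
    <AttributeValue DataType="{STR}">honcho</AttributeValue>
   </Apply></Apply></Condition></Rule></Policy>'''

def target_matches(policy, action_attrs):
    """<Action> elements are OR-ed; the <ActionMatch> children of one are AND-ed."""
    for action in policy.findall("x:Target/x:Actions/x:Action", NS):
        if all(m.find("x:AttributeValue", NS).text in action_attrs.get(
                   m.find("x:ActionAttributeDesignator", NS).get("AttributeId"), ())
               for m in action.findall("x:ActionMatch", NS)):
            return True
    return False

def evaluate(policy_xml, action_attrs, roles):
    """Decision for this policy shape only: one Deny rule, not(at-least-one-member-of)."""
    policy = ET.fromstring(policy_xml)
    if not target_matches(policy, action_attrs):
        return "NotApplicable"   # the policy says nothing; another policy decides
    bag = policy.find("x:Rule/x:Condition/x:Apply/x:Apply", NS)
    allowed = {v.text for v in bag.findall("x:AttributeValue", NS)}
    rule = policy.find("x:Rule", NS)
    # An absent fedoraRole is an empty bag (MustBePresent="false"), so not(...) is true.
    return rule.get("Effect") if not (set(roles) & allowed) else "NotApplicable"
```

A `NotApplicable` result for a request that lacks the matched action attribute means this policy neither permits nor denies it, so the decision falls to whatever other policies apply.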
