If that policy (or something close to it) works, then I think your problem was that the datastream id attribute wasn't marked as optional in your Targets, which would mean that requests that didn't include that attribute would get an indeterminate result from this policy, which (by default) is considered a denial.
- Ben

On Tue, Jul 3, 2012 at 10:33 AM, Benjamin Armintor <armin...@gmail.com> wrote:
> Carlos:
>
> I just noticed that your Rules have Targets instead of Conditions and
> Applys. Could you try re-writing them so that it's more like this:
>
> <Policy PolicyId="pid"
>     RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
>     xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
>     xmlns:schemaLocation="http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd"
>     xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>   <Description>FESLPOLICY for empid:1001</Description>
>   <!-- This policy applies to the resource empid:1001 -->
>   <Target>
>     <Resources>
>       <Resource>
>         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">empid:1001</AttributeValue>
>           <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
>               DataType="http://www.w3.org/2001/XMLSchema#string"/>
>         </ResourceMatch>
>       </Resource>
>     </Resources>
>   </Target>
>
>   <!-- The object is visible to any subject -->
>   <Rule Effect="Permit" RuleId="public-object">
>     <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
>       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">empid:1001</AttributeValue>
>         <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
>             DataType="http://www.w3.org/2001/XMLSchema#string"/>
>       </Apply>
>       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
>         <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id"
>             DataType="http://www.w3.org/2001/XMLSchema#string"/>
>       </Apply>
>     </Condition>
>   </Rule>
>
>   <!-- The meta datastreams are public -->
>   <Rule Effect="Permit" RuleId="public-meta">
>     <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
>       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
>         <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:id"
>             DataType="http://www.w3.org/2001/XMLSchema#string"/>
>         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">EM</AttributeValue>
>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DC</AttributeValue>
>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Request</AttributeValue>
>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">RELS-EXT</AttributeValue>
>         </Apply>
>       </Apply>
>       <!-- an Apply takes FunctionId, not MatchId -->
>       <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">readds</AttributeValue>
>         <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id"
>             DataType="http://www.w3.org/2001/XMLSchema#string"/>
>       </Apply>
>     </Condition>
>   </Rule>
>   <!-- Deny everything else -->
>   <Rule Effect="Deny" RuleId="3"/>
> </Policy>
>
> On Tue, Jul 3, 2012 at 10:14 AM, Carlos Santos <csan...@lasige.di.fc.ul.pt> wrote:
>> FYI I'm using Fedora 3.4
>>
>> 2012/7/3 Carlos Santos <csan...@lasige.di.fc.ul.pt>
>>>
>>> 2012/7/2 Benjamin Armintor <armin...@gmail.com>
>>>>
>>>> João-
>>>> I hadn't even thought about the FESL action mapping, that's a great
>>>> point. You would have had to customize the mapping to get a value of
>>>> "readds", though.
>>>>
>>>> I don't think the third rule should be a problem: The rule combining
>>>> algorithm for the policy should mean that a match against the
>>>> "public-meta" rule takes precedence over the subsequent rule "3". The
>>>> "deny takes precedence" configuration has to do with multiple policy
>>>> responses, not multiple rules within a policy.
>>>>
>>>> - Ben
>>>>
>>>> On Mon, Jul 2, 2012 at 12:52 PM, João Miguel Quintino de Morais Zamite
>>>> <zam...@xldb.di.fc.ul.pt> wrote:
>>>> > Hi Carlos,
>>>> >
>>>> > There's action mapping in fedora in the config file
>>>> > config-melcoe-pep-mapping.xml so the action might not be your issue.
>>>> >
>>>> > It could be the case that you end the rule by using a "Deny" that
>>>> > applies to everything and if you have "Deny Takes Precedence" you
>>>> > might be overriding all the permit rules.
>>>> >
>>>> > Best,
>>>> > João Zamite
>>>> >
>>>> > Quoting Benjamin Armintor <armin...@gmail.com>:
>>>> >
>>>> >> Carlos:
>>>> >> I think your action id value (readds) looks suspicious: The action
>>>> >> id is going to be something like
>>>> >> "urn:fedora:names:fedora:2.1:action:id-getDatastreamDissemination" if
>>>> >> you're fetching the datastream content.
>>>
>>> @Benjamin The action isn't the problem because we defined action-mapping
>>> and it works well when in separate policy objects. It only fails when I put
>>> all these rules together in the same policy object.
>>>>
>>>> >>
>>>> >> Also, and this is just a matter of aesthetics: You don't need to
>>>> >> reproduce the attribute matches from the policy target in each rule,
>>>> >> so you could remove the later references to the object's pid. You
>>>> >> might also consider using a string bag for all those datastream ids
>>>> >> rather than separate matches: There's an example of this in the
>>>> >> default policies ('deny-apim-if-not-localhost.xml').
>>>
>>> @Benjamin So, I removed the repeated resource references to empid:1001,
>>> but still I have the same problem.
>>>>
>>>> >>
>>>> >> regards,
>>>> >> Ben
>>>> >>
>>>> >> On Mon, Jul 2, 2012 at 11:53 AM, Carlos Santos
>>>> >> <csan...@lasige.di.fc.ul.pt> wrote:
>>>> >>> Greetings,
>>>> >>>
>>>> >>> I am trying to define multiple rules in a FESLPOLICY datastream but
>>>> >>> it isn't working (the policies aren't applied). The following is the
>>>> >>> content of the policy ds:
>>>> >>>
>>>> >>>> <Policy PolicyId="pid"
>>>> >>>>     RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
>>>> >>>>     xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
>>>> >>>>     xmlns:schemaLocation="http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd"
>>>> >>>>     xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
>>>> >>>>     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
>>>> >>>>   <Description>FESLPOLICY for empid:1001</Description>
>>>> >>>>   <!-- This policy applies to the resource empid:1001 -->
>>>> >>>>   <Target>
>>>> >>>>     <Resources>
>>>> >>>>       <Resource>
>>>> >>>>         <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>> >>>>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">empid:1001</AttributeValue>
>>>> >>>>           <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
>>>> >>>>               DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>> >>>>         </ResourceMatch>
>>>> >>>>       </Resource>
>>>> >>>>     </Resources>
>>>> >>>>   </Target>
>>>> >>>>
>>>> >>>>   <!-- The object is visible to any subject -->
>>>> >>>>   <Rule Effect="Permit" RuleId="public-object">
>>>> >>>>     <Target>
>>>> >>>>       <Resources>
>>>> >>>>         <Resource>
>>>> >>>>           <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>> >>>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">empid:1001</AttributeValue>
>>>> >>>>             <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
>>>> >>>>                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>> >>>>           </ResourceMatch>
>>>> >>>>         </Resource>
>>>> >>>>       </Resources>
>>>> >>>>       <Actions>
>>>> >>>>         <Action>
>>>> >>>>           <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>> >>>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
>>>> >>>>             <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id"
>>>> >>>>                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>> >>>>           </ActionMatch>
>>>> >>>>         </Action>
>>>> >>>>       </Actions>
>>>> >>>>     </Target>
>>>> >>>>   </Rule>
>>>> >>>>
>>>> >>>>   <!-- The meta datastreams are public -->
>>>> >>>>   <Rule Effect="Permit" RuleId="public-meta">
>>>> >>>>     <Target>
>>>> >>>>       <Resources>
>>>> >>>>         <Resource>
>>>> >>>>           <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>> >>>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">empid:1001</AttributeValue>
>>>> >>>>             <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
>>>> >>>>                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>> >>>>           </ResourceMatch>
>>>> >>>>           <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>> >>>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">EM</AttributeValue>
>>>> >>>>             <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:id"
>>>> >>>>                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>> >>>>           </ResourceMatch>
>>>> >>>>         </Resource>
>>>> >>>>         <Resource>
>>>> >>>>           <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>> >>>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">empid:1001</AttributeValue>
>>>> >>>>             <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
>>>> >>>>                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>> >>>>           </ResourceMatch>
>>>> >>>>           <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>> >>>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DC</AttributeValue>
>>>> >>>>             <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:id"
>>>> >>>>                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>> >>>>           </ResourceMatch>
>>>> >>>>         </Resource>
>>>> >>>>         <Resource>
>>>> >>>>           <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>> >>>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">empid:1001</AttributeValue>
>>>> >>>>             <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
>>>> >>>>                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>> >>>>           </ResourceMatch>
>>>> >>>>           <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>> >>>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Request</AttributeValue>
>>>> >>>>             <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:id"
>>>> >>>>                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>> >>>>           </ResourceMatch>
>>>> >>>>         </Resource>
>>>> >>>>         <Resource>
>>>> >>>>           <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>> >>>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">empid:1001</AttributeValue>
>>>> >>>>             <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
>>>> >>>>                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>> >>>>           </ResourceMatch>
>>>> >>>>           <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>> >>>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">RELS-EXT</AttributeValue>
>>>> >>>>             <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:id"
>>>> >>>>                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>> >>>>           </ResourceMatch>
>>>> >>>>         </Resource>
>>>> >>>>       </Resources>
>>>> >>>>       <Actions>
>>>> >>>>         <Action>
>>>> >>>>           <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>> >>>>             <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">readds</AttributeValue>
>>>> >>>>             <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id"
>>>> >>>>                 DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>> >>>>           </ActionMatch>
>>>> >>>>         </Action>
>>>> >>>>       </Actions>
>>>> >>>>     </Target>
>>>> >>>>   </Rule>
>>>> >>>>   <!-- Deny everything else -->
>>>> >>>>   <Rule Effect="Deny" RuleId="3"/>
>>>> >>>> </Policy>
>>>> >>>
>>>> >>> If anyone finds the problem I would be very grateful.
>>>> >>>
>>>> >>> --
>>>> >>> regards,
>>>> >>> Carlos Santos @ LaSIGE
>>>
>>> --
>>> regards,
>>> Carlos Santos @ LaSIGE
>>
>> --
>> regards,
>> Carlos Santos @ LaSIGE

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Fedora-commons-users mailing list
Fedora-commons-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fedora-commons-users