Hello,

I am trying to implement a repository-wide policy that allows access to certain 
functions within API-A, but I am not having luck targeting the 
urn:fedora:names:fedora:2.1:action:id designator. Here is my full FESLPOLICY 
datastream:

<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
                            http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-policy-schema-os.xsd
                            urn:oasis:names:tc:xacml:2.0:context:schema:os
                            http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd"
        PolicyId="permit-select-API-A-METHODS-to-all"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Description>A Policy that grants read access to select API-A-METHODS to all</Description>

  <!-- Target: the policy applies when the request's action:id attribute
       string-equals the listDatastreams action id -->
  <Target>
    <Actions>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-listDatastreams</AttributeValue>
          <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id"
                                     DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ActionMatch>
      </Action>
    </Actions>
  </Target>

  <!-- Rule has no Target or Condition of its own, so any request that
       matches the Policy Target is permitted -->
  <Rule Effect="Permit" RuleId="allow_select_apia_functions"/>

</Policy>

Here is the log when attempting to access the listDatastreams function with the 
action:id-listDatastreams present in the FESLPOLICY. (Note that it doesn't 
match the policy "permit-select-API-A-METHODS-to-all".)

DEBUG 2012-10-04 10:27:05.157 [http-8088-2] (PolicyManager) Obtained policies: 9
DEBUG 2012-10-04 10:27:05.159 [http-8088-2] (PolicyManager) Matched policy: 
demo-system:FESLPOLOCY-permit-apia-to-localhost
DEBUG 2012-10-04 10:27:05.160 [http-8088-2] (PolicyManager) Matched policies 
and created abstract policy.
DEBUG 2012-10-04 10:27:05.160 [http-8088-2] (MelcoePDPImpl) response is: 
<Response>
  <Result ResourceId="/demo:1">
    <Decision>NotApplicable</Decision>
    <Status>
      <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
    </Status>
  </Result>
</Response>

If I change the ActionAttributeDesignator to 
urn:fedora:names:fedora:2.1:action:api, specifying api-a as a value, it works. 
(Note that it does now match the policy "permit-select-API-A-METHODS-to-all".)

DEBUG 2012-10-04 10:28:08.163 [http-8088-3] (PolicyManager) Obtained policies: 9
DEBUG 2012-10-04 10:28:08.164 [http-8088-3] (PolicyManager) Matched policy: 
demo-system:FESLPOLOCY-permit-apia-to-localhost
DEBUG 2012-10-04 10:28:08.165 [http-8088-3] (PolicyManager) Matched policy: 
demo-system:FESLPOLOCY-permit-select-API-A-METHODS-to-all
DEBUG 2012-10-04 10:28:08.165 [http-8088-3] (PolicyManager) Matched policies 
and created abstract policy.
INFO 2012-10-04 10:28:08.165 [http-8088-3] 
(HierarchicalLowestChildPermitOverridesPolicyAlg) Combining using: 
urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:hierarchical-lowest-child-permit-overrides
DEBUG 2012-10-04 10:28:08.165 [http-8088-3] 
(HierarchicalLowestChildPermitOverridesPolicyAlg) Length: null 0
DEBUG 2012-10-04 10:28:08.165 [http-8088-3] 
(HierarchicalLowestChildPermitOverridesPolicyAlg) Length: null 0
DEBUG 2012-10-04 10:28:08.165 [http-8088-3] 
(HierarchicalLowestChildPermitOverridesPolicyAlg) Applicable policies:
DEBUG 2012-10-04 10:28:08.165 [http-8088-3] 
(HierarchicalLowestChildPermitOverridesPolicyAlg)   permit-apia-to-localhost
DEBUG 2012-10-04 10:28:08.165 [http-8088-3] 
(HierarchicalLowestChildPermitOverridesPolicyAlg)   
permit-select-API-A-METHODS-to-all
DEBUG 2012-10-04 10:28:08.165 [http-8088-3] (MelcoePDPImpl) response is: 
<Response>
  <Result ResourceId="/demo:1">
    <Decision>Permit</Decision>
    <Status>
      <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
    </Status>
  </Result>
</Response>

Thanks in advance...

David Lacy
Falvey Library Technology Services
Villanova University
library.villanova.edu
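
The following is an added example, not code from the post above and not part of FeSL or Fedora. It is a minimal XACML 2.0 Target evaluator in Python that lets you check, offline, whether a policy like the one posted would match a request with given action attributes: Target sections are a disjunction of Subject/Resource/Action/Environment elements, each a conjunction of *Match elements; only the string-equal MatchId and Rules without Conditions are modelled, combined first-applicable. The request attribute bags (the action:id and action:api values) are constructed for illustration, and the api-a value is an assumption. It does not model FeSL's PolicyManager, which in the log above selects candidate policies from its own index before the PDP sees them, so a policy that this script says matches can still be left out by that index.

```python
"""Minimal XACML 2.0 Target evaluator (added example; not FeSL's own code).

Models only what the posted policy needs:
  - <Target> sections (Subjects/Resources/Actions/Environments), each a
    disjunction of items; each item a conjunction of *Match elements
  - MatchId urn:oasis:names:tc:xacml:1.0:function:string-equal
  - first-applicable over Rules that have no Condition
A request is a dict {AttributeId: set(values)} (attribute bags).
"""
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"

# Target section -> (per-item element, match element)
SECTIONS = {
    "Subjects": ("Subject", "SubjectMatch"),
    "Resources": ("Resource", "ResourceMatch"),
    "Actions": ("Action", "ActionMatch"),
    "Environments": ("Environment", "EnvironmentMatch"),
}


def q(tag):
    """Qualify a local name with the XACML 2.0 policy namespace."""
    return "{%s}%s" % (XACML, tag)


def match_holds(match, request):
    """Evaluate one *Match element: string-equal is true if any value in the
    designated attribute's bag equals the literal (exact, case-sensitive)."""
    if match.get("MatchId") != STRING_EQUAL:
        raise NotImplementedError("only string-equal is modelled: %s" % match.get("MatchId"))
    literal = match.find(q("AttributeValue")).text.strip()
    designator = next(c for c in match if c.tag.endswith("AttributeDesignator"))
    bag = request.get(designator.get("AttributeId"), set())
    return literal in bag


def target_matches(element, request):
    """True if the <Target> of a Policy or Rule matches the request.
    A missing Target, or a missing section, matches anything."""
    target = element.find(q("Target"))
    if target is None:
        return True
    for section, (item, match_tag) in SECTIONS.items():
        sec = target.find(q(section))
        if sec is None:
            continue
        items = sec.findall(q(item))
        # any item (disjunction) whose matches all hold (conjunction)
        if not any(all(match_holds(m, request) for m in it.findall(q(match_tag)))
                   for it in items):
            return False
    return True


def evaluate(policy_xml, request):
    """Return 'Permit', 'Deny' or 'NotApplicable' for one policy."""
    policy = ET.fromstring(policy_xml)
    if not target_matches(policy, request):
        return "NotApplicable"
    for rule in policy.findall(q("Rule")):  # first-applicable
        if rule.find(q("Condition")) is not None:
            raise NotImplementedError("Rule Conditions are not modelled")
        if target_matches(rule, request):
            return rule.get("Effect")
    return "NotApplicable"


# The posted policy, minus the xsi:schemaLocation attribute.
POLICY = """<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        PolicyId="permit-select-API-A-METHODS-to-all"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target>
    <Actions>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-listDatastreams</AttributeValue>
          <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id"
                                     DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ActionMatch>
      </Action>
    </Actions>
  </Target>
  <Rule Effect="Permit" RuleId="allow_select_apia_functions"/>
</Policy>"""

ACTION_ID = "urn:fedora:names:fedora:2.1:action:id"
ACTION_API = "urn:fedora:names:fedora:2.1:action:api"
LIST_DS = "urn:fedora:names:fedora:2.1:action:id-listDatastreams"

# Constructed requests (assumed attribute bags, not captured from a real PDP).
REQUEST_WITH_ACTION_ID = {ACTION_ID: {LIST_DS},
                          ACTION_API: {"urn:fedora:names:fedora:2.1:action:api-a"}}
REQUEST_WITHOUT_ACTION_ID = {ACTION_API: {"urn:fedora:names:fedora:2.1:action:api-a"}}
REQUEST_WRONG_CASE = {ACTION_ID: {LIST_DS.lower()}}  # string-equal is case-sensitive

if __name__ == "__main__":
    for name, req in [("with action:id", REQUEST_WITH_ACTION_ID),
                      ("without action:id", REQUEST_WITHOUT_ACTION_ID),
                      ("wrong case", REQUEST_WRONG_CASE)]:
        print("%-18s -> %s" % (name, evaluate(POLICY, req)))
```

Paste your own FESLPOLICY into POLICY and the attribute values you believe the request carries into the dicts; if the script returns Permit but the PDP log still shows NotApplicable, the Target itself is fine and the difference lies in what attributes the PEP actually supplied or in how FeSL indexed the policy.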

_______________________________________________
Fedora-commons-users mailing list
Fedora-commons-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
