I don't think the fix indicated in that ticket would be too hard to implement, although writing the tests might be tricky. Maybe we should get it on the committer call next week?
On Thu, Oct 4, 2012 at 11:47 AM, David Lacy <david.l...@villanova.edu> wrote:
> Thanks, I saw that in the ticket. As you said, not ideal, but not a problem
> either as I'm not planning to use the condensed terms. I tested the
> map-to-self solution and it does work.
>
> Thanks a lot for your help.
>
> David Lacy
> Falvey Library Technology Services
> Villanova University
> library.villanova.edu
>
>> -----Original Message-----
>> From: Benjamin Armintor [mailto:armin...@gmail.com]
>> Sent: Thursday, October 04, 2012 11:26 AM
>> To: Support and info exchange list for Fedora users.
>> Subject: Re: [fcrepo-user] FESLPOLICY with ActionAttributeDesignator action:id problem
>>
>> Okay, so the way that you can fix this (forgive how hacky this looks)
>> is to edit the mapping file to map the listDatastreams action to
>> itself, and not to read (though this will have to be accommodated in
>> your other policies).
>>
>> On Thu, Oct 4, 2012 at 11:22 AM, David Lacy <david.l...@villanova.edu> wrote:
>> > Turns out it is a known issue:
>> > https://jira.duraspace.org/browse/FCREPO-1063
>> >
>> > David Lacy
>> > Falvey Library Technology Services
>> > Villanova University
>> > library.villanova.edu
>> >
>> >> -----Original Message-----
>> >> From: David Lacy [mailto:david.l...@villanova.edu]
>> >> Sent: Thursday, October 04, 2012 11:15 AM
>> >> To: Support and info exchange list for Fedora users.
>> >> Subject: Re: [fcrepo-user] FESLPOLICY with ActionAttributeDesignator action:id problem
>> >>
>> >> It is a 2.0 policy, which I believe is required for FESLPOLICY's, correct? Also, I
>> >> noticed that AnySubject and AnyResource tags cause validation errors, and were
>> >> omitted intentionally.
>> >>
>> >> David Lacy
>> >> Falvey Library Technology Services
>> >> Villanova University
>> >> library.villanova.edu
>> >>
>> >> > -----Original Message-----
>> >> > From: Benjamin Armintor [mailto:armin...@gmail.com]
>> >> > Sent: Thursday, October 04, 2012 11:05 AM
>> >> > To: Support and info exchange list for Fedora users.
>> >> > Subject: Re: [fcrepo-user] FESLPOLICY with ActionAttributeDesignator action:id problem
>> >> >
>> >> > David,
>> >> > I'll try to look more closely at this later, but at a glance your
>> >> > policy looks a lot like one that works in the test suite:
>> >> > https://github.com/fcrepo/fcrepo/blob/master/fcrepo-integrationtest/fcrepo-integrationtest-core/src/main/resources/XACMLTestPolicies/test-policies/deny-unallowed-file-resolution.xml
>> >> >
>> >> > ... excepting the missing <AnySubject/> and <AnyResource/> tags. I'm
>> >> > not sure that the XACML engine FCRepo uses has a very complete XACML 2
>> >> > implementation (I've noticed some missing functions in the past), so
>> >> > those might be necessary. Could you add those in and try again,
>> >> > assuming a XACML 1 engine?
>> >> >
>> >> > - Ben
>> >> >
>> >> > On Thu, Oct 4, 2012 at 10:35 AM, David Lacy <david.l...@villanova.edu> wrote:
>> >> > > Hello,
>> >> > >
>> >> > > I am trying to implement a repository-wide policy that allows access to
>> >> > > certain functions within API-A, but I am not having luck targeting the
>> >> > > urn:fedora:names:fedora:2.1:action:id designator.
>> >> > > Here is my full FESLPOLICY datastream:
>> >> > >
>> >> > > <Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
>> >> > >         xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
>> >> > >         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>> >> > >         xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
>> >> > >             http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-policy-schema-os.xsd
>> >> > >             urn:oasis:names:tc:xacml:2.0:context:schema:os
>> >> > >             http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd"
>> >> > >         PolicyId="permit-select-API-A-METHODS-to-all"
>> >> > >         RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
>> >> > >   <Description>A Policy that grants read access to select API-A-METHODS to all</Description>
>> >> > >
>> >> > >   <Target>
>> >> > >     <Actions>
>> >> > >       <Action>
>> >> > >         <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>> >> > >           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-listDatastreams</AttributeValue>
>> >> > >           <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id"
>> >> > >               DataType="http://www.w3.org/2001/XMLSchema#string"/>
>> >> > >         </ActionMatch>
>> >> > >       </Action>
>> >> > >     </Actions>
>> >> > >   </Target>
>> >> > >
>> >> > >   <Rule Effect="Permit" RuleId="allow_select_apia_functions"/>
>> >> > >
>> >> > > </Policy>
>> >> > >
>> >> > > Here is the log when attempting to access the listDatastreams
>> >> > > function with the action:id-listDatastreams present in the FESLPOLICY.
>> >> > > (note that it doesn't match the policy "permit-select-API-A-METHODS-to-all")
>> >> > >
>> >> > > DEBUG 2012-10-04 10:27:05.157 [http-8088-2] (PolicyManager) Obtained policies: 9
>> >> > > DEBUG 2012-10-04 10:27:05.159 [http-8088-2] (PolicyManager) Matched policy: demo-system:FESLPOLOCY-permit-apia-to-localhost
>> >> > > DEBUG 2012-10-04 10:27:05.160 [http-8088-2] (PolicyManager) Matched policies and created abstract policy.
>> >> > > DEBUG 2012-10-04 10:27:05.160 [http-8088-2] (MelcoePDPImpl) response is: <Response>
>> >> > >   <Result ResourceId="/demo:1">
>> >> > >     <Decision>NotApplicable</Decision>
>> >> > >     <Status>
>> >> > >       <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
>> >> > >     </Status>
>> >> > >   </Result>
>> >> > > </Response>
>> >> > >
>> >> > > If I change the ActionAttributeDesignator to
>> >> > > urn:fedora:names:fedora:2.1:action:api, specifying api-a as a value, it
>> >> > > works. (note that it does now match the policy
>> >> > > "permit-select-API-A-METHODS-to-all")
>> >> > >
>> >> > > DEBUG 2012-10-04 10:28:08.163 [http-8088-3] (PolicyManager) Obtained policies: 9
>> >> > > DEBUG 2012-10-04 10:28:08.164 [http-8088-3] (PolicyManager) Matched policy: demo-system:FESLPOLOCY-permit-apia-to-localhost
>> >> > > DEBUG 2012-10-04 10:28:08.165 [http-8088-3] (PolicyManager) Matched policy: demo-system:FESLPOLOCY-permit-select-API-A-METHODS-to-all
>> >> > > DEBUG 2012-10-04 10:28:08.165 [http-8088-3] (PolicyManager) Matched policies and created abstract policy.
>> >> > > INFO 2012-10-04 10:28:08.165 [http-8088-3] (HierarchicalLowestChildPermitOverridesPolicyAlg) Combining using: urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:hierarchical-lowest-child-permit-overrides
>> >> > > DEBUG 2012-10-04 10:28:08.165 [http-8088-3] (HierarchicalLowestChildPermitOverridesPolicyAlg) Length: null 0
>> >> > > DEBUG 2012-10-04 10:28:08.165 [http-8088-3] (HierarchicalLowestChildPermitOverridesPolicyAlg) Length: null 0
>> >> > > DEBUG 2012-10-04 10:28:08.165 [http-8088-3] (HierarchicalLowestChildPermitOverridesPolicyAlg) Applicable policies:
>> >> > > DEBUG 2012-10-04 10:28:08.165 [http-8088-3] (HierarchicalLowestChildPermitOverridesPolicyAlg) permit-apia-to-localhost
>> >> > > DEBUG 2012-10-04 10:28:08.165 [http-8088-3] (HierarchicalLowestChildPermitOverridesPolicyAlg) permit-select-API-A-METHODS-to-all
>> >> > > DEBUG 2012-10-04 10:28:08.165 [http-8088-3] (MelcoePDPImpl) response is: <Response>
>> >> > >   <Result ResourceId="/demo:1">
>> >> > >     <Decision>Permit</Decision>
>> >> > >     <Status>
>> >> > >       <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
>> >> > >     </Status>
>> >> > >   </Result>
>> >> > > </Response>
>> >> > >
>> >> > > Thanks in advance...
>> >> > >
>> >> > > David Lacy
>> >> > > Falvey Library Technology Services
>> >> > > Villanova University
>> >> > > library.villanova.edu
_______________________________________________
Fedora-commons-users mailing list
Fedora-commons-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
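
The mismatch discussed in this thread, modelled as an added example that is not part of the original messages and is not Fedora's own code: it evaluates the policy's `<Target>` against the action attribute before and after the map-to-self change, and shows the side effect on other policies that was flagged in the reply. Assumptions: the operation name is rewritten through the mapping before the request reaches the PDP, the condensed value takes the form `...action:id-read`, and the second policy and both mapping dictionaries are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:2.0:policy:schema:os"}
ACTION_ID = "urn:fedora:names:fedora:2.1:action:id"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"

def make_policy(policy_id, action_value):
    """Policy with the same Target shape as the FESLPOLICY quoted in the thread."""
    return f"""<Policy xmlns="{NS['x']}" PolicyId="{policy_id}"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target><Actions><Action>
    <ActionMatch MatchId="{STRING_EQUAL}">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">{action_value}</AttributeValue>
      <ActionAttributeDesignator AttributeId="{ACTION_ID}"
        DataType="http://www.w3.org/2001/XMLSchema#string"/>
    </ActionMatch>
  </Action></Actions></Target>
  <Rule Effect="Permit" RuleId="rule"/>
</Policy>"""

POLICIES = [
    make_policy("permit-select-API-A-METHODS-to-all", ACTION_ID + "-listDatastreams"),
    # Constructed policy; the "-read" value form is an assumption.
    make_policy("constructed-permit-read", ACTION_ID + "-read"),
]
SHIPPED = {"listDatastreams": "read"}          # mapping as described in the thread
SELF = {"listDatastreams": "listDatastreams"}  # the map-to-self workaround

def target_matches(policy_xml, request_attrs):
    """XACML Target: any <Action> may match; all its <ActionMatch> must match."""
    actions = ET.fromstring(policy_xml).findall("x:Target/x:Actions/x:Action", NS)
    def match(m):
        if m.get("MatchId") != STRING_EQUAL:
            raise ValueError("only string-equal is modelled here")
        want = m.find("x:AttributeValue", NS).text.strip()
        attr = m.find("x:ActionAttributeDesignator", NS).get("AttributeId")
        return request_attrs.get(attr) == want
    # A Target without <Actions> applies to every action.
    return not actions or any(
        all(match(m) for m in a.findall("x:ActionMatch", NS)) for a in actions)

def applicable(operation, mapping):
    """PolicyIds whose Target matches once the operation name has been mapped."""
    mapped = mapping.get(operation, operation)  # assumed PEP behaviour
    attrs = {ACTION_ID: f"{ACTION_ID}-{mapped}"}
    return [ET.fromstring(p).get("PolicyId") for p in POLICIES
            if target_matches(p, attrs)]

if __name__ == "__main__":
    print("shipped mapping:", applicable("listDatastreams", SHIPPED))
    print("map-to-self:    ", applicable("listDatastreams", SELF))
```

With the shipped mapping only the read-based policy applies, which corresponds to the NotApplicable result in the first log; after map-to-self the thread's policy applies and the read-based one no longer covers listDatastreams.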