I'd honestly prefer to have the FESL mapped values be an independent attribute, but (as noted) that will break existing FESL policies.
On Thu, Oct 4, 2012 at 4:49 PM, aj...@virginia.edu <aj...@virginia.edu> wrote:
> I'm not strongly against it, and it seemed (from the comments at the issue)
> that Steve Bayliss thought that the best compromise, but I am a little
> troubled by the fact that two values with recognizably different semantics
> will be under the same attribute ID.
>
> What do you think of doing as you say (putting both values in the bag) but
> also introducing a new FESL attribute ID and also putting the FESL value in
> there? Would that not enable policies to distinguish a little better what's
> going on? It might leave some room for eventual migration...
>
> ---
> A. Soroka
> Software & Systems Engineering :: Online Library Environment
> the University of Virginia Library
>
> On Oct 4, 2012, at 12:59 PM, Benjamin Armintor wrote:
>
>> Yes, putting both values in the bag.
>>
>> On Thu, Oct 4, 2012 at 12:30 PM, aj...@virginia.edu <aj...@virginia.edu>
>> wrote:
>>> To be clear, you're talking about including both the old-school Fedora
>>> action value, and the mapped FESL action value, under the same attribute ID?
>>>
>>> ---
>>> A. Soroka
>>> Software & Systems Engineering :: Online Library Environment
>>> the University of Virginia Library
>>>
>>> On Oct 4, 2012, at 11:58 AM, Benjamin Armintor wrote:
>>>
>>>> I don't think the fix indicated in that ticket would be too hard to
>>>> implement, although writing the tests might be tricky. Maybe we
>>>> should get it on the committer call next week?
>>>>
>>>> On Thu, Oct 4, 2012 at 11:47 AM, David Lacy <david.l...@villanova.edu>
>>>> wrote:
>>>>> Thanks, I saw that in the ticket. As you said, not ideal, but not a
>>>>> problem either as I'm not planning to use the condensed terms. I tested
>>>>> the map-to-self solution and it does work.
>>>>>
>>>>> Thanks a lot for your help.
>>>>>
>>>>> David Lacy
>>>>> Falvey Library Technology Services
>>>>> Villanova University
>>>>> library.villanova.edu
>>>>>
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Benjamin Armintor [mailto:armin...@gmail.com]
>>>>>> Sent: Thursday, October 04, 2012 11:26 AM
>>>>>> To: Support and info exchange list for Fedora users.
>>>>>> Subject: Re: [fcrepo-user] FESLPOLICY with ActionAttributeDesignator action:id problem
>>>>>>
>>>>>> Okay, so the way that you can fix this (forgive how hacky this looks)
>>>>>> is to edit the mapping file to map the listDatastreams action to
>>>>>> itself, and not to read (though this will have to be accommodated in
>>>>>> your other policies).
>>>>>>
>>>>>> On Thu, Oct 4, 2012 at 11:22 AM, David Lacy <david.l...@villanova.edu>
>>>>>> wrote:
>>>>>>> Turns out it is a known issue:
>>>>>>> https://jira.duraspace.org/browse/FCREPO-1063
>>>>>>>
>>>>>>> David Lacy
>>>>>>> Falvey Library Technology Services
>>>>>>> Villanova University
>>>>>>> library.villanova.edu
>>>>>>>
>>>>>>>
>>>>>>>> -----Original Message-----
>>>>>>>> From: David Lacy [mailto:david.l...@villanova.edu]
>>>>>>>> Sent: Thursday, October 04, 2012 11:15 AM
>>>>>>>> To: Support and info exchange list for Fedora users.
>>>>>>>> Subject: Re: [fcrepo-user] FESLPOLICY with ActionAttributeDesignator action:id problem
>>>>>>>>
>>>>>>>> It is a 2.0 policy, which I believe is required for FESLPOLICY's,
>>>>>>>> correct? Also, I noticed that AnySubject and AnyResource tags cause
>>>>>>>> validation errors, and were omitted intentionally.
>>>>>>>>
>>>>>>>> David Lacy
>>>>>>>> Falvey Library Technology Services
>>>>>>>> Villanova University
>>>>>>>> library.villanova.edu
>>>>>>>>
>>>>>>>>> -----Original Message-----
>>>>>>>>> From: Benjamin Armintor [mailto:armin...@gmail.com]
>>>>>>>>> Sent: Thursday, October 04, 2012 11:05 AM
>>>>>>>>> To: Support and info exchange list for Fedora users.
>>>>>>>>> Subject: Re: [fcrepo-user] FESLPOLICY with ActionAttributeDesignator action:id problem
>>>>>>>>>
>>>>>>>>> David,
>>>>>>>>> I'll try to look more closely at this later, but at a glance your
>>>>>>>>> policy looks a lot like one that works in the test suite:
>>>>>>>>> https://github.com/fcrepo/fcrepo/blob/master/fcrepo-integrationtest/fcrepo-integrationtest-core/src/main/resources/XACMLTestPolicies/test-policies/deny-unallowed-file-resolution.xml
>>>>>>>>>
>>>>>>>>> ... excepting the missing <AnySubject/> and <AnyResource/> tags. I'm
>>>>>>>>> not sure that the XACML engine FCRepo uses has a very complete XACML 2
>>>>>>>>> implementation (I've noticed some missing functions in the past), so
>>>>>>>>> those might be necessary. Could you add those in and try again,
>>>>>>>>> assuming a XACML 1 engine?
>>>>>>>>>
>>>>>>>>> - Ben
>>>>>>>>>
>>>>>>>>> On Thu, Oct 4, 2012 at 10:35 AM, David Lacy <david.l...@villanova.edu> wrote:
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>> I am trying to implement a repository-wide policy that allows access
>>>>>>>>>> to certain functions within API-A, but I am not having luck targeting
>>>>>>>>>> the urn:fedora:names:fedora:2.1:action:id designator.
>>>>>>>>>> Here is my full FESLPOLICY datastream:
>>>>>>>>>>
>>>>>>>>>> <Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
>>>>>>>>>>         xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
>>>>>>>>>>         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>>>>>>>>         xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os
>>>>>>>>>>             http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-policy-schema-os.xsd
>>>>>>>>>>             urn:oasis:names:tc:xacml:2.0:context:schema:os
>>>>>>>>>>             http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd"
>>>>>>>>>>         PolicyId="permit-select-API-A-METHODS-to-all"
>>>>>>>>>>         RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
>>>>>>>>>>
>>>>>>>>>>   <Description>A Policy that grants read access to select API-A-METHODS to all</Description>
>>>>>>>>>>
>>>>>>>>>>   <Target>
>>>>>>>>>>     <Actions>
>>>>>>>>>>       <Action>
>>>>>>>>>>         <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>>>>>>>>>>           <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-listDatastreams</AttributeValue>
>>>>>>>>>>           <ActionAttributeDesignator
>>>>>>>>>>               AttributeId="urn:fedora:names:fedora:2.1:action:id"
>>>>>>>>>>               DataType="http://www.w3.org/2001/XMLSchema#string"/>
>>>>>>>>>>         </ActionMatch>
>>>>>>>>>>       </Action>
>>>>>>>>>>     </Actions>
>>>>>>>>>>   </Target>
>>>>>>>>>>
>>>>>>>>>>   <Rule Effect="Permit" RuleId="allow_select_apia_functions"/>
>>>>>>>>>>
>>>>>>>>>> </Policy>
>>>>>>>>>>
>>>>>>>>>> Here is the log when attempting to access the listDatastreams function
>>>>>>>>>> with the action:id-listDatastreams present in the FESLPOLICY. (note
>>>>>>>>>> that it doesn't match the policy "permit-select-API-A-METHODS-to-all")
>>>>>>>>>>
>>>>>>>>>> DEBUG 2012-10-04 10:27:05.157 [http-8088-2] (PolicyManager) Obtained policies: 9
>>>>>>>>>> DEBUG 2012-10-04 10:27:05.159 [http-8088-2] (PolicyManager) Matched policy: demo-system:FESLPOLOCY-permit-apia-to-localhost
>>>>>>>>>> DEBUG 2012-10-04 10:27:05.160 [http-8088-2] (PolicyManager) Matched policies and created abstract policy.
>>>>>>>>>> DEBUG 2012-10-04 10:27:05.160 [http-8088-2] (MelcoePDPImpl) response is:
>>>>>>>>>> <Response>
>>>>>>>>>>   <Result ResourceId="/demo:1">
>>>>>>>>>>     <Decision>NotApplicable</Decision>
>>>>>>>>>>     <Status>
>>>>>>>>>>       <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
>>>>>>>>>>     </Status>
>>>>>>>>>>   </Result>
>>>>>>>>>> </Response>
>>>>>>>>>>
>>>>>>>>>> If I change the ActionAttributeDesignator to
>>>>>>>>>> urn:fedora:names:fedora:2.1:action:api, specifying api-a as a value,
>>>>>>>>>> it works.
>>>>>>>>>> (note that it does now match the policy
>>>>>>>>>> "permit-select-API-A-METHODS-to-all")
>>>>>>>>>>
>>>>>>>>>> DEBUG 2012-10-04 10:28:08.163 [http-8088-3] (PolicyManager) Obtained policies: 9
>>>>>>>>>> DEBUG 2012-10-04 10:28:08.164 [http-8088-3] (PolicyManager) Matched policy: demo-system:FESLPOLOCY-permit-apia-to-localhost
>>>>>>>>>> DEBUG 2012-10-04 10:28:08.165 [http-8088-3] (PolicyManager) Matched policy: demo-system:FESLPOLOCY-permit-select-API-A-METHODS-to-all
>>>>>>>>>> DEBUG 2012-10-04 10:28:08.165 [http-8088-3] (PolicyManager) Matched policies and created abstract policy.
>>>>>>>>>> INFO 2012-10-04 10:28:08.165 [http-8088-3] (HierarchicalLowestChildPermitOverridesPolicyAlg) Combining using: urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:hierarchical-lowest-child-permit-overrides
>>>>>>>>>> DEBUG 2012-10-04 10:28:08.165 [http-8088-3] (HierarchicalLowestChildPermitOverridesPolicyAlg) Length: null 0
>>>>>>>>>> DEBUG 2012-10-04 10:28:08.165 [http-8088-3] (HierarchicalLowestChildPermitOverridesPolicyAlg) Length: null 0
>>>>>>>>>> DEBUG 2012-10-04 10:28:08.165 [http-8088-3] (HierarchicalLowestChildPermitOverridesPolicyAlg) Applicable policies:
>>>>>>>>>> DEBUG 2012-10-04 10:28:08.165 [http-8088-3] (HierarchicalLowestChildPermitOverridesPolicyAlg) permit-apia-to-localhost
>>>>>>>>>> DEBUG 2012-10-04 10:28:08.165 [http-8088-3] (HierarchicalLowestChildPermitOverridesPolicyAlg) permit-select-API-A-METHODS-to-all
>>>>>>>>>> DEBUG 2012-10-04 10:28:08.165 [http-8088-3] (MelcoePDPImpl) response is:
>>>>>>>>>> <Response>
>>>>>>>>>>   <Result ResourceId="/demo:1">
>>>>>>>>>>     <Decision>Permit</Decision>
>>>>>>>>>>     <Status>
>>>>>>>>>>       <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
>>>>>>>>>>     </Status>
>>>>>>>>>>   </Result>
>>>>>>>>>> </Response>
>>>>>>>>>>
>>>>>>>>>> Thanks in advance...
>>>>>>>>>>
>>>>>>>>>> David Lacy
>>>>>>>>>> Falvey Library Technology Services
>>>>>>>>>> Villanova University
>>>>>>>>>> library.villanova.edu
>>>>>>>>>>
>>>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>>>> Don't let slow site performance ruin your business. Deploy New Relic APM
>>>>>>>>>> Deploy New Relic app performance management and know exactly
>>>>>>>>>> what is happening inside your Ruby, Python, PHP, Java, and .NET app
>>>>>>>>>> Try New Relic at no cost today and get our sweet Data Nerd shirt too!
>>>>>>>>>> http://p.sf.net/sfu/newrelic-dev2dev
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Fedora-commons-users mailing list
>>>>>>>>>> Fedora-commons-users@lists.sourceforge.net
>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
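The matching behaviour discussed in this thread, as an added example that is not part of the original messages or of Fedora's code: a string-equal ActionMatch is evaluated against the bag of values the request carries under an attribute ID, so the result depends on what the action mapping puts in that bag. The condensed `READ` value and the `FESL_ACTION_ID` attribute are assumptions; the thread names neither string.

```python
# Added illustration (not Fedora/FESL code): how a string-equal ActionMatch on
# action:id behaves before and after the request value is remapped.
ACTION_ID = "urn:fedora:names:fedora:2.1:action:id"
LIST_DS = ACTION_ID + "-listDatastreams"
# Assumption: the thread only says listDatastreams is mapped "to read"; the
# exact condensed value is not shown, so this string is a placeholder.
READ = ACTION_ID + "-read"
# Hypothetical separate attribute ID for the FESL-mapped value.
FESL_ACTION_ID = "urn:example:fesl:action:id"

DEFAULT_MAPPING = {LIST_DS: READ}       # behaviour reported in the thread
MAP_TO_SELF = {LIST_DS: LIST_DS}        # workaround: map the action to itself


def build_request(action, mapping, mode="mapped-only"):
    """Return the request's action attributes as {attribute_id: bag of values}."""
    mapped = mapping.get(action, action)
    if mode == "mapped-only":           # only the mapped value reaches the PDP
        return {ACTION_ID: {mapped}}
    if mode == "both-in-bag":           # old and mapped value under one ID
        return {ACTION_ID: {action, mapped}}
    if mode == "separate-id":           # both in the bag, plus a dedicated ID
        return {ACTION_ID: {action, mapped}, FESL_ACTION_ID: {mapped}}
    raise ValueError(f"unknown mode: {mode}")


def decide(request, attribute_id, expected, effect="Permit"):
    """Evaluate a policy whose Target is one string-equal ActionMatch.

    A match succeeds if any value in the designated bag equals `expected`;
    with no match the policy does not apply to the request.
    """
    bag = request.get(attribute_id, set())
    return effect if expected in bag else "NotApplicable"


def survey(mapping, mode):
    """Decisions for the policy from the thread and for a 'read' policy."""
    request = build_request(LIST_DS, mapping, mode)
    return {
        "listDatastreams policy": decide(request, ACTION_ID, LIST_DS),
        "read policy": decide(request, ACTION_ID, READ),
        "FESL-id read policy": decide(request, FESL_ACTION_ID, READ),
    }


if __name__ == "__main__":
    for mapping, mode in [(DEFAULT_MAPPING, "mapped-only"),
                          (MAP_TO_SELF, "mapped-only"),
                          (DEFAULT_MAPPING, "both-in-bag"),
                          (DEFAULT_MAPPING, "separate-id")]:
        print(mode, mapping[LIST_DS].rsplit("-", 1)[-1], survey(mapping, mode))
```

With map-to-self the listDatastreams policy applies but a policy written against the condensed read value stops applying, which is the accommodation in other policies mentioned in the thread.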