Is this action running from the same client IP as all of the
correctly-functioning actions?

On Tue, Oct 9, 2012 at 12:00 PM, David Lacy <david.l...@villanova.edu> wrote:
>         <Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
>                 xmlns:xacml-context="urn:oasis:names:tc:xacml:2.0:context:schema:os"
>                 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>                 xsi:schemaLocation="urn:oasis:names:tc:xacml:2.0:policy:schema:os http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-policy-schema-os.xsd urn:oasis:names:tc:xacml:2.0:context:schema:os http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-context-schema-os.xsd"
>                 PolicyId="permit-apia-to-localhost"
>                 RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
>           <Description>A Policy that grants read access to localhost (or the VU Subnet)</Description>
>           <Target>
>
>             <Actions>
>
>               <!-- Match API attribute -->
>               <Action>
>                 <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>                   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:api-a</AttributeValue>
>                   <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:api"
>                                              DataType="http://www.w3.org/2001/XMLSchema#string"></ActionAttributeDesignator>
>                 </ActionMatch>
>               </Action>
>
>               <!-- OR, Generic Read (this is probably redundant) -->
>               <Action>
>                 <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
>                   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
>                   <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id"
>                                              DataType="http://www.w3.org/2001/XMLSchema#string"></ActionAttributeDesignator>
>                 </ActionMatch>
>               </Action>
>
>             </Actions>
>           </Target>
>
>           <Rule Effect="Permit"
>                 RuleId="au:edu:mq:melcoe:ramp:fedora:xacml:2.0:rule:generic-permit">
>             <Condition>
>               <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
>                 <!-- Permit this Bag -->
>                 <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
>                   <EnvironmentAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:environment:httpRequest:clientIpAddress"
>                                                   DataType="http://www.w3.org/2001/XMLSchema#string"/>
>                   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
>                     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">127.0.0.1</AttributeValue>
>                     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">::1</AttributeValue>
>                     <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">0:0:0:0:0:0:0:1</AttributeValue>
>                   </Apply>
>                 </Apply>
>                 <!-- OR, Permit this subnet string -->
>                 <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
>                   <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">XXX\.XXX\.\d{1,3}\.\d{1,3}</AttributeValue>
>                   <!-- Villanova Subnet -->
>                   <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
>                     <EnvironmentAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:environment:httpRequest:clientIpAddress"
>                                                     DataType="http://www.w3.org/2001/XMLSchema#string"/>
>                   </Apply>
>                 </Apply>
>
>               </Apply>
>             </Condition>
>           </Rule>
>         </Policy>
>
> David Lacy
> Falvey Library Technology Services
> Villanova University
> library.villanova.edu
>
>> -----Original Message-----
>> From: Benjamin Armintor [mailto:armin...@gmail.com]
>> Sent: Tuesday, October 09, 2012 11:47 AM
>> To: Support and info exchange list for Fedora users.
>> Subject: Re: [fcrepo-user] findObjects REST API and 3.6 problem
>>
>> I'm pretty sure findObjects is handled by the same REST resource now.
>> I thought messages like this meant that a request matched a policy
>> target, but not any of its rule targets.  David, can you link a copy
>> of the policy somewhere, or is it just matching the API attribute?
>>
>> - Ben
>>
>
>
> ------------------------------------------------------------------------------
> Don't let slow site performance ruin your business. Deploy New Relic APM
> Deploy New Relic app performance management and know exactly
> what is happening inside your Ruby, Python, PHP, Java, and .NET app
> Try New Relic at no cost today and get our sweet Data Nerd shirt too!
> http://p.sf.net/sfu/newrelic-dev2dev
> _______________________________________________
> Fedora-commons-users mailing list
> Fedora-commons-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
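
Added example (not part of the original messages and not Fedora's own code): a small Python model of the quoted policy's target and condition, showing which client IP strings produce Permit and which leave the policy NotApplicable or Indeterminate. The subnet pattern is a constructed placeholder for the redacted `XXX` octets, and all function and constant names are hypothetical.

```python
import re

API = "urn:fedora:names:fedora:2.1:action:api"
ACTION_ID = "urn:fedora:names:fedora:2.1:action:id"
API_A = {API: "urn:fedora:names:fedora:2.1:action:api-a"}  # constructed request

LOCAL = {"127.0.0.1", "::1", "0:0:0:0:0:0:0:1"}  # the policy's string-bag
# Placeholder: the posted pattern has its first two octets redacted (XXX).
SUBNET = r"198\.51\.\d{1,3}\.\d{1,3}"


def target_matches(action):
    """<Target>: api == api-a OR id == read (either <Action> may match)."""
    return (action.get(API) == "urn:fedora:names:fedora:2.1:action:api-a"
            or action.get(ACTION_ID) == "read")


def condition(ip_bag, subnet=SUBNET):
    """The rule's <Condition>: returns True, False or 'Indeterminate'."""
    if LOCAL & set(ip_bag):      # string-at-least-one-member-of
        return True              # 'or' stops at the first True argument
    if len(ip_bag) != 1:         # string-one-and-only needs exactly one value
        return "Indeterminate"
    # Assumption: regexp-string-match is modelled as a whole-string match.
    return re.fullmatch(subnet, ip_bag[0]) is not None


def evaluate(action, ip_bag, subnet=SUBNET):
    """Decision of the single-rule, first-applicable policy."""
    if not target_matches(action):
        return "NotApplicable"   # policy target does not match
    result = condition(ip_bag, subnet)
    if result == "Indeterminate":
        return "Indeterminate"
    # Target matched but condition false: no rule applies to the request.
    return "Permit" if result else "NotApplicable"


if __name__ == "__main__":
    # Constructed client addresses, including an IPv4-mapped loopback form.
    for ip in (["127.0.0.1"], ["198.51.7.20"], ["203.0.113.9"],
               ["::ffff:127.0.0.1"], []):
        print(ip, "->", evaluate(API_A, ip))
```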