Hi all,

I'm using Fedora 3.5 and I tried to use XACML to restrict access to some datastreams from all IP addresses (except localhost and my IP). My condition uses the "altIds" attribute (as we can't use formatURI: https://jira.duraspace.org/browse/FCREPO-87).

Despite many, many tries, no restriction seems to work using the altIds, checksum and checksumType fields (cf. the XACML policy; I use another IP address to test my policy ;) ).
It works with the datastream id attribute... but that's not usable for us.

Below you can find my XACML. Can you tell me if you see any problem with it?
Thanks a lot.
Regards

Renaud


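<?xml version="1.0" encoding="UTF-8"?>
<!--
  Fedora 3.5 access policy: deny the getDatastreamDissemination action on
  datastreams whose altIds contain "ucl:protected" unless the client IP is
  on the allow list in the Condition of Rule 1. Every other request falls
  through to Rule 2 (Permit).

  Reviewer notes on the copy posted to the list:
  * Each quoted URI attribute was followed by a stray ";" (xmlns:xsi="...";
    DataType="...";). That is not well-formed XML, so the policy should be
    rejected at load time before any rule is evaluated. Removed here.
  * string-equal does no escape processing: the literal "ucl\:protected"
    can only match an altId that really contains a backslash, so the plain
    value is used below.
  * The Description speaks of "ucl:restricted" while the match value is
    "ucl:protected"; confirm which altId the datastreams actually carry.
  * Which datastream attributes (altIds, checksum, checksumType, ...) are
    placed in the request context for this action is not visible from the
    policy itself. If only datastream:id ever matches, the likely cause is
    that the other attributes are not supplied for getDatastreamDissemination
    rather than a fault in this document. TODO: confirm against the
    attribute finder configuration of the Fedora instance.
-->
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        PolicyId="deny-apia-uclprotected"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Description>This Policy will denied access to "ucl:restricted" datastream for UCL network</Description>

  <!-- Policy-level Target: applies to every request; the rules narrow it down. -->
  <Target>
    <Subjects>
      <AnySubject/>
    </Subjects>
    <Resources>
      <AnyResource/>
    </Resources>
    <Actions>
      <AnyAction/>
    </Actions>
  </Target>

  <!-- Rule 1: Deny when the resource matches one of the Resource entries
       below, the action is getDatastreamDissemination, and the Condition
       (client IP not on the allow list) holds. -->
  <Rule RuleId="1" Effect="Deny">
    <Target>
      <Subjects>
        <AnySubject/>
      </Subjects>
      <Resources>

        <!-- ON ALT_IDS : NOT WORKING (best solution if cannot use formatURI) ========================= -->
        <Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <!-- Plain value: string-equal compares literally, so the "ucl\:protected"
                 spelling from the list posting cannot match an unescaped altId. -->
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ucl:protected</AttributeValue>
            <!-- NOTE(review): if altIds reaches the PDP as one space-separated string
                 rather than a bag of single ids, string-equal on one id can never
                 match; confirm the attribute's shape for this action. -->
            <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:altIds" DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ResourceMatch>
        </Resource>

        <!-- ON CHECKSUM TYPE : NOT WORKING =========================================================== -->
        <!--<Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">MD5</AttributeValue>
            <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:checksumType" DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ResourceMatch>
        </Resource> NOT WORKING -->

        <!-- ON DS ID : WORKS BUT NOT USABLE ========================================================== -->
        <!--<Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">PDF_01</AttributeValue>
            <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ResourceMatch>
        </Resource>-->

        <!-- REGEXP ON ID : WORKS BUT UNFORTUNATELY NOT USABLE ======================================== -->
        <!-- NOTE(review): the heading says "ON ID" but the designator below names altIds;
             one of the two was presumably edited after the test. Confirm which attribute
             the working regexp actually matched, since a working altIds regexp would
             contradict the "NOT WORKING" result above. -->
        <!--<Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^PDF</AttributeValue>
            <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:altIds" DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ResourceMatch>
        </Resource>-->
      </Resources>
      <Actions>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-getDatastreamDissemination</AttributeValue>
            <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ActionMatch>
        </Action>
      </Actions>
    </Target>

    <!-- Deny unless the client address is one of the listed values:
         not(string-at-least-one-member-of(clientIpAddress, allow-list)).
         If the clientIpAddress attribute is absent the designator yields an
         empty bag, the membership test is false and the rule still denies,
         so the check fails closed. -->
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <!-- NOTE(review): behind a reverse proxy or load balancer this is likely
             the proxy's address, not the end user's; confirm what the deployed
             connector reports before trusting the allow list. -->
        <EnvironmentAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:environment:httpRequest:clientIpAddress" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
          <!-- 127.0.0.1 is the IPv4 loopback only; a connector reached over IPv6
               reports ::1 (or 0:0:0:0:0:0:0:1), which this bag does not contain. -->
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">127.0.0.1</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">XXX.XXX.XXX.XXX</AttributeValue> <!-- my IP address (placeholder) -->
        </Apply>
      </Apply>
    </Condition>
  </Rule>

  <!-- Rule 2: unconditional Permit. With an any/any/any Policy Target and
       first-applicable combining, every request Rule 1 does not deny gets a
       Permit from this policy. Whether that Permit can outweigh a Deny from
       another loaded policy depends on the PDP's policy-combining algorithm
       (harmless under deny-overrides, not under permit-overrides). TODO:
       confirm the configured algorithm, or drop this rule so the policy
       returns NotApplicable instead of Permit for unrelated requests. -->
  <Rule RuleId="2" Effect="Permit"/>
</Policy>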
_______________________________________________
Fedora-commons-users mailing list
Fedora-commons-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
