Renaud-
  I'll take a look at this soon, but I have a clarifying question: Are you
saying formatURI is not available as a property at all, or that it is not
available as a URI attribute? I was under the impression that it was
available as a String attribute.

- Ben


On Thu, Sep 26, 2013 at 10:38 AM, Renaud Michotte <
renaud.micho...@uclouvain.be> wrote:

>  Hi all,
>
> I'm using Fedora 3.5 and I tried to use XACML to restrict access to some
> datastreams for all IP addresses (except localhost and my IP).
> My condition uses the "altIds" attribute (as we can't use formatURI:
> https://jira.duraspace.org/browse/FCREPO-87)
>
> Despite many tries, no restriction seems to work using the altIds,
> checksum and checksumType fields (cf. the XACML policy below; I use another IP
> address to test my policy ;) ).
> It works with the datastream id attribute... but that's not usable for us.
>
> Below you can find my XACML. Can you tell me if you see any problem
> with it?
> Thanks a lot.
> Regards
>
> Renaud
>
>
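<?xml version="1.0" encoding="UTF-8"?>
<!--
  Purpose: deny getDatastreamDissemination on datastreams tagged through
  altIds unless the request comes from localhost or one listed address;
  every other request falls through to the final Permit rule.

  Reconstructed from a line-wrapped mail quote; the ";<http://...>" fragments
  in the quote were mail-client link artifacts, not part of the policy.

  Review notes:
  1. string-equal is a literal comparison. "ucl\:protected" therefore only
     matches an altId that really contains a backslash; "ucl:protected" is
     the plain form. The Description mentions "ucl:restricted", a third
     spelling; presumably one tag is meant, so align them.
  2. altIds is written as a space-separated list in FOXML. If the attribute
     reaches the PDP as one joined string rather than a bag of tokens,
     string-equal can only match a datastream whose whole altIds value is the
     literal; the regexp-string-match variant below is the form that matches
     a single token. TODO confirm how this Fedora version exposes altIds.
  3. The designators use the default MustBePresent="false". If altIds is not
     supplied for the request at all, the match is simply false, Rule 1 is
     NotApplicable and Rule 2 permits. MustBePresent="true" turns a missing
     attribute into Indeterminate instead of a silent Permit, which is easier
     to notice while debugging.
  4. The policy Target is AnySubject/AnyResource/AnyAction, so Rule 2 returns
     Permit for every request Rule 1 does not deny. Whether that Permit can
     outweigh a Deny from another policy depends on the repository's policy
     combining algorithm; check it before relying on this as the only guard.
  5. clientIpAddress is the address the servlet container sees. Behind a
     reverse proxy or load balancer that is the proxy's address, not the
     end user's, so the allow-list below would need revisiting in such a setup.
-->
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        PolicyId="deny-apia-uclprotected"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Description>This Policy will denied access to "ucl:restricted" datastream for UCL network</Description>
  <Target>
    <Subjects>
      <AnySubject/>
    </Subjects>
    <Resources>
      <AnyResource/>
    </Resources>
    <Actions>
      <AnyAction/>
    </Actions>
  </Target>

  <Rule RuleId="1" Effect="Deny">
    <Target>
      <Subjects>
        <AnySubject/>
      </Subjects>
      <Resources>

        <!-- ON ALT_IDS : NOT WORKING (best solution if cannot use formatURI) -->
        <Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <!-- literal match: the backslash is compared as a character (note 1) -->
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ucl\:protected</AttributeValue>
            <!--<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ucl:protected</AttributeValue>
            NOT WORKING -->
            <!-- note 3: MustBePresent="true" here would make a missing altIds
                 attribute visible as Indeterminate instead of a silent Permit -->
            <ResourceAttributeDesignator
                AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:altIds"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ResourceMatch>
        </Resource>

        <!-- ON CHECKSUM TYPE : NOT WORKING -->
        <!--<Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">MD5</AttributeValue>
            <ResourceAttributeDesignator
                AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:checksumType"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ResourceMatch>
        </Resource> NOT WORKING -->

        <!-- ON DS ID : WORKS BUT NOT USABLE FOR US -->
        <!--<Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">PDF_01</AttributeValue>
            <ResourceAttributeDesignator
                AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:id"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ResourceMatch>
        </Resource>-->

        <!-- REGEXP ON ID : WORKS BUT UNFORTUNATELY NOT USABLE.
             This variant designates altIds, not id: if it really matched,
             altIds does reach the PDP and the string-equal failure above is
             about the value, not the attribute (note 2). TODO confirm. -->
        <!--<Resource>
          <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:regexp-string-match">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">^PDF</AttributeValue>
            <ResourceAttributeDesignator
                AttributeId="urn:fedora:names:fedora:2.1:resource:datastream:altIds"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ResourceMatch>
        </Resource>-->
      </Resources>
      <Actions>
        <Action>
          <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-getDatastreamDissemination</AttributeValue>
            <ActionAttributeDesignator
                AttributeId="urn:fedora:names:fedora:2.1:action:id"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
          </ActionMatch>
        </Action>
      </Actions>
    </Target>
    <!-- Deny applies only when the client address is NOT one of the values in
         the allow-list bag below (note 5). -->
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <EnvironmentAttributeDesignator
            AttributeId="urn:fedora:names:fedora:2.1:environment:httpRequest:clientIpAddress"
            DataType="http://www.w3.org/2001/XMLSchema#string"/>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">127.0.0.1</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">XXX.XXX.XXX.XXX</AttributeValue>
          <!-- my IP address -->
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <!-- Fallback: everything Rule 1 does not deny is permitted (note 4). -->
  <Rule RuleId="2" Effect="Permit"/>
</Policy>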
>
>