Versions Compared

Old Version 33

changes.mady.by.user Andrew Woods

Saved on

compared with

New Version 34

changes.mady.by.user Scott Prater

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Policy sets will contain Fedora URI references to other policy sets and policies. Policy sets can define a tree structure of policies.

Policy URIs have the form info:fedora/path/to/PolicyNode. These URIs are the IDs of the Policies and PolicySets in the XACML datastream.

NICE TO HAVE: Referential integrity between policy sets and policies will be maintained via a ModeShape Sequencer. It will maintain a set of REFERENCE properties on the policy set node, pointing to the policy nodes mentioned in XACML. This will prevent any policies still referenced from being deleted.

...

  • org.jboss.security.xacml.sunxacml.finder.PolicyFinderModule is used to find a policy (or policy set) that matches the request evaluation context. Also used to lookup a policy that is referenced within a policy set by ID.
  • org.jboss.security.xacml.sunxacml.finder.AttributeFinderModule is used to find attribute values when evaluating a policy.
  • Constructing a policy set for the JBOSS engine:
    • see JCR 2.0 16.3 and JBossLDAPPolicyLocator as an example.

Sun XACML Javadoc:  http://sunxacml.sourceforge.net/javadoc/

Propose Yes

The Sun XACML engine has been around for a while and seen plenty of production use. The JBoss project is also relied upon by a larger security framework.

...

EnvironmentAttributeFinderModule

XACML Role-Based Access Control

Fedora implements the XACML 2.0 Role-Based Access Control profile out-of-the-box.  Under the profile, policies are divided into two types:  Roles and Permissions.  Role policies only define Subjects, then link to Permission policies.  Permission policies only define permission sets:  Rules that apply to Resources and Actions.  Policies are grouped into PolicySets.  Permission policy sets are never referenced directly, but only through Role policy sets.

This model makes it simple to assign multiple roles to intersecting sets of permissions, and to allow for hierarchical roles:  more powerful roles can inherit the permissions of lesser roles, then extend them in their own permission policy.  Thus, an admin role inherits the permissions of both reader and writer roles.

The Fedora default policies implement the roles admin, writer, and reader.  See Fedora Basic Roles - ModeShape Permission for a mapping of roles to ModeShape actions and permissions..

Fedora XACML RBAC policies on github

Some notes on identifier conventions:

  • PolicySetId identifiers will be URIs of the form info:fedora/policies/PolicyNode.  This identifier will be resolvable to the path to the policy object in the repository.

  • Internal policy element identifiers for the XACML elements PolicyId and RuleId will have the urn prefix fcrepo-xacml.