Comment: Migrated to Confluence 5.3

...

FeSL supports a simplified set of action attribute values of create, read, update and delete, in addition to the above. The relationship of these values to the underlying API action attribute is specified in $FEDORA_HOME/server/config/config-melcoe-pep-mapping.xml.

Policies based on

...

relationships

FeSL supports the ability to "surface" values in the Resource Index as XACML resource attribute values. For instance, policies can be based on relationships expressed in the RELS-EXT and RELS-INT datastreams. The target of a relationship from an object or a datastream property can be defined in RELS-EXT or RELS-INT, and this value can then be used as a XACML resource attribute when specifying a policy.

As well as defining XACML resource attributes based on simple object or datastream relationships, more complex specifications can be defined using Resource Index queries.

...

  • XACML resource attribute ID: this is defined by the "name" attribute, in this case http://www.example.org/fedora/xacml/attributes/resource#rel-subject
  • Fedora RI relationship: this is defined by the "relationship" config element. In this case the relationship used is the dc:subject relationship, http://purl.org/dc/elements/1.1/subject
  • Subject of relationship query: the "target" configuration element specifies the subject of the RI query. In this case the value "object" is specified, which means the RI query is based on the URI of the Digital Object containing the resource being accessed. This means that the dc:subject attribute of the digital object will be retrieved both when the object itself is accessed and when an object datastream is accessed. If this value is specified as "resource" (or is omitted), the URI of the resource (e.g. a datastream) being accessed will be used instead. Use "resource" where you want to base an attribute on a datastream property defined in RELS-INT.

If the "relationship" config element is omitted, the same value will be used for the Fedora RI relationship and the XACML resource attribute ID (for instance, http://purl.org/dc/elements/1.1/subject could be defined as both the XACML resource attribute ID to be used in policies and the RI relationship to be used in retrieving attribute values).

...

When the datastream "DC" is accessed in the object "demo:1", a policy using the XACML resource attribute ID http://www.example.org/fedora/xacml/attributes/resource#collection-owner will be evaluated as follows:

...

The FunctionID "urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of" does a "bag" comparison: the function evaluates to true if there is at least one match between the two bags being compared. In this case the first bag is all of the ownerID attributes of all collections to which the resource belongs, and the second bag is all of the role attributes of the subject.
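As an added illustration (not code from the FeSL documentation or the FeSL code base), the following Python sketches how the relationship-based attribute resolution described above (the "target" object/resource choice) and the bag comparison of the collection-owner policy fit together. The triples, the owner and license predicate URIs and the isMemberOf traversal are constructed assumptions for the example only.

```python
from collections import defaultdict
# Constructed sample triples (subject, predicate, value) standing in for what the
# Resource Index, or RELS-EXT/RELS-INT read directly, would hold for object demo:1.
# The owner and license predicate URIs are assumptions, not Fedora's real ones.
IS_MEMBER_OF = "info:fedora/fedora-system:def/relations-external#isMemberOf"
DC_SUBJECT = "http://purl.org/dc/elements/1.1/subject"
OWNER = "http://www.example.org/fedora/ownerID"              # assumed predicate
LICENSE = "http://www.example.org/fedora/rels-int#license"   # assumed RELS-INT property
TRIPLES = [
    ("info:fedora/demo:1", DC_SUBJECT, "history"),
    ("info:fedora/demo:1", IS_MEMBER_OF, "info:fedora/demo:coll1"),
    ("info:fedora/demo:1/DC", LICENSE, "cc-by"),            # datastream property
    ("info:fedora/demo:coll1", OWNER, "curator"),
    ("info:fedora/demo:coll1", IS_MEMBER_OF, "info:fedora/demo:coll0"),
    ("info:fedora/demo:coll0", OWNER, "archivist"),
]
INDEX = defaultdict(set)
for s, p, o in TRIPLES:
    INDEX[(s, p)].add(o)

def object_uri(resource_uri):
    """Datastream URIs look like info:fedora/<pid>/<dsid>; keep only the object part."""
    pid = resource_uri[len("info:fedora/"):].split("/", 1)[0]
    return "info:fedora/" + pid

def resolve_attribute(resource_uri, relationship, target="resource"):
    """Bag of values for a relationship-based XACML resource attribute: target="object"
    queries the containing object (RELS-EXT), "resource" (default) the resource itself."""
    subject = object_uri(resource_uri) if target == "object" else resource_uri
    return set(INDEX[(subject, relationship)])

def collection_owners(resource_uri):
    """Owner bag of every collection the containing object belongs to, following
    isMemberOf up the hierarchy (the 'more complex RI query' case)."""
    owners, seen = set(), set()
    todo = list(INDEX[(object_uri(resource_uri), IS_MEMBER_OF)])
    while todo:
        coll = todo.pop()
        if coll not in seen:
            seen.add(coll)
            owners |= INDEX[(coll, OWNER)]
            todo.extend(INDEX[(coll, IS_MEMBER_OF)])
    return owners

def string_at_least_one_member_of(bag1, bag2):
    """urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of."""
    return bool(set(bag1) & set(bag2))

def collection_owner_condition(resource_uri, subject_roles):
    """The policy condition from the text: true when some owner is one of the subject's roles."""
    return string_at_least_one_member_of(collection_owners(resource_uri), subject_roles)
```

Accessing demo:1's DC datastream with target="object" yields the object's dc:subject bag, while target="resource" yields only RELS-INT properties of the datastream itself.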

Relationships and dependency on the Resource Index

By default, FeSL queries the Resource Index for relationship information. It does this when querying for parent/child relationships for policies based on the XACML hierarchical resource profile, and for policies based on resource attributes defined using SPO and more complex RI queries.

If you do not have the Resource Index enabled, you may instead configure FeSL to use RELS-EXT and RELS-INT datastreams directly to derive relationship information.

This is configured in $FEDORA_HOME/server/config/config-melcoe-pep.xml.

Change the class attribute of the relationship-resolver element to org.fcrepo.server.security.xacml.util.RELSRelationshipResolver to use the relationships datastreams directly.

Note that this introduces some restrictions on FeSL's features:

  • Collection-based policies based on the XACML hierarchical resource profile will require that relationships are specified from the child object to the parent (e.g. isMember relationships in the child object).
  • Only simple datastream and object properties can be exposed as XACML resource attributes; the properties must be defined as relationships in the containing object.

Disabling FeSL Authorization

If you encounter problems, such as creating a set of policies which lock out administrative access to the repository and thus prevent further changes to policies, you can disable FeSL AuthZ completely.

  1. Locate the file $FEDORA_HOME/server/config/spring/web/security.xml.
  2. Make a backup copy of this file.
  3. For each of the <security:filter-chain> elements, remove the value PEPFilter (and the preceding comma) from the filters attribute.
  4. When you have finished correcting any problems, reinstate the backup copy of this file.