...
- Copy disable-writes.xml (see below) into your $FEDORA_HOME/data/fedora-xacml-policies/repository-policies/default/directory
- Run $FEDORA_HOME/server/bin/fedora-reload-policies.sh http reloadpolicies https admin-user admin-pass (this immediately makes any repo-wide policy changes active without requiring a restart; change https to http if your server only supports http)
- Wait a few minutes to let any in-progress writes complete.
- Do a database+filesystem backup (see this page for the files involved)
- Remove disable-writes.xml
- Run fedora-reload-policies again
This could be scripted as part of a regular backup process. Step 3 is not perfect, however: if you wait 5 minutes but someone is in the middle of upload a multi-GB file to the repository, you might still get an inconsistent backup. You could also watch the low level system activity (thread dump, strace, lsof, etc) to see if there are any ongoing writes.
| Code Block | ||||
|---|---|---|---|---|
| ||||
<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
PolicyId="disable-writes"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
<Description>disable writes</Description>
<Target>
<Subjects>
<AnySubject/>
</Subjects>
<Resources>
<AnyResource/>
</Resources>
<Actions>
<Action>
<ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:api-m</AttributeValue>
<ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
AttributeId="urn:fedora:names:fedora:2.1:action:api"/>
</ActionMatch>
</Action>
</Actions>
</Target>
<Rule RuleId="1" Effect="Deny"/>
</Policy>
|