Versions Compared

Old Version 3

changes.mady.by.user Chris Wilper

Saved on

compared with

New Version Current

changes.mady.by.user Chris Wilper

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 5.3

...

By default, Fedora XACML-based authorization is enabled. Configuration of the Fedora XACML-based Policy Enforcement Module is done in the Fedora server configuration file (fedora.fcfg). Depicted below is the section of the configuration file for the Authorization module that controls XACML-based policy enforcement.

Code Block
xml
xml
borderStylesolidxml
<module role="fedora.server.security.Authorization"
        class="fedora.server.security.DefaultAuthorization">
    <comment>Builds and manages Fedora's authorization structure.</comment>
    <param name="REPOSITORY-POLICIES-DIRECTORY"
           value="/fedora-xacml-policies/repository-policies"/>
    <param name="XACML-COMBINING-ALGORITHM"
           value="com.sun.xacml.combine.OrderedDenyOverridesPolicyAlg"/>
    <param name="ENFORCE-MODE" value="enforce-policies"/>
    <param name="POLICY-SCHEMA-PATH" value="xsd/cs-xacml-schema-policy-01.xsd"/>
    <param name="VALIDATE-REPOSITORY-POLICIES" value="true"/>
    <param name="VALIDATE-OBJECT-POLICIES-FROM-DATASTREAM" value="false"/>
    <param name="OWNER-ID-SEPARATOR" value=","/>
</module>

...

To enable/disable XACML policy enforcement in Fedora, use the Fedora configuration file (fedora.fcfg). Whether Fedora uses XACML for authorization decisions is controlled by the ENFORCE-MODE parameter in the Authorization module:

Code Block
xml
xml
borderStylesolidxml
<param name="ENFORCE-MODE" value="enforce-policies"/>

...

In the Authorization module section of the Fedora server configuration file (fedora.fcfg), there are parameters to set the storage location for active repository-wide policies. The Fedora repository will only know about policies that are stored within the configured policy directory location. Policies stored in any other location will be invisible to the repository and will not be loaded into the repository upon server startup! The storage location for active repository-wide policies can be set by the repository administrator using the follow parameter in Authorization module (in fedora.fcfg):

Code Block
xml
xml
borderStylesolidxml
<param name="REPOSITORY-POLICIES-DIRECTORY" value="/fedora-xacml-policies/repository-policies"/>

...

Simply add the new IP address to the policy rule as follows:

Code Block
xml
xml
borderStylesolidxml
<Rule RuleId="1" Effect="Deny">
  <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <EnvironmentAttributeDesignator
          AttributeId="urn:fedora:names:fedora:2.1:environment:httpRequest:clientIpAddress"
          DataType="http://www.w3.org/2001/XMLSchema#string"/>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">127.0.0.1</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">::1</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">111.22.333.4</AttributeValue>
        </Apply>
      </Apply>
    </Apply>
  </Condition>
</Rule>

...

There are several parameters in the Authorization module configuration that control whether Fedora will attempt to validate policies against the XML schema for XACML.

Code Block
xml
xml
borderStylesolidxml
<param name="POLICY-SCHEMA-PATH" value="xsd/cs-xacml-schema-policy-01.xsd"
<param name="VALIDATE-REPOSITORY-POLICIES" value="true"/>
<param name="VALIDATE-OBJECT-POLICIES-FROM-DATASTREAM" value="false"/>
<param name="VALIDATE-SURROGATE-POLICIES" value="false"/>

...

Policy writers must understand the interaction effect of multiple XACML policies that are in scope for any particular action. The Fedora configuration file (fedora.fcfg) sets the policy combining algorithm that will be used by the Policy Enforcement Module in evaluating sets of policies. In the the Fedora server configuration file (fedora.fcfg) note the following parameter in the section for the Authorization module::

Code Block
xml
xml
borderStylesolidxml
<param name="XACML-COMBINING-ALGORITHM" value="com.sun.xacml.combine.OrderedDenyOverridesPolicyAlg"/>

...

By default, the fedora-users file contains the following users, passwords, and attributes:

Code Block
xml
xml
borderStylesolidxml
<users>
  <user name="fedoraAdmin" password="fedoraAdmin">
    <attribute name="fedoraRole">
      <value>administrator</value>
    </attribute>
  </user>
  <user name="fedoraIntCallUser" password="changeme">
    <attribute name="fedoraRole">
      <value>fedoraInternalCall-1</value>
      <value>fedoraInternalCall-2</value>
    </attribute>
  </user>
</users>

Notice that each attribute has a name and can have multiple values. The cases of one or two values are shown; not shown here is that an attribute can have any number of values, including none, depending on your need. The second of these entries is for Fedora internal use, and should be left intact as installed. You will probably leave the first entry in place, also as-is. But if you change the default policies, you may require additional values of the fedoraRole attribute, or additional named attributes with their own values. Additional users (with unique names) can be added with attributes as needed. This is a convenient place to define repository managers, a small number of users, or a surrogate user. An example of an additional user follows:

Code Block
xml
xml
borderStylesolidxml
<users>
  <user name="testuser1" password="testuser1">
    <attribute name="someAttribute">
      <value>xyz</value>
    </attribute>
    <attribute name="fedoraRole">
      <value>researcher</value>
    </attribute>
  </user>
</users>

The above example indicates that the user has two attributes (an attribute named* "someAttriibute"* whose value is xyz, and an attribute named* "fedoraRole"* whose value is researcher). These attribute names can be used in SubjectAttributeDesignator specifications in XACML policies and the values can be used in AttributeValue specifications in policies. Below is a snippet of an XACML policy that refers to attributes from fedora-users (refer to the Fedora XACML Policy Guide for more info on policy syntax):

Code Block
xml
xml
borderStylesolidxml
<Subjects>
  <Subject>
    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
        administrator
      </AttributeValue>
      <SubjectAttributeDesignator AttributeId="*fedoraRole*" MustBePresent="false"
                                  DataType="http://www.w3.org/2001/XMLSchema#string"/>
    </SubjectMatch>
  </Subject>
</Subjects>

...

In Fedora, XACML policies can refer to user attribute names and values that are registered in an LDAP that is configured with Fedora's Ldap servlet filter. Refer to the Authentication and User Attributes section of the Securing Your Repository guide for information on servlet filter configuration options. Given that an LDAP is properly configured with Fedora, the Fedora XACML-based Policy Enforcement module will be able to access LDAP user attributes, which means that you can refer to LDAP attributes in reference to a Subject in a policy, as shown in the following XACML snippet (refer to the Fedora XACML Policy Guide for more info on policy syntax):

Code Block
xml
xml
borderStylesolidxml
<Rule RuleId="1" Effect="Deny">
  <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
    <SubjectAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="*ou*"/>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
        Lb-Info Technology
      </AttributeValue>
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
        Lb-Univ Librarian-General
      </AttributeValue>
    </Apply>
  </Condition>
</Rule>

...

The first time the Fedora repository server is started, these policies will be automatically copied into the official repository-wide policy storage location that was specified in the Fedora configuration file (fedora.fcfg). The policies are activated once they are copied into this location.

HTML Table
border1
Table Row (tr)
bgcolor#c0c0c0
aligncenter
Table Cell (td)
Rule
Table Cell (td)
Service
Table Cell (td)
XACML Policy File
Table Cell (td)
Policy Description
Wiki Markup
{table:border=1} {tr:align=center|bgcolor=#c0c0c0} {td}*Rule*{td} {td}*Service*{td} {td}*XACML Policy File*{td} {td}*Policy Description*{td} {tr} {tr:bgcolor=#ffffff} {td}1{td} {td}any{td} {td}[
Table Row (tr)
bgcolor#ffffff
Table Cell (td)
1
Table Cell (td)
any
Table Cell (td)
permit-anything-to-administrator.xml
|XACML Policy Enforcement^permit-anything-to-administrator.xml]{td} {td}This is a "positive policy" that permits the Fedora administrator to have access to any operation on any Fedora repository service
Table Cell (td)
This is a "positive policy" that permits the Fedora administrator to have access to any operation on any Fedora repository service (API-M,
API-A,
OAI,
RISearch).
By
default
the
Fedora
administrator
is
configured
in
the
default
Tomcat
user
credentials
file
(tomcat-users.xml).
{td} {tr} {tr:bgcolor=#ffffff} {td}2{td} {td}API-M{td} {td}[
Table Row (tr)
bgcolor#ffffff
Table Cell (td)
2
Table Cell (td)
API-M
Table Cell (td)
deny-apim-if-not-localhost.xml
|XACML Policy Enforcement^deny-apim-if-not-localhost.xml]{td} {td}This is a "negative policy" that denies access to API-M operations that are not made from the IP address of the machine on which the Fedora repository is running on. In other words, the policy will not allow API-M requests from hosts other than "localhost."{td} {tr} {tr:bgcolor=#ffffff} {td}3{td} {td}API-A{td} {td}[
Table Cell (td)
This is a "negative policy" that denies access to API-M operations that are not made from the IP address of the machine on which the Fedora repository is running on. In other words, the policy will not allow API-M requests from hosts other than "localhost."
Table Row (tr)
bgcolor#ffffff
Table Cell (td)
3
Table Cell (td)
API-A
Table Cell (td)
permit-apia-unrestricted.xml
|XACML Policy Enforcement^permit-apia-unrestricted.xml]{td} {td}This is a "positive policy" that permits unrestricted access to
Table Cell (td)
This is a "positive policy" that permits unrestricted access to API-A.
In
other
words,
API-A
operations
are
completely
open
for
use
by
any
user/agent.
{td} {tr} {tr:bgcolor=#ffffff} {td}4{td} {td}OAI{td} {td}[
Table Row (tr)
bgcolor#ffffff
Table Cell (td)
4
Table Cell (td)
OAI
Table Cell (td)
permit-oai-unrestricted.xml
|XACML Policy Enforcement^permit-oai-unrestricted.xml]{td} {td}This is a "positive policy" that permits unrestricted access to the default OAI provider interface to the Fedora repository. In other words, OAI-PMH operations are completely open for use by any user/agent. (Note, this does not control access to the stand-alone PROAI service that is distributed with Fedora 2.1. PROAI is a stand-alone web application that must be secured separately.{td} {tr} {table}
Table Cell (td)
This is a "positive policy" that permits unrestricted access to the default OAI provider interface to the Fedora repository. In other words, OAI-PMH operations are completely open for use by any user/agent. (Note, this does not control access to the stand-alone PROAI service that is distributed with Fedora 2.1. PROAI is a stand-alone web application that must be secured separately.

A A review of how the policy combining algorithm works, will reveal that access to a service operation cannot occur unless access is expressly permitted. The net effect of the default access control policies is that the administrator is expressly permitted to do anything (with the restriction of having to make API-M requests from the same IP address that the server runs on), and all users are expressly permitted access to API-A and OAI service requests.

...

Generally, the default repository utility policies should not be removed. They enforce core and crucial protections of the repository. Considerate understanding of how they work should proceed any (unlikely) needed editing. For example, consider and edit to permit other IPs than localhost, as opposed simply to deleting the policy.

HTML Table
border1
Table Row (tr)
bgcolor#c0c0c0
aligncenter
Table Cell (td)
Rule
Table Cell (td)
Service
Table Cell (td)
XACML Policy File
Table Cell (td)
Policy Description
Wiki Markup
{table:border=1} {tr:align=center|bgcolor=#c0c0c0} {td}*Rule*{td} {td}*Service*{td} {td}*XACML Policy File*{td} {td}*Policy Description*{td} {tr} {tr:bgcolor=#ffffff} {td:align=center}1{td} {td}serverAdmin{td} {td}[
Table Row (tr)
bgcolor#ffffff
Table Cell (td)
aligncenter
1
Table Cell (td)
serverAdmin
Table Cell (td)
deny-policy-management-if-not-administrator.xml
|XACML Policy Enforcement^deny-policy-management-if-not-administrator.xml]{td} {td} {td} {tr} {tr:bgcolor=#ffffff} {td:align=center}2{td} {td}any{td} {td}[
Table Cell (td)

Table Row (tr)
bgcolor#ffffff
Table Cell (td)
aligncenter
2
Table Cell (td)
any
Table Cell (td)
deny-inactive-or-deleted-disseminations-if-not-administrator.xml
|XACML Policy Enforcement^deny-inactive-or-deleted-disseminations-if-not-administrator.xml]{td} {td}This is a "negative policy" that will deny all access to inactive/deleted disseminations if the user/agent is not the Fedora administrator. Unlike purged disseminations, inactive/deleted disseminations still exist, but they are just marked as inactive/deleted. As such they should not be available to users. The exception is that the Fedora administrator is allowed to access them.{td} {tr} {tr:bgcolor=#ffffff} {td:align=center}3{td} {td}any{td} {td}[
Table Cell (td)
This is a "negative policy" that will deny all access to inactive/deleted disseminations if the user/agent is not the Fedora administrator. Unlike purged disseminations, inactive/deleted disseminations still exist, but they are just marked as inactive/deleted. As such they should not be available to users. The exception is that the Fedora administrator is allowed to access them.
Table Row (tr)
bgcolor#ffffff
Table Cell (td)
aligncenter
3
Table Cell (td)
any
Table Cell (td)
deny-inactive-or-deleted-objects-or-datastreams-if-not-administrator.xml
|XACML Policy Enforcement^deny-inactive-or-deleted-objects-or-datastreams-if-not-administrator.xml]{td} {td}This is a "negative policy" that will deny all access to inactive/deleted datastreams if the user/agent is not the Fedora administrator. Unlike purged objects/datastreams, inactive/deleted objects/datastreams still exist, but they are just marked as inactive/deleted. As such they should not be available to users. The exception is that the Fedora administrator is allowed to access them.{td} {tr} {tr:bgcolor=#ffffff} {td:align=center}4{td} {td}API-M{td} {td}[deny-purge-datastream-if-active-or-inactive.xml|XACML Policy Enforcement^deny
Table Cell (td)
This is a "negative policy" that will deny all access to inactive/deleted datastreams if the user/agent is not the Fedora administrator. Unlike purged objects/datastreams, inactive/deleted objects/datastreams still exist, but they are just marked as inactive/deleted. As such they should not be available to users. The exception is that the Fedora administrator is allowed to access them.
Table Row (tr)
bgcolor#ffffff
Table Cell (td)
aligncenter
4
Table Cell (td)
API-M
Table Cell (td)
deny-purge-datastream-if-active-or-inactive.xml
] {td} {td}This is a "negative policy" that will ensure that datastreams cannot be purged (permanently removed) unless they are in the deleted state. Purging of active or inactive datastreams is not allowed. {td} {tr} {tr:bgcolor=#ffffff} {td:align=center}5{td} {td}API-M{td} {td}[
Table Cell (td)
This is a "negative policy" that will ensure that datastreams cannot be purged (permanently removed) unless they are in the deleted state. Purging of active or inactive datastreams is not allowed.
Table Row (tr)
bgcolor#ffffff
Table Cell (td)
aligncenter
5
Table Cell (td)
API-M
Table Cell (td)
deny-purge-object-if-active-or-inactive.xml
|XACML Policy Enforcement^deny-purge-object-if-active-or-inactive.xml]{td} {td}This is a "negative policy" that will ensure that objects cannot be purged (permanently removed) unless they are in the "deleted" state. Purging of active or inactive objects not allowed.{td} {tr} {tr:bgcolor=#ffffff} {td:align=center}6{td} {td}serverAdmin{td} {td}[
Table Cell (td)
This is a "negative policy" that will ensure that objects cannot be purged (permanently removed) unless they are in the "deleted" state. Purging of active or inactive objects not allowed.
Table Row (tr)
bgcolor#ffffff
Table Cell (td)
aligncenter
6
Table Cell (td)
serverAdmin
Table Cell (td)
deny-reloadPolicies-if-not-localhost.xml
|XACML Policy Enforcement^deny-reloadPolicies-if-not-localhost.xml]{td} {td}This is a "negative policy" that will deny requests to reload policies
Table Cell (td)
This is a "negative policy" that will deny requests to reload policies (i.e.,
policy
reactivation)
if
this
requests
is
not
initiated
from
the
IP
address
of
the
machine
on
which
the
repository
is
running
(i.e.,
localhost).
{td} {tr} {tr:bgcolor=#ffffff} {td:align=center}7{td} {td}serverAdmin{td} {td}[
Table Row (tr)
bgcolor#ffffff
Table Cell (td)
aligncenter
7
Table Cell (td)
serverAdmin
Table Cell (td)
deny-serverShutdown-if-not-localhost.xml
|XACML Policy Enforcement^deny-serverShutdown-if-not-localhost.xml]{td} {td}This is a "negative policy" that will deny requests to shutdown the Fedora server if this requests is not initiated from the IP address of the machine on which the repository is running (i.e., localhost).{td} {tr} {tr:bgcolor=#ffffff} {td:align=center}9{td} {td}serverAdmin{td} {td}[
Table Cell (td)
This is a "negative policy" that will deny requests to shutdown the Fedora server if this requests is not initiated from the IP address of the machine on which the repository is running (i.e., localhost).
Table Row (tr)
bgcolor#ffffff
Table Cell (td)
aligncenter
9
Table Cell (td)
serverAdmin
Table Cell (td)
permit-serverStatus-unrestricted.xml
|XACML Policy Enforcement^permit-serverStatus-unrestricted.xml]{td} {td}This is a "positive policy" that permits unrestricted access for obtaining the Fedora server status.{td} {tr} {table}
Table Cell (td)
This is a "positive policy" that permits unrestricted access for obtaining the Fedora server status.

6 Sample Policies for Typical Fedora Use

...