9 Feb 19:39
[fcrepo-user] xacml policy to restrict OAI service
I'm trying to restrict OAI access to certain objects using the policy below (stored as a referenced
datastream). It has the intended effect re API-A, but is permitting OAI requests.
(As in, ...fedora/oai?verb=GetRecord&identifier=oai:example.org:1711.dl:XTA6NVZWV6UTA8K&metadataPrefix=oai_dc)
Thinking the default oai policy may be overriding the object's policy, I've tried both removing the
default policy and editing it in place so that the Rule Effect attribute is set to "Deny." No difference.
$FEDORA_HOME/server/fedora-internal-use/fedora-internal-use-repository-policies-approximating-2.0/permit-oai-unrestricted.xml
Each time I restarted fedora and even reloaded policies for good measure. Am I missing something obvious?
Thanks for any perspective.
-Brian
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" PolicyId="PolicyEmbargo" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Description>Policy for embargoed objects.</Description>
  <Target>
    <Subjects>
      <AnySubject/>
    </Subjects>
    <Resources>
      <AnyResource/>
    </Resources>
    <Actions>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-oai</AttributeValue>
          <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ActionMatch>
      </Action>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:api-a</AttributeValue>
          <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:api" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ActionMatch>
      </Action>
    </Actions>
  </Target>
  <Rule Effect="Deny" RuleId="1">
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <SubjectAttributeDesignator AttributeId="fedoraRole" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">pooh-bah</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">honcho</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>
--------------------------------------------------
Brian Sheppard
University of Wisconsin Digital Collections Center
bsheppard@... (608) 262-3349
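As an added example (not code from the post above or from Fedora itself), a small Python evaluator for the XACML subset this policy uses: it parses a condensed copy of the embargo policy and evaluates constructed request attribute sets, showing that the rule yields Deny only when the request carries exactly the action attribute values named in the Target, and otherwise NotApplicable, in which case other loaded policies (such as the default OAI policy) decide. The condensed policy text and the request dictionaries are constructed for the example; the attribute and function identifiers are the ones from the posted policy.

```python
import xml.etree.ElementTree as ET

X = "urn:oasis:names:tc:xacml:1.0:"
NS, FN, FA = "{" + X + "policy}", X + "function:", "urn:fedora:names:fedora:2.1:action:"

# Constructed, condensed copy of the posted embargo policy (same Target and Rule, DataType omitted).
POLICY = f"""<Policy xmlns="{NS[1:-1]}" PolicyId="PolicyEmbargo" RuleCombiningAlgId="{X}rule-combining-algorithm:first-applicable">
<Target><Subjects><AnySubject/></Subjects><Resources><AnyResource/></Resources><Actions>
<Action><ActionMatch MatchId="{FN}string-equal"><AttributeValue>{FA}id-oai</AttributeValue>
<ActionAttributeDesignator AttributeId="{FA}id"/></ActionMatch></Action>
<Action><ActionMatch MatchId="{FN}string-equal"><AttributeValue>{FA}api-a</AttributeValue>
<ActionAttributeDesignator AttributeId="{FA}api"/></ActionMatch></Action></Actions></Target>
<Rule Effect="Deny" RuleId="1"><Condition FunctionId="{FN}not">
<Apply FunctionId="{FN}string-at-least-one-member-of"><SubjectAttributeDesignator AttributeId="fedoraRole"/>
<Apply FunctionId="{FN}string-bag"><AttributeValue>pooh-bah</AttributeValue><AttributeValue>honcho</AttributeValue>
</Apply></Apply></Condition></Rule></Policy>"""


def _eval(node, request):
    """Evaluate an expression node: values/designators give a bag (list), functions a bool or bag."""
    tag = node.tag[len(NS):]
    if tag == "AttributeValue":
        return [node.text]
    if tag.endswith("AttributeDesignator"):            # attribute absent from request -> empty bag
        return list(request.get(node.get("AttributeId"), []))
    fn = node.get("FunctionId")[len(FN):]               # Apply or Condition
    args = [_eval(c, request) for c in node]
    if fn == "string-bag":
        return [v for bag in args for v in bag]
    if fn == "string-at-least-one-member-of":
        return bool(set(args[0]) & set(args[1]))
    if fn == "not":
        return not args[0]
    raise ValueError("unsupported function " + fn)


def decide(policy_xml, request):
    """Return 'Deny', 'Permit' or 'NotApplicable' for request = {attribute_id: [values]}."""
    policy = ET.fromstring(policy_xml)
    actions = policy.find(NS + "Target").find(NS + "Actions").findall(NS + "Action")
    # AnySubject/AnyResource always match; an Action matches when every ActionMatch (string-equal) holds.
    if not any(all(_eval(m[0], request)[0] in _eval(m[1], request) for m in a) for a in actions):
        return "NotApplicable"
    for rule in policy.findall(NS + "Rule"):            # first-applicable rule combining
        cond = rule.find(NS + "Condition")
        if cond is None or _eval(cond, request):
            return rule.get("Effect")
    return "NotApplicable"
```

When debugging a case like the one in the post, compare the action attributes the PEP actually submits for the request (a Fedora authorization log at debug level shows them) with the values the Target matches; a request that does not present one of those values never reaches the Deny rule.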