[fcrepo-user] POLICY datastream
Swithun Crowe
2011-04-21 14:00:21 UTC
Hello

I solved my managed DC/RELS-EXT datastreams in METS worries - they are
just regular datastreams, but with the particular ID attributes.

Now I'm stuck on using an external POLICY datastream. In a METS document,
I have:

<mets OBJID="alfresco:a8d5f33f-b5d7-4a50-bb2f-d45acbbbd5bf" ...>
...
<fileGrp ID="POLICY" VERSIONABLE="true" STATUS="A">
<file ID="POLICY.0" MIMETYPE="text/xml" OWNERID="E">
<FLocat xmlns:xlink="http://www.w3.org/1999/xlink" LOCTYPE="URL"
xlink:href="http://itspc-cs2/~archive/policy_service/policy_rps_data.xml"/>
</file>
</fileGrp>

The URL resolves to this document:

<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
PolicyId="deny-data-access-if-not-rps_reader"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
<Description>A policy to provide access to users with the rps_reader role</Description>
<Target>
<Subjects>
<AnySubject/>
</Subjects>
</Target>
<Rule RuleId="rps_data_rul1" Effect="Deny">
<Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">rps_reader</AttributeValue>
<SubjectAttributeDesignator AttributeId="fedoraRole" DataType="http://www.w3.org/2001/XMLSchema#string"/>
</Apply>
</Condition>
</Rule>
</Policy>

If I go to the object in a browser or a particular datastream, e.g.

http://.../fedora/objects/alfresco:a8d5f33f-b5d7-4a50-bb2f-d45acbbbd5bf or
http://.../fedora/objects/alfresco:a8d5f33f-b5d7-4a50-bb2f-d45acbbbd5bf/DS1,

then there is no prompting for authentication. If I then try to view the
/datastreams for the object, then I am prompted for authentication. But
the user who has "rps_reader" in their fedoraRole can't view the
datastreams (getting Fedora: 403 NOTAPPLICABLE), only fedoraAdmin can.

Looking at fedora.log and fesl.log (both set to DEBUG), it doesn't look
like my external policy is being used, let alone whether the XACML does
what I want it to do.

Does anyone have a working example of an external policy covering many
objects?

Thanks.

Swithun.
--
The University of St Andrews is a charity registered in Scotland: SC013532
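Whatever FeSL does with the external POLICY datastream, the policy as posted can never yield Permit: its only rule is a Deny whose Condition is false for a subject holding rps_reader, so that rule is NotApplicable, and first-applicable with no applicable rule returns NotApplicable rather than Permit. The evaluator below is an added example, not Fedora/FeSL code or the poster's; it models only the XACML 1.0 subset the policy uses (Any* targets, not, string-is-in, first-applicable) and runs the posted policy beside a constructed variant that adds an explicit Permit rule.

```python
import xml.etree.ElementTree as ET

NS = "{urn:oasis:names:tc:xacml:1.0:policy}"
FN = "urn:oasis:names:tc:xacml:1.0:function:"

# The policy exactly as posted in the thread.
POSTED_POLICY = """<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    PolicyId="deny-data-access-if-not-rps_reader"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Description>A policy to provide access to users with the rps_reader role</Description>
  <Target><Subjects><AnySubject/></Subjects></Target>
  <Rule RuleId="rps_data_rul1" Effect="Deny">
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">rps_reader</AttributeValue>
        <SubjectAttributeDesignator AttributeId="fedoraRole" DataType="http://www.w3.org/2001/XMLSchema#string"/>
      </Apply>
    </Condition>
  </Rule>
</Policy>"""

# Constructed variant (not from the thread): the same Deny rule followed by an
# unconditional Permit, so rps_reader subjects get an explicit Permit instead of
# falling through to NotApplicable. The Target also carries Resources/Actions,
# which the XACML 1.0 schema lists as mandatory and the posted Target omits.
PERMIT_VARIANT = POSTED_POLICY.replace(
    "<Target><Subjects><AnySubject/></Subjects></Target>",
    "<Target><Subjects><AnySubject/></Subjects>"
    "<Resources><AnyResource/></Resources><Actions><AnyAction/></Actions></Target>",
).replace("</Policy>", '  <Rule RuleId="permit-rps_reader" Effect="Permit"/>\n</Policy>')


def _eval(expr, subject_attrs):
    """Evaluate a Condition/Apply tree over the subject's attribute bags."""
    if expr.tag == NS + "AttributeValue":
        return expr.text
    if expr.tag == NS + "SubjectAttributeDesignator":
        # A designator yields a bag; an attribute the subject lacks is an empty bag.
        return list(subject_attrs.get(expr.get("AttributeId"), ()))
    if expr.tag in (NS + "Apply", NS + "Condition"):
        fn = expr.get("FunctionId")
        args = [_eval(child, subject_attrs) for child in expr]
        if fn == FN + "not":
            return not args[0]
        if fn == FN + "string-is-in":
            value, bag = args
            return value in bag
        raise NotImplementedError("function not modelled: " + fn)
    raise ValueError("unexpected element " + expr.tag)


def _target_matches(target):
    """Only the Any* wildcards are modelled; an absent Target or section matches."""
    if target is None:
        return True
    for section, wildcard in (("Subjects", "AnySubject"),
                              ("Resources", "AnyResource"),
                              ("Actions", "AnyAction")):
        sec = target.find(NS + section)
        if sec is not None and sec.find(NS + wildcard) is None:
            raise NotImplementedError("only Any* targets are modelled")
    return True


def _eval_rule(rule, subject_attrs):
    """A rule whose Target or Condition does not match is NotApplicable;
    otherwise it yields its Effect (Permit or Deny)."""
    if not _target_matches(rule.find(NS + "Target")):
        return "NotApplicable"
    cond = rule.find(NS + "Condition")
    if cond is not None and not _eval(cond, subject_attrs):
        return "NotApplicable"
    return rule.get("Effect")


def evaluate(policy_xml, subject_attrs):
    """Return Permit, Deny or NotApplicable for one policy under first-applicable."""
    policy = ET.fromstring(policy_xml)
    alg = policy.get("RuleCombiningAlgId")
    if not alg.endswith(":first-applicable"):
        raise NotImplementedError("only first-applicable is modelled: " + alg)
    if not _target_matches(policy.find(NS + "Target")):
        return "NotApplicable"
    for rule in policy.findall(NS + "Rule"):
        decision = _eval_rule(rule, subject_attrs)
        if decision != "NotApplicable":  # first-applicable: stop at the first decision
            return decision
    return "NotApplicable"


if __name__ == "__main__":
    # Constructed subjects: the thread's rps_reader user, another role, and no role.
    for label, attrs in (("rps_reader", {"fedoraRole": ["rps_reader"]}),
                         ("student", {"fedoraRole": ["student"]}),
                         ("no role", {})):
        print("%-10s posted=%-13s variant=%s" % (
            label, evaluate(POSTED_POLICY, attrs), evaluate(PERMIT_VARIANT, attrs)))
```

A Deny-only policy relies on some other policy in the PDP's set to supply the Permit; on its own it only ever distinguishes Deny from NotApplicable.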
Steve Bayliss
2011-04-21 14:50:25 UTC
Hi Swithun

Are you using FeSL AuthZ? What does your
$FEDORA_HOME/install/install.properties have for

xacml.enabled
fesl.authz.enabled

Steve
Swithun Crowe
2011-04-22 12:07:05 UTC
Hello

SB> Are you using FeSL AuthZ? What does your
SB> $FEDORA_HOME/install/install.properties have for
SB> xacml.enabled
SB> fesl.authz.enabled

I have fesl.authz enabled, but xacml.enabled is false (how can it be made
true on install?). But I have been modifying ENFORCE-MODE in fedora.fcfg.

There are no errors when it is set to "permit-all-requests", but now, when
I set it to "enforce-policies", I get an AuthzDeniedException thrown.

I've included the output from fesl.log below. This is for running an empty
search to get all objects. Round about line 2011-04-22 12:24:16.691, the
request is permitted. But then, at line 2011-04-22 12:24:17.026, it all
starts to go pear-shaped, with an "Error finding parents".

This is on a fresh install of Fedora 3.5 snapshot, with demo objects
loaded.

Has anyone got any ideas?

Thanks.

Swithun.

DEBUG 2011-04-22 12:24:16.452 [TP-Processor12] (PEP) Incoming URI: /fedora/objects
DEBUG 2011-04-22 12:24:16.452 [TP-Processor12] (PEP) Incoming servletPath: /objects
DEBUG 2011-04-22 12:24:16.453 [TP-Processor12] (PEP) obtaining filter: org.fcrepo.server.security.xacml.pep.rest.filters.ObjectsFilter
DEBUG 2011-04-22 12:24:16.457 [TP-Processor12] (PEP) Filtering URI: [/fedora/objects] with: [org.fcrepo.server.security.xacml.pep.rest.filters.ObjectsFilter]
DEBUG 2011-04-22 12:24:16.457 [TP-Processor12] (ObjectsFilter) objectsHandler path:
DEBUG 2011-04-22 12:24:16.457 [TP-Processor12] (ObjectsFilter) objectsHandler method: GET
DEBUG 2011-04-22 12:24:16.457 [TP-Processor12] (ObjectsFilter) objectsHandler part:
DEBUG 2011-04-22 12:24:16.457 [TP-Processor12] (ObjectsFilter) activating handler: findObjects
DEBUG 2011-04-22 12:24:16.458 [TP-Processor12] (ContextUtil) Building request!
DEBUG 2011-04-22 12:24:16.460 [TP-Processor12] (RelationshipResolverImpl) Obtaining parents for: FedoraRepository
INFO 2011-04-22 12:24:16.461 [TP-Processor12] (LogUtil) 20110422 12:24:16.461 fedoraAdmin urn:fedora:names:fedora:2.1:action:id-findObjects FedoraRepository
DEBUG 2011-04-22 12:24:16.461 [TP-Processor12] (EvaluationEngineImpl) evaluating RequestCtx request
DEBUG 2011-04-22 12:24:16.462 [TP-Processor12] (EvaluationEngineImpl) evaluating String request
DEBUG 2011-04-22 12:24:16.462 [TP-Processor12] (EvaluationEngineImpl) evaluating array of String requests
DEBUG 2011-04-22 12:24:16.466 [TP-Processor12] (ResponseCacheImpl) Getting Cache Item (0/0/0): 5f4655f5eb63aeec0ab7db77cf2d684d
DEBUG 2011-04-22 12:24:16.466 [TP-Processor12] (EvaluationEngineImpl) No item found in cache. Sending to PDP for evaluation.
DEBUG 2011-04-22 12:24:16.467 [TP-Processor12] (DirectPDPClient) Resolving String request:
<Request>
<Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>fedoraAdmin</AttributeValue></Attribute>
</Subject>
<Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:fedora:names:fedora:2.1:subject:loginId" DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>fedoraAdmin</AttributeValue></Attribute>
</Subject>
<Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:fedora:names:fedora:2.1:subject:subjectRepresented" DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>fedoraAdmin</AttributeValue></Attribute>
</Subject>
<Resource>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI"><AttributeValue>/FedoraRepository</AttributeValue></Attribute>
<Attribute AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid" DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>FedoraRepository</AttributeValue></Attribute>
</Resource>
<Action>
<Attribute AttributeId="urn:fedora:names:fedora:2.1:action:id" DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>read</AttributeValue></Attribute>
<Attribute AttributeId="urn:fedora:names:fedora:2.1:action:api"
DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>urn:fedora:names:fedora:2.1:action:api-a</AttributeValue></Attribute>
</Action>
<Environment>
<Attribute AttributeId="urn:fedora:names:fedora:2.1:environment:httpRequest:clientIpAddress"
DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>138.251.115.124</AttributeValue></Attribute>
</Environment>
</Request>

DEBUG 2011-04-22 12:24:16.473 [TP-Processor12] (FedoraPolicyStore) Total memory: 429440
DEBUG 2011-04-22 12:24:16.473 [TP-Processor12] (FedoraPolicyStore) Free memory: 196671
DEBUG 2011-04-22 12:24:16.473 [TP-Processor12] (FedoraPolicyStore) Max memory: 699072
INFO 2011-04-22 12:24:16.474 [TP-Processor12] (FedoraPolicyStore) Loading config file: /opt/fedora35_2/pdp/conf/config-pdm-fedora.xml
INFO 2011-04-22 12:24:16.475 [TP-Processor12] (FedoraPolicyStore) Initialising validation
DEBUG 2011-04-22 12:24:16.566 [TP-Processor12] (PopulatePolicyDatabase) Policy database already contains fedora-policy:public-demo_demoObjectCollection (public-demoObjectCollection.xml). Skipping.
DEBUG 2011-04-22 12:24:16.573 [TP-Processor12] (PopulatePolicyDatabase) Policy database already contains fedora-policy:access-public (access-public.xml). Skipping.
DEBUG 2011-04-22 12:24:16.591 [TP-Processor12] (PopulatePolicyDatabase) Policy database already contains fedora-policy:access-staff (access-staff.xml). Skipping.
DEBUG 2011-04-22 12:24:16.599 [TP-Processor12] (PopulatePolicyDatabase) Policy database already contains fedora-policy:access-fedora-internal-call (access-fedora-internal-call.xml). Skipping.
DEBUG 2011-04-22 12:24:16.618 [TP-Processor12] (PopulatePolicyDatabase) Policy database already contains fedora-policy:access-admin (access-admin.xml). Skipping.
DEBUG 2011-04-22 12:24:16.631 [TP-Processor12] (PopulatePolicyDatabase) Policy database already contains fedora-policy:access-teacher (access-teacher.xml). Skipping.
DEBUG 2011-04-22 12:24:16.638 [TP-Processor12] (PopulatePolicyDatabase) Policy database already contains fedora-policy:access-student (access-student.xml). Skipping.
INFO 2011-04-22 12:24:16.638 [TP-Processor12] (MelcoePDPImpl) Loading config file: /opt/fedora35_2/pdp/conf/config-pdp.xml
INFO 2011-04-22 12:24:16.654 [TP-Processor12] (AttributeFinderConfigUtil) Loading attribute finder config file: /opt/fedora35_2/pdp/conf/config-attribute-finder.xml
INFO 2011-04-22 12:24:16.655 [TP-Processor12] (FedoraRIAttributeFinder) Initialised AttributeFinder:org.fcrepo.server.security.xacml.pdp.finder.attribute.FedoraRIAttributeFinder
DEBUG 2011-04-22 12:24:16.655 [TP-Processor12] (FedoraRIAttributeFinder) registering the following attributes:
DEBUG 2011-04-22 12:24:16.655 [TP-Processor12] (FedoraRIAttributeFinder) 1: info:fedora/fedora-system:def/model#ownerId
DEBUG 2011-04-22 12:24:16.655 [TP-Processor12] (FedoraRIAttributeFinder) 1: http://www.w3.org/1999/02/22-rdf-syntax-ns#type
DEBUG 2011-04-22 12:24:16.655 [TP-Processor12] (FedoraRIAttributeFinder) 1: info:fedora/fedora-system:def/model#createdDate
DEBUG 2011-04-22 12:24:16.655 [TP-Processor12] (FedoraRIAttributeFinder) 1: info:fedora/fedora-system:def/view#mimeType
DEBUG 2011-04-22 12:24:16.655 [TP-Processor12] (FedoraRIAttributeFinder) 1: http://muradora.ramp.org.au/sf#isSmartFolder
DEBUG 2011-04-22 12:24:16.655 [TP-Processor12] (FedoraRIAttributeFinder) 1: info:fedora/fedora-system:def/model#label
DEBUG 2011-04-22 12:24:16.655 [TP-Processor12] (FedoraRIAttributeFinder) 1: info:fedora/fedora-system:def/model#state
INFO 2011-04-22 12:24:16.656 [TP-Processor12] (AttributeFinderConfigUtil) Loading attribute finder config file: /opt/fedora35_2/pdp/conf/config-attribute-finder.xml
DEBUG 2011-04-22 12:24:16.657 [TP-Processor12] (AttributeFinderConfigUtil) Located AttributeFinder: org.fcrepo.server.security.xacml.pdp.finder.attribute.FedoraRIAttributeFinder
DEBUG 2011-04-22 12:24:16.657 [TP-Processor12] (FedoraRIAttributeFinder) username:
DEBUG 2011-04-22 12:24:16.657 [TP-Processor12] (FedoraRIAttributeFinder) password:
DEBUG 2011-04-22 12:24:16.657 [TP-Processor12] (FedoraRIAttributeFinder) url: http://localhost:5743/fedora/melcoerisearch
INFO 2011-04-22 12:24:16.661 [TP-Processor12] (FilePolicyIndex) Starting FilePolicyIndex
DEBUG 2011-04-22 12:24:16.662 [TP-Processor12] (FilePolicyIndex) Total memory: 429440
DEBUG 2011-04-22 12:24:16.662 [TP-Processor12] (FilePolicyIndex) Free memory: 185569
DEBUG 2011-04-22 12:24:16.662 [TP-Processor12] (FilePolicyIndex) Max memory: 699072
INFO 2011-04-22 12:24:16.662 [TP-Processor12] (FilePolicyIndex) Loading config file: /opt/fedora35_2/pdp/conf/config-pdm-file.xml
DEBUG 2011-04-22 12:24:16.663 [TP-Processor12] (FilePolicyIndex) [config] directory: /opt/fedora35_2/pdp/policy-db
INFO 2011-04-22 12:24:16.663 [TP-Processor12] (FilePolicyIndex) Populating FeSL File policy index cache
INFO 2011-04-22 12:24:16.663 [TP-Processor12] (FilePolicyIndex) Loading FeSL policy from cache directory: /opt/fedora35_2/pdp/policy-db/fedora-policy_access-staff.xml
INFO 2011-04-22 12:24:16.664 [TP-Processor12] (FilePolicyIndex) Loading FeSL policy from cache directory: /opt/fedora35_2/pdp/policy-db/fedora-policy_access-fedora-internal-call.xml
INFO 2011-04-22 12:24:16.665 [TP-Processor12] (FilePolicyIndex) Loading FeSL policy from cache directory: /opt/fedora35_2/pdp/policy-db/fedora-policy_access-teacher.xml
INFO 2011-04-22 12:24:16.665 [TP-Processor12] (FilePolicyIndex) Loading FeSL policy from cache directory: /opt/fedora35_2/pdp/policy-db/fedora-policy_access-public.xml
INFO 2011-04-22 12:24:16.665 [TP-Processor12] (FilePolicyIndex) Loading FeSL policy from cache directory: /opt/fedora35_2/pdp/policy-db/fedora-policy_access-admin.xml
INFO 2011-04-22 12:24:16.665 [TP-Processor12] (FilePolicyIndex) Loading FeSL policy from cache directory: /opt/fedora35_2/pdp/policy-db/fedora-policy_public-demo_demoObjectCollection.xml
INFO 2011-04-22 12:24:16.665 [TP-Processor12] (FilePolicyIndex) Loading FeSL policy from cache directory: /opt/fedora35_2/pdp/policy-db/fedora-policy_access-student.xml
INFO 2011-04-22 12:24:16.665 [TP-Processor12] (FilePolicyIndex) Populated cache with 7 files
INFO 2011-04-22 12:24:16.668 [TP-Processor12] (MelcoePDPImpl) PDP Instantiated and initialised!
DEBUG 2011-04-22 12:24:16.668 [TP-Processor12] (MelcoePDPImpl) evaluating request: <Request>
<Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>fedoraAdmin</AttributeValue></Attribute>
</Subject>
<Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:fedora:names:fedora:2.1:subject:loginId" DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>fedoraAdmin</AttributeValue></Attribute>
</Subject>
<Subject SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:fedora:names:fedora:2.1:subject:subjectRepresented" DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>fedoraAdmin</AttributeValue></Attribute>
</Subject>
<Resource>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI"><AttributeValue>/FedoraRepository</AttributeValue></Attribute>
<Attribute AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid" DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>FedoraRepository</AttributeValue></Attribute>
</Resource>
<Action>
<Attribute AttributeId="urn:fedora:names:fedora:2.1:action:id" DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>read</AttributeValue></Attribute>
<Attribute AttributeId="urn:fedora:names:fedora:2.1:action:api"
DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>urn:fedora:names:fedora:2.1:action:api-a</AttributeValue></Attribute>
</Action>
<Environment>
<Attribute AttributeId="urn:fedora:names:fedora:2.1:environment:httpRequest:clientIpAddress"
DataType="http://www.w3.org/2001/XMLSchema#string"><AttributeValue>138.251.115.124</AttributeValue></Attribute>
</Environment>
</Request>

DEBUG 2011-04-22 12:24:16.671 [TP-Processor12] (PolicyManager) Obtained policies: 7
DEBUG 2011-04-22 12:24:16.679 [TP-Processor12] (PolicyManager) Matched policy: fedora-policy:access-admi
DEBUG 2011-04-22 12:24:16.691 [TP-Processor12] (PolicyManager) Matched policies and created abstract policy.
DEBUG 2011-04-22 12:24:16.691 [TP-Processor12] (MelcoePDPImpl) response is: <Response>
<Result ResourceId="/FedoraRepository">
<Decision>Permit</Decision>
<Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
</Status>
</Result>
</Response>

DEBUG 2011-04-22 12:24:16.691 [TP-Processor12] (EvaluationEngineImpl) Adding PDP evaluation results to cache
DEBUG 2011-04-22 12:24:16.693 [TP-Processor12] (ResponseCacheImpl) Adding Cache Item (1/1/1): 5f4655f5eb63aeec0ab7db77cf2d684d
DEBUG 2011-04-22 12:24:16.693 [TP-Processor12] (EvaluationEngineImpl) Time taken for XACML Evaluation: 231ms
DEBUG 2011-04-22 12:24:16.694 [TP-Processor12] (PEP) Permitting access!
DEBUG 2011-04-22 12:24:16.981 [TP-Processor12] (ObjectsFilter) objectsHandler path:
DEBUG 2011-04-22 12:24:16.981 [TP-Processor12] (ObjectsFilter) objectsHandler method: GET
DEBUG 2011-04-22 12:24:16.981 [TP-Processor12] (ObjectsFilter) objectsHandler part:
DEBUG 2011-04-22 12:24:16.982 [TP-Processor12] (ObjectsFilter) activating handler: findObjects
DEBUG 2011-04-22 12:24:16.982 [TP-Processor12] (FindObjects) filtering html
DEBUG 2011-04-22 12:24:17.015 [TP-Processor12] (FindObjects) Checking: fedora-policy:access-student
DEBUG 2011-04-22 12:24:17.015 [TP-Processor12] (ContextUtil) Building request!
DEBUG 2011-04-22 12:24:17.015 [TP-Processor12] (RelationshipResolverImpl) Obtaining parents for: fedora-policy:access-student
DEBUG 2011-04-22 12:24:17.015 [TP-Processor12] (RelationshipResolverImpl) relationship query: fedora-policy:access-student, info:fedora/fedora-system:def/relations-external#isMemberOf
INFO 2011-04-22 12:24:17.015 [TP-Processor12] (FilePolicyIndex) Starting FilePolicyIndex
DEBUG 2011-04-22 12:24:17.015 [TP-Processor12] (FilePolicyIndex) Total memory: 429440
DEBUG 2011-04-22 12:24:17.015 [TP-Processor12] (FilePolicyIndex) Free memory: 168943
DEBUG 2011-04-22 12:24:17.015 [TP-Processor12] (FilePolicyIndex) Max memory: 699072
INFO 2011-04-22 12:24:17.015 [TP-Processor12] (FilePolicyIndex) Loading config file: /opt/fedora35_2/pdp/conf/config-pdm-file.xml
DEBUG 2011-04-22 12:24:17.016 [TP-Processor12] (FilePolicyIndex) [config] directory: /opt/fedora35_2/pdp/policy-db
ERROR 2011-04-22 12:24:17.026 [TP-Processor12] (ContextUtil) Error finding parents.
org.fcrepo.server.security.xacml.MelcoeXacmlException:
at org.fcrepo.server.security.xacml.util.RelationshipResolverImpl.getRelationships(RelationshipResolverImpl.java:210) [fcrepo-security-pdp-3.5-SNAPSHOT.jar:na]
at org.fcrepo.server.security.xacml.util.RelationshipResolverImpl.getParents(RelationshipResolverImpl.java:132) [fcrepo-security-pdp-3.5-SNAPSHOT.jar:na]
at org.fcrepo.server.security.xacml.util.RelationshipResolverImpl.buildRESTParentHierarchy(RelationshipResolverImpl.java:99) [fcrepo-security-pdp-3.5-SNAPSHOT.jar:na]
at org.fcrepo.server.security.xacml.util.ContextUtil.setupResources(ContextUtil.java:325) [fcrepo-security-pdp-3.5-SNAPSHOT.jar:na]
at org.fcrepo.server.security.xacml.util.ContextUtil.buildRequest(ContextUtil.java:444) [fcrepo-security-pdp-3.5-SNAPSHOT.jar:na]
at org.fcrepo.server.security.xacml.pep.ContextHandlerImpl.buildRequest(ContextHandlerImpl.java:111) [fcrepo-security-pep-3.5-SNAPSHOT.jar:na]
at org.fcrepo.server.security.xacml.pep.rest.objectshandlers.FindObjects.evaluatePids(FindObjects.java:456) [fcrepo-security-pep-3.5-SNAPSHOT.jar:na]
at org.fcrepo.server.security.xacml.pep.rest.objectshandlers.FindObjects.filterHTML(FindObjects.java:379) [fcrepo-security-pep-3.5-SNAPSHOT.jar:na]
at org.fcrepo.server.security.xacml.pep.rest.objectshandlers.FindObjects.handleResponse(FindObjects.java:192) [fcrepo-security-pep-3.5-SNAPSHOT.jar:na]
at org.fcrepo.server.security.xacml.pep.rest.filters.ObjectsFilter.handleResponse(ObjectsFilter.java:109) [fcrepo-security-pep-3.5-SNAPSHOT.jar:na]
at org.fcrepo.server.security.xacml.pep.rest.PEP.doFilter(PEP.java:162) [fcrepo-security-pep-3.5-SNAPSHOT.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.26]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.26]
at org.fcrepo.server.security.jaas.AuthFilterJAAS.doFilter(AuthFilterJAAS.java:295) [fcrepo-security-jaas-3.5-SNAPSHOT.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.26]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.26]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) [catalina.jar:6.0.26]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina.jar:6.0.26]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:558) [catalina.jar:6.0.26]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [catalina.jar:6.0.26]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [catalina.jar:6.0.26]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:6.0.26]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) [catalina.jar:6.0.26]
at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190) [tomcat-coyote.jar:6.0.26]
at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291) [tomcat-coyote.jar:6.0.26]
at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:769) [tomcat-coyote.jar:6.0.26]
at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:698) [tomcat-coyote.jar:6.0.26]
at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:891) [tomcat-coyote.jar:6.0.26]
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690) [tomcat-coyote.jar:6.0.26]
at java.lang.Thread.run(Thread.java:662) [na:1.6.0_24]
Caused by: org.fcrepo.server.errors.authorization.AuthzDeniedException:
at org.fcrepo.server.security.PolicyEnforcementPoint.enforce(PolicyEnforcementPoint.java:422) [fcrepo-server-3.5-SNAPSHOT.jar:na]
at org.fcrepo.server.security.DefaultAuthorization.enforceGetRelationships(DefaultAuthorization.java:1570) [fcrepo-server-3.5-SNAPSHOT.jar:na]
at org.fcrepo.server.management.DefaultManagement.getRelationships(DefaultManagement.java:1639) [fcrepo-server-3.5-SNAPSHOT.jar:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [na:1.6.0_24]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [na:1.6.0_24]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [na:1.6.0_24]
at java.lang.reflect.Method.invoke(Method.java:597) [na:1.6.0_24]
at org.fcrepo.server.messaging.NotificationInvocationHandler.invoke(NotificationInvocationHandler.java:68) [fcrepo-server-3.5-SNAPSHOT.jar:na]
at $Proxy433.getRelationships(Unknown Source) [na:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [na:1.6.0_24]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [na:1.6.0_24]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [na:1.6.0_24]
at java.lang.reflect.Method.invoke(Method.java:597) [na:1.6.0_24]
at org.fcrepo.server.security.xacml.pdp.decorator.PolicyIndexInvocationHandler.invokeTarget(PolicyIndexInvocationHandler.java:334) [fcrepo-security-pdp-3.5-SNAPSHOT.jar:na]
at org.fcrepo.server.security.xacml.pdp.decorator.PolicyIndexInvocationHandler.invoke(PolicyIndexInvocationHandler.java:106) [fcrepo-security-pdp-3.5-SNAPSHOT.jar:na]
at $Proxy433.getRelationships(Unknown Source) [na:na]
at org.fcrepo.server.management.ManagementModule.getRelationships(ManagementModule.java:335) [fcrepo-server-3.5-SNAPSHOT.jar:na]
at org.fcrepo.server.security.xacml.util.RelationshipResolverImpl.getRelationships(RelationshipResolverImpl.java:202) [fcrepo-security-pdp-3.5-SNAPSHOT.jar:na]
... 29 common frames omitted
ERROR 2011-04-22 12:24:17.027 [TP-Processor12] (ContextUtil) Error creating request.
org.fcrepo.server.security.xacml.MelcoeXacmlException: Error finding parents.
at org.fcrepo.server.security.xacml.util.ContextUtil.setupResources(ContextUtil.java:341) [fcrepo-security-pdp-3.5-SNAPSHOT.jar:na]
at org.fcrepo.server.security.xacml.util.ContextUtil.buildRequest(ContextUtil.java:444) [fcrepo-security-pdp-3.5-SNAPSHOT.jar:na]
at org.fcrepo.server.security.xacml.pep.ContextHandlerImpl.buildRequest(ContextHandlerImpl.java:111) [fcrepo-security-pep-3.5-SNAPSHOT.jar:na]
at org.fcrepo.server.security.xacml.pep.rest.objectshandlers.FindObjects.evaluatePids(FindObjects.java:456) [fcrepo-security-pep-3.5-SNAPSHOT.jar:na]
at org.fcrepo.server.security.xacml.pep.rest.objectshandlers.FindObjects.filterHTML(FindObjects.java:379) [fcrepo-security-pep-3.5-SNAPSHOT.jar:na]
at org.fcrepo.server.security.xacml.pep.rest.objectshandlers.FindObjects.handleResponse(FindObjects.java:192) [fcrepo-security-pep-3.5-SNAPSHOT.jar:na]
at org.fcrepo.server.security.xacml.pep.rest.filters.ObjectsFilter.handleResponse(ObjectsFilter.java:109) [fcrepo-security-pep-3.5-SNAPSHOT.jar:na]
at org.fcrepo.server.security.xacml.pep.rest.PEP.doFilter(PEP.java:162) [fcrepo-security-pep-3.5-SNAPSHOT.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.26]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.26]
at org.fcrepo.server.security.jaas.AuthFilterJAAS.doFilter(AuthFilterJAAS.java:295) [fcrepo-security-jaas-3.5-SNAPSHOT.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.26]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.26]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) [catalina.jar:6.0.26]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina.jar:6.0.26]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:558) [catalina.jar:6.0.26]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [catalina.jar:6.0.26]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [catalina.jar:6.0.26]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:6.0.26]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) [catalina.jar:6.0.26]
at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190) [tomcat-coyote.jar:6.0.26]
at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291) [tomcat-coyote.jar:6.0.26]
at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:769) [tomcat-coyote.jar:6.0.26]
at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:698) [tomcat-coyote.jar:6.0.26]
at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:891) [tomcat-coyote.jar:6.0.26]
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690) [tomcat-coyote.jar:6.0.26]
at java.lang.Thread.run(Thread.java:662) [na:1.6.0_24]
Caused by: org.fcrepo.server.security.xacml.MelcoeXacmlException:
at org.fcrepo.server.security.xacml.util.RelationshipResolverImpl.getRelationships(RelationshipResolverImpl.java:210) [fcrepo-security-pdp-3.5-SNAPSHOT.jar:na]
at org.fcrepo.server.security.xacml.util.RelationshipResolverImpl.getParents(RelationshipResolverImpl.java:132) [fcrepo-security-pdp-3.5-SNAPSHOT.jar:na]
at org.fcrepo.server.security.xacml.util.RelationshipResolverImpl.buildRESTParentHierarchy(RelationshipResolverImpl.java:99) [fcrepo-security-pdp-3.5-SNAPSHOT.jar:na]
at org.fcrepo.server.security.xacml.util.ContextUtil.setupResources(ContextUtil.java:325) [fcrepo-security-pdp-3.5-SNAPSHOT.jar:na]
... 26 common frames omitted
Caused by: org.fcrepo.server.errors.authorization.AuthzDeniedException:
at org.fcrepo.server.security.PolicyEnforcementPoint.enforce(PolicyEnforcementPoint.java:422) [fcrepo-server-3.5-SNAPSHOT.jar:na]
at org.fcrepo.server.security.DefaultAuthorization.enforceGetRelationships(DefaultAuthorization.java:1570) [fcrepo-server-3.5-SNAPSHOT.jar:na]
at org.fcrepo.server.management.DefaultManagement.getRelationships(DefaultManagement.java:1639) [fcrepo-server-3.5-SNAPSHOT.jar:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [na:1.6.0_24]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [na:1.6.0_24]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [na:1.6.0_24]
at java.lang.reflect.Method.invoke(Method.java:597) [na:1.6.0_24]
at org.fcrepo.server.messaging.NotificationInvocationHandler.invoke(NotificationInvocationHandler.java:68) [fcrepo-server-3.5-SNAPSHOT.jar:na]
at $Proxy433.getRelationships(Unknown Source) [na:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [na:1.6.0_24]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [na:1.6.0_24]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [na:1.6.0_24]
at java.lang.reflect.Method.invoke(Method.java:597) [na:1.6.0_24]
at org.fcrepo.server.security.xacml.pdp.decorator.PolicyIndexInvocationHandler.invokeTarget(PolicyIndexInvocationHandler.java:334) [fcrepo-security-pdp-3.5-SNAPSHOT.jar:na]
at org.fcrepo.server.security.xacml.pdp.decorator.PolicyIndexInvocationHandler.invoke(PolicyIndexInvocationHandler.java:106) [fcrepo-security-pdp-3.5-SNAPSHOT.jar:na]
at $Proxy433.getRelationships(Unknown Source) [na:na]
at org.fcrepo.server.management.ManagementModule.getRelationships(ManagementModule.java:335) [fcrepo-server-3.5-SNAPSHOT.jar:na]
at org.fcrepo.server.security.xacml.util.RelationshipResolverImpl.getRelationships(RelationshipResolverImpl.java:202) [fcrepo-security-pdp-3.5-SNAPSHOT.jar:na]
... 29 common frames omitted
ERROR 2011-04-22 12:24:17.028 [TP-Processor12] (FindObjects) org.fcrepo.server.security.xacml.MelcoeXacmlException: Error creating request
org.fcrepo.server.security.xacml.pep.PEPException: org.fcrepo.server.security.xacml.MelcoeXacmlException: Error creating request
at org.fcrepo.server.security.xacml.pep.ContextHandlerImpl.buildRequest(ContextHandlerImpl.java:116) [fcrepo-security-pep-3.5-SNAPSHOT.jar:na]
at org.fcrepo.server.security.xacml.pep.rest.objectshandlers.FindObjects.evaluatePids(FindObjects.java:456) [fcrepo-security-pep-3.5-SNAPSHOT.jar:na]
at org.fcrepo.server.security.xacml.pep.rest.objectshandlers.FindObjects.filterHTML(FindObjects.java:379) [fcrepo-security-pep-3.5-SNAPSHOT.jar:na]
at org.fcrepo.server.security.xacml.pep.rest.objectshandlers.FindObjects.handleResponse(FindObjects.java:192) [fcrepo-security-pep-3.5-SNAPSHOT.jar:na]
at org.fcrepo.server.security.xacml.pep.rest.filters.ObjectsFilter.handleResponse(ObjectsFilter.java:109) [fcrepo-security-pep-3.5-SNAPSHOT.jar:na]
at org.fcrepo.server.security.xacml.pep.rest.PEP.doFilter(PEP.java:162) [fcrepo-security-pep-3.5-SNAPSHOT.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.26]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.26]
at org.fcrepo.server.security.jaas.AuthFilterJAAS.doFilter(AuthFilterJAAS.java:295) [fcrepo-security-jaas-3.5-SNAPSHOT.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.26]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.26]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) [catalina.jar:6.0.26]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina.jar:6.0.26]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:558) [catalina.jar:6.0.26]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [catalina.jar:6.0.26]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [catalina.jar:6.0.26]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:6.0.26]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) [catalina.jar:6.0.26]
at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190) [tomcat-coyote.jar:6.0.26]
at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291) [tomcat-coyote.jar:6.0.26]
at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:769) [tomcat-coyote.jar:6.0.26]
at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:698) [tomcat-coyote.jar:6.0.26]
at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:891) [tomcat-coyote.jar:6.0.26]
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690) [tomcat-coyote.jar:6.0.26]
at java.lang.Thread.run(Thread.java:662) [na:1.6.0_24]
Caused by: org.fcrepo.server.security.xacml.MelcoeXacmlException: Error creating request
at org.fcrepo.server.security.xacml.util.ContextUtil.buildRequest(ContextUtil.java:451) [fcrepo-security-pdp-3.5-SNAPSHOT.jar:na]
at org.fcrepo.server.security.xacml.pep.ContextHandlerImpl.buildRequest(ContextHandlerImpl.java:111) [fcrepo-security-pep-3.5-SNAPSHOT.jar:na]
... 24 common frames omitted
Caused by: org.fcrepo.server.security.xacml.MelcoeXacmlException: Error finding parents.
at org.fcrepo.server.security.xacml.util.ContextUtil.setupResources(ContextUtil.java:341) [fcrepo-security-pdp-3.5-SNAPSHOT.jar:na]
at org.fcrepo.server.security.xacml.util.ContextUtil.buildRequest(ContextUtil.java:444) [fcrepo-security-pdp-3.5-SNAPSHOT.jar:na]
... 25 common frames omitted
Caused by: org.fcrepo.server.security.xacml.MelcoeXacmlException:
at org.fcrepo.server.security.xacml.util.RelationshipResolverImpl.getRelationships(RelationshipResolverImpl.java:210) [fcrepo-security-pdp-3.5-SNAPSHOT.jar:na]
at org.fcrepo.server.security.xacml.util.RelationshipResolverImpl.getParents(RelationshipResolverImpl.java:132) [fcrepo-security-pdp-3.5-SNAPSHOT.jar:na]
at org.fcrepo.server.security.xacml.util.RelationshipResolverImpl.buildRESTParentHierarchy(RelationshipResolverImpl.java:99) [fcrepo-security-pdp-3.5-SNAPSHOT.jar:na]
at org.fcrepo.server.security.xacml.util.ContextUtil.setupResources(ContextUtil.java:325) [fcrepo-security-pdp-3.5-SNAPSHOT.jar:na]
... 26 common frames omitted
Caused by: org.fcrepo.server.errors.authorization.AuthzDeniedException:
at org.fcrepo.server.security.PolicyEnforcementPoint.enforce(PolicyEnforcementPoint.java:422) [fcrepo-server-3.5-SNAPSHOT.jar:na]
at org.fcrepo.server.security.DefaultAuthorization.enforceGetRelationships(DefaultAuthorization.java:1570) [fcrepo-server-3.5-SNAPSHOT.jar:na]
at org.fcrepo.server.management.DefaultManagement.getRelationships(DefaultManagement.java:1639) [fcrepo-server-3.5-SNAPSHOT.jar:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [na:1.6.0_24]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [na:1.6.0_24]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [na:1.6.0_24]
at java.lang.reflect.Method.invoke(Method.java:597) [na:1.6.0_24]
at org.fcrepo.server.messaging.NotificationInvocationHandler.invoke(NotificationInvocationHandler.java:68) [fcrepo-server-3.5-SNAPSHOT.jar:na]
at $Proxy433.getRelationships(Unknown Source) [na:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [na:1.6.0_24]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [na:1.6.0_24]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [na:1.6.0_24]
at java.lang.reflect.Method.invoke(Method.java:597) [na:1.6.0_24]
at org.fcrepo.server.security.xacml.pdp.decorator.PolicyIndexInvocationHandler.invokeTarget(PolicyIndexInvocationHandler.java:334) [fcrepo-security-pdp-3.5-SNAPSHOT.jar:na]
at org.fcrepo.server.security.xacml.pdp.decorator.PolicyIndexInvocationHandler.invoke(PolicyIndexInvocationHandler.java:106) [fcrepo-security-pdp-3.5-SNAPSHOT.jar:na]
at $Proxy433.getRelationships(Unknown Source) [na:na]
at org.fcrepo.server.management.ManagementModule.getRelationships(ManagementModule.java:335) [fcrepo-server-3.5-SNAPSHOT.jar:na]
at org.fcrepo.server.security.xacml.util.RelationshipResolverImpl.getRelationships(RelationshipResolverImpl.java:202) [fcrepo-security-pdp-3.5-SNAPSHOT.jar:na]
... 29 common frames omitted
--
The University of St Andrews is a charity registered in Scotland: SC013532
Steve Bayliss
2011-04-22 17:39:05 UTC
Hi Swithun

The legacy XACML engine and FeSL AuthZ are alternatives; they won't work
together properly. I think what may have happened here is you have turned
on the legacy XACML engine and that's upsetting FeSL.

Is it your intent to use FeSL AuthZ?

If so, you'll need FESLPOLICY datastreams rather than POLICY datastreams.
Also, by default the policy in an object's datastream will not apply to that
object - you will need to specify the policy in the Resources target. And
FeSL expects XACML 2.0 policies.

Regards
Steve
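As an added illustration of the points above (not taken from this thread or from the Fedora project), here is a minimal XACML 2.0 policy of the kind FeSL expects, with the protected object named explicitly in the Resources target rather than relying on where the datastream happens to live. The PID `demo:example-object`, the role name `reader` and the `fedoraRole` subject attribute are placeholders/assumptions; the `urn:fedora:names:fedora:2.1:resource:object:pid` attribute id is the one that appears in the request logged in this thread.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the thread. XACML 2.0 namespace, as FeSL expects. -->
<Policy xmlns="urn:oasis:names:tc:xacml:2.0:policy:schema:os"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        PolicyId="deny-object-access-without-reader-role"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Description>Deny access to one object unless the caller holds the reader role</Description>

  <!-- The Resources target is what binds this policy to the object.
       Without it the policy does not apply to the object it is stored in.
       demo:example-object is a placeholder PID. -->
  <Target>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">demo:example-object</AttributeValue>
          <ResourceAttributeDesignator
              AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
              DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ResourceMatch>
      </Resource>
    </Resources>
  </Target>

  <!-- In XACML 2.0 a Condition wraps a single Apply; the FunctionId sits on the Apply,
       not on the Condition as it did in 1.0. fedoraRole and "reader" are assumptions. -->
  <Rule RuleId="deny-if-reader-role-missing" Effect="Deny">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">reader</AttributeValue>
          <SubjectAttributeDesignator AttributeId="fedoraRole"
                                      DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>
```

Because the policy contains only a Deny rule, a request from a subject who does hold the role evaluates to NotApplicable rather than Permit, so a separate permitting policy is still needed for those users.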
-----Original Message-----
Sent: 22 April 2011 13:07
To: Support and info exchange list for Fedora users.
Subject: Re: [fcrepo-user] POLICY datastream
Hello

SB> Are you using FeSL AuthZ? What does your
SB> $FEDORA_HOME/install/install.properties have for
SB> xacml.enabled
SB> fesl.authz.enabled

I have fesl.authz enabled, but xacml.enabled is false (how can it be made
true on install?). But I have been modifying ENFORCE-MODE in fedora.fcfg.
There are no errors when it is set to "permit-all-requests", but now, when
I set it to "enforce-policies", I get an AuthzDeniedException thrown.

I've included the output from fesl.log below. This is for running an empty
search to get all objects. Round about line 2011-04-22 12:24:16.691, the
request is permitted. But then, at line 2011-04-22 12:24:17.026, it all
starts to go pear-shaped, with an "Error finding parents".

This is on a fresh install of Fedora 3.5 snapshot, with demo objects
loaded.

Has anyone got any ideas?

Thanks.
Swithun.
at
org.fcrepo.server.security.xacml.pep.rest.PEP.doFilter(PEP.jav
a:162) [fcrepo-security-pep-3.5-SNAPSHOT.jar:na]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilt
er(ApplicationFilterChain.java:235) [catalina.jar:6.0.26]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(Appli
cationFilterChain.java:206) [catalina.jar:6.0.26]
at
org.fcrepo.server.security.jaas.AuthFilterJAAS.doFilter(AuthFi
lterJAAS.java:295) [fcrepo-security-jaas-3.5-SNAPSHOT.jar:na]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilt
er(ApplicationFilterChain.java:235) [catalina.jar:6.0.26]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(Appli
cationFilterChain.java:206) [catalina.jar:6.0.26]
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardW
rapperValve.java:233) [catalina.jar:6.0.26]
at
org.apache.catalina.core.StandardContextValve.invoke(StandardC
ontextValve.java:191) [catalina.jar:6.0.26]
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(Aut
henticatorBase.java:558) [catalina.jar:6.0.26]
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHost
Valve.java:127) [catalina.jar:6.0.26]
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReport
Valve.java:102) [catalina.jar:6.0.26]
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEn
gineValve.java:109) [catalina.jar:6.0.26]
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdap
ter.java:298) [catalina.jar:6.0.26]
at
org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.ja
va:190) [tomcat-coyote.jar:6.0.26]
at
org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java
:291) [tomcat-coyote.jar:6.0.26]
at
org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:7
69) [tomcat-coyote.jar:6.0.26]
at
org.apache.jk.common.ChannelSocket.processConnection(ChannelSo
cket.java:698) [tomcat-coyote.jar:6.0.26]
at
org.apache.jk.common.ChannelSocket$SocketConnection.runIt(Chan
nelSocket.java:891) [tomcat-coyote.jar:6.0.26]
at
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(
ThreadPool.java:690) [tomcat-coyote.jar:6.0.26]
at java.lang.Thread.run(Thread.java:662) [na:1.6.0_24]
org.fcrepo.server.security.xacml.MelcoeXacmlException: Error
creating request
at
org.fcrepo.server.security.xacml.util.ContextUtil.buildRequest
(ContextUtil.java:451) [fcrepo-security-pdp-3.5-SNAPSHOT.jar:na]
at
org.fcrepo.server.security.xacml.pep.ContextHandlerImpl.buildR
equest(ContextHandlerImpl.java:111)
[fcrepo-security-pep-3.5-SNAPSHOT.jar:na]
... 24 common frames omitted
org.fcrepo.server.security.xacml.MelcoeXacmlException: Error
finding parents.
at
org.fcrepo.server.security.xacml.util.ContextUtil.setupResourc
es(ContextUtil.java:341) [fcrepo-security-pdp-3.5-SNAPSHOT.jar:na]
at
org.fcrepo.server.security.xacml.util.ContextUtil.buildRequest
(ContextUtil.java:444) [fcrepo-security-pdp-3.5-SNAPSHOT.jar:na]
... 25 common frames omitted
at
org.fcrepo.server.security.xacml.util.RelationshipResolverImpl
.getRelationships(RelationshipResolverImpl.java:210)
[fcrepo-security-pdp-3.5-SNAPSHOT.jar:na]
at
org.fcrepo.server.security.xacml.util.RelationshipResolverImpl
.getParents(RelationshipResolverImpl.java:132)
[fcrepo-security-pdp-3.5-SNAPSHOT.jar:na]
at
org.fcrepo.server.security.xacml.util.RelationshipResolverImpl
.buildRESTParentHierarchy(RelationshipResolverImpl.java:99)
[fcrepo-security-pdp-3.5-SNAPSHOT.jar:na]
at
org.fcrepo.server.security.xacml.util.ContextUtil.setupResourc
es(ContextUtil.java:325) [fcrepo-security-pdp-3.5-SNAPSHOT.jar:na]
... 26 common frames omitted
at
org.fcrepo.server.security.PolicyEnforcementPoint.enforce(Poli
cyEnforcementPoint.java:422) [fcrepo-server-3.5-SNAPSHOT.jar:na]
at
org.fcrepo.server.security.DefaultAuthorization.enforceGetRela
tionships(DefaultAuthorization.java:1570)
[fcrepo-server-3.5-SNAPSHOT.jar:na]
at
org.fcrepo.server.management.DefaultManagement.getRelationship
s(DefaultManagement.java:1639) [fcrepo-server-3.5-SNAPSHOT.jar:na]
at
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[na:1.6.0_24]
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccess
orImpl.java:39) [na:1.6.0_24]
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMeth
odAccessorImpl.java:25) [na:1.6.0_24]
at java.lang.reflect.Method.invoke(Method.java:597)
[na:1.6.0_24]
at
org.fcrepo.server.messaging.NotificationInvocationHandler.invo
ke(NotificationInvocationHandler.java:68)
[fcrepo-server-3.5-SNAPSHOT.jar:na]
at $Proxy433.getRelationships(Unknown Source) [na:na]
at
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
[na:1.6.0_24]
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccess
orImpl.java:39) [na:1.6.0_24]
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMeth
odAccessorImpl.java:25) [na:1.6.0_24]
at java.lang.reflect.Method.invoke(Method.java:597)
[na:1.6.0_24]
at
org.fcrepo.server.security.xacml.pdp.decorator.PolicyIndexInvo
cationHandler.invokeTarget(PolicyIndexInvocationHandler.java:3
34) [fcrepo-security-pdp-3.5-SNAPSHOT.jar:na]
at
org.fcrepo.server.security.xacml.pdp.decorator.PolicyIndexInvo
cationHandler.invoke(PolicyIndexInvocationHandler.java:106)
[fcrepo-security-pdp-3.5-SNAPSHOT.jar:na]
at $Proxy433.getRelationships(Unknown Source) [na:na]
at
org.fcrepo.server.management.ManagementModule.getRelationships
(ManagementModule.java:335) [fcrepo-server-3.5-SNAPSHOT.jar:na]
at
org.fcrepo.server.security.xacml.util.RelationshipResolverImpl
.getRelationships(RelationshipResolverImpl.java:202)
[fcrepo-security-pdp-3.5-SNAPSHOT.jar:na]
... 29 common frames omitted
--
The University of St Andrews is a charity registered in
Scotland: SC013532
_______________________________________________
Fedora-commons-users mailing list
https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
Swithun Crowe
2011-05-04 11:53:28 UTC
Permalink
Hello

Sorry about the delay in getting back about this - holidays got in the
way.

SB> Is it your intent to use FeSL AuthZ?

Yes, I want to use the new FeSL authZ (among other authz mechanisms).

SB> If so, you'll need FESLPOLICY datastreams rather than POLICY datastreams.

OK. I have a policy which works if I copy it to pdp/policy-db, but not
when it is referenced as an E(xternal) datastream, which is what you say
below:

SB> Also, by default the policy in an object's datastream will not apply
SB> to that object - you will need to specify the policy in the Resources
SB> target.

I don't understand the bit about specifying a policy in the Resources
target. Are there any examples of an external FESLPOLICY datastream, or
something which has the same effect? What I would like to achieve is to
store my policies outside Fedora, and have many objects referencing the
same policy.

Thanks for all the help so far.

Swithun.
--
The University of St Andrews is a charity registered in Scotland: SC013532
Stephen Bayliss
2011-05-05 09:22:30 UTC
Permalink
Hi Swithun

Unfortunately FeSL isn't that well documented at present, I'm hoping to add
some additional documentation as part of the next release.

In FeSL, all XACML policies are stored as datastreams in Fedora objects. So
you can either have separate Fedora objects for each policy (with FESLPOLICY
datastreams), or you can add a FESLPOLICY datastream to existing objects.

The pdp/policies directory contains bootstrap policies that are loaded into
Fedora when the server first starts - if you do a search you should see
Fedora objects that are created with these policies. The intent isn't that
this directory should be used for your own policies, you should instead
create Fedora objects for these (as the server does for these policies when
it starts). Though in this case as you've discovered, adding a policy to
this directory will result in a policy object being created (but an
important caveat in using this directory is that if you modify a policy in
pdp/policies, the Fedora object will not be updated - the objects are
created once and only once when the server starts).

It is the XACML policy that specifies what resources it applies to, rather
than a Fedora object specifying which policies apply. This is somewhat
different to the existing XACML implementation, where, if a POLICY
datastream is added to an object there is an implied specification in the
policy that it applies to that object (that's not exactly the mechanism, but
the effect is the same). This is not the case in FeSL; where for instance
adding a FESLPOLICY datastream to an object where the Resources section of
the policy is not present will result in the policy applying to all objects.
To specify that the policy applies to the object containing the FESLPOLICY
datastream it is necessary to specify that in the policy.

XACML policies specify which resources they apply to using the Resources
sub-element of the XACML Target element.

FeSL uses the XACML hierarchical resources profile, so policies can be
applied to all members of a collection for example.

An example of this (actually from the public-demoObjectCollection policy in
pdp/poi):

<Resources>
  <Resource>
    <!-- to view everything under the resource collection -->
    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/demo:demoObjectCollection/.*</AttributeValue>
      <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
    </ResourceMatch>
  </Resource>
  <Resource>
    <!-- to view the resource collection itself -->
    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">/demo:demoObjectCollection</AttributeValue>
      <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI" />
    </ResourceMatch>
  </Resource>
</Resources>

It is also possible to specify additional resource attributes such as the
PID of the resource, a datastream identifier etc.

In the forthcoming Fedora 3.5 release it is possible to define additional
XACML resource attributes sourced from object relationships (eg via the
resource index).

So for example it would be possible to define a XACML resource attribute
with an ID "http://example.org/objectProperties#policy", define this as a
relationship in RELS-EXT, and specify the target of the relationship as the
name of a policy.

Then in the XACML policy you could specify this as a
ResourceAttributeDesignator, and use an AttributeValue to specify the name
of the policy. Thus the policy resource attribute value matches this custom
object property; thus effectively the object can define which policies apply
to it.

What are your use cases for applying policies to objects? Maybe a few
examples might help and I can suggest some ways of implementing these.

Regards
Steve
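The Resources matching that Steve describes, as an added example that is not part of the thread or of Fedora/FeSL: a small Python evaluator over the quoted Resources section, implementing only the two MatchIds used there plus the rule that a FESLPOLICY with no Resources section applies to every object. It assumes resource-id values take the collection-path form shown in the thread, and treats anyURI-regexp-match as a full match (engines differ on anchoring).

```python
"""Evaluate the Resources target of a FeSL-style XACML policy.

Added example, not code from Fedora or FeSL.  Handles only the
anyURI-regexp-match and anyURI-equal MatchIds on resource-id, and the
"no <Resources> means the policy applies to every object" rule.
"""
import re
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:1.0:policy"}
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"

# Constructed sample: the Resources section quoted in the thread, wrapped in
# a minimal Policy element so it parses as a whole document.
HIERARCHICAL_POLICY = """\
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" PolicyId="demo-collection"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target>
    <Subjects><AnySubject/></Subjects>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/demo:demoObjectCollection/.*</AttributeValue>
          <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
        </ResourceMatch>
      </Resource>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">/demo:demoObjectCollection</AttributeValue>
          <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
        </ResourceMatch>
      </Resource>
    </Resources>
    <Actions><AnyAction/></Actions>
  </Target>
</Policy>
"""

# Constructed sample: the same policy with the Resources section left out,
# which is the mistake the thread warns about.
UNSCOPED_POLICY = """\
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" PolicyId="unscoped"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target><Subjects><AnySubject/></Subjects></Target>
</Policy>
"""


def _match(match_id, pattern, resource_id):
    """Apply one ResourceMatch function to a resource-id value."""
    if match_id.endswith(":anyURI-regexp-match"):
        # Assumption: the regexp must cover the whole resource-id.  Engines
        # differ on anchoring; the pattern quoted above ends in .* either way.
        return re.fullmatch(pattern, resource_id) is not None
    if match_id.endswith(":anyURI-equal"):
        return pattern == resource_id
    raise ValueError("MatchId not handled by this example: " + match_id)


def resource_targets(policy_xml):
    """Return the <Resource> alternatives as a list of lists of
    (MatchId, AttributeValue) pairs, or None when the policy has no
    <Resources> element at all.  <AnyResource/> yields one empty alternative."""
    root = ET.fromstring(policy_xml)
    resources = root.find("x:Target/x:Resources", NS)
    if resources is None:
        return None
    if resources.find("x:AnyResource", NS) is not None:
        return [[]]
    alternatives = []
    for resource in resources.findall("x:Resource", NS):
        matches = []
        for rm in resource.findall("x:ResourceMatch", NS):
            designator = rm.find("x:ResourceAttributeDesignator", NS)
            if designator is None or designator.get("AttributeId") != RESOURCE_ID:
                raise ValueError("only resource-id designators are handled here")
            matches.append((rm.get("MatchId"),
                            rm.findtext("x:AttributeValue", namespaces=NS)))
        alternatives.append(matches)
    return alternatives


def has_resource_target(policy_xml):
    """False when the policy would apply to every object in the repository."""
    return resource_targets(policy_xml) is not None


def policy_applies_to(policy_xml, resource_id):
    """Decide whether the policy's Target covers resource_id, which is assumed
    to be the hierarchical form used in the thread, e.g.
    "/demo:demoObjectCollection/demo:obj1" for a collection member.
    <Resources> is a disjunction of <Resource>; each <Resource> is a
    conjunction of its <ResourceMatch> elements."""
    alternatives = resource_targets(policy_xml)
    if alternatives is None:
        return True  # no Resources section: applies to all objects
    return any(all(_match(mid, value, resource_id) for mid, value in alt)
               for alt in alternatives)
```

Running `has_resource_target` over every FESLPOLICY before ingest is the cheap check for a policy that silently applies to the whole repository.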



Swithun Crowe
2011-05-09 09:09:33 UTC
Permalink
Hello

SB> In FeSL, all XACML policies are stored as datastreams in Fedora
SB> objects. So you can either have separate Fedora objects for each
SB> policy (with FESLPOLICY datastreams), or you can add a FESLPOLICY
SB> datastream to existing objects.

Cool. I have something working now. It is an (E)xternal FESLPOLICY in its
own Fedora object, and which specifies resources. Other objects which
match these resources are then controlled by the policy.

One question is how I would go about triggering a reevaluation of an
external policy. The script fedora-reload-policies.sh doesn't seem to do
this. Even viewing the updated content of the external datastream in
Fedora doesn't make a difference.

SB> FeSL uses the XACML hierarchical resources profile, so policies can be
SB> applied to all members of a collection for example.

I didn't realise that this was hierarchical - I thought that
/demo:demoObjectCollection/.* was just describing pages below
/demo:demoObjectCollection - a URL hierarchy, rather than members of the
collection. That makes it a whole lot more interesting. Thanks.

If I can use existing RDF statements about membership of collections, then
I probably don't need to use another RDF statement just for the policy.

Thanks again.

Swithun.
--
The University of St Andrews is a charity registered in Scotland: SC013532
Stephen Bayliss
2011-05-09 09:24:19 UTC
Permalink
Hello Swithun
Post by Swithun Crowe
One question is how I would go about triggering a reevaluation of an
external policy. The script fedora-reload-policies.sh doesn't seem to do
this. Even viewing the updated content of the external datastream in
Fedora doesn't make a difference.
What you may be hitting here is the policy evaluation caching mechanism.
Currently there is nothing in place to clear the evaluation results cache
when a policy is modified, so the "old" evaluation results can result in
stale cache entries rather than evaluation based on modifications to the
policy.

Fedora-reload-policies operates only on the non-FeSL XACML policies.

The work-around currently is to set an environment variable
PEP_NOCACHE=true; which disables caching entirely, which is probably a good
idea whilst you are modifying policies (you can remove it once you have a
stable set).

See
https://wiki.duraspace.org/display/FCR30/FeSL+Authorization#FeSLAuthorization-Policyevaluationresultscaching

We currently have a JIRA issue raised for this:
https://wiki.duraspace.org/display/FCR30/FeSL+Authorization

Steve



Swithun Crowe
2011-05-12 09:43:30 UTC
Permalink
Hello

SB> The work-around currently is to set an environment variable
SB> PEP_NOCACHE=true; which disables caching entirely, which is probably a
SB> good idea whilst you are modifying policies (you can remove it once
SB> you have a stable set).

Setting PEP_NOCACHE didn't seem to have any effect. I found that Fedora
was storing FESLPOLICY datastreams in pdp/policy-db/. If I deleted the
copy of my external FESLPOLICY, then it wasn't replaced, and Fedora
behaved as if the policy didn't exist. I had to purge the datastream and
add it again for it to appear and have an effect.

SB> See
SB> https://wiki.duraspace.org/display/FCR30/FeSL+Authorization#FeSLAuthorization-Policyevaluationresultscaching

This page only mentions inline and managed datastreams. I changed my
external datastream to managed, but again, I had to replace the content
for a change to appear.

I can't find a DBXML database file anywhere. I don't know if this is
significant, or if FeSL is doing OK without DBXML. I haven't seen anything
in the logs complaining about it.

I'm using version 3.5 SNAPSHOT. Below is my installer.properties.

Now that I know how to get policies refreshed, I could maybe even script
the actions, so it isn't a major problem. But I'm puzzled as to why it
doesn't behave in the way you described.

Swithun.

#Install Options
#Tue May 03 10:31:57 BST 2011
keystore.file=/home/archive/keystore/server.jks
ri.enabled=true
messaging.enabled=true
apia.auth.required=false
database.jdbcDriverClass=org.apache.derby.jdbc.EmbeddedDriver
tomcat.ssl.port=8443
ssl.available=true
database.jdbcURL=jdbc\:derby\:/opt/fedora35_2/derby/fedora3;create\=true
messaging.uri=vm\:(broker\:(tcp\://localhost\:61616))
database.password=fedoraAdmin
keystore.type=JKS
fesl.dbxml.home=/usr/local/BerkeleyDBXML.2.5.16
database.username=fedoraAdmin
fesl.authz.enabled=true
tomcat.shutdown.port=8005
deploy.local.services=true
xacml.enabled=false
tomcat.http.port=8080
fedora.serverHost=itspc-cs2.st-andrews.ac.uk
database=included
database.driver=included
fedora.serverContext=fedora
keystore.password=fedoraAdmin
llstore.type=akubra-fs
tomcat.home=/opt/alfresco/tomcat
fesl.authn.enabled=true
fedora.home=/opt/fedora35_2
install.type=custom
servlet.engine=existingTomcat
apim.ssl.required=true
fedora.admin.pass=fedoraAdmin
apia.ssl.required=false
--
The University of St Andrews is a charity registered in Scotland: SC013532
Stephen Bayliss
2011-05-12 10:31:02 UTC
Permalink
Hi Swithun

Do you have the date/time that you grabbed the source code for the
3.5-SNAPSHOT build that you are using?

DBXML isn't required if you are using a build from master. Instead a
file-backed memory-based policy index is used (these are the files in the
pdp/policy-db/ folder). DBXML and eXist can optionally be used instead for
the policy index.

With external datastreams Fedora won't be aware when the content has
changed, hence the policy index won't be updated as you observe (I missed
this fact from your earlier message). Though the rebuilder has an option to
recreate the policy index from scratch. Also, setting the datastream state
to inactive/deleted then back to active should trigger an update of the
policy index.

However with managed content FESLPOLICY datastreams, a modification to the
datastream content should trigger an immediate change (providing PEP_NOCACHE
is true and exported); it sounds like this is not happening for you.

I'd like to investigate this further in case we have a bug.

Could you supply

1) The initial FESLPOLICY datastream
2) The modified FESLPOLICY datastream
3) A description of what changes you expect after the datastream is
modified, and what you actually observe.

We are currently doing some testing on master so it would be useful to
factor this in (and maybe add an automated test case for it).

Regards
Steve

Swithun Crowe
2011-05-12 11:22:23 UTC
Permalink
Hello

SB> Do you have the date/time that you grabbed the source code for the
SB> 3.5-SNAPSHOT build that you are using?.

.git/logs/HEAD contains what looks like a timestamp. It translates to:

Tue Mar 22 2011 17:12:58 GMT+0000 (GMT)

which should be about right, I think.

SB> Also, setting the datastream state to inactive/deleted then back to
SB> active should trigger an update of the policy index.

That works, and with external datastreams too. Thanks.

SB> However with managed content FESLPOLICY datastreams, a modification to
SB> the datastream content should trigger an immediate change (providing
SB> PEP_NOCACHE is true and exported); it sounds like this is not
SB> happening for you.

The cached version is updated, if I modify the content of a managed
datastream - either editing the content or purging and adding again.

I was expecting external FESLPOLICY datastreams to be refreshed when the
external version was updated. But what I should expect is that datastreams
get refreshed if the local copy is modified (managed), or the datastream
changes state (managed/external).

SB> I'd like to investigate this further in case we have a bug.

Now that my expectations are realistic, I think it is working as it is to
be expected to.

Swithun.
--
The University of St Andrews is a charity registered in Scotland: SC013532
ajs6f-4Ng6DfrEGID2fBVCVOL8/
2011-05-12 12:28:01 UTC
Permalink
There is a general point here about external datastreams: Fedora has no way to know when they change. To my knowledge, it does not poll those URLs or maintain timestamping on them or the like. In a situation where Fedora is caching information derived from external datastreams (or some other part of a system is caching information derived from Fedora external datastreams) there is no immediate way to have changes propagate as appropriate without adding additional machinery. Fedora can't do it by itself.

---
A. Soroka
Online Library Environment
the University of Virginia Library
Scott Prater
2011-05-12 13:37:40 UTC
Permalink
I wonder if this might be a good direction to extend the Fedora
messaging services? By default, the embedded activemq broker bundled
with Fedora sends messages, but does not set up a listener to receive
them; this could be modified, however, and Fedora could be wired up to
do something like monitor a filesystem or URL, and receive an update
notification when an external resource changes, which it could then act
upon to refresh its cache, recalculate datastream sizes and md5sums, etc.

Of course, for looser coupling, this could just as easily be done with
a message processing service/enterprise service bus outside of Fedora,
in which case the outside service would be responsible for sending
updates and deletes to Fedora via the usual API-M functions. That might be
preferable, especially as you'd want to account for outages of the
remote resource and other factors that make pointing to external resources
fragile.

-- Scott
--
Scott Prater
Library, Instructional, and Research Applications (LIRA)
Division of Information Technology (DoIT)
University of Wisconsin - Madison
prater-***@public.gmane.org
João Miguel Quintino de Morais Zamite
2011-05-12 13:57:52 UTC
Permalink
Just an idea that came to me while looking at something else, not sure
if it applies well but here it goes.

Fedora could use an approach to synchronization/replication similar to
that done between LDAP servers but on an external datastream level.

Using the Master-Slave analogy, let's assume Fedora is a slave or
consumer of external datastreams and there is a Master or provider.

Fedora could have a refreshAndPersist (from the syncrepl approach
http://www.openldap.org/doc/admin22/syncrepl.html ).

So Fedora would request the external datastream, and delegate the
provider with the responsibility of notifying on update/delete
(similar to the approach suggested by Scott).

The advantage of this is reducing unnecessary calls to external
resources (did it change? no) by giving the master the responsibility.
Of course a simple request every x time should also be possible but
results in more traffic.

Best Regards,
João Zamite
Post by Scott Prater
I wonder if this might be a good direction to extend the Fedora
messaging services? By default, the embedded activemq broker bundles
with Fedora sends messages, but does not set up a listener to receive
them; this could be modified, however, and Fedora could be wired up to
do something like monitor a filesystem or URL, and receive an update
notification when an external resource changes, which it could then act
upon to refresh its cache, recalculate datastream sizes and md5sums, etc.
Of course, for looser coupling, this could just as easily have been done with
a message processing service/enterprise service bus outside of Fedora,
in which case the outside service would be responsible for sending
updates, deletes to Fedora via the usual API-M functions. That might be
preferable, especially as you'd want to account for outages of the
remote resource, other factors that make pointing to external resources
fragile.
-- Scott
Post by ajs6f-4Ng6DfrEGID2fBVCVOL8/
There is a general point here about external datastreams: Fedora
has no way to know when they change. To my knowledge, it does not
poll those URLs or maintain timestamping on them or the like. In a
situation where Fedora is caching information derived from external
datastreams (or some other part of a system is caching information
derived from Fedora external datastreams) there is no immediate way
to have changes propagate as appropriate without adding additional
machinery. Fedora can't do it by itself.
---
A. Soroka
Online Library Environment
the University of Virginia Library
Post by Swithun Crowe
I was expecting external FESLPOLICY datastreams to be refreshed when the
external version was updated. But what I should expect is that datastreams
get refreshed if the local copy is modified (managed), or the datastream
changes state (managed/external).
--
Scott Prater
Library, Instructional, and Research Applications (LIRA)
Division of Information Technology (DoIT)
University of Wisconsin - Madison
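To make the trade-off concrete, here is a small Python simulation (an added example, not Fedora code or anything from this thread) of the two refresh models discussed above: a consumer that polls the provider every round and compares the document with its cache, versus a syncrepl-style refreshAndPersist consumer that fetches once and then relies on the provider to push changes. The policy bodies, the class names Provider, PollingConsumer and RefreshAndPersistConsumer, and the round counts are all constructed for the example; the `fresh` flag records whether the cached FESLPOLICY still matches what the provider is serving, i.e. whether Fedora would be enforcing the current policy or a stale one.

```python
# Constructed stand-ins for two versions of the external XACML policy document
# (policy_rps_data.xml) that Fedora would cache as a FESLPOLICY datastream.
POLICY_V1 = b'<Policy PolicyId="deny-data-access-if-not-rps_reader">v1</Policy>'
POLICY_V2 = b'<Policy PolicyId="deny-data-access-if-not-rps_reader">v2</Policy>'

class Provider:  # the "master": the web server hosting the external datastream
    def __init__(self, body):
        self.body, self.fetches, self.listeners = body, 0, []
    def fetch(self):
        self.fetches += 1                    # one HTTP request from the consumer
        return self.body
    def subscribe(self, callback):
        self.listeners.append(callback)      # provider takes on the duty to notify
    def update(self, body):
        self.body = body
        for callback in self.listeners:      # push the new version to subscribers
            callback(body)

class PollingConsumer:  # the "slave" re-requests the document every tick
    def __init__(self, provider):
        self.provider = provider
        self.cached = provider.fetch()
    def tick(self):
        body = self.provider.fetch()         # "did it change? no" most of the time
        if body == self.cached:
            return False
        self.cached = body
        return True

class RefreshAndPersistConsumer:  # fetch once, then rely on pushed updates
    def __init__(self, provider):
        self.cached = provider.fetch()
        provider.subscribe(self._on_update)
    def _on_update(self, body):
        self.cached = body                   # cache refreshed without a request
    def tick(self):
        return False                         # nothing is sent between updates

def simulate(ticks=10, update_at=4):
    """Run both strategies for `ticks` rounds with one policy change at `update_at`."""
    results = {}
    for name, cls in (("polling", PollingConsumer), ("refreshAndPersist", RefreshAndPersistConsumer)):
        provider = Provider(POLICY_V1)
        consumer = cls(provider)
        for t in range(ticks):
            if t == update_at:
                provider.update(POLICY_V2)
            consumer.tick()
        results[name] = {"requests": provider.fetches, "fresh": consumer.cached == POLICY_V2}
    return results
```

With the defaults, polling issues 11 requests to end up fresh while refreshAndPersist issues 1; note that polling is only fresh if a poll happens after the change, so a policy change between the last poll and a request is still enforced from the stale copy.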