Details

      Description

      Currently, policies are stored in dbxml. Policies should be first-class Fedora objects in the repository.

      General feedback about the namespace for policy objects would be most welcome.

          Activity

          Stephen Bayliss added a comment - edited
          Implementation notes:
          * Any Fedora object can have a FESLPOLICY datastream with a XACML policy
          * Policy management is through the Fedora API, modifying these FESLPOLICY datastreams
          * There is no implicit relationship between the FESLPOLICY datastream and the object containing the datastream - the XACML policy must specify resources to which it applies explicitly (this is different to the existing XACML implementation, where a XACML POLICY datastream implicitly refers to the object containing the datastream)
          * Policies can be disabled by setting the object or datastream state to deleted
          * If FeSL AuthZ is installed, a new management decorator is installed (fedora.fcfg) so that any modifications to FESLPOLICY datastreams are propagated to DBXML and thus available to the XACML PolicyFinderModule
          * Bootstrap (system) policies are loaded when the PDP is instantiated, from the same directory as before. Fedora objects are created in the "fedora-policy" namespace with FESLPOLICY datastreams containing the policies from the pdp/policies directory
          * Rebuilder now includes a policy index rebuilder, so if DBXML becomes corrupt the database can be deleted and the rebuilder used to rebuild the DBXML database from Fedora objects with FESLPOLICY datastreams
          Stephen Bayliss added a comment
          Permissions:
          * in addition to the usual permissions to modify the FESLPOLICY datastream itself, admin permission is required to modify policies (i.e. the "admin" action must be specified in the Actions section of a policy to grant this permission). Care must be taken granting this permission - there are currently no restrictions on what resources are specified in FESLPOLICY,
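An added check, not part of this issue or of Fedora's own code, that applies the two caveats from the notes above: it parses a XACML 2.0 policy as it would be stored in a FESLPOLICY datastream, flags a policy whose Target names no resources (with no implicit link to the containing object, such a policy applies to every object), and flags Permit rules that grant the "admin" action. The Fedora attribute ids used in the constructed sample policies are assumptions.

```python
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
NS = {"x": XACML}
XS = "http://www.w3.org/2001/XMLSchema#string"
EQ = "urn:oasis:names:tc:xacml:1.0:function:string-equal"

def _match_values(target, kind):
    """AttributeValue texts of <kind>Match elements under a Target (kind: Resource|Action)."""
    if target is None:  # an absent or empty Target matches everything
        return []
    path = f"x:{kind}s/x:{kind}/x:{kind}Match/x:AttributeValue"
    return [(v.text or "").strip() for v in target.findall(path, NS)]

def lint_policy(policy_xml):
    """Findings for one XACML policy destined for a FESLPOLICY datastream."""
    root = ET.fromstring(policy_xml)
    findings = []
    policy_target = root.find("x:Target", NS)
    rules = root.findall("x:Rule", NS)
    # Resources may be named at policy level or per rule; neither means "every object".
    scoped = _match_values(policy_target, "Resource") or any(
        _match_values(r.find("x:Target", NS), "Resource") for r in rules)
    if not scoped:
        findings.append("no explicit resource target: policy applies to every object")
    policy_actions = _match_values(policy_target, "Action")
    for rule in rules:
        actions = policy_actions + _match_values(rule.find("x:Target", NS), "Action")
        if rule.get("Effect") == "Permit" and "admin" in actions:
            findings.append(f"rule {rule.get('RuleId')} permits the admin action")
    return findings

# Constructed samples; the Fedora attribute ids are assumed, not taken from the issue.
SAMPLE_UNSCOPED = f"""<Policy xmlns="{XACML}" PolicyId="demo:unscoped"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
  <Target><Actions><Action><ActionMatch MatchId="{EQ}">
    <AttributeValue DataType="{XS}">admin</AttributeValue>
    <ActionAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:action:id" DataType="{XS}"/>
  </ActionMatch></Action></Actions></Target>
  <Rule RuleId="permit-admin" Effect="Permit"/></Policy>"""

SAMPLE_SCOPED = f"""<Policy xmlns="{XACML}" PolicyId="demo:scoped"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides">
  <Target><Resources><Resource><ResourceMatch MatchId="{EQ}">
    <AttributeValue DataType="{XS}">demo:1</AttributeValue>
    <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid" DataType="{XS}"/>
  </ResourceMatch></Resource></Resources></Target>
  <Rule RuleId="permit-read" Effect="Permit"/></Policy>"""
```

Run `lint_policy` over each policy before ingesting it into a FESLPOLICY datastream; an empty list means the policy names at least one resource and grants no admin action.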

            People

            Assignee: Stephen Bayliss
            Reporter: Edwin Shin
            Votes: 1
            Watchers: 1
