Uploaded image for project: 'Fedora Repository Project'
  1. Fedora Repository Project
  2. FCREPO-577

Make XACML policies first-class Fedora digital objects

    Details

      Description

      Currently, policies are stored in dbxml. Policies should be first-class Fedora objects in the repository.

      General feedback about the namespace for policy objects would be most welcome.

        Attachments

          Issue Links

            Activity

            Hide
            penthes Stephen Bayliss added a comment - - edited

            Implementation notes:

            • Any Fedora object can have a FESLPOLICY datastream with a XACML policy
            • Policy management is through the Fedora API, modifying these FESLPOLICY datastreams
            • There is no implicit relationship between the FESLPOLICY datastream and the object containing the datastream - the XACML policy must specify resources to which it applies explicitly (this is different to the existing XACML implementation, where a XACML POLICY datastream implicitly refers to the object containing the datastream)
            • Policies can be disabled by setting the object or datastream state to deleted
            • If FeSL AuthZ is installed, a new management decorator is installed (fedora.fcfg) so that any modifications to FESLPOLICY datastreams are propagated to DBXML and thus available to the XACML PolicyFinderModule
            • Bootstrap (system) policies are loaded when the PDP is instantiated, from the same directory as before. Fedora objects are created in the "fedora-policy" namespace with FESLPOLICY datastreams containing the policies from the pdp/policies directory
            • Rebuilder now includes a policy index rebuilder, so if DBXML becomes corrupt the database can be deleted and the rebuilder used to rebuild the DBXML database from Fedora objects with FESLPOLICY datastreams
            Show
            penthes Stephen Bayliss added a comment - - edited Implementation notes: Any Fedora object can have a FESLPOLICY datastream with a XACML policy Policy management is through the Fedora API, modifying these FESLPOLICY datastreams There is no implicit relationship between the FESLPOLICY datastream and the object containing the datastream - the XACML policy must specify resources to which it applies explicitly (this is different to the existing XACML implementation, where a XACML POLICY datastream implicitly refers to the object containing the datastream) Policies can be disabled by setting the object or datastream state to deleted If FeSL AuthZ is installed, a new management decorator is installed (fedora.fcfg) so that any modifications to FESLPOLICY datastreams are propagated to DBXML and thus available to the XACML PolicyFinderModule Bootstrap (system) policies are loaded when the PDP is instantiated, from the same directory as before. Fedora objects are created in the "fedora-policy" namespace with FESLPOLICY datastreams containing the policies from the pdp/policies directory Rebuilder now includes a policy index rebuilder, so if DBXML becomes corrupt the database can be deleted and the rebuilder used to rebuild the DBXML database from Fedora objects with FESLPOLICY datastreams
            Hide
            penthes Stephen Bayliss added a comment -

            Permissions:

            • in addition to the usual permissions to modify the FESLPOLICY datastream itself, admin permission is required to modify policies (ie the "admin" action must be specified in the Actions section of a policy to grant this permission). Care must be taken granting this permission - there are currently no restrictions on what resources are specified in FESLPOLICY,
            Show
            penthes Stephen Bayliss added a comment - Permissions: in addition to the usual permissions to modify the FESLPOLICY datastream itself, admin permission is required to modify policies (ie the "admin" action must be specified in the Actions section of a policy to grant this permission). Care must be taken granting this permission - there are currently no restrictions on what resources are specified in FESLPOLICY,

              People

              • Assignee:
                penthes Stephen Bayliss
                Reporter:
                eddie Edwin Shin
              • Votes:
                1 Vote for this issue
                Watchers:
                1 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: