Drupal user authentication and Fedora XACML

  • without Drupal filter



Add the Drupal admin and anonymous users to the Fedora users file:

nano -w /usr/local/fedora/server/config/fedora-users.xml
  <!-- Drupal admin account, mapped to the Fedora administrator role (password value is a placeholder) -->
  <user name="drupaladmin" password="MySQLdbHashPassword">
    <attribute name="fedoraRole">
      <value>administrator</value>
    </attribute>
  </user>
  <!-- anonymous Drupal visitors, mapped to the plain fedoraUser role -->
  <user name="anonymous" password="anonymous">
    <attribute name="fedoraRole">
      <value>fedoraUser</value>
    </attribute>
  </user>
  <!-- Fedora's internal-call account (the stock entry shipped in fedora-users.xml) -->
  <user name="fedoraIntCallUser" password="changeme">
    <attribute name="fedoraRole">
      <value>fedoraInternalCall-1</value>
      <value>fedoraInternalCall-2</value>
    </attribute>
  </user>



Add a policy that permits getDatastreamHistory unrestricted:

nano -w /usr/local/fedora/data/fedora-xacml-policies/repository-policies/default/permit-getDatastreamHistory-unrestricted.xml
<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       PolicyId="permit-getDatastreamHistory-to-authenticated"
       RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
 <Description>Note that other policies may provide exceptions to this broad policy. This policy assumes api-m users have to be authenticated</Description>
 <Target>
   <Subjects>
     <AnySubject/>
   </Subjects>
   <Resources>
     <AnyResource/>
   </Resources>
   <Actions>
     <Action>
       <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
         <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-getDatastreamHistory</AttributeValue>
         <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                    AttributeId="urn:fedora:names:fedora:2.1:action:id"/>
       </ActionMatch>
     </Action>
   </Actions>
 </Target>
 <Rule RuleId="1" Effect="Permit"/>
</Policy>



Add the back-end and front-end IP addresses to the API-M policy:

nano -w /usr/local/fedora/data/fedora-xacml-policies/repository-policies/default/deny-apim-if-not-localhost.xml
	<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">150.145.48.42</AttributeValue>
	<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">2a00:1620:0:0:0:0:0:42</AttributeValue>
	<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">150.145.48.44</AttributeValue>
	<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">2a00:1620:0:0:0:0:0:44</AttributeValue>
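As an added example (not part of this page or of Fedora), a Python script that inserts client addresses into the API-M deny rule as properly closed AttributeValue elements and shows which client addresses the rule would then deny. The embedded policy is a constructed stand-in for deny-apim-if-not-localhost.xml; its Condition structure and the clientIpAddress attribute id are assumptions, not copied from the real file.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:xacml:1.0:policy"}
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
BAG_FN = "urn:oasis:names:tc:xacml:1.0:function:string-bag"

# Constructed stand-in for deny-apim-if-not-localhost.xml; assumption: the deny rule
# compares the request's client address against a string-bag of permitted addresses.
SAMPLE_POLICY = """<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" PolicyId="deny-apim-if-not-localhost"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Rule RuleId="1" Effect="Deny">
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">127.0.0.1</AttributeValue>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">0:0:0:0:0:0:0:1</AttributeValue>
        </Apply>
        <EnvironmentAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
          AttributeId="urn:fedora:names:fedora:2.1:environment:httpRequest:clientIpAddress"/>
      </Apply>
    </Condition>
  </Rule>
</Policy>"""

def _bag(root):
    """Locate the string-bag Apply holding the permitted client addresses."""
    return root.find(f".//p:Apply[@FunctionId='{BAG_FN}']", NS)

def allowed_addresses(policy_xml):
    """Client addresses currently listed in the deny rule's string-bag."""
    bag = _bag(ET.fromstring(policy_xml))
    return [v.text.strip() for v in bag.findall("p:AttributeValue", NS)]

def add_addresses(policy_xml, addresses):
    """Append addresses as properly closed AttributeValue elements, skipping duplicates."""
    ET.register_namespace("", NS["p"])  # keep the default namespace the policy files use
    root = ET.fromstring(policy_xml)
    bag = _bag(root)
    present = {v.text.strip() for v in bag.findall("p:AttributeValue", NS)}
    for addr in addresses:
        if addr not in present:
            ET.SubElement(bag, f"{{{NS['p']}}}AttributeValue", DataType=XS_STRING).text = addr
            present.add(addr)
    return ET.tostring(root, encoding="unicode")

def apim_decision(policy_xml, client_ip):
    """Mirror the rule: Deny when the client address is not in the bag; otherwise this
    rule is NotApplicable and the remaining (role-based) policies decide."""
    return "Deny" if client_ip not in allowed_addresses(policy_xml) else "NotApplicable"
```

Running add_addresses on the real file would be done on its text read from disk; the check that every address you expect is returned by allowed_addresses afterwards is what catches an unclosed AttributeValue, since the parse fails before any address is returned.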



/etc/init.d/tomcat7 restart
 
 
repo/auth.txt · Last modified: 2013/04/11 15:33 by giancarlo

Developers: CNR Ceris IT Office and Library
Giancarlo Birello (g.birello _@_ ceris.cnr.it) and Anna Perin (a.perin _@_ ceris.cnr.it)
BioInfo@TO.CNR is licensed under: Creative Commons License