Drupal user authentication and Fedora XACML
nano -w /usr/local/fedora/server/config/fedora-users.xml
<!-- Excerpt of fedora-users.xml: the enclosing root element is not shown on this page.
     Every <user> below carries its credential in the password attribute of this file,
     so file permissions on fedora-users.xml are what protect these accounts. -->
<user name="drupaladmin" password="MySQLdbHashPassword">
  <!-- Holds the administrator role. The value is the literal string "MySQLdbHashPassword";
       whether Fedora compares it as a hash or as plaintext is not shown here - TODO confirm. -->
  <attribute name="fedoraRole">
    <value>administrator</value>
  </attribute>
</user>
<user name="anonymous" password="anonymous">
  <!-- Username and password are both the literal "anonymous", so anyone who knows the
       name can authenticate as this account; it is limited to the fedoraUser role. -->
  <attribute name="fedoraRole">
    <value>fedoraUser</value>
  </attribute>
</user>
<user name="fedoraIntCallUser" password="changeme">
  <!-- The password is still the placeholder "changeme"; set a real value before the
       service is reachable from anything but localhost. This account holds both
       internal-call roles. -->
  <attribute name="fedoraRole">
    <value>fedoraInternalCall-1</value>
    <value>fedoraInternalCall-2</value>
  </attribute>
</user>
nano -w /usr/local/fedora/data/fedora-xacml-policies/repository-policies/default/permit-getDatastreamHistory-unrestricted.xml
<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        PolicyId="permit-getDatastreamHistory-to-authenticated"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Description>Note that other policies may provide exceptions to this broad policy. This policy assumes api-m users have to be authenticated</Description>
  <!-- Target: any subject, any resource; the only match is on the action id, so this
       policy applies to every getDatastreamHistory request regardless of who makes it.
       The PolicyId says "to-authenticated" and the file name says "unrestricted"; the
       policy text itself checks nothing about the subject - the Description states that
       authentication of api-m users is assumed to be enforced elsewhere. -->
  <Target>
    <Subjects>
      <AnySubject/>
    </Subjects>
    <Resources>
      <AnyResource/>
    </Resources>
    <Actions>
      <Action>
        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:id-getDatastreamHistory</AttributeValue>
          <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                     AttributeId="urn:fedora:names:fedora:2.1:action:id"/>
        </ActionMatch>
      </Action>
    </Actions>
  </Target>
  <!-- A single unconditional Permit rule; with first-applicable combining it is the only
       rule, so whenever the Target matches the result is Permit. Any restriction has to
       come from another policy, as the Description already notes. -->
  <Rule RuleId="1" Effect="Permit"/>
</Policy>
nano -w /usr/local/fedora/data/fedora-xacml-policies/repository-policies/default/deny-apim-if-not-localhost.xml
<!-- Excerpt only: the enclosing elements and the closing </AttributeValue> tags are not
     shown on this page. Read against the file name, each address listed here is
     presumably being treated like localhost for API-M access - confirm every entry is
     intended, and that each IPv4/IPv6 pair (…42, …44) really is the same host. -->
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">150.145.48.42
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">2a00:1620:0:0:0:0:0:42
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">150.145.48.44
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">2a00:1620:0:0:0:0:0:44
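# Restart Tomcat so the edited fedora-users.xml and XACML policy files take effect
# (presumably read at startup - confirm for this Fedora version). The stray trailing
# "|" from the original left the pipeline incomplete, so the shell would wait for a
# second command instead of running the restart.
/etc/init.d/tomcat7 restart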