Serhiy Polyakov | 1 Jul 2011 05:03

Re: [fcrepo-user] Extracting all audit records with iTQL

Egbert,

Thanks. I rebuilt resource index and now those records are shown once
in iTQL as it should be. Will work with foxml of objects directly to
get audit.

Serhiy

On Thu, Jun 30, 2011 at 4:44 AM, Egbert Gramsbergen
<E.F.Gramsbergen@...> wrote:
> Hello,
>
> The RI index does not keep information from old versions of objects so I would expect each object once in
> your iTQL result regardless of the number of audits. That is, unless there are accidentally two titles in the
> DC datastream after the first correction. To do it right, you would have to do an iTQL query to find all pid's
> and then extract the audit records and datastream versions from the object xml (foxml) of each object separately.
>
> Egbert Gramsbergen
> -----Original Message-----
> From: Serhiy Polyakov [mailto:sp0055@...]
> Sent: donderdag 30 juni 2011 10:04
> To: fedora-commons-users@...
> Subject: [fcrepo-user] Extracting all audit records with iTQL
>
> Hello,
>
> I am extracting basic metadata from fedora repository with iTQL using myhost:8080/fedora/risearch
>
> Here is query:
>

Carol Minton Morris | 6 Jul 2011 16:48

[fcrepo-user] POSITION: Associate Dean for Research and Informatics at Virginia Tech Libraries

----Posted on behalf of Tyler Walters, Dean, University Libraries, Virginia Tech; E-Mail tyler.walters-PjAqaU27lzQ@public.gmane.org----


The Associate Dean for Research and Informatics (AD-RI) reports to the Dean of University Libraries and has responsibility for integrating and mapping the Virginia Tech Libraries -- its services, resources, and consultative expertise – with the university’s research enterprise, which includes the latter’s policies, planning, processes, and sponsored research initiatives. The AD-RI will work collegially, collaboratively, and effectively with library directors in pursuit of developing the Libraries’ research engagement program, including the application of library and information science to collaborate on and solve problems in the academic disciplines. The position also serves as a member of the Libraries’ senior management team, contributing to the Libraries’ strategic visioning, program development and assessment, technology strategies and directions, and organizational transformation in support of its evolving goals and objectives.

The AD-RI: assumes a leadership role in fostering collaboration between VT library directors, librarians and researchers in regards to researchers’ content/information/data management, virtual research community activities, and other informatics-related needs; takes the lead in effecting the Libraries’ contribution to the university’s research-related information policies, such as open access-related policies and policies responding to research-sponsoring organization’s information management, preservation, and access directives; interacts chiefly with the colleges’ associate deans for research, research institute and center directors/associate directors, department chairs, faculty, the office of the vice president for research, and other research administrators. Moreover, the AD-RI has lead responsibility on behalf of the Libraries for developing successful and productive campus relationships in research programs. The AD-RI also: serves as a liaison with the office of sponsored programs and represents the Dean of University Libraries when needed in research administration matters; enables and fosters research programs within the Libraries and in partnership with other informatics-related VT research units as well as with other universities and government agencies in pursuit of grants, grant proposals, and attendance at multi-institutional pre-proposal planning meetings.

Additional details relating to the position’s responsibilities include: overall development and direction of the Libraries’ research engagement program, with a focus on contributing to the strategic research directions and program goals of the university; support of the Libraries and its faculty in assertively pursuing grant funds as well as providing general coordination for the Libraries’ sponsored projects; development of productive relationships with public and private grantsmaking agencies; seeking collaborative opportunities with all manner of VT research units, including its newly formed VT Carilion School of Medicine and Research Institute as well as with research entities in the Virginia Tech Corporate Research Park; cultivation of positive Libraries – campus research unit/faculty relationships; work with associate deans and faculty to increase participation in collaborative research and facilitate partnerships between university research programs and the Libraries; leadership in advancing new forms of research and scholarship; assertive and significant contributions to the Libraries’ organizational learning and development agenda.

--
Carol Minton Morris
DuraSpace
Director of Marketing and Communications
cmmorris-RMZ2BmOfPoTNLxjTenLetw@public.gmane.org
Skype: carolmintonmorris
607 592-3135
Twitter <at> DuraSpace
Twitter <at> DuraCloud
http://DuraSpace.org
------------------------------------------------------------------------------
All of the data generated in your IT infrastructure is seriously valuable.
Why? It contains a definitive record of application performance, security 
threats, fraudulent activity, and more. Splunk takes this data and makes 
sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-d2d-c2
_______________________________________________
Fedora-commons-users mailing list
Fedora-commons-users@...
https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
Stuart Chalk | 7 Jul 2011 13:24

[fcrepo-user] ownerId not working via REST API ingest

I cannot get the ingest method of the REST API to accept a value in a GET variable. I send the
following REST request via PHP

Array
(
    [method] => POST
    [uri] => Array
        (
            [host] => localhost
            [port] => 8080
            [path] => /fedora/objects/eureka:exp10
            [query] => Array
                (
                    [label] => Test experiment
                    [ownerId] => Stuart Chalk
                    [namespace] => eureka
                    [format] => info:fedora/fedora-system:FOXML-1.1
                    [logMessage] => Change made using pHedora
                )
        )
    [auth] => Array
        (
            [method] => Basic
            [user] => fedoraAdmin
            [pass] => ********
        )
    [body] => 
)

In fedora.log I get

INFO 2011-07-07 07:00:38.339 [http-8080-2] (DefaultManagement) Completed ingest(objectXML,
format: info:fedora/fedora-system:FOXML-1.1, encoding: UTF-8, pid	: eureka:exp10, logMessage:
Change made using pHedora)

i.e. no mention of the ownerId.  Is it even being used?

Any thoughts appreciated...

Stuart Chalk, Ph.D.
Associate Professor of Chemistry
Department of Chemistry, University of North Florida
1 UNF Drive, Jacksonville FL 32224
P: 904-620-1938
F: 904-620-3535
E: schalk@...
W: http://www.unf.edu/coas/chemistry/

Benjamin Armintor | 7 Jul 2011 18:18

Re: [fcrepo-user] ownerId not working via REST API ingest

Stuart-
  Does the resulting object have no ownerId at all, or is fedoraAdmin
listed as the ownerId?

- Ben

On 7/7/11, Stuart Chalk <schalk@...> wrote:
> I cannot get the ingest method of the REST API to accept a value in a
> GET variable. I send the following REST request via PHP
>
> Array
> (
>     [method] => POST
>     [uri] => Array
>         (
>             [host] => localhost
>             [port] => 8080
>             [path] => /fedora/objects/eureka:exp10
>             [query] => Array
>                 (
>                     [label] => Test experiment
>                     [ownerId] => Stuart Chalk
>                     [namespace] => eureka
>                     [format] => info:fedora/fedora-system:FOXML-1.1
>                     [logMessage] => Change made using pHedora
>                 )
>         )
>     [auth] => Array
>         (
>             [method] => Basic
>             [user] => fedoraAdmin
>             [pass] => ********
>         )
>     [body] =>
> )
>
> In fedora.log I get
>
> INFO 2011-07-07 07:00:38.339 [http-8080-2] (DefaultManagement) Completed
> ingest(objectXML, format: info:fedora/fedora-system:FOXML-1.1, encoding:
> UTF-8, pid	: eureka:exp10, logMessage: Change made using pHedora)
>
> i.e. no mention of the ownerId.  Is it even being used?
>
> Any thoughts appreciated...
>
> Stuart Chalk, Ph.D.
> Associate Professor of Chemistry
> Department of Chemistry, University of North Florida
> 1 UNF Drive, Jacksonville FL 32224
> P: 904-620-1938
> F: 904-620-3535
> E: schalk@...
> W: http://www.unf.edu/coas/chemistry/
>
>

Stephen Bayliss | 8 Jul 2011 08:55

Re: [fcrepo-user] ownerId not working via REST API ingest

I've replicated this, it does look like a bug.

In the REST API code, the ownerId query parameter for new, empty objects is
ignored and instead the value of the user making the request is used.

Instead it should only use the value of the user making the request if the
value is not supplied as a query string parameter.

Stuart - would you like to raise a JIRA issue for this?

It should be a relatively trivial code change - see:

https://github.com/fcrepo/fcrepo/blob/master/fcrepo-server/src/main/java/org
/fcrepo/server/rest/FedoraObjectResource.java#L284

(line 284)

Steve

> -----Original Message-----
> From: Benjamin Armintor [mailto:armintor@...] 
> Sent: 07 July 2011 17:18
> To: Support and info exchange list for Fedora users.
> Subject: Re: [fcrepo-user] ownerId not working via REST API ingest
> 
> 
> Stuart-
>   Does the resulting object have no ownerId at all, or is 
> fedoraAdmin listed as the ownerId?
> 
> - Ben
> 
> On 7/7/11, Stuart Chalk <schalk@...> wrote:
> > I cannot get the ingest method of the REST API to accept a value in
> > a GET variable. I send the following REST request via PHP
> >
> > Array
> > (
> >     [method] => POST
> >     [uri] => Array
> >         (
> >             [host] => localhost
> >             [port] => 8080
> >             [path] => /fedora/objects/eureka:exp10
> >             [query] => Array
> >                 (
> >                     [label] => Test experiment
> >                     [ownerId] => Stuart Chalk
> >                     [namespace] => eureka
> >                     [format] => info:fedora/fedora-system:FOXML-1.1
> >                     [logMessage] => Change made using pHedora
> >                 )
> >         )
> >     [auth] => Array
> >         (
> >             [method] => Basic
> >             [user] => fedoraAdmin
> >             [pass] => ********
> >         )
> >     [body] =>
> > )
> >
> > In fedora.log I get
> >
> > INFO 2011-07-07 07:00:38.339 [http-8080-2] (DefaultManagement)
> > Completed ingest(objectXML, format: info:fedora/fedora-system:FOXML-1.1, encoding:
> > UTF-8, pid	: eureka:exp10, logMessage: Change made using pHedora)
> >
> > i.e. no mention of the ownerId.  Is it even being used?
> >
> > Any thoughts appreciated...
> >
> > Stuart Chalk, Ph.D.
> > Associate Professor of Chemistry
> > Department of Chemistry, University of North Florida
> > 1 UNF Drive, Jacksonville FL 32224
> > P: 904-620-1938
> > F: 904-620-3535
> > E: schalk@...
> > W: http://www.unf.edu/coas/chemistry/
> >
> >
> > 

Stuart Chalk | 8 Jul 2011 11:37

Re: [fcrepo-user] ownerId not working via REST API ingest

I get fedoraAdmin not an empty field.
I have reported this as FCREPO-963.

Stuart

On Jul 7, 2011, at 12:18 PM, Benjamin Armintor wrote:

> Stuart-
>  Does the resulting object have no ownerId at all, or is fedoraAdmin
> listed as the ownerId?
> 
> - Ben
> 
> On 7/7/11, Stuart Chalk <schalk@...> wrote:
>> I cannot get the ingest method of the REST API to accept a value in a
>> GET variable. I send the following REST request via PHP
>> 
>> Array
>> (
>>    [method] => POST
>>    [uri] => Array
>>        (
>>            [host] => localhost
>>            [port] => 8080
>>            [path] => /fedora/objects/eureka:exp10
>>            [query] => Array
>>                (
>>                    [label] => Test experiment
>>                    [ownerId] => Stuart Chalk
>>                    [namespace] => eureka
>>                    [format] => info:fedora/fedora-system:FOXML-1.1
>>                    [logMessage] => Change made using pHedora
>>                )
>>        )
>>    [auth] => Array
>>        (
>>            [method] => Basic
>>            [user] => fedoraAdmin
>>            [pass] => ********
>>        )
>>    [body] =>
>> )
>> 
>> In fedora.log I get
>> 
>> INFO 2011-07-07 07:00:38.339 [http-8080-2] (DefaultManagement) Completed
>> ingest(objectXML, format: info:fedora/fedora-system:FOXML-1.1, encoding:
>> UTF-8, pid	: eureka:exp10, logMessage: Change made using pHedora)
>> 
>> i.e. no mention of the ownerId.  Is it even being used?
>> 
>> Any thoughts appreciated...
>> 
>> Stuart Chalk, Ph.D.
>> Associate Professor of Chemistry
>> Department of Chemistry, University of North Florida
>> 1 UNF Drive, Jacksonville FL 32224
>> P: 904-620-1938
>> F: 904-620-3535
>> E: schalk@...
>> W: http://www.unf.edu/coas/chemistry/
>> 
>> 

Stuart Chalk | 8 Jul 2011 11:38

Re: [fcrepo-user] ownerId not working via REST API ingest

Yes, I have reported this as FCREPO-963.  Thanks for verifying as I thought I was going crazy :)

Stuart

On Jul 8, 2011, at 2:55 AM, Stephen Bayliss wrote:

> I've replicated this, it does look like a bug.
> 
> In the REST API code, the ownerId query parameter for new, empty objects is
> ignored and instead the value of the user making the request is used.
> 
> Instead it should only use the value of the user making the request if the
> value is not supplied as a query string parameter.
> 
> Stuart - would you like to raise a JIRA issue for this?
> 
> It should be a relatively trivial code change - see:
> 
> https://github.com/fcrepo/fcrepo/blob/master/fcrepo-server/src/main/java/org
> /fcrepo/server/rest/FedoraObjectResource.java#L284
> 
> (line 284)
> 
> Steve
> 
> 
> 
>> -----Original Message-----
>> From: Benjamin Armintor [mailto:armintor@...] 
>> Sent: 07 July 2011 17:18
>> To: Support and info exchange list for Fedora users.
>> Subject: Re: [fcrepo-user] ownerId not working via REST API ingest
>> 
>> 
>> Stuart-
>>  Does the resulting object have no ownerId at all, or is 
>> fedoraAdmin listed as the ownerId?
>> 
>> - Ben
>> 
>> On 7/7/11, Stuart Chalk <schalk@...> wrote:
>>> I cannot get the ingest method of the REST API to accept a value in
>>> a GET variable. I send the following REST request via PHP
>>> 
>>> Array
>>> (
>>>    [method] => POST
>>>    [uri] => Array
>>>        (
>>>            [host] => localhost
>>>            [port] => 8080
>>>            [path] => /fedora/objects/eureka:exp10
>>>            [query] => Array
>>>                (
>>>                    [label] => Test experiment
>>>                    [ownerId] => Stuart Chalk
>>>                    [namespace] => eureka
>>>                    [format] => info:fedora/fedora-system:FOXML-1.1
>>>                    [logMessage] => Change made using pHedora
>>>                )
>>>        )
>>>    [auth] => Array
>>>        (
>>>            [method] => Basic
>>>            [user] => fedoraAdmin
>>>            [pass] => ********
>>>        )
>>>    [body] =>
>>> )
>>> 
>>> In fedora.log I get
>>> 
>>> INFO 2011-07-07 07:00:38.339 [http-8080-2] (DefaultManagement)
>>> Completed ingest(objectXML, format: info:fedora/fedora-system:FOXML-1.1, encoding:
>>> UTF-8, pid	: eureka:exp10, logMessage: Change made using pHedora)
>>> 
>>> i.e. no mention of the ownerId.  Is it even being used?
>>> 
>>> Any thoughts appreciated...
>>> 
>>> Stuart Chalk, Ph.D.
>>> Associate Professor of Chemistry
>>> Department of Chemistry, University of North Florida
>>> 1 UNF Drive, Jacksonville FL 32224
>>> P: 904-620-1938
>>> F: 904-620-3535
>>> E: schalk@...
>>> W: http://www.unf.edu/coas/chemistry/
>>> 
>>> 
>>> 
> 
> 
> ------------------------------------------------------------------------------
> All of the data generated in your IT infrastructure is seriously valuable.
> Why? It contains a definitive record of application performance, security 
> threats, fraudulent activity, and more. Splunk takes this data and makes 
> sense of it. IT sense. And common sense.
> http://p.sf.net/sfu/splunk-d2d-c2
> _______________________________________________
> Fedora-commons-users mailing list
> Fedora-commons-users@...
> https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
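
A check for the symptom confirmed in this thread, added here as an illustration and not taken from the Fedora code base: it reads the ownerId property from an object's FOXML and compares it with the ownerId that was sent on ingest. The function names and the sample FOXML are constructed for the example.

```python
import xml.etree.ElementTree as ET

FOXML_NS = "info:fedora/fedora-system:def/foxml#"
OWNER_PROPERTY = "info:fedora/fedora-system:def/model#ownerId"

# Constructed sample: minimal FOXML 1.1 for the object named in the thread.
SAMPLE_FOXML = """<foxml:digitalObject VERSION="1.1" PID="eureka:exp10"
    xmlns:foxml="info:fedora/fedora-system:def/foxml#">
  <foxml:objectProperties>
    <foxml:property NAME="info:fedora/fedora-system:def/model#state" VALUE="Active"/>
    <foxml:property NAME="info:fedora/fedora-system:def/model#label" VALUE="Test experiment"/>
    <foxml:property NAME="info:fedora/fedora-system:def/model#ownerId" VALUE="{owner}"/>
  </foxml:objectProperties>
</foxml:digitalObject>
"""


def foxml_owner_id(foxml_text):
    """Return the ownerId object property of a FOXML document, or None."""
    root = ET.fromstring(foxml_text)
    for prop in root.iter("{%s}property" % FOXML_NS):
        if prop.get("NAME") == OWNER_PROPERTY:
            return prop.get("VALUE")
    return None


def expected_owner(query_owner_id, requesting_user):
    """Behaviour described as correct in the thread: the query parameter
    wins and the requesting user is only the fallback.
    Assumption: an empty ownerId counts as 'not supplied'."""
    return query_owner_id if query_owner_id else requesting_user


def classify_ingest(query_owner_id, requesting_user, foxml_text):
    """Compare the stored owner with what the ingest request asked for."""
    stored = foxml_owner_id(foxml_text)
    if stored == expected_owner(query_owner_id, requesting_user):
        return "ok"
    if query_owner_id and stored == requesting_user:
        # Symptom reported in this thread: the supplied ownerId was
        # replaced by the authenticated user.
        return "owner-overridden"
    return "unexpected"


if __name__ == "__main__":
    stored_as_admin = SAMPLE_FOXML.format(owner="fedoraAdmin")
    print(classify_ingest("Stuart Chalk", "fedoraAdmin", stored_as_admin))
```

Run against an export of each newly ingested object, this flags objects whose recorded owner is the ingesting account rather than the owner that was requested.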

Ludovic Deravet | 8 Jul 2011 17:08

[fcrepo-user] Instability under heavy load

Dear all,


We are experiencing a serious issue with Fedora when ingesting thousands of packages into the repository. Indeed, the development of our project is almost finished and our customer is trying to perform a massive load of objects into Fedora before going into production.

However, an instability problem that manifests itself through Java heap out-of-memory errors appears when the customer wants to ingest about 10.000 METS envelopes.

Internally, our application is transforming all METS envelopes into FOXML files that are then sent to Fedora's REST API. And documents are defined as content managed datastreams.

To give some figures about these envelopes:
  • A METS envelope defines on average 80 digital objects
  • 10% of the envelopes reference documents where their total size is lower than 1MB
  • 65% of the envelopes reference documents where their total size is between 1MB and 5MB
  • 20% of the envelopes reference documents where their total size is between 5MB and 10MB
  • 5% of the envelopes reference documents where their total size is bigger than 10MB

Fedora is installed on production-like hardware:
  • Sun Oracle Enterprise M5000 - 2 clusters of 4 CPUs 2.53GHZ SPARC64 USVII (so 32 cores in total)
  • JVM is configured with 2GB of memory (-Xmx2048m)
  • JVM is in server mode on Solaris 10 (64bits)
  • Fedora-commons 3.4.2 with default configuration options activated

In a production-like environment, our application is in fact launching 10 threads where each thread is processing one METS envelope at a time. We realize that this is kind of stressful for Fedora but the customer is expecting us to ingest all their METS envelopes in a reasonable short period of time.

We have performed many different tests in our development environment (of course quite less powerful than the production-like environment) and cannot reproduce the instability problem we are experiencing in production.

We have analyzed in our development environment how Fedora is managing the memory and everything seems normal. The Garbage is working fine even if we set the heap size to 255MB and try to ingest several MB of data.

I really doubt that this problem lies within Fedora itself. Instead, I think that the problem is more a configuration issue somewhere but right now we don't know which one exactly. Is there someone that could share their experience with such an issue and help us try to find a solution to this problem?

Thank you in advance for any help.

Kind regards,
--
Ludovic
thio | 8 Jul 2011 17:24

[fcrepo-user] What is wrong with my Policy?

Hi!

Recently I was asked to build Policies for Fedora Objects.

I have looked at the policy writing guide, and so far doing it like THAT works, but I find this style kind of convoluted.

Since I only need simple rules I thought I could as well use the "straightforward" way, which is closer to the datamodel I get.

To give you an example, a policy that shuts everyone out but admins:

-guide:
<Policy PolicyId="demo" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
  xmlns="urn:oasis:names:tc:xacml:1.0:policy" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Target>
    <Subjects>
      <AnySubject/>
    </Subjects>
    <Resources>
      <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">changeme:10061</AttributeValue>
          <ResourceAttributeDesignator AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid" DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ResourceMatch>
      </Resource>
    </Resources>
    <Actions>
      <AnyAction/>
    </Actions>
  </Target>
  <Rule Effect="Deny" RuleId="1">
    <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
        <SubjectAttributeDesignator AttributeId="fedoraRole" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator</AttributeValue>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule Effect="Permit" RuleId="3"/>
</Policy>

-mine:
<Policy PolicyId="changeme:10061:DenyAllDefaultPolicy"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
    <Target>
        <Subjects>
            <AnySubject />
        </Subjects>
        <Resources>
            <Resource>
                <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">changeme:10059
                    </AttributeValue>
                    <ResourceAttributeDesignator
                        AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
                        DataType="http://www.w3.org/2001/XMLSchema#string" />
                </ResourceMatch>
            </Resource>
        </Resources>
        <Actions>
            <AnyAction />
        </Actions>
    </Target>
    <Rule RuleId="AdminRule" Effect="Permit">
        <Target>
            <Subjects>
                <Subject>
                    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator
                        </AttributeValue>
                        <SubjectAttributeDesignator
                            AttributeId="fedoraRole" DataType="http://www.w3.org/2001/XMLSchema#string" />
                    </SubjectMatch>
                </Subject>
            </Subjects>
            <Resources>
                <AnyResource />
            </Resources>
            <Actions>
                <AnyAction />
            </Actions>
        </Target>
    </Rule>
    <Rule RuleId="FinalRule" Effect="Deny">
    </Rule>
</Policy>

As far as I understood this SHOULD constitute the same behaviour, but my policy doesn't shut anyone out. And I have no idea why not.

greetings and thanks for any help,
Jessi
Benjamin Armintor | 8 Jul 2011 17:53

Re: [fcrepo-user] What is wrong with my Policy?

Are the unexpected Permit results coming when a user is logged in, has
a fedoraRole, but it is not "administrator"? Or is it that no one is
logged in/the logged in user has no fedoraRole?

If the latter, the first thing I would try is adding
MustBePresent="false" to your SubjectAttributeDesignator.  According
to the spec:
http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf

it effectively defaults to "true", and returns an Indeterminate result
in the event of a missing attribute.  Quoting from the rule evaluation
spec:
"If the target value is "No-match" or “Indeterminate” then the rule
value SHALL be “NotApplicable” or “Indeterminate”, respectively,
regardless of the value of the condition.  For these cases, therefore,
the condition need not be evaluated."

Since you have no condition, it may be applying that rule whenever the
fedoraRole attribute is missing.

On 7/8/11, thio <thio@...> wrote:
> Hi!
>
> Recently I was asked to build Policies for Fedora Objects.
>
> I have looked at the policy writing guide, and so far doing it like THAT
> works, but I find this style kind of convoluted.
>
> Since I only need simple rules I thought I could as well use the
> "straightforward" way, which is closer to the datamodel I get.
>
> To give you an example, a policy that shuts everyone out but admins:
>
> _*-guide:*_
> <Policy PolicyId="demo"
> RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable"
>    xmlns="urn:oasis:names:tc:xacml:1.0:policy"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
> <Target>
> <Subjects>
> <AnySubject/>
> </Subjects>
> <Resources>
> <Resource>
> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
> <AttributeValue
> DataType="http://www.w3.org/2001/XMLSchema#string">changeme:10061</AttributeValue>
> <ResourceAttributeDesignator
> AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
> DataType="http://www.w3.org/2001/XMLSchema#string"/>
> </ResourceMatch>
> </Resource>
> </Resources>
> <Actions>
> <AnyAction/>
> </Actions>
> </Target>
> <Rule Effect="Deny" RuleId="1">
> <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
> <Apply
> FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
> <SubjectAttributeDesignator AttributeId="fedoraRole"
> DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
> <AttributeValue
> DataType="http://www.w3.org/2001/XMLSchema#string">administrator</AttributeValue>
> </Apply>
> </Apply>
> </Condition>
> </Rule>
> <Rule Effect="Permit" RuleId="3"/>
> </Policy>
> _*
> -mine:*_
> <Policy PolicyId="changeme:10061:DenyAllDefaultPolicy"
>
> RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
> <Target>
> <Subjects>
> <AnySubject />
> </Subjects>
> <Resources>
> <Resource>
> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
> <AttributeValue
> DataType="http://www.w3.org/2001/XMLSchema#string">changeme:10059
> </AttributeValue>
> <ResourceAttributeDesignator
>
> AttributeId="urn:fedora:names:fedora:2.1:resource:object:pid"
>
> DataType="http://www.w3.org/2001/XMLSchema#string" />
> </ResourceMatch>
> </Resource>
> </Resources>
> <Actions>
> <AnyAction />
> </Actions>
> </Target>
> <Rule RuleId="AdminRule" Effect="Permit">
> <Target>
> <Subjects>
> <Subject>
> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
> <AttributeValue
> DataType="http://www.w3.org/2001/XMLSchema#string">administrator
> </AttributeValue>
> <SubjectAttributeDesignator
>                              AttributeId="fedoraRole"
> DataType="http://www.w3.org/2001/XMLSchema#string" />
> </SubjectMatch>
> </Subject>
> </Subjects>
> <Resources>
> <AnyResource />
> </Resources>
> <Actions>
> <AnyAction />
> </Actions>
> </Target>
> </Rule>
> <Rule RuleId="FinalRule" Effect="Deny">
> </Rule>
> </Policy>
>
> As far as I understood this SHOULD constitute the same behaviour, but my
> policy doesn't shut anyone out. And I have no idea why not.
>
> greetings and thanks for any help,
> Jessi
>
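
The rule evaluation quoted above, worked through as an added Python model (not code from Fedora or from the XACML specification): both policies from this thread are evaluated with first-applicable combining for three constructed subjects, once with MustBePresent false and once with it true on the AdminRule designator. The policy-level Target is assumed to match, whitespace around AttributeValue is assumed to be insignificant, and the function names are made up for the example.

```python
from enum import Enum


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"


class MissingAttribute(Exception):
    """A designator with MustBePresent="true" found no value."""


def designator(subject, attribute_id, must_be_present):
    """SubjectAttributeDesignator: return the bag of values for an attribute."""
    bag = subject.get(attribute_id, [])
    if not bag and must_be_present:
        raise MissingAttribute(attribute_id)
    return bag


def evaluate_rule(rule, subject):
    """Target first, then the optional condition, as in the quoted spec text."""
    try:
        target = rule.get("target")
        if target is not None and not target(subject):
            return Decision.NOT_APPLICABLE        # target "No-match"
        condition = rule.get("condition")
        if condition is not None and not condition(subject):
            return Decision.NOT_APPLICABLE
    except MissingAttribute:
        return Decision.INDETERMINATE             # condition is never reached
    return rule["effect"]


def first_applicable(rules, subject):
    """Return the first result that is not NotApplicable.
    An Indeterminate rule halts evaluation; later rules are not tried."""
    for rule in rules:
        result = evaluate_rule(rule, subject)
        if result is not Decision.NOT_APPLICABLE:
            return result
    return Decision.NOT_APPLICABLE


def guide_policy():
    """'-guide' policy: Deny unless fedoraRole contains administrator."""
    def not_admin(subject):
        roles = designator(subject, "fedoraRole", must_be_present=False)
        return not any(role == "administrator" for role in roles)
    return [
        {"id": "1", "effect": Decision.DENY, "condition": not_admin},
        {"id": "3", "effect": Decision.PERMIT},
    ]


def target_style_policy(must_be_present):
    """'-mine' policy: Permit rule with a SubjectMatch target, then Deny."""
    def is_admin(subject):
        roles = designator(subject, "fedoraRole", must_be_present)
        return any(role == "administrator" for role in roles)
    return [
        {"id": "AdminRule", "effect": Decision.PERMIT, "target": is_admin},
        {"id": "FinalRule", "effect": Decision.DENY},
    ]


# Constructed request subjects; "student" is an arbitrary non-admin role.
SUBJECTS = {
    "admin": {"fedoraRole": ["administrator"]},
    "other-role": {"fedoraRole": ["student"]},
    "no-role": {},
}


def decision_table():
    """Per subject: (guide, mine with MustBePresent=false, mine with true)."""
    table = {}
    for name, subject in SUBJECTS.items():
        table[name] = (
            first_applicable(guide_policy(), subject).value,
            first_applicable(target_style_policy(False), subject).value,
            first_applicable(target_style_policy(True), subject).value,
        )
    return table


if __name__ == "__main__":
    for name, row in decision_table().items():
        print("%-10s guide=%-6s mine(false)=%-6s mine(true)=%s" % ((name,) + row))
```

Only the subject without a fedoraRole separates the columns: with MustBePresent true the AdminRule target is Indeterminate, evaluation stops there, and FinalRule is never reached. What the caller does with an Indeterminate policy result is outside this model.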
