Old Release

This documentation covers an old version of Fedora.

FeSL Authorization

FeSL Authorization is based on XACML version 2. XACML policies are stored in the Fedora repository as FESLPOLICY datastreams on Fedora objects. These datastreams can be either inline XML ("X") or managed content ("M").

A set of bootstrap system policy objects is created when Fedora first starts, from the policies in the $FEDORA_HOME/pdp/policies directory. If you need to amend any of these bootstrap policies, you will need to edit the Fedora objects that were created. These objects have a fedora-policy PID namespace.

Configuration

Policy evaluation results caching.

Results of previous policy evaluations are cached. This can mean that if you update an existing policy, an entry already stored in the cache from a previous request may be returned rather than results based on the evaluation of the updated policy.

If you wish to disable caching, set the environment variable:

PEP_NOCACHE=true

Otherwise it is currently necessary to restart Fedora to clear the policy evaluation cache.
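
The stale-decision behaviour described above, as a simplified model added here for illustration (it is not Fedora's own code). `PolicyStore`, `CachingPEP`, `revoke_scenario`, the role and PID values and the choice of cache key are all assumptions; only `PEP_NOCACHE=true` comes from this page.

```python
import os


class PolicyStore:
    """Stands in for the stored policies: (action, resource) -> roles permitted."""
    def __init__(self):
        self.rules = {}

    def evaluate(self, subject_role, action, resource):
        allowed = self.rules.get((action, resource), set())
        return "Permit" if subject_role in allowed else "Deny"


class CachingPEP:
    """Toy enforcement point that remembers earlier decisions.
    Assumed cache key: the full request tuple. Caching is off when PEP_NOCACHE=true."""
    def __init__(self, store, env=None):
        env = os.environ if env is None else env
        self.store = store
        self.nocache = env.get("PEP_NOCACHE") == "true"
        self.cache = {}

    def decide(self, subject_role, action, resource):
        request = (subject_role, action, resource)
        if not self.nocache and request in self.cache:
            return self.cache[request]  # may predate a policy update
        decision = self.store.evaluate(*request)
        if not self.nocache:
            self.cache[request] = decision
        return decision


def revoke_scenario(env):
    """Grant, query, revoke, query again, then 'restart' (fresh PEP) and query."""
    store = PolicyStore()
    store.rules[("read", "demo:1")] = {"student"}  # constructed sample policy
    pep = CachingPEP(store, env)
    before = pep.decide("student", "read", "demo:1")
    store.rules[("read", "demo:1")] = set()  # policy updated: access revoked
    after_update = pep.decide("student", "read", "demo:1")
    after_restart = CachingPEP(store, env).decide("student", "read", "demo:1")
    return before, after_update, after_restart


if __name__ == "__main__":
    print("cache on :", revoke_scenario({}))
    print("cache off:", revoke_scenario({"PEP_NOCACHE": "true"}))
```

With caching on, the second query still returns Permit after the revocation and only the fresh instance returns Deny, which is why a policy change that removes access should be followed by a restart unless caching is disabled.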

Configuration files

Configuration files are located in $FEDORA_HOME/pdp/conf.

  • config-pdp.xml
    This is the dynamic configuration file for the Sun XACML PDP Evaluation Engine. This file is used to register PolicyFinder modules, AttributeFinder modules and ResourceFinder modules.
  • config-policy-manager.xml
    This file configures the Policy Manager. This component specifies which PolicyDataIndex (the component that indexes, searches and retrieves policies) to use. The default one used with the FeSL PDP is the DbXmlPolicyDataIndex, which uses Oracle DBXML as a back-end policy management system. This configuration file is also used to specify which policy combination algorithm to use when multiple policies are retrieved.
  • config-dbxml.xml
    These settings are for the Oracle DBXML database. They specify where the database is to be located and what it is to be called, and whether policies are validated against a schema when they are added. In addition, you can specify a custom index map, which lets you select the attributes in an XACML Policy Target on which your policies are indexed.
  • config-pdm-fedora.xml
    This file contains settings for how Fedora policy objects are created through a PolicyDataManager. However, the methods of the PolicyDataManager are not externally exposed, so these settings are only relevant to testing.
  • config-attribute-finder.xml
    This config file is for the Fedora RISearch Attribute finder. When policies need additional information from Fedora that was not provided in the XACML Request, it can be retrieved by custom AttributeFinders. This module uses the Fedora RISearch interface to fetch additional attributes for policies. In this file you can specify which attributes to look for, as well as the URL, username and password to use for the RISearch.