Question

I would like to prevent changes to my repository for some period of time.  Is there a way to go "read-only" and disable API-M?

Answer

Yes; if you have XACML policy enforcement enabled, you can disable all API-M requests to your repository via policy.  While disabled, all API-M requests will result in an "Authorization Denied" message for the requesting user or application. As with all XACML policy changes, it is not necessary to restart your repository to put the new rules into effect.

Instructions:

  1. Ensure you have XACML policy enforcement enabled. This is the default option with Fedora 3.x, so it is likely already enabled for you. You can verify by opening your $FEDORA_HOME/server/config/fedora.fcfg and checking the value of the ENFORCE_MODE parameter. The value should be "enforce-policies". If it is not, you will need to change it, then restart Fedora.
  2. Create a new file at $FEDORA_HOME/data/fedora-xacml-policies/repository-policies/default/read-only.xml with the following content:
    <?xml version="1.0" encoding="UTF-8"?>
    <Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            PolicyId="disable-writes"
            RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
      <Description>disable writes</Description>
      <Target>
        <Subjects>
          <AnySubject/>
        </Subjects>
        <Resources>
          <AnyResource/>
        </Resources>
        <Actions>
          <Action>
            <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:api-m</AttributeValue>
              <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                         AttributeId="urn:fedora:names:fedora:2.1:action:api"/>
            </ActionMatch>
          </Action>
        </Actions>
      </Target>
      <Rule RuleId="1" Effect="Deny"/>
    </Policy>
    
  3. Run $FEDORA_HOME/server/bin/fedora-reload-policies.sh http username password (in Windows, the path to the script is %FEDORA_HOME%\server\bin\fedora-reload-policies.bat)
  4. When you want to re-enable API-M access, simply delete the file and run fedora-reload-policies again.
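
Why this policy blocks writes but leaves reads alone, as an added example (not Fedora's own code): a minimal evaluator for the read-only.xml policy above that models only the constructs it uses. The api-a value and the function names are assumptions made for illustration; "NotApplicable" means this policy is silent and the other installed policies decide.

```python
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:1.0:policy"}
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
API = "urn:fedora:names:fedora:2.1:action:api"
API_M = API + "-m"
API_A = API + "-a"  # assumed by analogy; only the api-m value appears on this page

# The read-only.xml policy from step 2 (Description and XML declaration omitted).
READ_ONLY_POLICY = """
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" PolicyId="disable-writes"
  RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
 <Target>
  <Subjects><AnySubject/></Subjects>
  <Resources><AnyResource/></Resources>
  <Actions><Action>
   <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:api-m</AttributeValue>
    <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
      AttributeId="urn:fedora:names:fedora:2.1:action:api"/>
   </ActionMatch>
  </Action></Actions>
 </Target>
 <Rule RuleId="1" Effect="Deny"/>
</Policy>"""

def match_ok(match, attrs):
    """One ActionMatch: the request's bag for AttributeId must contain the value."""
    if match.get("MatchId") != STRING_EQUAL:
        raise ValueError("only string-equal is modelled here")
    wanted = match.find("x:AttributeValue", NS).text.strip()
    attr_id = match.find("x:ActionAttributeDesignator", NS).get("AttributeId")
    return wanted in attrs.get(attr_id, [])

def evaluate(policy_xml, action_attrs):
    """Decision of this single policy for a request's action attributes."""
    policy = ET.fromstring(policy_xml.strip())
    target = policy.find("x:Target", NS)
    # Simplification: subjects and resources must be the wildcards used on this page.
    if target.find("x:Subjects/x:AnySubject", NS) is None or \
       target.find("x:Resources/x:AnyResource", NS) is None:
        raise ValueError("only AnySubject/AnyResource targets are modelled")
    applicable = any(
        all(match_ok(m, action_attrs) for m in action.findall("x:ActionMatch", NS))
        for action in target.findall("x:Actions/x:Action", NS))
    if not applicable:
        return "NotApplicable"  # this policy is silent; other policies decide
    # The single rule has no Target or Condition, so first-applicable returns its Effect.
    return policy.find("x:Rule", NS).get("Effect")
```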