Skip to end of metadata
Go to start of metadata
Fedora Repository 3 Documentation
Page not found


I would like to prevent changes to my repository for some period of time.  Is there a way to go "read-only" and disable API-M?


Yes; if you have XACML policy enforcement enabled, you can disable all API-M requests to your repository via policy.  While disabled, all API-M requests will result in an "Authorization Denied" message for the requesting user or application. As with all XACML policy changes, it is not necessary to restart your repository to put the new rules into effect.


  1. Ensure you have XACML policy enforcement enabled. This is the default option with Fedora 3.x, so it is likely already enabled for you. You can verify by opening your $FEDORA_HOME/server/config/fedora.fcfg, and checking the value of the ENFORCE_MODE parameter. The value should be be "enforce-policies". If it is not, you will need to change it, then restart Fedora.
  2. Create a new file at $FEDORA_HOME/data/fedora-xacml-policies/repository-policies/default/read-only.xml with the following content:
    <?xml version="1.0" encoding="UTF-8"?>
    <Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
     <Description>disable writes</Description>
     <Rule RuleId="1" Effect="Deny"/>
  3. Run $FEDORA_HOME/server/bin/ http username password (in Windows, the path to the script is %FEDORA_HOME%\server\bin\fedora-reload-policies.bat)
  4. When you want to re-enable API-M access, simply delete the file and run fedora-reload-policies again.
  • No labels