Latest 3.x Release

This documentation covers the latest release of the legacy 3.x Fedora.

Question

I would like to prevent changes to my repository for some period of time.  Is there a way to go "read-only" and disable API-M?

Answer

Yes; if you have XACML policy enforcement enabled, you can disable all API-M requests to your repository via policy.  While disabled, all API-M requests will result in an "Authorization Denied" message for the requesting user or application. As with all XACML policy changes, it is not necessary to restart your repository to put the new rules into effect.

Instructions:

  1. Ensure you have XACML policy enforcement enabled. This is the default option with Fedora 3.x, so it is likely already enabled for you. You can verify by opening your $FEDORA_HOME/server/config/fedora.fcfg and checking the value of the ENFORCE_MODE parameter. The value should be "enforce-policies". If it is not, you will need to change it, then restart Fedora.
  2. Create a new file at $FEDORA_HOME/data/fedora-xacml-policies/repository-policies/default/read-only.xml with the following content:
    <?xml version="1.0" encoding="UTF-8"?>
    <Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            PolicyId="disable-writes"
            RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
      <Description>disable writes</Description>
      <Target>
        <Subjects>
          <AnySubject/>
        </Subjects>
        <Resources>
          <AnyResource/>
        </Resources>
        <Actions>
          <Action>
            <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:api-m</AttributeValue>
              <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string"
                                         AttributeId="urn:fedora:names:fedora:2.1:action:api"/>
            </ActionMatch>
          </Action>
        </Actions>
      </Target>
      <Rule RuleId="1" Effect="Deny"/>
    </Policy>
    
  3. Run $FEDORA_HOME/server/bin/fedora-reload-policies.sh http username password (in Windows, the path to the script is %FEDORA_HOME%\server\bin\fedora-reload-policies.bat)
  4. When you want to re-enable API-M access, simply delete the file and run fedora-reload-policies again.
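
A sanity check to run on the policy file from step 2 before reloading policies in step 3, given here as an added example that is not part of the original page or of Fedora itself. It parses the file and confirms that it targets every subject and resource, matches the api-m action, and contains only Deny rules. The function name `check_read_only_policy` and the embedded `SAMPLE_POLICY` (a compacted copy of the policy above) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"x": "urn:oasis:names:tc:xacml:1.0:policy"}
API_ATTR = "urn:fedora:names:fedora:2.1:action:api"
API_M = "urn:fedora:names:fedora:2.1:action:api-m"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
# Constructed sample: the read-only policy from step 2, compacted.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" PolicyId="disable-writes"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target>
    <Subjects><AnySubject/></Subjects>
    <Resources><AnyResource/></Resources>
    <Actions><Action>
      <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">urn:fedora:names:fedora:2.1:action:api-m</AttributeValue>
        <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:fedora:names:fedora:2.1:action:api"/>
      </ActionMatch>
    </Action></Actions>
  </Target>
  <Rule RuleId="1" Effect="Deny"/>
</Policy>"""

def check_read_only_policy(xml_text):
    """Return a list of problems; an empty list means the policy denies API-M for everyone."""
    try:
        root = ET.fromstring(xml_text.encode("utf-8"))
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "{%s}Policy" % NS["x"]:
        return [f"root element is {root.tag}, expected a XACML 1.0 Policy"]
    problems = []
    if root.find("x:Target/x:Subjects/x:AnySubject", NS) is None:
        problems.append("target does not cover AnySubject")
    if root.find("x:Target/x:Resources/x:AnyResource", NS) is None:
        problems.append("target does not cover AnyResource")
    matched = False
    for m in root.iterfind("x:Target/x:Actions/x:Action/x:ActionMatch", NS):
        value = (m.findtext("x:AttributeValue", "", NS) or "").strip()
        des = m.find("x:ActionAttributeDesignator", NS)
        if (m.get("MatchId") == STRING_EQUAL and value == API_M
                and des is not None and des.get("AttributeId") == API_ATTR):
            matched = True
    if not matched:
        problems.append("no ActionMatch on the api attribute equal to api-m")
    rules = root.findall("x:Rule", NS)
    if not rules or any(r.get("Effect") != "Deny" for r in rules):
        problems.append("policy must contain only Deny rules")
    return problems
```

To check the deployed file, pass the contents of read-only.xml to `check_read_only_policy` and proceed to the reload only if the returned list is empty.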