Log of the #duraspace-ff channel on chat.freenode.net

Using timezone: Eastern Standard Time
* ermadmix leaves [07:31]
* ermadmix joins [07:34]
* mikeAtUVa joins [07:45]
* dwilcox joins [07:55]
* ermadmix leaves [08:06]
* ermadmix joins [08:10]
* ermadmix leaves [09:09]
* ksclarke joins [09:49]
* scossu joins [10:20]
* scossu1 joins [11:33]
* scossu leaves [11:34]
<awoods> gregjansen: ping [13:38]
<gregjansen> awoods: PONG
<awoods> gregjansen: I am digging into the xacml... [13:39]
gregjansen: and trying to get the most basic scenario working:
gregjansen: create some objects
gregjansen: associate a reader policy with one of the objects
gregjansen: get an authenticated user to read the object. [13:40]
<gregjansen> ok, snds gd [13:41]
<awoods> gregjansen: It seems ACLs need to be in place on the object (or its tree) as input to the xacml processing.
<gregjansen> "associate a reader policy with one of the objects" is not entirely clear
if your policies make reference to the role attribute, then yes, roles will need to be assigned to principals in the tree [13:42]
<awoods> gregjansen: Associate an xacml policy with one of the objects that allows reading.
<gregjansen> but you can write other policies that hinge upon other attributes (YMMV as not all attributes have been added..)
<awoods> gregjansen: I am looking at: AbstractRolesAuthorizationDelegate.java [13:43]
gregjansen: the logic flows through that class.
<gregjansen> the content object (for lack of a better category), has a link to a policy set which should be applicable to the roles in the XACML request
yes
<awoods> yes [13:44]
gregjansen: https://github.com/fcrepo4/fcrepo4/blob/master/fcrepo-auth-roles-common/src/main/java/org/fcrepo/auth/roles/common/AbstractRolesAuthorizationDelegate.java#L96 [13:45]
gregjansen: in the line above, ACLs are collected from the object and its tree
<gregjansen> wait, do you need an ACL to do *any* XACML enforcement, or just for enforcement based upon roles? Roles/ACL should not be required for all policies or for policies to work in general
<awoods> gregjansen: exactly
<gregjansen> k
<awoods> gregjansen: In the line above, the found ACLs are compared to the user roles, and the intersection is passed into the xacml processing. [13:46]
<gregjansen> that is the intent IIRC [13:47]
<awoods> gregjansen: if there are no ACLs, then xacml processing does not know the user roles.
<gregjansen> w/o ACLs the provider returns the default ACL, which is "no roles for anyone"
<awoods> gregjansen: If the user has roles "reader,student" defined in tomcat-users.xml (for example), I would expect those to get passed to the xacml processing, no? [13:49]
gregjansen: I would not expect the need for an ACL on the content node for the user roles to get to xacml. [13:50]
<gregjansen> well, we have a problem with terminology here, which it would be a good idea to clarify
ACLs assign "content roles" to principals
tomcat assigns "global user roles" [13:51]
so these are not the same roles
<awoods> gregjansen: ok
<gregjansen> "container roles" vs. "content roles"
or "application roles" for the later
<awoods> gregjansen: The linked code above shows that "content roles" need to exist for "global user roles" to get into the xacml processing. [13:52]
<gregjansen> As developers we are used to talking about tomcat roles, but ACLs are more like the roles that users would recognize
"global user roles" would be a kind of principal (I think), which might be assigned "content roles" in the tree. [13:53]
<awoods> gregjansen: google hangout?
<gregjansen> sure thing
<awoods> https://plus.google.com/hangouts/_/event/c1glu6soq43r1rr6ou17qtobug8
* dwilcox leaves [13:59]
* dwilcox joins [14:42]
* scossu1 leaves [14:56]
* scossu joins [15:01]
* scossu leaves [15:26]
* scossu joins [15:27]
* mikeAtUVa leaves [16:16]
* dwilcox leaves [16:26]
* ksclarke leaves [16:42]
* gregjansen leaves [16:53]
<scossu> Chiming in on the XACML topic - [16:54]
Is urn:oasis:names:tc:xacml:2.0:subject:group the right attribute to look for container role principals? [16:55]
I'm referring to my post: https://groups.google.com/forum/#!topic/fedora-tech/AI25f6p0e78 [16:56]
* ksclarke joins [18:27]
* scossu leaves [18:40]
* dwilcox joins [18:53]
* dwilcox leaves [18:55]
* dwilcox joins [19:00]
* dwilcox leaves [19:02]
<pivotal-bot> Andrew Woods added "Enable user "groups" to be included in XACML processing" https://www.pivotaltracker.com/story/show/73656018 [20:36]
Andrew Woods started "Enable user "groups" to be included in XACML processing" https://www.pivotaltracker.com/story/show/73656018
Andrew Woods finished "Enable user "groups" to be included in XACML processing" https://www.pivotaltracker.com/story/show/73656018 [20:37]
* github-ff joins [20:40]
[fcrepo-module-auth-xacml] awoods pushed 1 new commit to master: http://git.io/iZYAIw
fcrepo-module-auth-xacml/master 13be72d Andrew Woods: Non-functional update: remove dead code and clean formatting
* github-ff leaves
* github-ff joins [20:41]
[fcrepo-module-auth-xacml] awoods pushed 1 new commit to master: http://git.io/pSmlYA
fcrepo-module-auth-xacml/master 90b57be Andrew Woods: Enable user groups to be used in XACML processing...
* github-ff leaves
<pivotal-bot> Andrew Woods added comment: "Resolved with: https://github.com/fcrepo4/fcrepo-module-auth-xacml/commit/90b57be82cad808df2c72f848885b6b99..." https://www.pivotaltracker.com/story/show/73656018 [20:42]
Andrew Woods delivered "Enable user "groups" to be included in XACML processing" https://www.pivotaltracker.com/story/show/73656018
* travis-ci joins [20:46]
[travis-ci] fcrepo4/fcrepo-module-auth-xacml#54 (master - 13be72d : Andrew Woods): The build passed.
[travis-ci] Change view : https://github.com/fcrepo4/fcrepo-module-auth-xacml/compare/4071833a2727...13be72d5487b
[travis-ci] Build details : http://travis-ci.org/fcrepo4/fcrepo-module-auth-xacml/builds/28088311
* travis-ci leaves
* travis-ci joins [20:47]
[travis-ci] fcrepo4/fcrepo-module-auth-xacml#55 (master - 90b57be : Andrew Woods): The build passed.
[travis-ci] Change view : https://github.com/fcrepo4/fcrepo-module-auth-xacml/compare/13be72d5487b...90b57be82cad
[travis-ci] Build details : http://travis-ci.org/fcrepo4/fcrepo-module-auth-xacml/builds/28088370
* travis-ci leaves
<bljenkins> Project fcrepo-module-auth-xacml build #101: UNSTABLE in 2 min 42 sec: http://ci.fcrepo.org/jenkins/job/fcrepo-module-auth-xacml/101/
awoods: Enable user groups to be used in XACML processing
* scossu joins [23:39]
* scossu leaves [00:20]

Generated by Sualtam