def on_initial_bootstrap(self, process, config, **kwargs): org_ms_client = OrgManagementServiceProcessClient(process=process) ex_ms_client = ExchangeManagementServiceProcessClient(process=process) system_actor, _ = process.container.resource_registry.find_resources( restype=RT.ActorIdentity, name=config.system.system_actor, id_only=True) if not system_actor: raise AbortBootstrap("Cannot find system actor") system_actor_id = system_actor[0] # Create root Org: ION root_orgname = config.system.root_org org = Org(name=root_orgname, description="ION Root Org") self.org_id = org_ms_client.create_org(org) # Instantiate initial set of User Roles for this Org ion_manager = UserRole(name=ION_MANAGER, label='ION Manager', description='ION Manager') org_ms_client.add_user_role(self.org_id, ion_manager) org_ms_client.grant_role(self.org_id, system_actor_id, ION_MANAGER) # Make the ION system agent a manager for the ION Org org_ms_client.grant_role(self.org_id, system_actor_id, ORG_MANAGER_ROLE) # Create root ExchangeSpace xs = ExchangeSpace(name=ION_ROOT_XS, description="ION service XS") self.xs_id = ex_ms_client.create_exchange_space(xs, self.org_id)
def find_user_closed_requests(self, user_info_id='', actor_id='', org_id=''): """ Local function to be called by extended resource framework from get_user_info_extension operation. The first parameter MUST be the same user_info_id from that operation even though it is not used. @param user_info_id: @param actor_id: @param org_id: @return: """ org_client = OrgManagementServiceProcessClient(process=self) neg_list = org_client.find_user_negotiations(actor_id=actor_id, org_id=org_id) #Filter out non Open negotiations neg_list = [ neg for neg in neg_list if neg.negotiation_status != NegotiationStatusEnum.OPEN ] return self._convert_negotiations_to_requests(neg_list, user_info_id, org_id)
def get_user_info_extension(self, user_info_id='', user_id=''): """Returns an UserInfoExtension object containing additional related information @param user_info_id str @retval user_info UserInfoExtension @throws BadRequest A parameter is missing @throws NotFound An object with the specified actor_id does not exist """ if not user_info_id: raise BadRequest("The user_info_id parameter is empty") extended_resource_handler = ExtendedResourceContainer(self) extended_user = extended_resource_handler.create_extended_resource_container( extended_resource_type=OT.UserInfoExtension, resource_id=user_info_id, user_id=user_id) #If the org_id is not provided then skip looking for Org related roles. if extended_user: #Did not setup a dependency to org_management service to avoid a potential circular bootstrap issue # since this method should never be called until the system is fully running try: org_client = OrgManagementServiceProcessClient(process=self) roles = org_client.find_all_roles_by_user(extended_user.actor_identity._id) extended_user.roles = list() for org_name in roles: for role in roles[org_name]: flattened_role = copy.copy(role.__dict__) del flattened_role['type_'] #Have to do this to appease the message validators for ION objects flattened_role['org_name'] = org_name #Nothing like forcing a value into the dict to appease the UI code extended_user.roles.append(flattened_role) except Exception, e: raise NotFound('Could not retrieve UserRoles for User Info id: %s - %s' % (user_info_id, e.message))
def start(self): log.debug("GovernanceController starting ...") config = CFG.interceptor.interceptors.governance.config if config is None: config['enabled'] = False if "enabled" in config: self.enabled = config["enabled"] log.debug("GovernanceInterceptor enabled: %s" % str(self.enabled)) self.resource_policy_event_subscriber = None if self.enabled: self.initialize_from_config(config) self.resource_policy_event_subscriber = EventSubscriber( event_type="ResourcePolicyEvent", callback=self.policy_event_callback) self.resource_policy_event_subscriber.activate() self.rr_client = ResourceRegistryServiceProcessClient( node=self.container.node, process=self.container) self.policy_client = PolicyManagementServiceProcessClient( node=self.container.node, process=self.container) self.org_client = OrgManagementServiceProcessClient( node=self.container.node, process=self.container)
def resolve_org_negotiation(): try: payload = request.form['payload'] json_params = simplejson.loads(str(payload)) ion_actor_id, expiry = get_governance_info_from_request( 'serviceRequest', json_params) ion_actor_id, expiry = validate_request(ion_actor_id, expiry) headers = build_message_headers(ion_actor_id, expiry) # extract negotiation-specific data (convert from unicode just in case - these are machine generated and unicode specific # chars are unexpected) verb = str(json_params['verb']) originator = str(json_params['originator']) negotiation_id = str(json_params['negotiation_id']) reason = str(json_params.get('reason', '')) proposal_status = None if verb.lower() == "accept": proposal_status = ProposalStatusEnum.ACCEPTED elif verb.lower() == "reject": proposal_status = ProposalStatusEnum.REJECTED proposal_originator = None if originator.lower() == "consumer": proposal_originator = ProposalOriginatorEnum.CONSUMER elif originator.lower() == "provider": proposal_originator = ProposalOriginatorEnum.PROVIDER rr_client = ResourceRegistryServiceProcessClient( node=Container.instance.node, process=service_gateway_instance) negotiation = rr_client.read(negotiation_id, headers=headers) new_negotiation_sap = Negotiation.create_counter_proposal( negotiation, proposal_status, proposal_originator) org_client = OrgManagementServiceProcessClient( node=Container.instance.node, process=service_gateway_instance) resp = org_client.negotiate(new_negotiation_sap, headers=headers) # update reason if it exists if reason: # reload negotiation because it has changed negotiation = rr_client.read(negotiation_id, headers=headers) negotiation.reason = reason rr_client.update(negotiation) return gateway_json_response(resp) except Exception, e: return build_error_response(e)
def seed_gov(container, process=FakeProcess()): id_client = IdentityManagementServiceProcessClient(node=container.node, process=process) org_client = OrgManagementServiceProcessClient(node=container.node, process=process) ion_org = org_client.find_org() try: myorg = org_client.read_org() except Exception, e: log.info("This should fail") log.info(e.message)
def test_policy(container, process=FakeProcess()): org_client = OrgManagementServiceProcessClient(node=container.node, process=process) ion_org = org_client.find_org() id_client = IdentityManagementServiceProcessClient(node=container.node, process=process) system_actor = id_client.find_actor_identity_by_name( name=CFG.system.system_actor) log.info('system actor:' + system_actor._id) policy_client = PolicyManagementServiceProcessClient(node=container.node, process=process) header_roles = get_role_message_headers( org_client.find_all_roles_by_user(system_actor._id)) users = org_client.find_enrolled_users(ion_org._id, headers={ 'ion-actor-id': system_actor._id, 'ion-actor-roles': header_roles }) for u in users: log.info(str(u)) user = id_client.find_actor_identity_by_name( '/DC=org/DC=cilogon/C=US/O=ProtectNetwork/CN=Roger Unwin A254') log.debug('user_id: ' + user._id) roles = org_client.find_roles_by_user(ion_org._id, user._id) for r in roles: log.info('User UserRole: ' + str(r)) header_roles = get_role_message_headers( org_client.find_all_roles_by_user(user._id)) try: org_client.grant_role(ion_org._id, user._id, 'INSTRUMENT_OPERATOR', headers={ 'ion-actor-id': user._id, 'ion-actor-roles': header_roles }) except Exception, e: log.info('This grant role should be denied:' + e.message)
def setUp(self): # Start container self._start_container() #Load a deploy file self.container.start_rel_from_url('res/deploy/r2deploy.yml') #Instantiate a process to represent the test process = GovernanceTestProcess() #Load system policies after container has started all of the services LoadSystemPolicy.op_load_system_policies(process) self.rr_client = ResourceRegistryServiceProcessClient( node=self.container.node, process=process) self.id_client = IdentityManagementServiceProcessClient( node=self.container.node, process=process) self.pol_client = PolicyManagementServiceProcessClient( node=self.container.node, process=process) self.org_client = OrgManagementServiceProcessClient( node=self.container.node, process=process) self.ims_client = InstrumentManagementServiceProcessClient( node=self.container.node, process=process) self.ems_client = ExchangeManagementServiceProcessClient( node=self.container.node, process=process) self.ion_org = self.org_client.find_org() self.system_actor = self.id_client.find_actor_identity_by_name( name=CFG.system.system_actor) log.debug('system actor:' + self.system_actor._id) sa_header_roles = get_role_message_headers( self.org_client.find_all_roles_by_user(self.system_actor._id)) self.sa_user_header = { 'ion-actor-id': self.system_actor._id, 'ion-actor-roles': sa_header_roles }
def test_requests(container, process=FakeProcess()): org_client = OrgManagementServiceProcessClient(node=container.node, process=process) ion_org = org_client.find_org() id_client = IdentityManagementServiceProcessClient(node=container.node, process=process) rr_client = ResourceRegistryServiceProcessClient(node=container.node, process=process) system_actor = id_client.find_actor_identity_by_name( name=CFG.system.system_actor) log.info('system actor:' + system_actor._id) sa_header_roles = get_role_message_headers( org_client.find_all_roles_by_user(system_actor._id)) try: user = id_client.find_actor_identity_by_name( '/DC=org/DC=cilogon/C=US/O=ProtectNetwork/CN=Roger Unwin A254') except: raise Inconsistent( "The test user is not found; did you seed the data?") log.debug('user_id: ' + user._id) user_header_roles = get_role_message_headers( org_client.find_all_roles_by_user(user._id)) try: org2 = org_client.find_org('Org2') org2_id = org2._id except NotFound, e: org2 = IonObject(RT.Org, name='Org2', description='A second Org') org2_id = org_client.create_org(org2, headers={ 'ion-actor-id': system_actor._id, 'ion-actor-roles': sa_header_roles })
def __init__(self, pa): """ Called by platform agent upon its initialization so there is a driver already created and configured. @param pa The associated platform agent object to access the elements handled by this helper. """ self._agent = pa self._platform_id = pa._platform_id # mission_id -> MissionScheduler mapping: self._running_missions = {} log.debug('%r: [mm] MissionManager created', self._platform_id) self._provider_id = self._agent._provider_id self._actor_id = self._agent._actor_id log.debug('%r: [xa] provider_id=%r actor_id=%r', self._platform_id, self._provider_id, self._actor_id) # ctx = self._agent.get_context() # self._actor_id = ctx.get('ion-actor-id', None) if ctx else None # log.debug('[xa] actor_id=%r', self._actor_id) if self._actor_id is None: log.warn('%r: [xa] actor_id is None', self._platform_id) # _exaccess: resource_id -> {'commitment_id': id, 'mission_ids': [mission_id, ...]}: # the agents we have acquired exclusive access to. We remove the actual exclusive # access when there are no more associated mission_id's for a given resource_id. self._exaccess = {} self.ORG = OrgManagementServiceProcessClient(process=self._agent) self.RR = ResourceRegistryServiceClient() # TODO what's the correct way to obtain the actor header? the following is # working but likely because the same call is done in # base_test_platform_agent for the IMS.start_platform_agent_instance call self._actor_header = get_system_actor_header() log.debug('%r: [xa] actor_header=%s', self._platform_id, self._actor_header)
def build_message_headers(ion_actor_id, expiry): headers = dict() headers['ion-actor-id'] = ion_actor_id headers['expiry'] = expiry #If this is an anonymous requester then there are no roles associated with the request if ion_actor_id == DEFAULT_ACTOR_ID: headers['ion-actor-roles'] = dict() return headers try: #Check to see if the user's roles are cached already - keyed by user id if service_gateway_instance.user_role_cache.has_key(ion_actor_id): role_header = service_gateway_instance.user_role_cache.get( ion_actor_id) if role_header is not None: headers['ion-actor-roles'] = role_header return headers #The user's roles were not cached so hit the datastore to find it. org_client = OrgManagementServiceProcessClient( node=Container.instance.node, process=service_gateway_instance) org_roles = org_client.find_all_roles_by_user( ion_actor_id, headers={ "ion-actor-id": service_gateway_instance.name, 'expiry': DEFAULT_EXPIRY }) role_header = get_role_message_headers(org_roles) #Cache the roles by user id service_gateway_instance.user_role_cache.put(ion_actor_id, role_header) except Exception, e: role_header = dict( ) # Default to empty dict if there is a problem finding roles for the user
def get_user_info_extension(self, user_info_id='', org_id=''): """Returns an UserInfoExtension object containing additional related information @param user_info_id str @param org_id str - An optional org id that the user is interested in filtering against. @retval user_info UserInfoExtension @throws BadRequest A parameter is missing @throws NotFound An object with the specified actor_id does not exist """ if not user_info_id: raise BadRequest("The user_info_id parameter is empty") #THis is a hack to get the UI going. It would be preferable to get the actor id from the extended resource #container below, but their would need to be a guarantee of order of field processing in order #to ensure that the actor identity has been found BEFORE the negotiation methods are called - and probably #some elegant way to indicate the field and sub field; ie actor_identity._id actors, _ = self.clients.resource_registry.find_subjects( subject_type=RT.ActorIdentity, predicate=PRED.hasInfo, object=user_info_id, id_only=True) actor_id = actors[0] if len(actors) > 0 else '' extended_resource_handler = ExtendedResourceContainer(self) extended_user = extended_resource_handler.create_extended_resource_container( extended_resource_type=OT.UserInfoExtension, resource_id=user_info_id, computed_resource_type=OT.ComputedAttributes, user_id=user_info_id, org_id=org_id, actor_id=actor_id) #If the org_id is not provided then skip looking for Org related roles. if extended_user: #Did not setup a dependency to org_management service to avoid a potential circular bootstrap issue # since this method should never be called until the system is fully running try: org_client = OrgManagementServiceProcessClient(process=self) roles = org_client.find_all_roles_by_user( extended_user.actor_identity._id) extended_user.roles = list() for org_name in roles: for role in roles[org_name]: flattened_role = copy.copy(role.__dict__) del flattened_role[ 'type_'] #Have to do this to appease the message validators for ION objects flattened_role[ 'org_name'] = org_name #Nothing like forcing a value into the dict to appease the UI code extended_user.roles.append(flattened_role) except Exception, e: raise NotFound( 'Could not retrieve UserRoles for User Info id: %s - %s' % (user_info_id, e.message)) #filter notification requests that are retired extended_user.subscriptions = [ nr for nr in extended_user.subscriptions if nr.temporal_bounds.end_datetime == '' ] #filter owned resources that are retired nr_removed = [] for rsrc in extended_user.owned_resources: #remove all the Notifications if rsrc.type_ != OT.NotificationRequest: nr_removed.append(rsrc) extended_user.owned_resources = [ rsrc for rsrc in nr_removed if rsrc.lcstate != 'DELETED' ] #now append the active NotificationRequests extended_user.owned_resources.extend(extended_user.subscriptions)
def op_load_system_policies(cls, calling_process): org_client = OrgManagementServiceProcessClient( node=Container.instance.node, process=calling_process) ion_org = org_client.find_org() id_client = IdentityManagementServiceProcessClient( node=Container.instance.node, process=calling_process) system_actor = get_system_actor() log.info('system actor:' + system_actor._id) sa_user_header = get_system_actor_header() policy_client = PolicyManagementServiceProcessClient( node=Container.instance.node, process=calling_process) timeout = 20 ############## ''' This rule must be loaded before the Deny_Everything rule ''' policy_client = PolicyManagementServiceProcessClient( node=Container.instance.node, process=calling_process) policy_text = ''' <Rule RuleId="%s:" Effect="Permit"> <Description> %s </Description> <Target> <Subjects> <Subject> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ION_MANAGER</AttributeValue> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </SubjectMatch> </Subject> </Subjects> </Target> </Rule> ''' policy_id = policy_client.create_common_service_access_policy( 'ION_Manager_Permit_Everything', 'A global policy rule that permits access to everything with the ION Manager role', policy_text, headers=sa_user_header) ############## ''' This rule must be loaded before the Deny_Everything rule ''' policy_text = ''' <Rule RuleId="%s" Effect="Permit"> <Description> %s </Description> <Target> <Resources> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">service</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:receiver-type" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> </Resources> <Actions> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read*</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find*</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">get*</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">is*</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">has*</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> </Actions> </Target> <Condition> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not"> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find_org_negotiations</AttributeValue> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find_enrolled_users</AttributeValue> </Apply> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </Apply> </Apply> </Condition> </Rule> ''' policy_id = policy_client.create_common_service_access_policy( 'Allowed_Anonymous_Service_Operations', 'A global policy rule which specifies operations that are allowed with anonymous access', policy_text, headers=sa_user_header) ############## #This rule has been modified specifically for 2.0 to Deny for only specific services and agents. Everything else will be allowed. policy_text = ''' <Rule RuleId="%s:" Effect="Deny"> <Description> %s </Description> <Target> <!-- REMOVE THE RESOURCE TARGETS BELOW AFTER 2.0 TO TIGHTEN POLICY --> <Resources> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">org_management</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">instrument_management</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">observatory_management</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">InstrumentDevice</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">PlatformDevice</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">identity_management</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">scheduler</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> </Resources> </Target> </Rule> ''' policy_id = policy_client.create_common_service_access_policy( 'Deny_Everything', 'A global policy rule that denies access to everything by default', policy_text, headers=sa_user_header) ############## policy_text = ''' <Rule RuleId="%s" Effect="Permit"> <Description> %s </Description> <Target> <Resources> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">service</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:receiver-type" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> </Resources> <Actions> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">delete</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> </Actions> <Subjects> <Subject> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">INSTRUMENT_OPERATOR</AttributeValue> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </SubjectMatch> </Subject> <Subject> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">OBSERVATORY_OPERATOR</AttributeValue> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </SubjectMatch> </Subject> <Subject> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DATA_OPERATOR</AttributeValue> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </SubjectMatch> </Subject> <Subject> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MANAGER</AttributeValue> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </SubjectMatch> </Subject> </Subjects> </Target> </Rule> ''' policy_id = policy_client.create_common_service_access_policy( 'Allowed_CUD_Service_Operations_for_Roles', 'A global policy rule which specifies operations that are allowed with for OPERATOR AND MANAGER roles', policy_text, headers=sa_user_header) ############## policy_text = ''' <Rule RuleId="%s" Effect="Permit"> <Description> %s </Description> <Target> <Resources> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">identity_management</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> </Resources> <Actions> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">signon</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create_user_info</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> </Actions> </Target> <Condition> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not"> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">anonymous</AttributeValue> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only"> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </Apply> </Apply> </Apply> </Condition> </Rule> ''' policy_id = policy_client.create_service_access_policy( 'identity_management', 'IDS_Permitted_Non_Anonymous', 'Permit these operations in the Identity Management Service is the user is not anonymous', policy_text, headers=sa_user_header) ############## policy_text = ''' <Rule RuleId="%s" Effect="Permit"> <Description> %s </Description> <Target> <Resources> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">org_management</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> </Resources> <Subjects> <Subject> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MANAGER</AttributeValue> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </SubjectMatch> </Subject> </Subjects> </Target> </Rule> ''' policy_id = policy_client.create_service_access_policy( 'org_management', 'OMS_Org_Manager_Role_Permitted', 'Permit these operations in the Org Management Service for the role of Org Manager', policy_text, headers=sa_user_header) ############## policy_text = ''' <Rule RuleId="%s" Effect="Permit"> <Description> %s </Description> <Target> <Resources> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">org_management</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> </Resources> <Actions> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">negotiate</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">has_role</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">release_commitment</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> </Actions> <Subjects> <Subject> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MEMBER</AttributeValue> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </SubjectMatch> </Subject> </Subjects> </Target> </Rule> ''' policy_id = policy_client.create_service_access_policy( 'org_management', 'OMS_Org_Member_Role_Permitted', 'Permit these operations in the Org Management Service for any user that is a simple Member of the Org', policy_text, headers=sa_user_header) ############## policy_text = ''' <Rule RuleId="%s" Effect="Permit"> <Description> %s </Description> <Target> <Resources> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">instrument_management</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> </Resources> <Subjects> <Subject> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">INSTRUMENT_OPERATOR</AttributeValue> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </SubjectMatch> </Subject> <Subject> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">OBSERVATORY_OPERATOR</AttributeValue> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </SubjectMatch> </Subject> <Subject> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MANAGER</AttributeValue> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </SubjectMatch> </Subject> </Subjects> </Target> </Rule> ''' policy_id = policy_client.create_service_access_policy( 'instrument_management', 'IMS_Role_Permitted_Operations', 'Permit these operations in the Instrument Management Service for role of Instrument Operator, Observatory Operator or Org Manager', policy_text, headers=sa_user_header) ############## policy_text = ''' <Rule RuleId="%s" Effect="Permit"> <Description> %s </Description> <Target> <Resources> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">observatory_management</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> </Resources> <Subjects> <Subject> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">OBSERVATORY_OPERATOR</AttributeValue> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </SubjectMatch> </Subject> <Subject> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MANAGER</AttributeValue> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </SubjectMatch> </Subject> </Subjects> </Target> </Rule> ''' policy_id = policy_client.create_service_access_policy( 'observatory_management', 'OBM_Role_Permitted_Operations', 'Permit these operations in the Observatory Management Service for role of Observatory Operator or Org Manager', policy_text, headers=sa_user_header) ############## policy_text = ''' <Rule RuleId="%s" Effect="Permit"> <Description> %s </Description> <Target> <Resources> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">InstrumentDevice</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">PlatformDevice</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">agent</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:receiver-type" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> </Resources> <Subjects> <Subject> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MANAGER</AttributeValue> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </SubjectMatch> </Subject> <Subject> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">OBSERVATORY_OPERATOR</AttributeValue> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </SubjectMatch> </Subject> </Subjects> </Target> </Rule> ''' #All resource_agents are kind of handled the same - but the resource-id in the rule is set to the specific type policy_id = policy_client.create_service_access_policy( 'InstrumentDevice', 'Instrument_Agent_Org_Manager_Role_Permitted', 'Permit all instrument agent operations for the role of Org Manager', policy_text, headers=sa_user_header) #All resource_agents are kind of handled the same - but the resource-id in the rule is set to the specific type policy_id = policy_client.create_service_access_policy( 'PlatformDevice', 'Platform_Agent_Org_Manager_Role_Permitted', 'Permit all platform agent operations for the role of Org Manager', policy_text, headers=sa_user_header) ############# policy_text = ''' <Rule RuleId="%s" Effect="Permit"> <Description> %s </Description> <Target> <Resources> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">InstrumentDevice</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">PlatformDevice</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">agent</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:receiver-type" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> </Resources> <Actions> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">negotiate</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">get_capabilities</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> </Actions> <Subjects> <Subject> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MEMBER</AttributeValue> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </SubjectMatch> </Subject> </Subjects> </Target> </Rule> ''' #All resource_agents are kind of handled the same - but the resource-id in the rule is set to the specific type policy_id = policy_client.create_service_access_policy( 'InstrumentDevice', 'Instrument_Agent_Org_Member_Permitted', 'Permit these operations in an instrument agent for a Member of the Org', policy_text, headers=sa_user_header) #All resource_agents are kind of handled the same - but the resource-id in the rule is set to the specific type policy_id = policy_client.create_service_access_policy( 'PlatformDevice', 'Platform_Agent_Org_Member_Permitted', 'Permit these operations in an platform agent for a Member of the Org', policy_text, headers=sa_user_header) ############# policy_text = ''' <Rule RuleId="%s" Effect="Permit"> <Description> %s </Description> <Target> <Resources> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">InstrumentDevice</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">PlatformDevice</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">agent</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:receiver-type" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> </Resources> <Actions> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">get_resource_state</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">get_resource</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">set_resource</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">execute_resource</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ping_resource</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">get_agent_state</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> </Actions> <Subjects> <Subject> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">INSTRUMENT_OPERATOR</AttributeValue> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </SubjectMatch> </Subject> </Subjects> </Target> </Rule> ''' #All resource_agents are kind of handled the same - but the resource-id in the rule is set to the specific type policy_id = policy_client.create_service_access_policy( 'InstrumentDevice', 'Instrument_Agent_Instrument_Operator_Permitted', 'Permit these operations in an instrument agent for an Instrument Operator', policy_text, headers=sa_user_header) #All resource_agents are kind of handled the same - but the resource-id in the rule is set to the specific type policy_id = policy_client.create_service_access_policy( 'PlatformDevice', 'Platform_Agent_Instrument_Operator_Permitted', 'Permit these operations in an platform agent for an Instrument Operator', policy_text, headers=sa_user_header) ######### Load Operation Specific Preconditions ############# #Add precondition policies for the Instrument Agents pol_id = policy_client.add_process_operation_precondition_policy( process_name=RT.InstrumentDevice, op='execute_resource', policy_content='check_resource_operation_policy', headers=sa_user_header) pol_id = policy_client.add_process_operation_precondition_policy( process_name=RT.InstrumentDevice, op='set_resource', policy_content='check_resource_operation_policy', headers=sa_user_header) pol_id = policy_client.add_process_operation_precondition_policy( process_name=RT.InstrumentDevice, op='ping_resource', policy_content='check_resource_operation_policy', headers=sa_user_header) #Add precondition policies for the Platform Agents pol_id = policy_client.add_process_operation_precondition_policy( process_name=RT.PlatformDevice, op='execute_resource', policy_content='check_resource_operation_policy', headers=sa_user_header) pol_id = policy_client.add_process_operation_precondition_policy( process_name=RT.PlatformDevice, op='set_resource', policy_content='check_resource_operation_policy', headers=sa_user_header) pol_id = policy_client.add_process_operation_precondition_policy( process_name=RT.PlatformDevice, op='ping_resource', policy_content='check_resource_operation_policy', headers=sa_user_header) #Add precondition policies for IMS Direct Access operations pol_id = policy_client.add_process_operation_precondition_policy( process_name='instrument_management', op='request_direct_access', policy_content='check_direct_access_policy', headers=sa_user_header) pol_id = policy_client.add_process_operation_precondition_policy( process_name='instrument_management', op='stop_direct_access', policy_content='check_direct_access_policy', headers=sa_user_header) #Add precondition policies for IMS lifecyle operations pol_id = policy_client.add_process_operation_precondition_policy( process_name='instrument_management', op='execute_instrument_device_lifecycle', policy_content='check_device_lifecycle_policy', headers=sa_user_header) pol_id = policy_client.add_process_operation_precondition_policy( process_name='instrument_management', op='execute_platform_device_lifecycle', policy_content='check_device_lifecycle_policy', headers=sa_user_header)
def op_load_system_policies(cls, calling_process): org_client = OrgManagementServiceProcessClient( node=Container.instance.node, process=calling_process) ion_org = org_client.find_org() id_client = IdentityManagementServiceProcessClient( node=Container.instance.node, process=calling_process) system_actor = id_client.find_actor_identity_by_name( name=CFG.system.system_actor) log.debug('system actor:' + system_actor._id) sa_header_roles = get_role_message_headers( org_client.find_all_roles_by_user(system_actor._id)) sa_user_header = { 'ion-actor-id': system_actor._id, 'ion-actor-roles': sa_header_roles } policy_client = PolicyManagementServiceProcessClient( node=Container.instance.node, process=calling_process) ############## """ This policy MUST BE LOADED FIRST!!!!! """ policy_text = ''' <Rule RuleId="urn:oasis:names:tc:xacml:2.0:example:ruleid:%s" Effect="Permit"> <Description> %s </Description> <Target> <Subjects> <Subject> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">anonymous</AttributeValue> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </SubjectMatch> </Subject> </Subjects> <Actions> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">get</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">signon</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> </Actions> </Target> <Condition> <Apply FunctionId="urn:oasis:names:tc:xacml:ooi:function:not"> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find_requests</AttributeValue> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find_user_requests</AttributeValue> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find_enrolled_users</AttributeValue> </Apply> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </Apply> </Apply> </Condition> </Rule> ''' policy_obj = IonObject( RT.Policy, name='Anonymous_Allowed_Operations', definition_type="Org", rule=policy_text, description= 'A global Org policy rule which specifies operations that are allowed with anonymous access' ) policy_id = policy_client.create_policy(policy_obj, headers=sa_user_header) policy_client.add_resource_policy(ion_org._id, policy_id, headers=sa_user_header, timeout=20) log.debug('Policy created: ' + policy_obj.name) ############## policy_text = ''' <Rule RuleId="urn:oasis:names:tc:xacml:2.0:example:ruleid:%s" Effect="Deny"> <Description> %s </Description> <Target> <Subjects> <Subject> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">anonymous</AttributeValue> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </SubjectMatch> </Subject> </Subjects> </Target> </Rule> ''' policy_obj = IonObject( RT.Policy, name='Anonymous_Deny_Everything', definition_type="Org", rule=policy_text, description= 'A global Org policy rule that denies anonymous access to everything in the Org as the base' ) policy_id = policy_client.create_policy(policy_obj, headers=sa_user_header) policy_client.add_resource_policy(ion_org._id, policy_id, headers=sa_user_header, timeout=20) log.debug('Policy created: ' + policy_obj.name) ############### policy_client = PolicyManagementServiceProcessClient( node=Container.instance.node, process=calling_process) policy_text = ''' <Rule RuleId="urn:oasis:names:tc:xacml:2.0:example:ruleid:%s" Effect="Permit"> <Description> %s </Description> <Target> </Target> <Condition> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MANAGER</AttributeValue> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ION_MANAGER</AttributeValue> </Apply> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </Apply> </Condition> </Rule> ''' policy_obj = IonObject( RT.Policy, name='Org_Manager_Permit_Everything', definition_type="Org", rule=policy_text, description= 'A global Org policy rule that permits access to everything in the Org for a user with Org Manager or ION Manager role' ) policy_id = policy_client.create_policy(policy_obj, headers=sa_user_header) policy_client.add_resource_policy(ion_org._id, policy_id, headers=sa_user_header, timeout=20) log.debug('Policy created: ' + policy_obj.name) ############## ############## policy_text = ''' <Rule RuleId="urn:oasis:names:tc:xacml:2.0:example:ruleid:%s" Effect="Permit"> <Description> %s </Description> <Target> <Subjects> <Subject> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">anonymous</AttributeValue> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </SubjectMatch> </Subject> </Subjects> <Resources> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">datastore</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> </Resources> <Actions> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create_doc</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> </Actions> </Target> <Condition> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only"> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-sender-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </Apply> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bootstrap</AttributeValue> </Apply> </Condition> </Rule> ''' policy_obj = IonObject( RT.Policy, name='DataStore_Anonymous_Bootstrap', definition_type="Service", rule=policy_text, description= 'Permit anonymous access to these operations in the Datastore Service if called from the Bootstrap Service' ) policy_id = policy_client.create_policy(policy_obj, headers=sa_user_header) policy_client.add_service_policy('datastore', policy_id, headers=sa_user_header, timeout=20) log.debug('Policy created: ' + policy_obj.name) ############## policy_text = ''' <Rule RuleId="urn:oasis:names:tc:xacml:2.0:example:ruleid:%s" Effect="Permit"> <Description> %s </Description> <Target> <Subjects> <Subject> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">anonymous</AttributeValue> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </SubjectMatch> </Subject> </Subjects> <Resources> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">resource_registry</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> </Resources> <Actions> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue> </ActionMatch> </Action> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create_association</AttributeValue> </ActionMatch> </Action> </Actions> </Target> <Condition> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only"> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-sender-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </Apply> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">identity_management</AttributeValue> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">policy_management</AttributeValue> </Apply> </Condition> </Rule> ''' policy_obj = IonObject( RT.Policy, name='Resource_Registry_Anonymous_Bootstrap', definition_type="Service", rule=policy_text, description= 'Permit anonymous access to these operations in the Resource Registry Service if called from the Identity Management Service' ) policy_id = policy_client.create_policy(policy_obj, headers=sa_user_header) policy_client.add_service_policy('resource_registry', policy_id, headers=sa_user_header, timeout=20) log.debug('Policy created: ' + policy_obj.name) ############## policy_text = ''' <Rule RuleId="urn:oasis:names:tc:xacml:2.0:example:ruleid:%s" Effect="Permit"> <Description> %s </Description> <Target> <Subjects> <Subject> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">anonymous</AttributeValue> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </SubjectMatch> </Subject> </Subjects> <Resources> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">identity_management</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> </Resources> <Actions> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create_actor_identity</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> </Actions> </Target> <Condition> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only"> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-sender-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </Apply> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bootstrap</AttributeValue> </Apply> </Condition> </Rule> ''' policy_obj = IonObject( RT.Policy, name='Identity_Management_Anonymous_Bootstrap', definition_type="Service", rule=policy_text, description= 'Permit anonymous access to these operations in the Identity Management Service if called from the Bootstrap Service' ) policy_id = policy_client.create_policy(policy_obj, headers=sa_user_header) policy_client.add_service_policy('identity_management', policy_id, headers=sa_user_header, timeout=20) log.debug('Policy created: ' + policy_obj.name) ############## policy_text = ''' <Rule RuleId="urn:oasis:names:tc:xacml:2.0:example:ruleid:%s" Effect="Deny"> <Description> %s </Description> <Target> <Resources> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">org_management</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> </Resources> <Actions> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find_requests</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find_enrolled_users</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">approve_request</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">deny_request</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">enroll_member</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">cancel_member_enrollment</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">grant_role</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">revoke_role</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">add_user_role</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">remove_user_role</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">acquire_resource</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">release_resource</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> </Actions> </Target> <Condition> <Apply FunctionId="urn:oasis:names:tc:xacml:ooi:function:not"> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MANAGER</AttributeValue> </Apply> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </Apply> </Apply> </Condition> </Rule> ''' policy_obj = IonObject( RT.Policy, name='Org_Management_Org_Manager_Role_Permitted', definition_type="Service", rule=policy_text, description= 'Deny these operations in the Org Management Service if not the role of Org Manager' ) policy_id = policy_client.create_policy(policy_obj, headers=sa_user_header) policy_client.add_service_policy('org_management', policy_id, headers=sa_user_header, timeout=20) log.debug('Policy created: ' + policy_obj.name) ############## policy_text = ''' <Rule RuleId="urn:oasis:names:tc:xacml:2.0:example:ruleid:%s" Effect="Deny"> <Description> %s </Description> <Target> <Resources> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">instrument_management</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> </Resources> <Actions> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">delete</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> </Actions> </Target> <Condition> <Apply FunctionId="urn:oasis:names:tc:xacml:ooi:function:not"> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">INSTRUMENT_OPERATOR</AttributeValue> </Apply> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </Apply> </Apply> </Condition> </Rule> ''' policy_obj = IonObject( RT.Policy, name='Instrument_Management_Instrument_Operator_Role_Permitted', definition_type="Service", rule=policy_text, description= 'Deny these operations in the Instrument Management Service if not the role of Instrument Operator' ) policy_id = policy_client.create_policy(policy_obj, headers=sa_user_header) policy_client.add_service_policy('instrument_management', policy_id, headers=sa_user_header, timeout=20) log.debug('Policy created: ' + policy_obj.name)