def on_initial_bootstrap(self, process, config, **kwargs):
    """Create the root Org, its initial role set and the root ExchangeSpace.

    Runs once at system bootstrap. The system actor named by
    ``config.system.system_actor`` must already exist as an ActorIdentity
    in the resource registry; it is granted both the ION_MANAGER and the
    ORG_MANAGER role on the root Org. Sets ``self.org_id`` and
    ``self.xs_id`` as side effects.

    @param process  bootstrap process used to build the service clients
    @param config   system configuration; reads config.system.system_actor
                    and config.system.root_org
    @throws AbortBootstrap  no ActorIdentity matches the configured name
    """
    org_client = OrgManagementServiceProcessClient(process=process)
    exchange_client = ExchangeManagementServiceProcessClient(process=process)

    # Resolve the system actor by name; only its id is needed here.
    actor_ids, _ = process.container.resource_registry.find_resources(
        restype=RT.ActorIdentity,
        name=config.system.system_actor,
        id_only=True)
    if not actor_ids:
        raise AbortBootstrap("Cannot find system actor")
    system_actor_id = actor_ids[0]

    # Root Org: ION
    root_org = Org(name=config.system.root_org, description="ION Root Org")
    self.org_id = org_client.create_org(root_org)

    # Initial role set for the root Org. The system actor is made both an
    # ION manager and a manager of the root Org itself.
    manager_role = UserRole(name=ION_MANAGER, label='ION Manager',
                            description='ION Manager')
    org_client.add_user_role(self.org_id, manager_role)
    for role_name in (ION_MANAGER, ORG_MANAGER_ROLE):
        org_client.grant_role(self.org_id, system_actor_id, role_name)

    # Root ExchangeSpace, owned by the root Org
    root_xs = ExchangeSpace(name=ION_ROOT_XS, description="ION service XS")
    self.xs_id = exchange_client.create_exchange_space(root_xs, self.org_id)
def find_user_closed_requests(self, user_info_id='', actor_id='', org_id=''):
    """Return the user's negotiations that are no longer OPEN, as requests.

    Local function invoked by the extended resource framework from the
    get_user_info_extension operation. The first parameter MUST be the
    same user_info_id as that operation even though it is not used for
    the lookup itself.

    @param user_info_id  UserInfo id of the calling context; passed through
                         to the request conversion only
    @param actor_id      actor whose negotiations are looked up
    @param org_id        Org the lookup is restricted to
    @return the converted requests for every negotiation whose status is
            anything other than OPEN
    """
    org_client = OrgManagementServiceProcessClient(process=self)
    negotiations = org_client.find_user_negotiations(actor_id=actor_id,
                                                     org_id=org_id)

    # Keep only negotiations that are not OPEN any more.
    closed = []
    for negotiation in negotiations:
        if negotiation.negotiation_status == NegotiationStatusEnum.OPEN:
            continue
        closed.append(negotiation)

    return self._convert_negotiations_to_requests(closed, user_info_id,
                                                  org_id)
def get_user_info_extension(self, user_info_id='', user_id=''):
    """Returns an UserInfoExtension object containing additional related information

    Builds the extended container for the UserInfo resource and, when one
    is produced, attaches the user's roles across all Orgs as a flat list
    of dicts (each role dict gains an ``org_name`` key and loses ``type_``).

    NOTE(review): the snippet ends inside the except clause; the return of
    extended_user is not shown here.

    @param user_info_id str
    @param user_id str - id of the requesting user, handed to the extended resource container
    @retval user_info UserInfoExtension
    @throws BadRequest A parameter is missing
    @throws NotFound An object with the specified actor_id does not exist
    """
    if not user_info_id:
        raise BadRequest("The user_info_id parameter is empty")

    extended_resource_handler = ExtendedResourceContainer(self)
    extended_user = extended_resource_handler.create_extended_resource_container(
        extended_resource_type=OT.UserInfoExtension,
        resource_id=user_info_id,
        user_id=user_id)

    # Roles are only looked up when an extended container was actually built
    # (org_id is not a parameter of this version of the operation).
    if extended_user:
        # No declared dependency on the org_management service, to avoid a
        # potential circular bootstrap issue; this method should never be
        # called until the system is fully running.
        try:
            org_client = OrgManagementServiceProcessClient(process=self)
            roles = org_client.find_all_roles_by_user(extended_user.actor_identity._id)
            extended_user.roles = list()
            for org_name in roles:
                for role in roles[org_name]:
                    flattened_role = copy.copy(role.__dict__)
                    del flattened_role['type_']  # Have to do this to appease the message validators for ION objects
                    flattened_role['org_name'] = org_name  # Nothing like forcing a value into the dict to appease the UI code
                    extended_user.roles.append(flattened_role)
        # NOTE(review): every failure here (client errors included) is
        # reported to the caller as NotFound, which hides the real cause.
        except Exception, e:
            raise NotFound('Could not retrieve UserRoles for User Info id: %s - %s' % (user_info_id, e.message))
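def start(self):
    """Read the governance interceptor config and, when enabled, wire up
    the policy event subscriber and the service clients this controller
    uses.

    Reads ``CFG.interceptor.interceptors.governance.config``. A missing
    config section is treated as ``{'enabled': False}``; the previous code
    tried to assign into ``None`` in that case, which raised TypeError.
    When the section exists but has no ``enabled`` key, ``self.enabled``
    keeps whatever value it already had.
    """
    log.debug("GovernanceController starting ...")

    config = CFG.interceptor.interceptors.governance.config
    if config is None:
        # No config section: governance stays disabled instead of failing
        # on an item assignment into None.
        config = {'enabled': False}

    if "enabled" in config:
        self.enabled = config["enabled"]
    log.debug("GovernanceInterceptor enabled: %s", self.enabled)

    self.resource_policy_event_subscriber = None

    if not self.enabled:
        return

    self.initialize_from_config(config)

    # Policy changes are pushed over the event bus; react to them.
    self.resource_policy_event_subscriber = EventSubscriber(
        event_type="ResourcePolicyEvent",
        callback=self.policy_event_callback)
    self.resource_policy_event_subscriber.activate()

    node = self.container.node
    self.rr_client = ResourceRegistryServiceProcessClient(
        node=node, process=self.container)
    self.policy_client = PolicyManagementServiceProcessClient(
        node=node, process=self.container)
    self.org_client = OrgManagementServiceProcessClient(
        node=node, process=self.container)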
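def resolve_org_negotiation():
    """Gateway endpoint: accept or reject an Org negotiation on behalf of
    the requesting actor.

    Reads the JSON ``payload`` form field, derives and validates the
    requester's actor id and expiry, and sends a counter proposal through
    the Org management service. Every registry and service call carries
    the requester's message headers, so policy is evaluated for the
    requester rather than for the gateway process itself.

    @return a gateway JSON response, or an error response if anything
            raises while handling the request
    """
    try:
        payload = request.form['payload']
        json_params = simplejson.loads(str(payload))

        ion_actor_id, expiry = get_governance_info_from_request(
            'serviceRequest', json_params)
        ion_actor_id, expiry = validate_request(ion_actor_id, expiry)
        headers = build_message_headers(ion_actor_id, expiry)

        # Negotiation-specific fields. These are machine generated, so they
        # are converted from unicode to str (non-ASCII is unexpected here).
        verb = str(json_params['verb']).lower()
        originator = str(json_params['originator']).lower()
        negotiation_id = str(json_params['negotiation_id'])
        reason = str(json_params.get('reason', ''))

        # Unrecognised verb/originator values map to None, as before.
        # NOTE(review): whether create_counter_proposal rejects None is not
        # visible here — TODO confirm.
        proposal_status = {
            'accept': ProposalStatusEnum.ACCEPTED,
            'reject': ProposalStatusEnum.REJECTED,
        }.get(verb)
        proposal_originator = {
            'consumer': ProposalOriginatorEnum.CONSUMER,
            'provider': ProposalOriginatorEnum.PROVIDER,
        }.get(originator)

        rr_client = ResourceRegistryServiceProcessClient(
            node=Container.instance.node, process=service_gateway_instance)
        negotiation = rr_client.read(negotiation_id, headers=headers)

        counter_proposal = Negotiation.create_counter_proposal(
            negotiation, proposal_status, proposal_originator)

        org_client = OrgManagementServiceProcessClient(
            node=Container.instance.node, process=service_gateway_instance)
        resp = org_client.negotiate(counter_proposal, headers=headers)

        if reason:
            # Re-read: negotiate() has changed the stored negotiation.
            # The update now carries the requester's headers as the read
            # and negotiate calls do; it was previously issued without
            # them, i.e. outside the requester's policy context.
            negotiation = rr_client.read(negotiation_id, headers=headers)
            negotiation.reason = reason
            rr_client.update(negotiation, headers=headers)

        return gateway_json_response(resp)

    except Exception as e:
        return build_error_response(e)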
def seed_gov(container, process=FakeProcess()):
    """Exercise the Org management service against a running container.

    Looks up the root Org and then calls read_org() with no id, which is
    expected to fail; the failure is only logged.

    @param container  running container whose node the clients attach to
    @param process    process used as the caller context for the clients
    """
    node = container.node
    id_client = IdentityManagementServiceProcessClient(node=node, process=process)
    org_client = OrgManagementServiceProcessClient(node=node, process=process)

    ion_org = org_client.find_org()

    try:
        org_client.read_org()
    except Exception as e:
        log.info("This should fail")
        log.info(e.message)
def test_policy(container, process=FakeProcess()):
    """Walk through role lookups and a role grant that policy should deny.

    Lists the users enrolled in the root Org using the system actor's
    headers, then looks up a fixed test user's roles and has that user try
    to grant INSTRUMENT_OPERATOR to themselves. The grant is expected to
    be denied by policy; the denial is only logged.

    @param container  running container whose node the clients attach to
    @param process    process used as the caller context for the clients
    """
    node = container.node
    org_client = OrgManagementServiceProcessClient(node=node, process=process)
    ion_org = org_client.find_org()

    id_client = IdentityManagementServiceProcessClient(node=node, process=process)
    system_actor = id_client.find_actor_identity_by_name(
        name=CFG.system.system_actor)
    log.info('system actor:' + system_actor._id)

    policy_client = PolicyManagementServiceProcessClient(node=node, process=process)

    # Headers carrying the system actor's identity and its roles
    sa_headers = {
        'ion-actor-id': system_actor._id,
        'ion-actor-roles': get_role_message_headers(
            org_client.find_all_roles_by_user(system_actor._id)),
    }
    for enrolled in org_client.find_enrolled_users(ion_org._id, headers=sa_headers):
        log.info(str(enrolled))

    user = id_client.find_actor_identity_by_name(
        '/DC=org/DC=cilogon/C=US/O=ProtectNetwork/CN=Roger Unwin A254')
    log.debug('user_id: ' + user._id)

    for role in org_client.find_roles_by_user(ion_org._id, user._id):
        log.info('User UserRole: ' + str(role))

    # Headers carrying the test user's own identity and roles
    user_headers = {
        'ion-actor-id': user._id,
        'ion-actor-roles': get_role_message_headers(
            org_client.find_all_roles_by_user(user._id)),
    }
    try:
        org_client.grant_role(ion_org._id, user._id, 'INSTRUMENT_OPERATOR',
                              headers=user_headers)
    except Exception as e:
        log.info('This grant role should be denied:' + e.message)
def setUp(self):
    """Start a container, deploy the services, load the system policies
    and build the service clients and system-actor headers the tests use.
    """
    self._start_container()
    self.container.start_rel_from_url('res/deploy/r2deploy.yml')

    # A process object standing in for the test as the caller
    process = GovernanceTestProcess()

    # System policies are loaded only once every service is up
    LoadSystemPolicy.op_load_system_policies(process)

    node = self.container.node
    self.rr_client = ResourceRegistryServiceProcessClient(node=node, process=process)
    self.id_client = IdentityManagementServiceProcessClient(node=node, process=process)
    self.pol_client = PolicyManagementServiceProcessClient(node=node, process=process)
    self.org_client = OrgManagementServiceProcessClient(node=node, process=process)
    self.ims_client = InstrumentManagementServiceProcessClient(node=node, process=process)
    self.ems_client = ExchangeManagementServiceProcessClient(node=node, process=process)

    self.ion_org = self.org_client.find_org()
    self.system_actor = self.id_client.find_actor_identity_by_name(
        name=CFG.system.system_actor)
    log.debug('system actor:' + self.system_actor._id)

    # Headers that let subsequent calls run as the system actor
    self.sa_user_header = {
        'ion-actor-id': self.system_actor._id,
        'ion-actor-roles': get_role_message_headers(
            self.org_client.find_all_roles_by_user(self.system_actor._id)),
    }
def test_requests(container, process=FakeProcess()):
    """Set up the actors and Orgs needed to exercise Org requests.

    Resolves the system actor and a fixed test user, builds their role
    headers, and makes sure a second Org named 'Org2' exists (creating it
    as the system actor when it is not found).

    NOTE(review): the snippet ends right after the Org2 creation; the part
    of the function that issues the requests is not shown here.

    @param container  running container whose node the clients attach to
    @param process    process used as the caller context for the clients
    @throws Inconsistent  the fixed test user cannot be resolved
    """
    org_client = OrgManagementServiceProcessClient(node=container.node, process=process)
    ion_org = org_client.find_org()

    id_client = IdentityManagementServiceProcessClient(node=container.node, process=process)
    rr_client = ResourceRegistryServiceProcessClient(node=container.node, process=process)

    system_actor = id_client.find_actor_identity_by_name(name=CFG.system.system_actor)
    log.info('system actor:' + system_actor._id)

    sa_header_roles = get_role_message_headers(org_client.find_all_roles_by_user(system_actor._id))

    # NOTE(review): the bare except below turns any failure (not only a
    # missing user) into the "not seeded" message.
    try:
        user = id_client.find_actor_identity_by_name('/DC=org/DC=cilogon/C=US/O=ProtectNetwork/CN=Roger Unwin A254')
    except:
        raise Inconsistent("The test user is not found; did you seed the data?")
    log.debug('user_id: ' + user._id)

    user_header_roles = get_role_message_headers(org_client.find_all_roles_by_user(user._id))

    # Reuse Org2 if present; otherwise create it using the system actor's headers.
    try:
        org2 = org_client.find_org('Org2')
        org2_id = org2._id
    except NotFound, e:
        org2 = IonObject(RT.Org, name='Org2', description='A second Org')
        org2_id = org_client.create_org(org2, headers={'ion-actor-id': system_actor._id, 'ion-actor-roles': sa_header_roles})
def __init__(self, pa):
    """Called by the platform agent during its initialization, once a
    driver has already been created and configured.

    @param pa The associated platform agent; gives access to the platform
              id, the provider/actor ids and the process used to build the
              service clients.
    """
    self._agent = pa
    self._platform_id = pa._platform_id

    # mission_id -> MissionScheduler
    self._running_missions = {}

    log.debug('%r: [mm] MissionManager created', self._platform_id)

    self._provider_id = pa._provider_id
    self._actor_id = pa._actor_id
    log.debug('%r: [xa] provider_id=%r actor_id=%r',
              self._platform_id, self._provider_id, self._actor_id)
    if self._actor_id is None:
        log.warn('%r: [xa] actor_id is None', self._platform_id)

    # resource_id -> {'commitment_id': id, 'mission_ids': [mission_id, ...]}
    # Agents we hold exclusive access to. The exclusive access itself is
    # released once no mission_id remains for a given resource_id.
    self._exaccess = {}

    self.ORG = OrgManagementServiceProcessClient(process=pa)
    self.RR = ResourceRegistryServiceClient()

    # TODO what's the correct way to obtain the actor header? The following
    # works, but likely only because the same call is made in
    # base_test_platform_agent for the IMS.start_platform_agent_instance call.
    # NOTE(review): presumably this makes service calls carry the system
    # actor's identity rather than self._actor_id — confirm that is intended.
    self._actor_header = get_system_actor_header()
    log.debug('%r: [xa] actor_header=%s', self._platform_id, self._actor_header)
def build_message_headers(ion_actor_id, expiry):
    """Build the ION message headers for a gateway request made on behalf
    of ion_actor_id: the actor id, the expiry and the actor's roles.

    Roles come from a per-gateway cache keyed by actor id, falling back to
    the Org management service and caching the result. Any failure while
    resolving roles yields an empty role dict rather than an error.

    NOTE(review): the snippet ends inside the except clause; the lines that
    attach role_header to the headers and return them are not shown.

    @param ion_actor_id  actor the request is made for; DEFAULT_ACTOR_ID
                         denotes an anonymous requester
    @param expiry        expiry value copied into the headers
    @return the headers dict
    """
    headers = dict()
    headers['ion-actor-id'] = ion_actor_id
    headers['expiry'] = expiry

    # An anonymous requester has no roles associated with the request
    if ion_actor_id == DEFAULT_ACTOR_ID:
        headers['ion-actor-roles'] = dict()
        return headers

    try:
        # Check whether the user's roles are already cached, keyed by user id.
        # NOTE(review): on a cache hit, role changes made after the entry was
        # stored are not reflected until the entry is evicted; how long that
        # takes depends on user_role_cache, which is not shown here.
        if service_gateway_instance.user_role_cache.has_key(ion_actor_id):
            role_header = service_gateway_instance.user_role_cache.get(ion_actor_id)
            if role_header is not None:
                headers['ion-actor-roles'] = role_header
                return headers

        # Not cached: query the Org management service for the roles. The
        # lookup is issued under the gateway's own name, not the requester's.
        org_client = OrgManagementServiceProcessClient(node=Container.instance.node, process=service_gateway_instance)
        org_roles = org_client.find_all_roles_by_user(ion_actor_id, headers={"ion-actor-id": service_gateway_instance.name, 'expiry': DEFAULT_EXPIRY})
        role_header = get_role_message_headers(org_roles)

        # Cache the roles by user id
        service_gateway_instance.user_role_cache.put(ion_actor_id, role_header)

    except Exception, e:
        role_header = dict()  # Default to empty dict if there is a problem finding roles for the user
def get_user_info_extension(self, user_info_id='', org_id=''):
    """Returns an UserInfoExtension object containing additional related information

    Resolves the ActorIdentity that hasInfo this UserInfo, builds the
    extended container, attaches the user's roles across all Orgs as a flat
    list of dicts (each gains an ``org_name`` key and loses ``type_``),
    then drops retired subscriptions and deleted owned resources.

    NOTE(review): the snippet ends after the owned_resources update; the
    return of extended_user is not shown here.

    @param user_info_id str
    @param org_id str - An optional org id that the user is interested in filtering against.
    @retval user_info UserInfoExtension
    @throws BadRequest A parameter is missing
    @throws NotFound An object with the specified actor_id does not exist
    """
    if not user_info_id:
        raise BadRequest("The user_info_id parameter is empty")

    # This is a hack to get the UI going. It would be preferable to get the actor id from the extended resource
    # container below, but there would need to be a guarantee of order of field processing in order
    # to ensure that the actor identity has been found BEFORE the negotiation methods are called - and probably
    # some elegant way to indicate the field and sub field; ie actor_identity._id
    actors, _ = self.clients.resource_registry.find_subjects(subject_type=RT.ActorIdentity, predicate=PRED.hasInfo, object=user_info_id, id_only=True)
    actor_id = actors[0] if len(actors) > 0 else ''

    extended_resource_handler = ExtendedResourceContainer(self)
    extended_user = extended_resource_handler.create_extended_resource_container(extended_resource_type=OT.UserInfoExtension, resource_id=user_info_id, computed_resource_type=OT.ComputedAttributes, user_id=user_info_id, org_id=org_id, actor_id=actor_id)

    # Roles and filtering are only applied when an extended container was
    # actually built; org_id is not consulted for this decision.
    if extended_user:
        # No declared dependency on the org_management service, to avoid a
        # potential circular bootstrap issue; this method should never be
        # called until the system is fully running.
        try:
            org_client = OrgManagementServiceProcessClient(process=self)
            roles = org_client.find_all_roles_by_user(extended_user.actor_identity._id)
            extended_user.roles = list()
            for org_name in roles:
                for role in roles[org_name]:
                    flattened_role = copy.copy(role.__dict__)
                    del flattened_role['type_']  # Have to do this to appease the message validators for ION objects
                    flattened_role['org_name'] = org_name  # Nothing like forcing a value into the dict to appease the UI code
                    extended_user.roles.append(flattened_role)
        # NOTE(review): every failure here (client errors included) is
        # reported to the caller as NotFound, which hides the real cause.
        except Exception, e:
            raise NotFound('Could not retrieve UserRoles for User Info id: %s - %s' % (user_info_id, e.message))

        # Filter out notification requests that are retired (only those with
        # no end_datetime remain)
        extended_user.subscriptions = [nr for nr in extended_user.subscriptions if nr.temporal_bounds.end_datetime == '']

        # Filter owned resources: first drop every NotificationRequest, then
        # drop anything whose lcstate is DELETED
        nr_removed = []
        for rsrc in extended_user.owned_resources:
            # remove all the Notifications
            if rsrc.type_ != OT.NotificationRequest:
                nr_removed.append(rsrc)
        extended_user.owned_resources = [rsrc for rsrc in nr_removed if rsrc.lcstate != 'DELETED']

        # Now append the active NotificationRequests
        extended_user.owned_resources.extend(extended_user.subscriptions)
def op_load_system_policies(cls, calling_process): org_client = OrgManagementServiceProcessClient( node=Container.instance.node, process=calling_process) ion_org = org_client.find_org() id_client = IdentityManagementServiceProcessClient( node=Container.instance.node, process=calling_process) system_actor = get_system_actor() log.info('system actor:' + system_actor._id) sa_user_header = get_system_actor_header() policy_client = PolicyManagementServiceProcessClient( node=Container.instance.node, process=calling_process) timeout = 20 ############## ''' This rule must be loaded before the Deny_Everything rule ''' policy_client = PolicyManagementServiceProcessClient( node=Container.instance.node, process=calling_process) policy_text = ''' <Rule RuleId="%s:" Effect="Permit"> <Description> %s </Description> <Target> <Subjects> <Subject> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ION_MANAGER</AttributeValue> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </SubjectMatch> </Subject> </Subjects> </Target> </Rule> ''' policy_id = policy_client.create_common_service_access_policy( 'ION_Manager_Permit_Everything', 'A global policy rule that permits access to everything with the ION Manager role', policy_text, headers=sa_user_header) ############## ''' This rule must be loaded before the Deny_Everything rule ''' policy_text = ''' <Rule RuleId="%s" Effect="Permit"> <Description> %s </Description> <Target> <Resources> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">service</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:receiver-type" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> </Resources> 
<Actions> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read*</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find*</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">get*</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">is*</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">has*</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> </Actions> </Target> <Condition> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not"> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of"> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag"> 
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find_org_negotiations</AttributeValue> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find_enrolled_users</AttributeValue> </Apply> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </Apply> </Apply> </Condition> </Rule> ''' policy_id = policy_client.create_common_service_access_policy( 'Allowed_Anonymous_Service_Operations', 'A global policy rule which specifies operations that are allowed with anonymous access', policy_text, headers=sa_user_header) ############## #This rule has been modified specifically for 2.0 to Deny for only specific services and agents. Everything else will be allowed. policy_text = ''' <Rule RuleId="%s:" Effect="Deny"> <Description> %s </Description> <Target> <!-- REMOVE THE RESOURCE TARGETS BELOW AFTER 2.0 TO TIGHTEN POLICY --> <Resources> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">org_management</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">instrument_management</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">observatory_management</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" 
DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">InstrumentDevice</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">PlatformDevice</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">identity_management</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">scheduler</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> </Resources> </Target> </Rule> ''' policy_id = policy_client.create_common_service_access_policy( 'Deny_Everything', 'A global policy rule that denies access to everything by default', policy_text, headers=sa_user_header) ############## policy_text = ''' <Rule RuleId="%s" Effect="Permit"> <Description> %s </Description> <Target> <Resources> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue 
DataType="http://www.w3.org/2001/XMLSchema#string">service</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:receiver-type" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> </Resources> <Actions> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">delete</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> </Actions> <Subjects> <Subject> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">INSTRUMENT_OPERATOR</AttributeValue> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </SubjectMatch> </Subject> <Subject> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">OBSERVATORY_OPERATOR</AttributeValue> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id" 
DataType="http://www.w3.org/2001/XMLSchema#string"/> </SubjectMatch> </Subject> <Subject> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DATA_OPERATOR</AttributeValue> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </SubjectMatch> </Subject> <Subject> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MANAGER</AttributeValue> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </SubjectMatch> </Subject> </Subjects> </Target> </Rule> ''' policy_id = policy_client.create_common_service_access_policy( 'Allowed_CUD_Service_Operations_for_Roles', 'A global policy rule which specifies operations that are allowed with for OPERATOR AND MANAGER roles', policy_text, headers=sa_user_header) ############## policy_text = ''' <Rule RuleId="%s" Effect="Permit"> <Description> %s </Description> <Target> <Resources> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">identity_management</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> </Resources> <Actions> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">signon</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch 
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create_user_info</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> </Actions> </Target> <Condition> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not"> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">anonymous</AttributeValue> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only"> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </Apply> </Apply> </Apply> </Condition> </Rule> ''' policy_id = policy_client.create_service_access_policy( 'identity_management', 'IDS_Permitted_Non_Anonymous', 'Permit these operations in the Identity Management Service is the user is not anonymous', policy_text, headers=sa_user_header) ############## policy_text = ''' <Rule RuleId="%s" Effect="Permit"> <Description> %s </Description> <Target> <Resources> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">org_management</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> </Resources> <Subjects> <Subject> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MANAGER</AttributeValue> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </SubjectMatch> </Subject> </Subjects> </Target> </Rule> ''' 
policy_id = policy_client.create_service_access_policy( 'org_management', 'OMS_Org_Manager_Role_Permitted', 'Permit these operations in the Org Management Service for the role of Org Manager', policy_text, headers=sa_user_header) ############## policy_text = ''' <Rule RuleId="%s" Effect="Permit"> <Description> %s </Description> <Target> <Resources> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">org_management</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> </Resources> <Actions> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">negotiate</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">has_role</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">release_commitment</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> </Actions> <Subjects> <Subject> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MEMBER</AttributeValue> 
<SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </SubjectMatch> </Subject> </Subjects> </Target> </Rule> ''' policy_id = policy_client.create_service_access_policy( 'org_management', 'OMS_Org_Member_Role_Permitted', 'Permit these operations in the Org Management Service for any user that is a simple Member of the Org', policy_text, headers=sa_user_header) ############## policy_text = ''' <Rule RuleId="%s" Effect="Permit"> <Description> %s </Description> <Target> <Resources> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">instrument_management</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> </Resources> <Subjects> <Subject> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">INSTRUMENT_OPERATOR</AttributeValue> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </SubjectMatch> </Subject> <Subject> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">OBSERVATORY_OPERATOR</AttributeValue> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </SubjectMatch> </Subject> <Subject> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MANAGER</AttributeValue> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id" 
DataType="http://www.w3.org/2001/XMLSchema#string"/> </SubjectMatch> </Subject> </Subjects> </Target> </Rule> ''' policy_id = policy_client.create_service_access_policy( 'instrument_management', 'IMS_Role_Permitted_Operations', 'Permit these operations in the Instrument Management Service for role of Instrument Operator, Observatory Operator or Org Manager', policy_text, headers=sa_user_header) ############## policy_text = ''' <Rule RuleId="%s" Effect="Permit"> <Description> %s </Description> <Target> <Resources> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">observatory_management</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> </Resources> <Subjects> <Subject> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">OBSERVATORY_OPERATOR</AttributeValue> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </SubjectMatch> </Subject> <Subject> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MANAGER</AttributeValue> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </SubjectMatch> </Subject> </Subjects> </Target> </Rule> ''' policy_id = policy_client.create_service_access_policy( 'observatory_management', 'OBM_Role_Permitted_Operations', 'Permit these operations in the Observatory Management Service for role of Observatory Operator or Org Manager', policy_text, headers=sa_user_header) ############## policy_text = ''' <Rule RuleId="%s" 
Effect="Permit"> <Description> %s </Description> <Target> <Resources> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">InstrumentDevice</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">PlatformDevice</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">agent</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:receiver-type" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> </Resources> <Subjects> <Subject> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MANAGER</AttributeValue> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </SubjectMatch> </Subject> <Subject> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">OBSERVATORY_OPERATOR</AttributeValue> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </SubjectMatch> </Subject> </Subjects> </Target> </Rule> ''' #All resource_agents are kind of handled the same - but the 
resource-id in the rule is set to the specific type policy_id = policy_client.create_service_access_policy( 'InstrumentDevice', 'Instrument_Agent_Org_Manager_Role_Permitted', 'Permit all instrument agent operations for the role of Org Manager', policy_text, headers=sa_user_header) #All resource_agents are kind of handled the same - but the resource-id in the rule is set to the specific type policy_id = policy_client.create_service_access_policy( 'PlatformDevice', 'Platform_Agent_Org_Manager_Role_Permitted', 'Permit all platform agent operations for the role of Org Manager', policy_text, headers=sa_user_header) ############# policy_text = ''' <Rule RuleId="%s" Effect="Permit"> <Description> %s </Description> <Target> <Resources> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">InstrumentDevice</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">PlatformDevice</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">agent</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:receiver-type" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> </Resources> <Actions> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue 
DataType="http://www.w3.org/2001/XMLSchema#string">negotiate</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">get_capabilities</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> </Actions> <Subjects> <Subject> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MEMBER</AttributeValue> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </SubjectMatch> </Subject> </Subjects> </Target> </Rule> ''' #All resource_agents are kind of handled the same - but the resource-id in the rule is set to the specific type policy_id = policy_client.create_service_access_policy( 'InstrumentDevice', 'Instrument_Agent_Org_Member_Permitted', 'Permit these operations in an instrument agent for a Member of the Org', policy_text, headers=sa_user_header) #All resource_agents are kind of handled the same - but the resource-id in the rule is set to the specific type policy_id = policy_client.create_service_access_policy( 'PlatformDevice', 'Platform_Agent_Org_Member_Permitted', 'Permit these operations in an platform agent for a Member of the Org', policy_text, headers=sa_user_header) ############# policy_text = ''' <Rule RuleId="%s" Effect="Permit"> <Description> %s </Description> <Target> <Resources> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">InstrumentDevice</AttributeValue> 
<ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">PlatformDevice</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> <Resource> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">agent</AttributeValue> <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:receiver-type" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ResourceMatch> </Resource> </Resources> <Actions> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">get_resource_state</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">get_resource</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">set_resource</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch 
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">execute_resource</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ping_resource</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> <Action> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">get_agent_state</AttributeValue> <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </ActionMatch> </Action> </Actions> <Subjects> <Subject> <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">INSTRUMENT_OPERATOR</AttributeValue> <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id" DataType="http://www.w3.org/2001/XMLSchema#string"/> </SubjectMatch> </Subject> </Subjects> </Target> </Rule> ''' #All resource_agents are kind of handled the same - but the resource-id in the rule is set to the specific type policy_id = policy_client.create_service_access_policy( 'InstrumentDevice', 'Instrument_Agent_Instrument_Operator_Permitted', 'Permit these operations in an instrument agent for an Instrument Operator', policy_text, headers=sa_user_header) #All resource_agents are kind of handled the same - but the resource-id in the rule is set to the specific type policy_id = policy_client.create_service_access_policy( 'PlatformDevice', 
'Platform_Agent_Instrument_Operator_Permitted', 'Permit these operations in an platform agent for an Instrument Operator', policy_text, headers=sa_user_header) ######### Load Operation Specific Preconditions ############# #Add precondition policies for the Instrument Agents pol_id = policy_client.add_process_operation_precondition_policy( process_name=RT.InstrumentDevice, op='execute_resource', policy_content='check_resource_operation_policy', headers=sa_user_header) pol_id = policy_client.add_process_operation_precondition_policy( process_name=RT.InstrumentDevice, op='set_resource', policy_content='check_resource_operation_policy', headers=sa_user_header) pol_id = policy_client.add_process_operation_precondition_policy( process_name=RT.InstrumentDevice, op='ping_resource', policy_content='check_resource_operation_policy', headers=sa_user_header) #Add precondition policies for the Platform Agents pol_id = policy_client.add_process_operation_precondition_policy( process_name=RT.PlatformDevice, op='execute_resource', policy_content='check_resource_operation_policy', headers=sa_user_header) pol_id = policy_client.add_process_operation_precondition_policy( process_name=RT.PlatformDevice, op='set_resource', policy_content='check_resource_operation_policy', headers=sa_user_header) pol_id = policy_client.add_process_operation_precondition_policy( process_name=RT.PlatformDevice, op='ping_resource', policy_content='check_resource_operation_policy', headers=sa_user_header) #Add precondition policies for IMS Direct Access operations pol_id = policy_client.add_process_operation_precondition_policy( process_name='instrument_management', op='request_direct_access', policy_content='check_direct_access_policy', headers=sa_user_header) pol_id = policy_client.add_process_operation_precondition_policy( process_name='instrument_management', op='stop_direct_access', policy_content='check_direct_access_policy', headers=sa_user_header) #Add precondition policies for IMS lifecyle 
operations pol_id = policy_client.add_process_operation_precondition_policy( process_name='instrument_management', op='execute_instrument_device_lifecycle', policy_content='check_device_lifecycle_policy', headers=sa_user_header) pol_id = policy_client.add_process_operation_precondition_policy( process_name='instrument_management', op='execute_platform_device_lifecycle', policy_content='check_device_lifecycle_policy', headers=sa_user_header)
def op_load_system_policies(cls, calling_process):
    """Load the baseline XACML access-control rules for a freshly bootstrapped system.

    Every policy is created through the Policy Management Service while acting as
    the configured system actor (``CFG.system.system_actor``): the actor's id and
    its Org roles are placed in the ``ion-actor-id`` / ``ion-actor-roles`` message
    headers that accompany each service call.  Three Org-level rules are attached
    to the root Org returned by ``find_org``; the remaining rules are attached to
    individual services.  The order of the rule creation is significant (see the
    note on the first rule below), so do not reorder the sections.

    @param cls             the class this is invoked on (``cls`` first argument —
                           presumably a classmethod; the decorator is not visible here)
    @param calling_process the process used to construct the service clients
    @retval None           side effects only (policies are created and attached)
    """
    org_client = OrgManagementServiceProcessClient(node=Container.instance.node, process=calling_process)
    ion_org = org_client.find_org()

    id_client = IdentityManagementServiceProcessClient(node=Container.instance.node, process=calling_process)
    system_actor = id_client.find_actor_identity_by_name(name=CFG.system.system_actor)
    log.debug('system actor:' + system_actor._id)

    # All policy-service calls below are made with the system actor's identity and
    # role headers, i.e. with the highest privilege the system knows about.
    sa_header_roles = get_role_message_headers(org_client.find_all_roles_by_user(system_actor._id))
    sa_user_header = {'ion-actor-id': system_actor._id, 'ion-actor-roles': sa_header_roles}

    policy_client = PolicyManagementServiceProcessClient(node=Container.instance.node, process=calling_process)

    ############## Org rule 1: operations anonymous callers may invoke ##############
    """ This policy MUST BE LOADED FIRST!!!!! """
    # NOTE(review): the two %s placeholders (RuleId, Description) are not filled in
    # by this function; presumably the policy service substitutes them — confirm.
    # The three action matches for read/find/get use string-regexp-match rather than
    # string-equal, so any action id containing one of those substrings is matched;
    # the Condition then carves out find_requests / find_user_requests /
    # find_enrolled_users.  Any new read-like operation name that should NOT be
    # anonymous has to be added to that exclusion bag.
    policy_text = '''
        <Rule RuleId="urn:oasis:names:tc:xacml:2.0:example:ruleid:%s" Effect="Permit">
            <Description> %s </Description>
            <Target>
                <Subjects>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">anonymous</AttributeValue>
                            <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                </Subjects>
                <Actions>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">get</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">signon</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                </Actions>
            </Target>
            <Condition>
                <Apply FunctionId="urn:oasis:names:tc:xacml:ooi:function:not">
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find_requests</AttributeValue>
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find_user_requests</AttributeValue>
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find_enrolled_users</AttributeValue>
                        </Apply>
                        <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </Apply>
                </Apply>
            </Condition>
        </Rule>
        '''
    policy_obj = IonObject(RT.Policy, name='Anonymous_Allowed_Operations', definition_type="Org", rule=policy_text,
                           description='A global Org policy rule which specifies operations that are allowed with anonymous access')
    policy_id = policy_client.create_policy(policy_obj, headers=sa_user_header)
    policy_client.add_resource_policy(ion_org._id, policy_id, headers=sa_user_header, timeout=20)
    log.debug('Policy created: ' + policy_obj.name)

    ############## Org rule 2: default-deny for anonymous ##############
    # Unconditional Deny for subject-id "anonymous"; the Permit above is the only
    # exception.  How the two combine depends on the Org's combining algorithm,
    # which is not set here (see the "MUST BE LOADED FIRST" note).
    policy_text = '''
        <Rule RuleId="urn:oasis:names:tc:xacml:2.0:example:ruleid:%s" Effect="Deny">
            <Description> %s </Description>
            <Target>
                <Subjects>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">anonymous</AttributeValue>
                            <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                </Subjects>
            </Target>
        </Rule>
        '''
    policy_obj = IonObject(RT.Policy, name='Anonymous_Deny_Everything', definition_type="Org", rule=policy_text,
                           description='A global Org policy rule that denies anonymous access to everything in the Org as the base')
    policy_id = policy_client.create_policy(policy_obj, headers=sa_user_header)
    policy_client.add_resource_policy(ion_org._id, policy_id, headers=sa_user_header, timeout=20)
    log.debug('Policy created: ' + policy_obj.name)

    ############### Org rule 3: managers may do everything ###############
    # NOTE(review): this re-creates policy_client with the same arguments as above;
    # the first instance is still in scope, so this line looks redundant.
    policy_client = PolicyManagementServiceProcessClient(node=Container.instance.node, process=calling_process)

    # Empty <Target/> means the rule applies to every request; the Condition then
    # restricts the Permit to callers holding the ORG_MANAGER or ION_MANAGER role.
    policy_text = '''
        <Rule RuleId="urn:oasis:names:tc:xacml:2.0:example:ruleid:%s" Effect="Permit">
            <Description> %s </Description>
            <Target>
            </Target>
            <Condition>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MANAGER</AttributeValue>
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ION_MANAGER</AttributeValue>
                    </Apply>
                    <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                </Apply>
            </Condition>
        </Rule>
        '''
    policy_obj = IonObject(RT.Policy, name='Org_Manager_Permit_Everything', definition_type="Org", rule=policy_text,
                           description='A global Org policy rule that permits access to everything in the Org for a user with Org Manager or ION Manager role')
    policy_id = policy_client.create_policy(policy_obj, headers=sa_user_header)
    policy_client.add_resource_policy(ion_org._id, policy_id, headers=sa_user_header, timeout=20)
    log.debug('Policy created: ' + policy_obj.name)

    ##############
    ############## Service rule: datastore.create_doc for anonymous bootstrap traffic ##############
    # The Condition keys on the subject-sender-id header equalling "bootstrap".
    # NOTE(review): how much this is worth rests on whether the messaging layer
    # sets/verifies that sender header itself or accepts it from the caller — confirm.
    policy_text = '''
        <Rule RuleId="urn:oasis:names:tc:xacml:2.0:example:ruleid:%s" Effect="Permit">
            <Description> %s </Description>
            <Target>
                <Subjects>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">anonymous</AttributeValue>
                            <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                </Subjects>
                <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">datastore</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>
                <Actions>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create_doc</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                </Actions>
            </Target>
            <Condition>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                        <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-sender-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </Apply>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bootstrap</AttributeValue>
                </Apply>
            </Condition>
        </Rule>
        '''
    policy_obj = IonObject(RT.Policy, name='DataStore_Anonymous_Bootstrap', definition_type="Service", rule=policy_text,
                           description='Permit anonymous access to these operations in the Datastore Service if called from the Bootstrap Service')
    policy_id = policy_client.create_policy(policy_obj, headers=sa_user_header)
    policy_client.add_service_policy('datastore', policy_id, headers=sa_user_header, timeout=20)
    log.debug('Policy created: ' + policy_obj.name)

    ############## Service rule: resource_registry.create / create_association for anonymous bootstrap traffic ##############
    # NOTE(review): the Condition passes THREE operands to string-equal (the
    # sender id, "identity_management" and "policy_management"); XACML string-equal
    # is a two-argument function, and the description only names Identity
    # Management.  Verify how the PDP evaluates this before relying on it.
    # Also note the ActionMatch children are in the opposite order
    # (designator before value) from every other rule in this function.
    policy_text = '''
        <Rule RuleId="urn:oasis:names:tc:xacml:2.0:example:ruleid:%s" Effect="Permit">
            <Description> %s </Description>
            <Target>
                <Subjects>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">anonymous</AttributeValue>
                            <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                </Subjects>
                <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">resource_registry</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>
                <Actions>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create_association</AttributeValue>
                        </ActionMatch>
                    </Action>
                </Actions>
            </Target>
            <Condition>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                        <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-sender-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </Apply>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">identity_management</AttributeValue>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">policy_management</AttributeValue>
                </Apply>
            </Condition>
        </Rule>
        '''
    policy_obj = IonObject(RT.Policy, name='Resource_Registry_Anonymous_Bootstrap', definition_type="Service", rule=policy_text,
                           description='Permit anonymous access to these operations in the Resource Registry Service if called from the Identity Management Service')
    policy_id = policy_client.create_policy(policy_obj, headers=sa_user_header)
    policy_client.add_service_policy('resource_registry', policy_id, headers=sa_user_header, timeout=20)
    log.debug('Policy created: ' + policy_obj.name)

    ############## Service rule: identity_management.create_actor_identity for anonymous bootstrap traffic ##############
    # Same sender-id gate as the datastore rule: only a caller identified as
    # "bootstrap" may create actor identities anonymously.
    policy_text = '''
        <Rule RuleId="urn:oasis:names:tc:xacml:2.0:example:ruleid:%s" Effect="Permit">
            <Description> %s </Description>
            <Target>
                <Subjects>
                    <Subject>
                        <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">anonymous</AttributeValue>
                            <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </SubjectMatch>
                    </Subject>
                </Subjects>
                <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">identity_management</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>
                <Actions>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create_actor_identity</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                </Actions>
            </Target>
            <Condition>
                <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
                        <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-sender-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </Apply>
                    <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bootstrap</AttributeValue>
                </Apply>
            </Condition>
        </Rule>
        '''
    policy_obj = IonObject(RT.Policy, name='Identity_Management_Anonymous_Bootstrap', definition_type="Service", rule=policy_text,
                           description='Permit anonymous access to these operations in the Identity Management Service if called from the Bootstrap Service')
    policy_id = policy_client.create_policy(policy_obj, headers=sa_user_header)
    policy_client.add_service_policy('identity_management', policy_id, headers=sa_user_header, timeout=20)
    log.debug('Policy created: ' + policy_obj.name)

    ############## Service rule: org_management membership/role/resource operations need ORG_MANAGER ##############
    # Despite the "..._Permitted" policy name this is a Deny rule: the listed
    # org_management operations are denied unless the caller's subject-role-id
    # contains ORG_MANAGER (Condition = not(at-least-one-member-of)).  Any new
    # privileged org_management operation must be added to this action list to
    # be covered.
    policy_text = '''
        <Rule RuleId="urn:oasis:names:tc:xacml:2.0:example:ruleid:%s" Effect="Deny">
            <Description> %s </Description>
            <Target>
                <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">org_management</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>
                <Actions>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find_requests</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">find_enrolled_users</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">approve_request</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">deny_request</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">enroll_member</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">cancel_member_enrollment</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">grant_role</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">revoke_role</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">add_user_role</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">remove_user_role</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">acquire_resource</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">release_resource</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                </Actions>
            </Target>
            <Condition>
                <Apply FunctionId="urn:oasis:names:tc:xacml:ooi:function:not">
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ORG_MANAGER</AttributeValue>
                        </Apply>
                        <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </Apply>
                </Apply>
            </Condition>
        </Rule>
        '''
    policy_obj = IonObject(RT.Policy, name='Org_Management_Org_Manager_Role_Permitted', definition_type="Service", rule=policy_text,
                           description='Deny these operations in the Org Management Service if not the role of Org Manager')
    policy_id = policy_client.create_policy(policy_obj, headers=sa_user_header)
    policy_client.add_service_policy('org_management', policy_id, headers=sa_user_header, timeout=20)
    log.debug('Policy created: ' + policy_obj.name)

    ############## Service rule: instrument_management create*/update*/delete* need INSTRUMENT_OPERATOR ##############
    # Deny rule (name notwithstanding).  The action matches use string-regexp-match,
    # so every instrument_management operation whose id contains "create", "update"
    # or "delete" is denied unless the caller holds INSTRUMENT_OPERATOR.
    policy_text = '''
        <Rule RuleId="urn:oasis:names:tc:xacml:2.0:example:ruleid:%s" Effect="Deny">
            <Description> %s </Description>
            <Target>
                <Resources>
                    <Resource>
                        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">instrument_management</AttributeValue>
                            <ResourceAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ResourceMatch>
                    </Resource>
                </Resources>
                <Actions>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">create</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                    <Action>
                        <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">delete</AttributeValue>
                            <ActionAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                        </ActionMatch>
                    </Action>
                </Actions>
            </Target>
            <Condition>
                <Apply FunctionId="urn:oasis:names:tc:xacml:ooi:function:not">
                    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
                        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">INSTRUMENT_OPERATOR</AttributeValue>
                        </Apply>
                        <SubjectAttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-role-id" DataType="http://www.w3.org/2001/XMLSchema#string"/>
                    </Apply>
                </Apply>
            </Condition>
        </Rule>
        '''
    policy_obj = IonObject(RT.Policy, name='Instrument_Management_Instrument_Operator_Role_Permitted', definition_type="Service", rule=policy_text,
                           description='Deny these operations in the Instrument Management Service if not the role of Instrument Operator')
    policy_id = policy_client.create_policy(policy_obj, headers=sa_user_header)
    policy_client.add_service_policy('instrument_management', policy_id, headers=sa_user_header, timeout=20)
    log.debug('Policy created: ' + policy_obj.name)
