wso2carbon - WSO2 Identity Server: Policies can not be retrieved from registry policy finder module
I am using Identity Server 4.1.0. While editing policies, I have noticed that the evaluation of correct XACML policies leads to the result 'Not Applicable'. This indicated that the server was not able to find a matching target within the policies.
After looking at the system logs, I came across the following faults: 1. Error while parsing policy 2. Policies can not be retrieved from registry policy finder module
After looking at the known issues, I have found that the PDP might return NotApplicable during load testing. Since I am the only user, I assume this issue is not causing the fault.
I have attached the descriptions. I do not understand the cause of the faults, and need help in deciphering the fault descriptions to overcome this issue.
1.
tid[-1234] [is] [2013-05-15 09:29:11,466] error {org.wso2.carbon.identity.entitlement.policy.policyreader} - error while parsing policy
    org.wso2.balana.cond.functionbase.checkinputsnobag(functionbase.java:419)
    org.wso2.balana.targetmatch.getinstance(targetmatch.java:243)
    org.wso2.balana.targetmatch.getinstance(targetmatch.java:169)
    org.wso2.balana.xacml3.allofselection.getinstance(allofselection.java:68)
    org.wso2.balana.xacml3.anyofselection.getinstance(anyofselection.java:79)
    org.wso2.balana.xacml3.target.getinstance(target.java:78)
    org.wso2.balana.targetfactory.gettarget(targetfactory.java:43)
    org.wso2.balana.rule.getinstance(rule.java:232)
    org.wso2.balana.policy.(policy.java:308)
    org.wso2.balana.policy.getinstance(policy.java:389)
    org.wso2.carbon.identity.entitlement.policy.policyreader.handledocument(policyreader.java:163)
    org.wso2.carbon.identity.entitlement.policy.policyreader.getpolicy(policyreader.java:124)
    org.wso2.carbon.identity.entitlement.policy.finder.registry.registrypolicyreader.readpolicy(registrypolicyreader.java:195)
    org.wso2.carbon.identity.entitlement.policy.finder.registry.registrypolicyreader.readallpolicies(registrypolicyreader.java:111)
    org.wso2.carbon.identity.entitlement.policy.finder.registry.registrypolicyfindermodule.getpolicies(registrypolicyfindermodule.java:90)
    org.wso2.carbon.identity.entitlement.policy.finder.carbonpolicyfinder.init(carbonpolicyfinder.java:160)
    org.wso2.carbon.identity.entitlement.policy.finder.carbonpolicyfinder.init(carbonpolicyfinder.java:75)
    org.wso2.carbon.identity.entitlement.policy.finder.carbonpolicyfinder.findpolicy(carbonpolicyfinder.java:203)
    org.wso2.balana.finder.policyfinder.findpolicy(policyfinder.java:169)
    org.wso2.balana.pdp.evaluatecontext(pdp.java:243)
    org.wso2.balana.pdp.evaluate(pdp.java:199)
    org.wso2.balana.pdp.evaluate(pdp.java:157)
    org.wso2.balana.pdp.evaluate(pdp.java:119)
    org.wso2.carbon.identity.entitlement.pdp.entitlementengine.evaluate(entitlementengine.java:256)
    org.wso2.carbon.identity.entitlement.entitlementservice.getdecision(entitlementservice.java:54)
    sun.reflect.nativemethodaccessorimpl.invoke0(native method)
    sun.reflect.nativemethodaccessorimpl.invoke(nativemethodaccessorimpl.java:39)
    sun.reflect.delegatingmethodaccessorimpl.invoke(delegatingmethodaccessorimpl.java:25)
    java.lang.reflect.method.invoke(method.java:597)
    org.apache.axis2.rpc.receivers.rpcutil.invokeserviceclass(rpcutil.java:212)
    org.apache.axis2.rpc.receivers.rpcmessagereceiver.invokebusinesslogic(rpcmessagereceiver.java:117)
    org.apache.axis2.receivers.abstractinoutmessagereceiver.invokebusinesslogic(abstractinoutmessagereceiver.java:40)
    org.apache.axis2.receivers.abstractmessagereceiver.receive(abstractmessagereceiver.java:110)
    org.apache.axis2.engine.axisengine.receive(axisengine.java:180)
    org.apache.axis2.transport.http.httptransportutils.processhttppostrequest(httptransportutils.java:172)
    org.apache.axis2.transport.http.axisservlet.dopost(axisservlet.java:146)
    org.wso2.carbon.core.transports.carbonservlet.dopost(carbonservlet.java:231)
    javax.servlet.http.httpservlet.service(httpservlet.java:641)
    javax.servlet.http.httpservlet.service(httpservlet.java:722)
    org.eclipse.equinox.http.servlet.internal.servletregistration.handlerequest(servletregistration.java:90)
    org.eclipse.equinox.http.servlet.internal.proxyservlet.processalias(proxyservlet.java:111)
    org.eclipse.equinox.http.servlet.internal.proxyservlet.service(proxyservlet.java:67)
    javax.servlet.http.httpservlet.service(httpservlet.java:722)
    org.wso2.carbon.tomcat.ext.servlet.delegationservlet.service(delegationservlet.java:68)
    org.apache.catalina.core.applicationfilterchain.internaldofilter(applicationfilterchain.java:305)
    org.apache.catalina.core.applicationfilterchain.dofilter(applicationfilterchain.java:210)
    org.wso2.carbon.tomcat.ext.filter.charactersetfilter.dofilter(charactersetfilter.java:61)
    org.apache.catalina.core.applicationfilterchain.internaldofilter(applicationfilterchain.java:243)
    org.apache.catalina.core.applicationfilterchain.dofilter(applicationfilterchain.java:210)
    org.apache.catalina.core.standardwrappervalve.invoke(standardwrappervalve.java:225)
    org.apache.catalina.core.standardcontextvalve.invoke(standardcontextvalve.java:123)
    org.apache.catalina.authenticator.authenticatorbase.invoke(authenticatorbase.java:472)
    org.apache.catalina.core.standardhostvalve.invoke(standardhostvalve.java:168)
    org.apache.catalina.valves.errorreportvalve.invoke(errorreportvalve.java:98)
    org.wso2.carbon.tomcat.ext.valves.compositevalve.invoke(compositevalve.java:172)
    org.wso2.carbon.tomcat.ext.valves.carbonstuckthreaddetectionvalve.invoke(carbonstuckthreaddetectionvalve.java:156)
    org.apache.catalina.valves.accesslogvalve.invoke(accesslogvalve.java:927)
    org.wso2.carbon.tomcat.ext.valves.carboncontextcreatorvalve.invoke(carboncontextcreatorvalve.java:52)
    org.apache.catalina.core.standardenginevalve.invoke(standardenginevalve.java:118)
    org.apache.catalina.connector.coyoteadapter.service(coyoteadapter.java:407)
    org.apache.coyote.http11.abstracthttp11processor.process(abstracthttp11processor.java:1001)
    org.apache.coyote.abstractprotocol$abstractconnectionhandler.process(abstractprotocol.java:579)
    org.apache.tomcat.util.net.nioendpoint$socketprocessor.run(nioendpoint.java:1653)
    java.util.concurrent.threadpoolexecutor$worker.runtask(threadpoolexecutor.java:886)
    java.util.concurrent.threadpoolexecutor$worker.run(threadpoolexecutor.java:908)
    java.lang.thread.run(thread.java:662)
2.
tid[-1234] [is] [2013-05-15 09:29:11,467] error {org.wso2.carbon.identity.entitlement.policy.finder.registry.registrypolicyfindermodule} - policies can not retrieved registry policy finder module
    org.wso2.carbon.identity.entitlement.policy.finder.registry.registrypolicyreader.readpolicy(registrypolicyreader.java:197)
    org.wso2.carbon.identity.entitlement.policy.finder.registry.registrypolicyreader.readallpolicies(registrypolicyreader.java:111)
    org.wso2.carbon.identity.entitlement.policy.finder.registry.registrypolicyfindermodule.getpolicies(registrypolicyfindermodule.java:90)
    org.wso2.carbon.identity.entitlement.policy.finder.carbonpolicyfinder.init(carbonpolicyfinder.java:160)
    org.wso2.carbon.identity.entitlement.policy.finder.carbonpolicyfinder.init(carbonpolicyfinder.java:75)
    org.wso2.carbon.identity.entitlement.policy.finder.carbonpolicyfinder.findpolicy(carbonpolicyfinder.java:203)
    org.wso2.balana.finder.policyfinder.findpolicy(policyfinder.java:169)
    org.wso2.balana.pdp.evaluatecontext(pdp.java:243)
    org.wso2.balana.pdp.evaluate(pdp.java:199)
    org.wso2.balana.pdp.evaluate(pdp.java:157)
    org.wso2.balana.pdp.evaluate(pdp.java:119)
    org.wso2.carbon.identity.entitlement.pdp.entitlementengine.evaluate(entitlementengine.java:256)
    org.wso2.carbon.identity.entitlement.entitlementservice.getdecision(entitlementservice.java:54)
    sun.reflect.nativemethodaccessorimpl.invoke0(native method)
    sun.reflect.nativemethodaccessorimpl.invoke(nativemethodaccessorimpl.java:39)
    sun.reflect.delegatingmethodaccessorimpl.invoke(delegatingmethodaccessorimpl.java:25)
    java.lang.reflect.method.invoke(method.java:597)
    org.apache.axis2.rpc.receivers.rpcutil.invokeserviceclass(rpcutil.java:212)
    org.apache.axis2.rpc.receivers.rpcmessagereceiver.invokebusinesslogic(rpcmessagereceiver.java:117)
    org.apache.axis2.receivers.abstractinoutmessagereceiver.invokebusinesslogic(abstractinoutmessagereceiver.java:40)
    org.apache.axis2.receivers.abstractmessagereceiver.receive(abstractmessagereceiver.java:110)
    org.apache.axis2.engine.axisengine.receive(axisengine.java:180)
    org.apache.axis2.transport.http.httptransportutils.processhttppostrequest(httptransportutils.java:172)
    org.apache.axis2.transport.http.axisservlet.dopost(axisservlet.java:146)
    org.wso2.carbon.core.transports.carbonservlet.dopost(carbonservlet.java:231)
    javax.servlet.http.httpservlet.service(httpservlet.java:641)
    javax.servlet.http.httpservlet.service(httpservlet.java:722)
    org.eclipse.equinox.http.servlet.internal.servletregistration.handlerequest(servletregistration.java:90)
    org.eclipse.equinox.http.servlet.internal.proxyservlet.processalias(proxyservlet.java:111)
    org.eclipse.equinox.http.servlet.internal.proxyservlet.service(proxyservlet.java:67)
    javax.servlet.http.httpservlet.service(httpservlet.java:722)
    org.wso2.carbon.tomcat.ext.servlet.delegationservlet.service(delegationservlet.java:68)
    org.apache.catalina.core.applicationfilterchain.internaldofilter(applicationfilterchain.java:305)
    org.apache.catalina.core.applicationfilterchain.dofilter(applicationfilterchain.java:210)
    org.wso2.carbon.tomcat.ext.filter.charactersetfilter.dofilter(charactersetfilter.java:61)
    org.apache.catalina.core.applicationfilterchain.internaldofilter(applicationfilterchain.java:243)
    org.apache.catalina.core.applicationfilterchain.dofilter(applicationfilterchain.java:210)
    org.apache.catalina.core.standardwrappervalve.invoke(standardwrappervalve.java:225)
    org.apache.catalina.core.standardcontextvalve.invoke(standardcontextvalve.java:123)
    org.apache.catalina.authenticator.authenticatorbase.invoke(authenticatorbase.java:472)
    org.apache.catalina.core.standardhostvalve.invoke(standardhostvalve.java:168)
    org.apache.catalina.valves.errorreportvalve.invoke(errorreportvalve.java:98)
    org.wso2.carbon.tomcat.ext.valves.compositevalve.invoke(compositevalve.java:172)
    org.wso2.carbon.tomcat.ext.valves.carbonstuckthreaddetectionvalve.invoke(carbonstuckthreaddetectionvalve.java:156)
    org.apache.catalina.valves.accesslogvalve.invoke(accesslogvalve.java:927)
    org.wso2.carbon.tomcat.ext.valves.carboncontextcreatorvalve.invoke(carboncontextcreatorvalve.java:52)
    org.apache.catalina.core.standardenginevalve.invoke(standardenginevalve.java:118)
    org.apache.catalina.connector.coyoteadapter.service(coyoteadapter.java:407)
    org.apache.coyote.http11.abstracthttp11processor.process(abstracthttp11processor.java:1001)
    org.apache.coyote.abstractprotocol$abstractconnectionhandler.process(abstractprotocol.java:579)
    org.apache.tomcat.util.net.nioendpoint$socketprocessor.run(nioendpoint.java:1653)
    java.util.concurrent.threadpoolexecutor$worker.runtask(threadpoolexecutor.java:886)
    java.util.concurrent.threadpoolexecutor$worker.run(threadpoolexecutor.java:908)
    java.lang.thread.run(thread.java:662)
Edit May 21: added the active policies (they are promoted to the PDP)
<policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" policyid="dossierpolicy" rulecombiningalgid="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:deny-overrides" version="1.0">
  <target>
    <anyof>
      <allof>
        <match matchid="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <attributevalue datatype="http://www.w3.org/2001/xmlschema#string">objectid_dossier</attributevalue>
          <attributedesignator attributeid="urn:oasis:names:tc:xacml:1.0:resource:resource-id" category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" datatype="http://www.w3.org/2001/xmlschema#string" mustbepresent="true"></attributedesignator>
        </match>
      </allof>
    </anyof>
  </target>
  <rule effect="permit" ruleid="eigenaarrules">
    <target>
      <anyof>
        <allof>
          <match matchid="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <attributevalue datatype="http://www.w3.org/2001/xmlschema#string">dossiereigenaar</attributevalue>
            <attributedesignator attributeid="urn:oasis:names:tc:xacml:1.0:subject:subject-id" category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" datatype="http://www.w3.org/2001/xmlschema#string" mustbepresent="true"></attributedesignator>
          </match>
          <match matchid="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <attributevalue datatype="http://www.w3.org/2001/xmlschema#string">datasetid_http://www.horecataxonomie.nl/0.92/report/horeca/entrypoints/rpt-hrt-entity.xsd</attributevalue>
            <attributedesignator attributeid="urn:oasis:names:tc:xacml:1.0:resource:resource-id" category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" datatype="http://www.w3.org/2001/xmlschema#string" mustbepresent="true"></attributedesignator>
          </match>
        </allof>
        <allof>
          <match matchid="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <attributevalue datatype="http://www.w3.org/2001/xmlschema#string">create</attributevalue>
            <attributedesignator attributeid="urn:oasis:names:tc:xacml:1.0:action:action-id" category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" datatype="http://www.w3.org/2001/xmlschema#string" mustbepresent="true"></attributedesignator>
          </match>
        </allof>
        <allof>
          <match matchid="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <attributevalue datatype="http://www.w3.org/2001/xmlschema#string">read</attributevalue>
            <attributedesignator attributeid="null" category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" datatype="http://www.w3.org/2001/xmlschema#string" mustbepresent="true"></attributedesignator>
          </match>
        </allof>
        <allof>
          <match matchid="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <attributevalue datatype="http://www.w3.org/2001/xmlschema#string">update</attributevalue>
            <attributedesignator attributeid="null" category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" datatype="http://www.w3.org/2001/xmlschema#string" mustbepresent="true"></attributedesignator>
          </match>
        </allof>
        <allof>
          <match matchid="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <attributevalue datatype="http://www.w3.org/2001/xmlschema#string">delete</attributevalue>
            <attributedesignator attributeid="null" category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" datatype="http://www.w3.org/2001/xmlschema#string" mustbepresent="true"></attributedesignator>
          </match>
        </allof>
      </anyof>
    </target>
  </rule>
</policy>
<policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" policyid="basic2" rulecombiningalgid="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" version="1.0">
  <target>
    <anyof>
      <allof>
        <match matchid="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <attributevalue datatype="http://www.w3.org/2001/xmlschema#string">someotherstuff</attributevalue>
          <attributedesignator attributeid="urn:oasis:names:tc:xacml:1.0:resource:resource-id" category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" datatype="http://www.w3.org/2001/xmlschema#string" mustbepresent="true"></attributedesignator>
        </match>
      </allof>
    </anyof>
  </target>
  <rule effect="permit" ruleid="rule-1">
    <target>
      <anyof>
        <allof>
          <match matchid="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <attributevalue datatype="http://www.w3.org/2001/xmlschema#string">someotherstuff</attributevalue>
            <attributedesignator attributeid="urn:oasis:names:tc:xacml:1.0:resource:resource-id" category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" datatype="http://www.w3.org/2001/xmlschema#string" mustbepresent="true"></attributedesignator>
          </match>
        </allof>
      </anyof>
      <anyof>
        <allof>
          <match matchid="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <attributevalue datatype="http://www.w3.org/2001/xmlschema#string">read</attributevalue>
            <attributedesignator attributeid="urn:oasis:names:tc:xacml:1.0:action:action-id" category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" datatype="http://www.w3.org/2001/xmlschema#string" mustbepresent="true"></attributedesignator>
          </match>
        </allof>
      </anyof>
      <anyof>
        <allof>
          <match matchid="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <attributevalue datatype="http://www.w3.org/2001/xmlschema#string">wstc</attributevalue>
            <attributedesignator attributeid="urn:oasis:names:tc:xacml:1.0:environment:environment-id" category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" datatype="http://www.w3.org/2001/xmlschema#string" mustbepresent="true"></attributedesignator>
          </match>
        </allof>
      </anyof>
    </target>
    <condition>
      <apply functionid="urn:oasis:names:tc:xacml:1.0:function:any-of">
        <function functionid="urn:oasis:names:tc:xacml:1.0:function:string-equal"></function>
        <attributevalue datatype="http://www.w3.org/2001/xmlschema#string">architect</attributevalue>
        <attributedesignator attributeid="http://wso2.org/claims/role" category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" datatype="http://www.w3.org/2001/xmlschema#string" mustbepresent="true"></attributedesignator>
      </apply>
    </condition>
  </rule>
</policy>
<policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" policyid="basic" rulecombiningalgid="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" version="1.0">
  <target>
    <anyof>
      <allof>
        <match matchid="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <attributevalue datatype="http://www.w3.org/2001/xmlschema#string">risourceapp</attributevalue>
          <attributedesignator attributeid="urn:oasis:names:tc:xacml:1.0:resource:resource-id" category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" datatype="http://www.w3.org/2001/xmlschema#string" mustbepresent="true"></attributedesignator>
        </match>
      </allof>
    </anyof>
  </target>
  <rule effect="permit" ruleid="rule-1">
    <target>
      <anyof>
        <allof>
          <match matchid="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <attributevalue datatype="http://www.w3.org/2001/xmlschema#string">risourceapp</attributevalue>
            <attributedesignator attributeid="urn:oasis:names:tc:xacml:1.0:resource:resource-id" category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" datatype="http://www.w3.org/2001/xmlschema#string" mustbepresent="true"></attributedesignator>
          </match>
        </allof>
      </anyof>
      <anyof>
        <allof>
          <match matchid="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <attributevalue datatype="http://www.w3.org/2001/xmlschema#string">read</attributevalue>
            <attributedesignator attributeid="urn:oasis:names:tc:xacml:1.0:action:action-id" category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" datatype="http://www.w3.org/2001/xmlschema#string" mustbepresent="true"></attributedesignator>
          </match>
        </allof>
      </anyof>
    </target>
    <condition>
      <apply functionid="urn:oasis:names:tc:xacml:1.0:function:any-of">
        <function functionid="urn:oasis:names:tc:xacml:1.0:function:string-equal"></function>
        <attributevalue datatype="http://www.w3.org/2001/xmlschema#string">architect</attributevalue>
        <attributedesignator attributeid="http://wso2.org/claims/role" category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" datatype="http://www.w3.org/2001/xmlschema#string" mustbepresent="true"></attributedesignator>
      </apply>
    </condition>
  </rule>
</policy>
I did enable the policy after editing [1]
[1] http://docs.wso2.org/wiki/display/is410/activating+and+deactivating+an+xacml+policy
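
A pre-promotion check for the situation described in the post, added here as an example (it is not code from the post or from WSO2/Balana): it parses a XACML policy and flags each Match whose AttributeDesignator carries a placeholder AttributeId, such as the "null" values in the posted dossierpolicy, or whose DataType differs from its AttributeValue's. The function names, the placeholder list and the sample policy are assumptions made for illustration, and the checks are heuristics, not Balana's own validation.

```python
import xml.etree.ElementTree as ET

PLACEHOLDERS = {"", "null", "none", "undefined"}  # assumed editor leftovers

def local(name):  # lower-cased tag/attribute name with the namespace stripped
    return name.rsplit("}", 1)[-1].lower()

def attrs(elem):
    return {local(k): v.strip() for k, v in elem.attrib.items()}

def check_match(elem):
    """Messages for one <Match>; an empty list when nothing looks wrong."""
    kids = {local(c.tag): c for c in elem}
    value, source = kids.get("attributevalue"), kids.get("attributedesignator")
    if source is None:
        source = kids.get("attributeselector")
    if value is None or source is None:
        return ["Match lacks an AttributeValue or a designator/selector"]
    found, src = [], attrs(source)
    aid = src.get("attributeid", "")
    if local(source.tag) == "attributedesignator" and aid.lower() in PLACEHOLDERS:
        found.append(f"AttributeId is a placeholder: {aid!r}")
    vt, st = attrs(value).get("datatype"), src.get("datatype")
    if vt != st:
        found.append(f"DataType mismatch: value {vt} vs designator {st}")
    return found

def lint_policy(xml_text):
    """Return (policy_id, rule_id, message) tuples; an empty list means clean."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("?", "-", f"not well-formed XML: {exc}")]
    policy_id, findings = attrs(root).get("policyid", "?"), []
    def walk(elem, rule_id):  # rule_id "-" means the policy-level target
        if local(elem.tag) == "rule":
            rule_id = attrs(elem).get("ruleid", "?")
        if local(elem.tag) == "match":
            findings.extend((policy_id, rule_id, m) for m in check_match(elem))
        for child in elem:
            walk(child, rule_id)
    walk(root, "-")
    return findings

# Constructed sample (not a policy from the post): one clean Match, two bad ones.
XS = "http://www.w3.org/2001/XMLSchema#"
ACT = "urn:oasis:names:tc:xacml:1.0:action:action-id"
def make_match(value, attr_id, dtype="string"):
    return (f'<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">'
            f'<AttributeValue DataType="{XS}string">{value}</AttributeValue>'
            f'<AttributeDesignator AttributeId="{attr_id}" DataType="{XS}{dtype}" '
            f'Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"/></Match>')

SAMPLE = ('<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="demo">'
          '<Rule Effect="Permit" RuleId="r1"><Target><AnyOf>'
          f'<AllOf>{make_match("create", ACT)}</AllOf><AllOf>{make_match("read", "null")}</AllOf>'
          f'<AllOf>{make_match("5", ACT, "integer")}</AllOf></AnyOf></Target></Rule></Policy>')

if __name__ == "__main__":
    print(*lint_policy(SAMPLE), sep="\n")
```

Tag and attribute names are compared case-insensitively, so the check also runs on text whose casing was lost in extraction.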