All notable changes to this project are documented in this file following the [Keep a CHANGELOG](http://keepachangelog.com) conventions. We try to apply [Semantic Versioning](http://semver.org) with one particular rule: the version must be equal to or greater than the version of the _authzforce-ce-rest-api-model_ dependency (declared in _rest-service_ module's POM). Indeed, this dependency holds the resources of the REST API specification implemented by this project. Therefore, the rule helps relate a specific version of this project to the specific version of the REST API specification that is implemented/supported.
## 5.1.2
### Added
- REST API features (see the *Changed* section for API changes):
    - URL path specific to PDP properties:
        - `GET /domains/{domainId}/pap/pdp.properties` gives the properties of the PDP, including date/time of last modification and active/applicable policies (root policy and policies referenced directly/indirectly from the root)
        - `PUT /domains/{domainId}/pap/pdp.properties` also allows setting the PDP's root policy reference and enabling PDP implementation-specific features, such as Multiple Decision Profile support (scheme 2.3 - repeated attribute categories)
    - URL path specific to PRP (Policy Repository Point) properties: `GET or PUT /domains/{domainId}/pap/prp.properties` gets/sets the properties `maxPolicyCount` (maximum number of policies), `maxVersionCount` (maximum number of versions per policy) and `versionRollingEnabled` (enable policy version rolling, i.e. the oldest versions are auto-removed when the number of versions of a policy is about to exceed `maxVersionCount`)
    - Special keyword `latest` usable as version ID pointing to the latest version of a given policy (in addition to XACML version IDs as before), e.g. the URL path `/domains/{domainId}/pap/policies/P1/latest` points to the latest version of policy `P1`
    - Fast Infoset support with the new data representation type `application/fastinfoset` (in addition to `application/xml`) for all API payloads. Requires Authzforce Server to be started in a specific mode using the [JavaEE Environment Entry](https://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Environment_Entries) `spring.profiles.active` in the Tomcat-specific Authzforce webapp context file (`authzforce-ce.xml`). The default type remains `application/xml` (the default type is used when a wildcard is received as Accept header value from the client)
    - The API caches domains' PDPs and externalIds for performance reasons, but it is now possible to force re-synchronizing this domain cache after any change to the backend domain repository, i.e. reloading domains' PDPs and externalIds without restarting the webapp or server:
        - `GET or HEAD /domains` forces re-synchronization of all domains
        - `GET or HEAD /domains/{domainId}/properties` forces re-synchronization of the externalId with the domain properties file (`properties.xml`) in the domain directory
        - `GET or HEAD /domains/{domainId}/pap/pdp.properties` or `GET or HEAD /domains/{domainId}/pap/policies` forces re-synchronization of the PDP with the configuration file (`pdp.xml`) and the policy files in subfolder `policies` of the domain directory
        - `DELETE /domains/{domainId}` forces removal of the domain from the cache, and of the domain directory if it still exists (removes from the cache only if the directory was already removed)
    - Properties for controlling the size of incoming XML (`maxElementDepth`, `maxChildElements`, `maxAttributeCount`, `maxAttributeSize`, `maxTextLength`), corresponding to the [CXF XML security properties](http://cxf.apache.org/docs/security.html#Security-XML), may be configured as [JavaEE Environment Entries](https://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Environment_Entries) in the Tomcat-specific Authzforce webapp context file (`authzforce-ce.xml`). Only `maxElementDepth` and `maxChildElements` are supported in Fast Infoset mode (due to issue [CXF-6848](https://issues.apache.org/jira/browse/CXF-6848)).
- Completed 100% XACML 3.0 Core Specification compliance with support of Extended Indeterminate values in policy evaluation (XACML 3.0 Core specification, sections 7.10-7.14, appendix C: combining algorithms)
- Distribution upgrader: tool to upgrade from Authzforce 4.2.0
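The XML size limits above are enforced by CXF inside the server; to make concrete what each of the five limits guards against, here is an added example that is not AuthZForce's or CXF's code (AuthZForce is Java, but the check is language-independent, so Python is used so it runs stand-alone). It applies the same five limits to a document with a streaming expat parser and reports which one a document violates. The limit names follow the changelog; the default values, the function names and the sample documents are constructed for this example, and the real values come from the Environment entries in `authzforce-ce.xml`.

```python
"""Added example, not AuthZForce's or CXF's code: apply the five XML size
limits named in the changelog to a document with a streaming (expat) parser.
Limit names follow the changelog; default values are constructed here and
the real ones come from the Environment entries in authzforce-ce.xml."""
import xml.parsers.expat
from typing import Dict, Optional

# Constructed defaults for the example only.
DEFAULT_LIMITS: Dict[str, int] = {
    "maxElementDepth": 100,      # nesting depth of elements
    "maxChildElements": 50000,   # direct children of any one element
    "maxAttributeCount": 500,    # attributes on any one element
    "maxAttributeSize": 65536,   # characters in any one attribute value
    "maxTextLength": 131072,     # characters in any one text node
}


class XmlLimitExceeded(Exception):
    """Raised by check_xml_limits as soon as a limit is exceeded."""

    def __init__(self, limit: str, detail: str):
        super().__init__(f"{limit} exceeded: {detail}")
        self.limit = limit


def check_xml_limits(data: bytes, limits: Dict[str, int] = DEFAULT_LIMITS) -> Dict[str, int]:
    """Stream-parse `data`, stopping at the first limit violation.

    Returns the observed maxima when the document passes, which is also a
    cheap way to size the limits for a deployment's legitimate payloads.
    Malformed XML raises xml.parsers.expat.ExpatError.
    """
    stats = {"depth": 0, "children": 0, "attributes": 0, "attribute_size": 0, "text_length": 0}
    depth = 0
    child_counts = []   # one counter per currently open element
    text_len = 0        # expat may deliver one text node in several chunks

    def start(name, attrs):
        nonlocal depth, text_len
        depth += 1
        if depth > limits["maxElementDepth"]:
            raise XmlLimitExceeded("maxElementDepth", f"<{name}> at depth {depth}")
        stats["depth"] = max(stats["depth"], depth)
        if child_counts:
            child_counts[-1] += 1
            if child_counts[-1] > limits["maxChildElements"]:
                raise XmlLimitExceeded("maxChildElements", f"child #{child_counts[-1]} <{name}>")
            stats["children"] = max(stats["children"], child_counts[-1])
        child_counts.append(0)
        if len(attrs) > limits["maxAttributeCount"]:
            raise XmlLimitExceeded("maxAttributeCount", f"{len(attrs)} attributes on <{name}>")
        stats["attributes"] = max(stats["attributes"], len(attrs))
        for value in attrs.values():
            if len(value) > limits["maxAttributeSize"]:
                raise XmlLimitExceeded("maxAttributeSize", f"{len(value)} characters on <{name}>")
            stats["attribute_size"] = max(stats["attribute_size"], len(value))
        text_len = 0   # a new element ends the enclosing text node

    def end(name):
        nonlocal depth, text_len
        depth -= 1
        child_counts.pop()
        text_len = 0

    def chars(text):
        nonlocal text_len
        text_len += len(text)
        if text_len > limits["maxTextLength"]:
            raise XmlLimitExceeded("maxTextLength", f"{text_len} characters in one text node")
        stats["text_length"] = max(stats["text_length"], text_len)

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)   # a handler exception aborts parsing and propagates
    return stats


def violated_limit(data: bytes, **overrides: int) -> Optional[str]:
    """Name of the first violated limit (with `overrides` applied), or None if the document passes."""
    try:
        check_xml_limits(data, {**DEFAULT_LIMITS, **overrides})
    except XmlLimitExceeded as exc:
        return exc.limit
    return None


if __name__ == "__main__":
    # Constructed inputs: a small document and two over-limit shapes.
    print(check_xml_limits(b"<a><b x='1'>hi</b><b/></a>"))
    print(violated_limit(b"<a>" * 10 + b"</a>" * 10, maxElementDepth=5))
    print(violated_limit(b"<a>" + b"<b/>" * 10 + b"</a>", maxChildElements=3))
```

Because the check runs during streaming, an over-limit document is rejected before it is fully read, which is the point of the CXF properties: the server spends no more memory or CPU on a payload than the limits allow. Note that this example parses plain XML only; as the changelog says, in Fast Infoset mode only `maxElementDepth` and `maxChildElements` are enforced by CXF.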
### Changed
- Supported REST API model (authzforce-ce-rest-api-model) upgraded to **v5.1.1** with the following changes:
    - The PDP's root policy reference is set via `PUT /domains/{domainId}/pap/pdp.properties` (instead of `PUT /domains/{domainId}/properties` in the previous version)
    - URL path `/domains/{domainId}/pap/attribute.providers` replaces `/domains/{domainId}/pap/attributeProviders` from the previous version, in order to apply better practices of REST API design (case-insensitive URLs) and to be consistent with the new API paths `pdp.properties` and `prp.properties` (see the *Added* section)
    - Multiple Decision Profile disabled by default after domain creation (enabled by default in the previous version)
- Backend flat-file database (DAO):
    - Format of `properties.xml` (domain properties): XML namespace changed to `http://authzforce.github.io/pap-dao-flat-file/xmlns/properties/3.6` (instead of `http://authzforce.github.io/pap-dao-file/xmlns/properties/3.6` in the previous version)
    - Format of `pdp.xml` (PDP): XML schema/namespace of the PDP PolicyProvider configuration changed to `http://authzforce.github.io/pap-dao-flat-file/xmlns/pdp-ext/3.6` (instead of `http://authzforce.github.io/pap-dao-file/xmlns/pdp-ext/3.6` in the previous version)
    - Strategy for synchronizing the cached domain's PDP and the externalId-to-domain mapping with the configuration files: no longer using the Java WatchService (not adapted to NFS or CIFS shares); instead, each domain has a specific thread polling the files in the domain directory and checking their `lastModifiedTime` attribute for changes:
        - If a given domain ID is requested and there is no matching domain in the cache, but a matching domain directory is found, the domain is automatically synced to the cache and its synchronizing thread is created;
        - If the domain's directory is found missing by the synchronizing thread, the thread deletes the domain from the cache;
        - If any change to `properties.xml` (domain description, externalId) is detected, the externalId is updated in the cache;
        - If any change to `pdp.xml` or to the file of any policy used by the PDP is detected, the PDP is reloaded.
- ZIP distribution format (`.zip`) changed to tarball format (`.tar.gz`), more suitable for Unix/Linux environments.
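The polling strategy above can be read as one function that a per-domain thread runs periodically. The following is an added example in Python and not the project's flat-file DAO (AuthZForce itself is Java): it reproduces the four rules on a temporary directory laid out as the changelog describes (`properties.xml`, `pdp.xml`, a `policies` subfolder), comparing each file's `lastModifiedTime` with what the previous poll saw. The cache entry shape, the `read_external_id` callback and the file contents are assumptions made for this example.

```python
"""Added example, not the AuthZForce flat-file DAO: the per-domain polling
strategy described in the changelog, reduced to one poll step per domain.
The layout <root>/<domainId>/{properties.xml, pdp.xml, policies/} follows the
changelog; the cache entry shape, the externalId reader and the file contents
are assumptions made for this example."""
import os
import shutil
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Callable, Dict, List, Optional, Tuple

# Per-file fingerprint: lastModifiedTime (ns) plus size. Size is included
# because two writes within the file system's timestamp granularity can
# share one mtime and would otherwise go unnoticed.
Fingerprint = Tuple[int, int]


@dataclass
class DomainCacheEntry:
    """What the API keeps in memory for one domain (assumed shape)."""
    domain_id: str
    external_id: Optional[str] = None
    pdp_loads: int = 0                                  # PDP (re)load counter
    seen: Dict[str, Fingerprint] = field(default_factory=dict)


def fingerprints(domain_dir: Path) -> Dict[str, Fingerprint]:
    """Fingerprint properties.xml, pdp.xml and every file under policies/."""
    files = [domain_dir / "properties.xml", domain_dir / "pdp.xml"]
    policies = domain_dir / "policies"
    if policies.is_dir():
        files += [p for p in policies.rglob("*") if p.is_file()]
    result: Dict[str, Fingerprint] = {}
    for f in files:
        if f.is_file():
            st = f.stat()
            result[str(f)] = (st.st_mtime_ns, st.st_size)
    return result


def poll_domain(cache: Dict[str, DomainCacheEntry], root: Path, domain_id: str,
                read_external_id: Callable[[Path], str]) -> List[str]:
    """One iteration of a domain's synchronizing thread; returns the actions taken."""
    domain_dir = root / domain_id
    if not domain_dir.is_dir():
        # Rule: directory missing -> evict the domain from the cache.
        return ["removed from cache"] if cache.pop(domain_id, None) is not None else []

    actions: List[str] = []
    entry = cache.get(domain_id)
    first_sync = entry is None
    if first_sync:
        # Rule: requested, not cached, but directory exists -> sync now.
        entry = cache[domain_id] = DomainCacheEntry(domain_id)
        actions.append("synced to cache")

    now = fingerprints(domain_dir)
    props = str(domain_dir / "properties.xml")
    # Rule: properties.xml changed -> refresh externalId in the cache.
    if props in now and now[props] != entry.seen.get(props):
        entry.external_id = read_external_id(Path(props))
        actions.append("externalId updated")

    # Rule: pdp.xml or any policy file created, modified or deleted -> reload PDP.
    pdp_files = (set(now) | set(entry.seen)) - {props}
    if first_sync or any(now.get(p) != entry.seen.get(p) for p in pdp_files):
        entry.pdp_loads += 1
        actions.append("PDP reloaded")
    entry.seen = now
    return actions


def demo() -> List[List[str]]:
    """Walk through the changelog's cases on a temporary domain directory (constructed data)."""
    root = Path(tempfile.mkdtemp())
    try:
        d = root / "dom1"
        (d / "policies").mkdir(parents=True)
        (d / "properties.xml").write_text("externalId=first")  # stand-in for the real XML
        (d / "pdp.xml").write_text("<pdp/>")

        def read_ext(path: Path) -> str:
            return path.read_text().split("=", 1)[1]

        cache: Dict[str, DomainCacheEntry] = {}
        steps = [poll_domain(cache, root, "dom1", read_ext)]       # first request: sync
        steps.append(poll_domain(cache, root, "dom1", read_ext))   # nothing changed
        (d / "properties.xml").write_text("externalId=second")
        os.utime(d / "properties.xml", ns=(10**9, 10**9))         # guarantee a distinct mtime
        steps.append(poll_domain(cache, root, "dom1", read_ext))   # externalId refreshed
        (d / "policies" / "P1.xml").write_text("<Policy/>")       # new policy file
        steps.append(poll_domain(cache, root, "dom1", read_ext))   # PDP reloaded
        shutil.rmtree(d)
        steps.append(poll_domain(cache, root, "dom1", read_ext))   # evicted
        steps.append(poll_domain(cache, root, "dom1", read_ext))   # already gone
        return steps
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for i, actions in enumerate(demo(), 1):
        print(f"poll {i}: {actions or 'no change'}")
```

Two practical points follow from polling rather than watching: a change is only noticed if its fingerprint differs from the previous poll, so the example compares size as well as mtime; and on NFS the client's attribute cache can delay a new mtime becoming visible, so the poll interval has to be chosen with that delay in mind.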
### Removed
- Dependency on commons-io, replaced with Java 7 java.nio.file API for recursive directory copy/deletion
### Fixed
- Github #1: deleted domain ID still returned by `GET /domains?externalId=...`
- Default domain rootPolicyRef no longer has 'Version' specified so that the root policy is always the latest version added via the PAP (by default).
- Hiding file paths from error messages returned by the REST API
## 4.4.0
...
...
@@ -28,7 +70,7 @@ All notable changes to this project are documented in this file following the [K
1. OR: If at least 1 True arg, then True regardless of Indeterminate args; else if at least 1 Indeterminate, return Indeterminate; else false.
1. AND: If at least 1 False arg, then False regardless of Indeterminate args; else if at least 1 Indeterminate, then Indeterminate; else True.
1. N-OF: similar to OR but checking whether at least N args are True instead of 1, in the remaining arguments; else there is/are n True(s) with n < N; if there are at least (N-n) Indeterminate, return Indeterminate; else return false.
- Global configuration properties: max number of policies per domain, max number of versions per domain
- Global configuration properties: max number of policies per domain, max number of versions per policy
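Review bot: in the N-OF line, "else there is/are n True(s) with n < N" leaves it implicit what n counts; suggest "otherwise, let n (< N) be the number of True arguments: if at least (N-n) arguments are Indeterminate, return Indeterminate; else return False", which also makes the AND/OR/N-OF lines parallel. The "per domain" to "per policy" correction on the last line matches the `maxVersionCount` definition (maximum number of versions per policy) in the 5.1.2 Added section; naming the two properties (`maxPolicyCount`, `maxVersionCount`) in that line would let readers match the entry to the PRP properties.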
Server components and distribution of AuthZForce authorization service (FIWARE Authorization PDP GEri).
This project also provides the Reference Implementation (GEri) of the [FIWARE](https://www.fiware.org) *Authorization PDP* Generic Enabler (GE). More info on the [FIWARE catalogue](http://catalogue.fiware.org/enablers/authorization-pdp-authzforce).
The manuals are available on [readthedocs.org](http://authzforce-ce-fiware.readthedocs.org/).
My comment: if you run the command with strace, you will actually see that it is trying to read bytes from /dev/random, one by one, in order to create a 64-byte base64-encoded string (therefore reading bytes until it has 64 of them) -> 64*64=4096 bit (+ a newline character).
If you are on a master, say ubuntu199.example.org, in a master-slave configuration with ubuntu200.example.org as slave...
Edit /etc/csync2.cfg and update as below (use brackets '()' for slave hosts):
# please see the README file how to configure csync2
# For some reason, it can happen that "%%" lists all files changed since the first sync after the csync2 daemon last started, not only the files changed during the last sync
...
...
@@ -90,14 +90,14 @@
... to clean the database, before you retry sync
The lastchangedfiles will look like this (whitespace-separated list of absolute paths): (only changed files during last sync in there, previous list overwritten, no append):
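Review bot: "The lastchangedfiles will look like this" announces a sample that does not appear in this hunk; place the whitespace-separated path list (or a one-line constructed example) directly after the sentence, and give the path of the file being described so the reader knows which file to inspect after a sync.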
<!-- expand "SNAPSHOT" to what is in the "USER" env variable. Expanded to timestamp by default. -->
<!-- <snapshotEnv>USER</snapshotEnv> -->
<!-- In control files, you can use any variable defined by the initializeVariableResolver(...) method in https://github.com/tcurdt/jdeb/blob/master/src/main/java/org/vafer/jdeb/maven/DebMojo.java. Surround the variable name with double square brackets "[[" "]]" to have it replaced by the variable value. -->
<!-- Dumping HTTP requests and responses with their headers for access logging. More info: http://blog.xebia.fr/2013/10/10/logs-daudit-pour-les-services-rest/ Use the "accessAsync" appender for better performance (asynchronous logging) -->
<!-- For logging request/response to/from webapp, only logger "org.apache.cxf" in level INFO is required, and you must add CXF org.apache.cxf.interceptor.LoggingInInterceptor/LoggingOutInterceptor to JAX-RS server's in/outInterceptors -->
Reference Implementation of FIWARE Authorization PDP Generic Enabler
Homepage: https://github.com/authzforce
# Distribution will be removed by jdeb from the final Debian control file but used as 'distribution' in the .changes file
# Do not specify 'distribution' in CHANGES.txt (contrary to the current jdeb documentation for Ant), as it is ignored; only the Distribution specified here is used for the .changes file.
echo "Reminder: Tomcat default setup is not suitable for production! We strongly recommend reading and applying - when relevant - the guidelines from the following links:"
echo "Performance tuning best practices for VMware Apache Tomcat: http://kb.vmware.com/kb/2013486"
echo "How to optimize Tomcat performance in production: http://www.genericarticles.com/mediawiki/index.php?title=How_to_optimize_tomcat_performance_in_production"
echo "Apache Tomcat Tuning Guide for REST/HTTP APIs: https://javamaster.wordpress.com/2013/03/13/apache-tomcat-tuning-guide/"
This guide provides the procedure to install the AuthZForce server from the `tar.gz` distribution, including system requirements and troubleshooting instructions.
## System Requirements
* CPU frequency: 2.6 GHz min
* CPU architecture: i686/x86_64
* RAM: 4 GB min
* Disk space: 10 GB min
* Operating System: Ubuntu 14.04 LTS
* Java environment:
    * JDK 7 either from OpenJDK or Oracle;
    * Tomcat 7.x.
## Installation
### Minimal
1. If you don't have a JDK 7 already installed, you may do it on the command-line as follows, depending on your JDK preference:
    * If you prefer OpenJDK: `$ sudo aptitude install openjdk-7-jdk`
    * If you prefer Oracle JDK, follow the instructions from [WEB UPD8](http://www.webupd8.org/2012/01/install-oracle-java-jdk-7-in-ubuntu-via.html). In the end, you should have the package `oracle-java7-installer` installed.
1. If you don't have Tomcat 7 already installed, you may do it on the command-line: `$ sudo aptitude install tomcat7`
1. Download the AuthZForce server `tar.gz` distribution from the [Github project releases page](https://github.com/authzforce/server/releases/download/release-${project.version}/authzforce-ce-server-${project.version}.tar.gz). You get a file called `authzforce-ce-server-${project.version}.tar.gz`.
1. Copy this file to the host where you want to install AuthZForce Server.
1. For security purposes, Tomcat should be run as an unprivileged user (i.e. not `root`). If you installed Tomcat as shown above, this user is `tomcat7`. Let us assume that `tomcat7` is the user (and group) that will run the Tomcat service in your case, and `/opt` is the directory where you want to install AuthZForce server. Please replace both names according to your setup. `$CATALINA_BASE` is a Tomcat environment-specific property, usually equal to `$CATALINA_HOME`, i.e. the root directory of your Tomcat installation ([more information](https://tomcat.apache.org/tomcat-7.0-doc/introduction.html)). If you installed Tomcat as shown above, `$CATALINA_BASE = /var/lib/tomcat7`. From the directory where you copied the `tar.gz` for installation, run the following commands:
```shell
$ sudo tar xvzf authzforce-ce-server-${project.version}.tar.gz --directory /opt
```
1. If you did not use `/opt` as installation directory, replace **ALL** occurrences of `/opt` in the webapp context configuration file `authzforce-ce.xml` according to your setup.
1. You may restart the Tomcat server now. For instance, if you installed Tomcat as shown above, do it as follows:
```shell
$ sudo service tomcat7 restart
```
1. When the webapp is up and running, you should get an HTTP response with status code 200 to this HTTP request with the curl tool (replace 8080 with the port that Tomcat is listening on):
```shell
$ curl --verbose --show-error --write-out '\n' --request GET http://localhost:8080/authzforce-ce/domains
```
Now you can start playing with the REST API as defined by the WADL document, which you can retrieve with a wget command (it will save the WADL to the local file `authzforce.wadl`):
Tomcat default setup is not suitable for production! If you are targeting a production environment, you have to carry out extra installation and configuration steps to address non-functional aspects: security (including availability), performance, etc. For performance aspects, we strongly recommend reading and applying - when relevant - the guidelines from the following links:
- [Performance tuning best practices for VMware Apache Tomcat](http://kb.vmware.com/kb/2013486)
- [How to optimize Tomcat performance in production](http://www.genericarticles.com/mediawiki/index.php?title=How_to_optimize_tomcat_performance_in_production)
- [Apache Tomcat Tuning Guide for REST/HTTP APIs](https://javamaster.wordpress.com/2013/03/13/apache-tomcat-tuning-guide/)
Last but not least, please check the *More information* section below.
## Troubleshooting
If Tomcat fails to (re)start, check for any Tomcat high-level error in Tomcat log directory: `$CATALINA_BASE/logs`.
One common reason for failure is that Tomcat's default configuration may specify a value for the Java `Xmx` flag that is too low for the AuthZForce webapp. Make sure Tomcat is configured with `Xmx` at 1 GB or more, 2 GB recommended. For example, in the official Tomcat package for Ubuntu 12.04, `Xmx` used to be 128m. You can fix this parameter as follows:
If Tomcat is started but AuthZForce webapp deployment fails, check for any webapp-specific error in log file: `$CATALINA_BASE/logs/authzforce-ce/error.log`
## More information
For more information, go to the [online documentation](http://authzforce-ce-fiware.readthedocs.io/en/) and select the version matching your software release at the bottom of the page.