Access/permissions problem migrating Islandora site
48 views
Skip to first unread message
Manny Rodriguez
Nov 14, 2023, 1:48:53 PM11/14/23
to islandora
Hello,
I'm working on migrating a production Islandora site to a new, ISLE based site.
All of the databases, Fedora dataStreams and objectStreams were copied over, and the Fedora and Solr indexes were rebuilt.
The new site mostly works, with most records loading as expected. However, there are some issues with some records failing to load with an "Access Denied, You are not authorized to access this page" error.
Looking at one of the instances of this, I'm seeing the following error in the Fedora log:
```
org.fcrepo.server.errors.StreamIOException: [DatastreamManagedContent] returned the error: "org.fcrepo.server.errors.ObjectNotInLowlevelStorageException". Reason: Object not found in low-level storage: ncm:226338+POLICY+POLICY.1
at org.fcrepo.server.storage.types.DatastreamManagedContent.getContentStream(DatastreamManagedContent.java:187) ~[fcrepo-server-3.8.1.jar:na]
```
Since the dataStream and objectStream directories were copied over, and I confirmed the relevant files for ncm:226338 are present in the new site's data/objectStream directories, I'm thinking maybe the issue is a missing XACML policy.
The new site is using the basic, default and minimal XACML policy set.
I have a large collection of XACML policy files from the old site, and the one for the record showing the access denied error (ncm:226338.xml) looks like this:
```
<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicyId="islandora-xacml-editor-v1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
<Target>
<Subjects>
<AnySubject/>
</Subjects>
<Resources>
<AnyResource/>
</Resources>
<Actions>
<AnyAction/>
</Actions>
</Target>
<Rule RuleId="allow-everything-else" Effect="Permit">
<Target>
<Subjects>
<AnySubject/>
</Subjects>
<Resources>
<AnyResource/>
</Resources>
<Actions>
<AnyAction/>
</Actions>
</Target>
</Rule>
</Policy>
```
This policy file looks to setting a blanket "grant all priviliges" policy.
One issue I'm having is that I'm not sure where this file needs to go. I've tried putting the file in the following paths:
/usr/local/fedora/data/fedora-xacml-policies/repository-policies/default/ncm:226338.xml
/usr/local/fedora/data/fedora-xacml-policies/repository-policies/islandora/ncm:226338.xml
/usr/local/fedora/data/fedora-xacml-policies/repository-policies/ncm/ncm:226338.xml
None of these have made a difference.
I'm wondering if anyone has seen this error before, and if there's another place policy files need to go, or if this kind of error might have another cause.
I'm confused by the fact that this issue is intermittent, many records are loading fine and there doesn't seem to be anything specific or special about this records policy set.
I'm working on migrating a production Islandora site to a new, ISLE based site.
All of the databases, Fedora dataStreams and objectStreams were copied over, and the Fedora and Solr indexes were rebuilt.
The new site mostly works, with most records loading as expected. However, there are some issues with some records failing to load with an "Access Denied, You are not authorized to access this page" error.
Looking at one of the instances of this, I'm seeing the following error in the Fedora log:
```
org.fcrepo.server.errors.StreamIOException: [DatastreamManagedContent] returned the error: "org.fcrepo.server.errors.ObjectNotInLowlevelStorageException". Reason: Object not found in low-level storage: ncm:226338+POLICY+POLICY.1
at org.fcrepo.server.storage.types.DatastreamManagedContent.getContentStream(DatastreamManagedContent.java:187) ~[fcrepo-server-3.8.1.jar:na]
```
Since the dataStream and objectStream directories were copied over, and I confirmed the relevant files for ncm:226338 are present in the new site's data/objectStream directories, I'm thinking maybe the issue is a missing XACML policy.
The new site is using the basic, default and minimal XACML policy set.
I have a large collection of XACML policy files from the old site, and the one for the record showing the access denied error (ncm:226338.xml) looks like this:
```
<?xml version="1.0" encoding="UTF-8"?>
<Policy xmlns="urn:oasis:names:tc:xacml:1.0:policy" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" PolicyId="islandora-xacml-editor-v1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
<Target>
<Subjects>
<AnySubject/>
</Subjects>
<Resources>
<AnyResource/>
</Resources>
<Actions>
<AnyAction/>
</Actions>
</Target>
<Rule RuleId="allow-everything-else" Effect="Permit">
<Target>
<Subjects>
<AnySubject/>
</Subjects>
<Resources>
<AnyResource/>
</Resources>
<Actions>
<AnyAction/>
</Actions>
</Target>
</Rule>
</Policy>
```
This policy file looks to setting a blanket "grant all priviliges" policy.
One issue I'm having is that I'm not sure where this file needs to go. I've tried putting the file in the following paths:
/usr/local/fedora/data/fedora-xacml-policies/repository-policies/default/ncm:226338.xml
/usr/local/fedora/data/fedora-xacml-policies/repository-policies/islandora/ncm:226338.xml
/usr/local/fedora/data/fedora-xacml-policies/repository-policies/ncm/ncm:226338.xml
None of these have made a difference.
I'm wondering if anyone has seen this error before, and if there's another place policy files need to go, or if this kind of error might have another cause.
I'm confused by the fact that this issue is intermittent, many records are loading fine and there doesn't seem to be anything specific or special about this records policy set.
Jared Whiklo
Nov 15, 2023, 1:37:14 PM11/15/23
to islandora
Hi Manny,
There is very limited support for Islandora Legacy and we suggest considering migrating your content.
But your issue seems to be that the actual POLICY file does _not_ exist in the correct datastreamStore location so Fedora can't find it. Depending on if you are using a legacy or Akubra filesystem the locations are different.
You can't just add the policy as a repository-policies because the error is because Islandora is requesting a datastream from Fedora that it expects to be there.
cheers,
jared
Manny Rodriguez
Nov 15, 2023, 5:56:52 PM11/15/23
to islandora
Hi Jared,
Thanks for the info!
Could you provide more info on what you mean by 'migrating your content'?
I've been following the documentation here:
https://islandora-collaboration-group.github.io/ISLE/install/install-production-migrate/#step-10-on-remote-production-copy-over-the-production-data-directories
Is there a different migration step/process from copying the Fedora datastreamStore and objectStream store directories from the old instance into the ISLE Fedora container?
Do you know of a way to determine the file path in the datastreamStore directory of the missing policy file, so I can check to see if it is present on the old instance and got lost in the shuffle somehow?
It's strange that the policy file is missing, since the whole directory was tarred up as a whole before it was transferred.
I really appreciate the help!
Thanks for the info!
Could you provide more info on what you mean by 'migrating your content'?
I've been following the documentation here:
https://islandora-collaboration-group.github.io/ISLE/install/install-production-migrate/#step-10-on-remote-production-copy-over-the-production-data-directories
Is there a different migration step/process from copying the Fedora datastreamStore and objectStream store directories from the old instance into the ISLE Fedora container?
Do you know of a way to determine the file path in the datastreamStore directory of the missing policy file, so I can check to see if it is present on the old instance and got lost in the shuffle somehow?
It's strange that the policy file is missing, since the whole directory was tarred up as a whole before it was transferred.
I really appreciate the help!
Reply all
Reply to author
Forward
0 new messages