International-Data-Spaces-Association / DataspaceConnector

This is an IDS Connector reference implementation.
Apache License 2.0

Error at Connector Restricted usage policy #39

Open jmartinezsqs opened 2 years ago

jmartinezsqs commented 2 years ago

I have deployed two Dataspace Connectors (version 7.0.1) and configured them to be able to communicate. They are deployed on ports 7080 (provider) and 7081 (consumer). I create a rule on the provider with the connector-restricted usage policy, with the URL of the only connector I want to have access: (screenshot omitted)

Then I link this rule to an active artifact and do the whole negotiation process on the consumer side. But once I try to access the data, even though the consumer should be able to access it, the provider gives an error responding that it is not allowed to access the data due to a policy restriction. (screenshot omitted)

I don't know whether this is due to a problem in the implementation of the policy or a problem in the creation of the rule and the later negotiation process, but as it is right now I cannot validate that the policy is working as expected.

Apart from the previous problem, a more in-depth explanation would be much appreciated, both of what the policies are meant to control and of how they can be implemented for a specific artifact.

Thanks for the help, hope to hear from you soon and don't hesitate to ask for more information if needed.

ronjaquensel commented 2 years ago

Hi,

the url field of the policy should point to the ID of connectorb. Is https://connectorb:7081 also defined as the connector ID in connectorb's config.json? If the ID defined in the config.json is a different one, could you try with that?

jmartinezsqs commented 2 years ago

The ID in the previous example is not the one in the config.json. It is: (screenshot omitted)

I have done the test again with this ID in the rule (screenshot omitted)

and received the same answer, that there is a policy restriction.

ronjaquensel commented 2 years ago

The url has to be an exact match for the ID, so the port should be removed. Can you try with "url": "https://connector_B"?
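
The exact-match rule above is the whole point of the thread: the rule's url must be byte-for-byte equal to the requesting connector's ID, so "https://connector_B:7081" does not authorise a connector whose ID is "https://connector_B". The following is an added example written for this page, not code from the DataspaceConnector project. It assumes the rule is an IDS permission whose constraint compares the requesting connector (SYSTEM) with a URL via SAME_AS, and that the consumer's identity is the "@id" under "ids:connectorDescription" in its config.json; the rule and config fragments are constructed for illustration. The `diagnose` helper is an assumed addition that reports which URL component broke the match, which is what you want to see before re-creating a rule.

```python
"""Exact-match evaluation of a connector-restricted usage rule (added example)."""
import json
from urllib.parse import urlsplit

# IDS code URIs used by the constraint (left operand and operator).
SYSTEM = "https://w3id.org/idsa/code/SYSTEM"
SAME_AS = "https://w3id.org/idsa/code/SAME_AS"

# Constructed fragment of the consumer's config.json; the connector ID has no port.
CONSUMER_CONFIG = json.dumps({
    "ids:connectorDescription": {
        "@type": "ids:BaseConnector",
        "@id": "https://connector_B",
    }
})


def make_rule(url: str) -> dict:
    """Build a constructed connector-restricted permission that allows only `url`."""
    return {
        "@type": "ids:Permission",
        "ids:action": [{"@id": "https://w3id.org/idsa/code/USE"}],
        "ids:constraint": [{
            "@type": "ids:Constraint",
            "ids:leftOperand": {"@id": SYSTEM},
            "ids:operator": {"@id": SAME_AS},
            "ids:rightOperand": {"@value": url, "@type": "xsd:anyURI"},
        }],
    }


RULE_WITH_PORT = make_rule("https://connector_B:7081")  # the rule that failed in the issue
RULE_EXACT = make_rule("https://connector_B")           # the rule that worked


def connector_id_from_config(config_json: str) -> str:
    """Read the connector's own ID from a config.json document (assumed key path)."""
    return json.loads(config_json)["ids:connectorDescription"]["@id"]


def allowed_connectors(rule: dict) -> set:
    """Collect every URL that a SYSTEM SAME_AS constraint in the rule permits."""
    urls = set()
    for c in rule.get("ids:constraint", []):
        if c["ids:leftOperand"]["@id"] == SYSTEM and c["ids:operator"]["@id"] == SAME_AS:
            urls.add(c["ids:rightOperand"]["@value"])
    return urls


def is_allowed(rule: dict, requesting_connector_id: str) -> bool:
    """Exact string comparison: no normalisation of port, letter case or trailing slash."""
    return requesting_connector_id in allowed_connectors(rule)


def diagnose(rule_url: str, connector_id: str) -> str:
    """Explain which URL component made an exact match fail (hypothetical helper)."""
    if rule_url == connector_id:
        return "exact match"
    a, b = urlsplit(rule_url), urlsplit(connector_id)
    if a.scheme != b.scheme:
        return f"scheme differs: {a.scheme!r} vs {b.scheme!r}"
    if a.hostname != b.hostname:
        return f"host differs: {a.hostname!r} vs {b.hostname!r}"
    if a.port != b.port:
        return f"port differs: rule has {a.port}, connector ID has {b.port}"
    if a.netloc != b.netloc:
        return "host differs only in letter case"
    if a.path.rstrip("/") == b.path.rstrip("/"):
        return "only a trailing slash differs"
    return f"path differs: {a.path!r} vs {b.path!r}"


if __name__ == "__main__":
    me = connector_id_from_config(CONSUMER_CONFIG)
    for name, rule in (("with port", RULE_WITH_PORT), ("exact", RULE_EXACT)):
        verdict = "allowed" if is_allowed(rule, me) else "policy restriction"
        reason = diagnose(next(iter(allowed_connectors(rule))), me)
        print(f"rule {name}: {verdict} ({reason})")
```

Run it and the port-bearing rule is rejected with "port differs: rule has 7081, connector ID has None", while the rule without the port is allowed. When a negotiation succeeds but data access is refused, compare the rule's url against the consumer's configured ID this way before suspecting the policy engine.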

jmartinezsqs commented 2 years ago

I have tried creating the rule with the URL without the port and it is now working as expected. I can receive the data requested with the connector that is stored in the rule.

But when trying with another connector, also configured to work with both of them (but not added to the rule), I cannot get the link to retrieve the data. I can negotiate properly, as seen in the screenshot, and the agreement is created. (screenshot omitted)

But when I need to access that agreement to take the link to the data, I get a 401 error code telling me I am not authorised. (screenshot omitted)

I am not sure if this is the normal operation when you do not have access to the data, but I was expecting an output similar to the one I was receiving in the first entry of this issue. Let me know if this is the normal operation or, if it is not, what could possibly be the problem.

SebastianOpriel commented 2 years ago

Dear @jmartinezsqs, I would have expected a rejection here, like:

{
  "reason": {
    "properties": null,
    "@id": "https://w3id.org/idsa/code/NOT_FOUND"
  },
  "payload": "Could not find any matching contract offers for your request.",
  "type": "de.fraunhofer.iais.eis.RejectionMessageImpl"
}

Maybe we can have a call and see together what's going on. I will write you a mail.

jmartinezsqs commented 2 years ago

After the call with Sebastian Opriel, we managed to make the policy work correctly as expected. Now the negotiation can be completed on a connector that doesn't have permission to access the data, and once the data is requested, the connector cannot access it and gets a policy rejection message as shown. (screenshot omitted) That way, from my side, the policy is validated to be working correctly. However, during the call, we thought it would be better if a connector that doesn't have access to specific data got a rejection message during the negotiation process, informing it that a policy forbids the connector from accessing the data.