Story #6296

authMN SM.accessPolicy out of synch with CN and replicaMN

Added by ben leinfelder almost 6 years ago. Updated over 5 years ago.

Status: Closed
Priority: Normal
Category: -
Target version:
Start date: 12/12/2013
Due date:
% Done: 75%
Estimated time: (Total: 0.00 h)

Description

Lauren noticed some replica packages from urn:node:GOA on urn:node:KNB today that did not have public read allowed on their data files. The CN also does not have public read for these data objects. I suspect that the EML <access> was updated at some point after the package was initially saved and the CN harvested it from the GOA node. The updates to the SystemMetadata.accessPolicy are correctly reflected on the GOA (which is the authoritative MN for these objects).

This is somewhat of a "known" issue in that SM.accessPolicy can only be updated on the CN using the CN.setAccessPolicy() method, which then calls back all the MNs that hold replicas (or originals) and informs them of the change. A long time ago we realized that this robs the authMN of their primary authority on the object but have not been able to re-architect DataONE to support authMN-control.

In the interim, which could be forever, we should make sure Metacat calls CN.setAccessPolicy() whenever it changes on the authMN. Typically this will happen when parsing an updated EML file that contains additional (or fewer) access control rules but there is also a Metacat servlet API call to set access blocks (action=setaccess, I believe).

While we can put in place code to deal with future changes to the SM.accessPolicy, we also want a mechanism for fixing the ones that we have today. There are a couple of options for that: manually with a bash script and a few curl commands, or an upgrade routine included for the next release of Metacat that is run automatically during upgrade, or after Metacat has been completely [re]configured as a Member Node. (There are client certificate configuration issues to think about if using an upgrade routine.)
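The drift described above can be detected by comparing the accessPolicy held by the authMN with the one held by the CN (or a replica MN) for the same object. The following is an added example, not part of the original issue and not Metacat or DataONE code; the two documents are constructed samples shaped like DataONE system metadata, and the identifier, owner subject and function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample system metadata (identifier and owner subject are made up).
AUTH_MN_SYSMETA = """<d1:systemMetadata xmlns:d1="http://ns.dataone.org/service/types/v1">
  <serialVersion>3</serialVersion>
  <identifier>example.1.1</identifier>
  <accessPolicy>
    <allow>
      <subject>CN=Example Owner,DC=example,DC=org</subject>
      <permission>read</permission>
      <permission>write</permission>
    </allow>
    <allow><subject>public</subject><permission>read</permission></allow>
  </accessPolicy>
</d1:systemMetadata>"""

# Same object as held by the CN: harvested before public read was added.
CN_SYSMETA = """<d1:systemMetadata xmlns:d1="http://ns.dataone.org/service/types/v1">
  <serialVersion>1</serialVersion>
  <identifier>example.1.1</identifier>
  <accessPolicy>
    <allow>
      <subject>CN=Example Owner,DC=example,DC=org</subject>
      <permission>read</permission>
      <permission>write</permission>
    </allow>
  </accessPolicy>
</d1:systemMetadata>"""

def _local(tag):
    """Strip any '{namespace}' prefix from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]

def access_rules(sysmeta_xml):
    """Flatten accessPolicy into a set of (subject, permission) pairs."""
    rules = set()
    for allow in (e for e in ET.fromstring(sysmeta_xml).iter() if _local(e.tag) == "allow"):
        subjects = [c.text.strip() for c in allow if _local(c.tag) == "subject" and c.text]
        perms = [c.text.strip() for c in allow if _local(c.tag) == "permission" and c.text]
        rules.update((s, p) for s in subjects for p in perms)
    return rules

def policy_drift(auth_xml, copy_xml):
    """Compare a copy's rules against the authoritative MN's rules."""
    auth, copy = access_rules(auth_xml), access_rules(copy_xml)
    return {"missing_on_copy": sorted(auth - copy), "extra_on_copy": sorted(copy - auth)}

if __name__ == "__main__":
    print(policy_drift(AUTH_MN_SYSMETA, CN_SYSMETA))
```

An empty result for both keys means the copy matches the authMN; a non-empty `missing_on_copy` is the case reported here, where the CN lacks a rule the authMN already grants.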


Subtasks

Task #6297: Create MN->CN sync script (Resolved, Peter Slaughter)

Task #6298: Call CN.setAccessPolicy() whenever access control rules are updated in Metacat (Resolved, Peter Slaughter)

Task #6299: Incorporate synch script as Metacat utility or upgrade routine (Resolved, Peter Slaughter)

Task #6407: Add syncing test to metacat test suite (Closed)


Related issues

Blocked by Metacat - Bug #6183: CNodeService API calls don't honor authoritative MN certificates (Resolved)

History

#1 Updated by ben leinfelder almost 6 years ago

  • Assignee set to Peter Slaughter
  • Description updated (diff)

#3 Updated by ben leinfelder over 5 years ago

  • Status changed from New to In Progress

This is in progress - Peter and I have been discussing different ways access control policies can be updated on the MN using both the Metacat API and the new DataONE MN API.

#4 Updated by ben leinfelder over 5 years ago

  • Status changed from In Progress to Closed
