Story #6296


authMN SM.accessPolicy out of synch with CN and replicaMN

Added by ben leinfelder over 10 years ago. Updated about 10 years ago.



Lauren noticed some replica packages from urn:node:GOA on urn:node:KNB today that did not have public read allowed on their data files. The CN also does not have public read for these data objects. I suspect that the EML <access> was updated at some point after the package was initially saved and the CN harvested it from the GOA node. The updates to the SystemMetadata.accessPolicy are correctly reflected on the GOA (which is the authoritative MN for these objects).

This is somewhat of a "known" issue in that SM.accessPolicy can only be updated on the CN using the CN.setAccessPolicy() method, which then calls back all the MNs that hold replicas (or originals) and informs them of the change. A long time ago we realized that this robs the authMN of their primary authority on the object but have not been able to re-architect DataONE to support authMN-control.

In the interim, which could be forever, we should make sure Metacat calls CN.setAccessPolicy() whenever it changes on the authMN. Typically this will happen when parsing an updated EML file that contains additional (or fewer) access control rules but there is also a Metacat servlet API call to set access blocks (action=setaccess, I believe).

While we can put in place code to deal with future changes to the SM.accessPolicy, we also want a mechanism for fixing the ones that we have today. There are a couple options for that: manually with a bash script and a few curl commands, or an upgrade routine included for the next release of Metacat that is run automatically during upgrade, or after Metacat has been completely [re]configured as a Member Node. (There are client certificate configuration issues to think about if using an upgrade routine).
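
A drift check for the situation described above, as an added example that is not part of the original issue or of Metacat: it flattens the accessPolicy of two SystemMetadata documents (one from the authoritative MN, one from the CN) and reports rules present on only one side. The sample documents, the identifier, the subject and all function names are constructed for illustration, and the hierarchical expansion of permissions is an assumption.

```python
import xml.etree.ElementTree as ET

# Assumption: permissions are hierarchical, so a higher one implies the lower ones.
IMPLIED = {
    "read": {"read"},
    "write": {"read", "write"},
    "changePermission": {"read", "write", "changePermission"},
}

def _local(tag):
    """Element name without its XML namespace."""
    return tag.rsplit("}", 1)[-1]

def access_rules(sysmeta_xml):
    """Flatten SystemMetadata.accessPolicy into a set of (subject, permission)."""
    rules = set()
    for policy in ET.fromstring(sysmeta_xml).iter():
        if _local(policy.tag) != "accessPolicy":
            continue
        for allow in policy:
            if _local(allow.tag) != "allow":
                continue
            subjects = [(c.text or "").strip() for c in allow if _local(c.tag) == "subject"]
            perms = [(c.text or "").strip() for c in allow if _local(c.tag) == "permission"]
            rules.update((s, q) for s in subjects for p in perms
                         for q in IMPLIED.get(p, {p}))
    return rules

def policy_drift(auth_mn_xml, cn_xml):
    """Rules the authoritative MN has that the CN lacks, and the reverse."""
    auth, cn = access_rules(auth_mn_xml), access_rules(cn_xml)
    return {"missing_on_cn": sorted(auth - cn), "extra_on_cn": sorted(cn - auth)}

# Constructed sample documents (trimmed to the fields used here).
_DOC = """<d1:systemMetadata xmlns:d1="http://ns.dataone.org/service/types/v1">
  <identifier>example.1.1</identifier>
  <accessPolicy>%s</accessPolicy>
</d1:systemMetadata>"""
_OWNER = ("<allow><subject>CN=Example User,DC=example,DC=org</subject>"
          "<permission>write</permission></allow>")
_PUBLIC = "<allow><subject>public</subject><permission>read</permission></allow>"
AUTH_MN_XML = _DOC % (_OWNER + _PUBLIC)   # public read added on the authMN
CN_XML = _DOC % _OWNER                    # CN still holds the harvested policy

if __name__ == "__main__":
    print(policy_drift(AUTH_MN_XML, CN_XML))
```

A non-empty `extra_on_cn` is the result to prioritise, since it means the CN still grants access that the authoritative MN has removed.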

Subtasks: 4 (0 open, 4 closed)

Task #6297: Create MN->CN sync script (Resolved, Peter Slaughter, 12/12/2013)

Task #6298: Call CN.setAccessPolicy() whenever access control rules are updated in Metacat (Resolved, Peter Slaughter, 12/12/2013)

Task #6299: Incorporate synch script as Metacat utility or upgrade routine (Resolved, Peter Slaughter, 12/12/2013)

Task #6407: Add syncing test to metacat test suite (Closed, 02/04/2014)


Related issues

Blocked by Metacat - Bug #6183: CNodeService API calls don't honor authoritative MN certificates (Resolved, Jing Tao)

Actions #1

Updated by ben leinfelder over 10 years ago

  • Description updated (diff)
  • Assignee set to Peter Slaughter
Actions #3

Updated by ben leinfelder about 10 years ago

  • Status changed from New to In Progress

This is in progress - Peter and I have been discussing different ways access control policies can be updated on the MN using both the Metacat API and the new DataONE MN API.

Actions #4

Updated by ben leinfelder about 10 years ago

  • Status changed from In Progress to Closed
