Bug #7094

Metacat is not expanding groups in the rightsHolder field during authorization

Added by Chris Jones about 8 years ago. Updated about 8 years ago.

Status: Closed
Priority: Normal
Category: metacat
Start date: 08/26/2016
% Done: 0%

Description

With a SystemMetadata document like:

<?xml version="1.0" encoding="UTF-8"?>
<d1_v2.0:systemMetadata xmlns:d1_v2.0="http://ns.dataone.org/service/types/v2.0" xmlns:d1="http://ns.dataone.org/service/types/v1">
  <serialVersion>0</serialVersion>
  <identifier>urn:uuid:a0f68bc4-1b67-4376-964f-70df0b58376c</identifier>
  <formatId>image/jpeg</formatId>
  <size>223220</size>
  <checksum algorithm="SHA256">60be2e67512b6f444be407a9cb87018b12e5bbf214deab3248c8d1834db8cb38</checksum>
  <submitter>CN=Bryce Mecum A27576,O=Google,C=US,DC=cilogon,DC=org</submitter>
  <rightsHolder>CN=arctic-data-admins,DC=dataone,DC=org</rightsHolder>
  <accessPolicy>
    <allow>
      <subject>public</subject>
      <permission>read</permission>
    </allow>
    <allow>
      <subject>CN=Bryce Mecum A27576,O=Google,C=US,DC=cilogon,DC=org</subject>
      <permission>write</permission>
    </allow>
    <allow>
      <subject>CN=Bryce Mecum A27576,O=Google,C=US,DC=cilogon,DC=org</subject>
      <permission>read</permission>
      <permission>write</permission>
      <permission>changePermission</permission>
    </allow>
  </accessPolicy>
  <replicationPolicy replicationAllowed="true" numberReplicas="3"/>
  <archived>false</archived>
  <dateUploaded>2016-03-17T19:25:16.840+00:00</dateUploaded>
  <dateSysMetadataModified>2016-08-26T17:15:07.506+00:00</dateSysMetadataModified>
  <originMemberNode>urn:node:ARCTIC</originMemberNode>
  <authoritativeMemberNode>urn:node:ARCTIC</authoritativeMemberNode>
  <fileName>20090413_200904130059.noaa-18.4km_vis_ch1.jpeg</fileName>
</d1_v2.0:systemMetadata>

we would expect that anyone in the CN=arctic-data-admins,DC=dataone,DC=org group (the rightsHolder) would have read/write/changePermission permissions. Instead, updates to objects with access control like this fail for members of the group other than CN=Bryce Mecum A27576,O=Google,C=US,DC=cilogon,DC=org, who is the only member also listed explicitly in the accessPolicy.

To get around this issue, I'm processing all 502K+ objects in the arcticdata.io Metacat to include:

    <allow>
      <subject>CN=arctic-data-admins,DC=dataone,DC=org</subject>
      <permission>read</permission>
      <permission>write</permission>
      <permission>changePermission</permission>
    </allow>

So, this isn't super critical, but it affects all Metacat systems, including the CNs.
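As an added illustration (not Metacat's own code), the check below models the two authorization paths the report contrasts: accessPolicy subject matching, which expands group membership, and the rightsHolder comparison, which in the buggy case does not. The group membership table, the second group member and the expand_rights_holder switch are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt of the report's SystemMetadata: only the fields the check reads.
SYSMETA = """<d1_v2.0:systemMetadata xmlns:d1_v2.0="http://ns.dataone.org/service/types/v2.0">
  <rightsHolder>CN=arctic-data-admins,DC=dataone,DC=org</rightsHolder>
  <accessPolicy>
    <allow><subject>public</subject><permission>read</permission></allow>
    <allow>
      <subject>CN=Bryce Mecum A27576,O=Google,C=US,DC=cilogon,DC=org</subject>
      <permission>read</permission><permission>write</permission>
      <permission>changePermission</permission>
    </allow>
  </accessPolicy>
</d1_v2.0:systemMetadata>"""

BRYCE = "CN=Bryce Mecum A27576,O=Google,C=US,DC=cilogon,DC=org"
OTHER_ADMIN = "CN=Other Admin A00000,O=Example,C=US,DC=cilogon,DC=org"  # constructed member
# Hypothetical membership table, standing in for the identity lookup Metacat would perform.
GROUPS = {"CN=arctic-data-admins,DC=dataone,DC=org": {BRYCE, OTHER_ADMIN}}

ALL_PERMISSIONS = frozenset({"read", "write", "changePermission"})


def expand_subject(subject, groups):
    """The subject itself, the 'public' pseudo-subject, and every group listing the subject."""
    return {subject, "public"} | {g for g, members in groups.items() if subject in members}


def permissions(sysmeta_xml, subject, groups, expand_rights_holder=True):
    """Permissions a subject holds on the object described by sysmeta_xml.

    expand_rights_holder=False reproduces the reported bug: rightsHolder is compared
    only against the bare subject, so group members are not recognised as rights holders.
    accessPolicy matching expands groups either way, which is why an explicit <allow>
    for the group (the reporter's workaround) restores access.
    """
    root = ET.fromstring(sysmeta_xml)
    subjects = expand_subject(subject, groups)
    holder_candidates = subjects if expand_rights_holder else {subject}
    if root.findtext("rightsHolder") in holder_candidates:
        return set(ALL_PERMISSIONS)  # the rightsHolder implicitly holds every permission
    granted = set()
    for allow in root.iter("allow"):
        if allow.findtext("subject") in subjects:
            granted.update(p.text for p in allow.findall("permission"))
    return granted
```

Run with expand_rights_holder=False, the constructed second admin falls back to the public read grant only, which matches the failing updates described above.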
