| 1 |
878
|
berkley
|
<!--
|
| 2 |
|
|
* acontrol.html
|
| 3 |
|
|
*
|
| 4 |
|
|
* Authors: Jivka Bojilova
|
| 5 |
|
|
* Copyright: 2000 Regents of the University of California and the
|
| 6 |
|
|
* National Center for Ecological Analysis and Synthesis
|
| 7 |
|
|
* For Details: http://www.nceas.ucsb.edu/
|
| 8 |
|
|
* Created: 2000 April 5
|
| 9 |
|
|
* Version: 0.01
|
| 10 |
|
|
* File Info: '$Id$'
|
| 11 |
|
|
*
|
| 12 |
|
|
* October Meeting SDSC, 2000
|
| 13 |
|
|
-->
|
| 14 |
|
|
<HTML>
|
| 15 |
|
|
<HEAD>
|
| 16 |
|
|
<TITLE>Metacat</TITLE>
|
| 17 |
|
|
<link rel="stylesheet" type="text/css" href="@docrooturl@default.css">
|
| 18 |
|
|
</HEAD>
|
| 19 |
|
|
<BODY>
|
| 20 |
|
|
<table width="100%">
|
| 21 |
|
|
<tr>
|
| 22 |
|
|
<td class="tablehead" colspan="2"><p class="label">Metacat User
|
| 23 |
|
|
Authentication and Access Control</p></td>
|
| 24 |
|
|
<td class="tablehead" colspan="2" align="right">
|
| 25 |
|
|
<a href="./xmlindex.html">Back</a> | <a href="./metacattour.html">Home</a> |
|
| 26 |
|
|
<a href="./metacatout.html">Next</a>
|
| 27 |
|
|
</td>
|
| 28 |
|
|
</tr>
|
| 29 |
|
|
</table>
|
| 30 |
|
|
<p><b>Authentication</b></p>
|
| 31 |
|
|
<p>Metacat has a public interface for porting authentication
|
| 32 |
881
|
berkley
|
schemes to Metacat. Currently an LDAP scheme is implemented.
|
| 33 |
878
|
berkley
|
LDAP stands for Lightweight Directory Access Protocol.
|
| 34 |
881
|
berkley
|
It is an optimized database for fast retrival of stored data:
|
| 35 |
878
|
berkley
|
It is used by Metacat to store its users and their information.
|
| 36 |
|
|
The users can be organized in one or more groups.
|
| 37 |
|
|
</p>
|
| 38 |
|
|
<P> <img src="auth.gif">
|
| 39 |
|
|
<P> <b>Access control in Metacat. </b></p>
|
| 40 |
|
|
<ul>
|
| 41 |
881
|
berkley
|
<li> Metacat users stored in the LDAP directory database are authenticated
|
| 42 |
|
|
to use Metacat services and resources.</li>
|
| 43 |
878
|
berkley
|
<li> A persistant session is assigned to an authenticated user.</li>
|
| 44 |
881
|
berkley
|
<li> Metacat also allows document level access control via Access Control
|
| 45 |
|
|
Lists (ACLs).</li>
|
| 46 |
878
|
berkley
|
</ul>
|
| 47 |
|
|
<!--<img src="acontrol.gif">-->
|
| 48 |
|
|
<b>ACLs</b>
|
| 49 |
881
|
berkley
|
<p>Metacat allows a user to set permissions for users or groups on individual
|
| 50 |
|
|
documents by using
|
| 51 |
|
|
a special XML file called an Access file.
|
| 52 |
|
|
The <a href="./packages.html">Package</a> file
|
| 53 |
878
|
berkley
|
specifies which documents the Access file refers to.
|
| 54 |
|
|
A sample Access file looks like the following:</p>
|
| 55 |
|
|
<pre>
|
| 56 |
|
|
<?xml version="1.0"?>
|
| 57 |
|
|
<!DOCTYPE acl PUBLIC "-//NCEAS//eml-access-2.0//EN" "eml-access-2.0.dtd">
|
| 58 |
|
|
<acl authSystem="knb" order="allowFirst">
|
| 59 |
|
|
<identifier>nceas.36.1</identifier>
|
| 60 |
|
|
<allow>
|
| 61 |
|
|
<principal>jones</principal>
|
| 62 |
|
|
<principal>higgins</principal>
|
| 63 |
|
|
<principal>berkley</principal>
|
| 64 |
|
|
<principal>bojilova</principal>
|
| 65 |
|
|
<permission>read</permission>
|
| 66 |
|
|
<duration>
|
| 67 |
|
|
<startDate>10/9/2000</startDate>
|
| 68 |
|
|
<stopDate>10/9/2001</stopDate>
|
| 69 |
|
|
</duration>
|
| 70 |
|
|
<ticketCount>100</ticketCount>
|
| 71 |
|
|
</allow>
|
| 72 |
|
|
<allow>
|
| 73 |
|
|
<principal>bojilova</principal>
|
| 74 |
|
|
<permission>write</permission>
|
| 75 |
|
|
<ticketCount>10</ticketCount>
|
| 76 |
|
|
</allow>
|
| 77 |
|
|
<allow>
|
| 78 |
|
|
<principal>reviewers</principal>
|
| 79 |
|
|
<permission>read</permission>
|
| 80 |
|
|
<ticketCount>5</ticketCount>
|
| 81 |
|
|
</allow>
|
| 82 |
|
|
<allow>
|
| 83 |
|
|
<principal>blankman</principal>
|
| 84 |
|
|
<permission>all</permission>
|
| 85 |
|
|
</allow>
|
| 86 |
|
|
<deny>
|
| 87 |
|
|
<principal>eddins</principal>
|
| 88 |
|
|
<permission>all</permission>
|
| 89 |
|
|
</deny>
|
| 90 |
|
|
</acl>
|
| 91 |
|
|
</pre>
|
| 92 |
|
|
|
| 93 |
|
|
<p>This file is read into Metacat like any other XML file. Like
|
| 94 |
|
|
<a href="./packages.html">Packages</a> the doctype is checked against
|
| 95 |
|
|
the accessdoctype parameter in the <a href="./properties.html">Metacat
|
| 96 |
|
|
Properties</a> file. If the doctype matches, special postprocessing
|
| 97 |
|
|
is performed on the document and the persmissions described in the file
|
| 98 |
|
|
are applied to the specified document.
|
| 99 |
|
|
</p>
|
| 100 |
|
|
<p>The main tag <acl> has attributes 'order' and 'authSystem'.
|
| 101 |
|
|
Order refers to which permission type to process first, allow or deny.
|
| 102 |
|
|
The allowed values are "allowFirst" and "denyFirst". The default is "allowFirst".
|
| 103 |
|
|
</p>
|
| 104 |
|
|
<p>The <identifier> tag specifies the document identifier for the Access file
|
| 105 |
|
|
itself as stored in Metacat.
|
| 106 |
|
|
</p>
|
| 107 |
|
|
<p>Next are the permissions themselves. An allow tag gives permissions to
|
| 108 |
881
|
berkley
|
the specified user(s) (<principal>) and a deny tag takes the permissions
|
| 109 |
878
|
berkley
|
away from the user(s). A principal should be a registered user or group.
|
| 110 |
|
|
A timed duration can be set on the permission after
|
| 111 |
|
|
which the user(s) will no longer have the specified permission. A ticket count
|
| 112 |
|
|
can also be set. This gives the user the number of accesses specified. After
|
| 113 |
|
|
the user has accessed the document that number of times, the permissions are
|
| 114 |
|
|
revoked.
|
| 115 |
|
|
</p>
|
| 116 |
|
|
|
| 117 |
|
|
<br>
|
| 118 |
|
|
<a href="./xmlindex.html">Back</a> | <a href="./metacattour.html">Home</a> |
|
| 119 |
881
|
berkley
|
<a href="./ldap.html">Next</a>
|
| 120 |
878
|
berkley
|
</BODY>
|
| 121 |
|
|
</HTML>
|