Authentication

Metacat has a public interface for porting authentication schemes to Metacat. Currently an LDAP scheme is implemented. LDAP stands for Lightweight Directory Access Protocol. It is an optimized database for fast retrival of stored data: It is used by Metacat to store its users and their information. The users can be organized in one or more groups.

Access control in Metacat.

• Metacat users stored in the LDAP directory database are authenticated to use Metacat services and resources.
• A persistant session is assigned to an authenticated user.
• Metacat also allows document level access control via Access Control Lists (ACLs).

Metacat allows a user to set permissions for users or groups on individual documents by using a special XML file called an Access file. The Package file specifies which documents the Access file refers to. A sample Access file looks like the following:

    <?xml version="1.0"?>
    <!DOCTYPE acl PUBLIC "-//NCEAS//eml-access-2.0//EN" "eml-access-2.0.dtd">
    <acl authSystem="knb" order="allowFirst">
      <identifier>nceas.36.1</identifier>
      <allow>
        <principal>jones</principal>
        <principal>higgins</principal>
        <principal>berkley</principal>
        <principal>bojilova</principal>
        <permission>read</permission>
        <duration>
          <startDate>10/9/2000</startDate>
          <stopDate>10/9/2001</stopDate>
        </duration>
        <ticketCount>100</ticketCount>
      </allow>
      <allow>
        <principal>bojilova</principal>
        <permission>write</permission>
        <ticketCount>10</ticketCount>
      </allow>
      <allow>
        <principal>reviewers</principal>
        <permission>read</permission>
        <ticketCount>5</ticketCount>
      </allow>
      <allow>
        <principal>blankman</principal>
        <permission>all</permission>
      </allow>
      <deny>
        <principal>eddins</principal>
        <permission>all</permission>
      </deny>
    </acl>
  

This file is read into Metacat like any other XML file. Like Packages the doctype is checked against the accessdoctype parameter in the Metacat Properties file. If the doctype matches, special postprocessing is performed on the document and the persmissions described in the file are applied to the specified document.

The main tag <acl> has attributes 'order' and 'authSystem'. Order refers to which permission type to process first, allow or deny. The allowed values are "allowFirst" and "denyFirst". The default is "allowFirst".

The <identifier> tag specifies the document identifier for the Access file itself as stored in Metacat.

Next are the permissions themselves. An allow tag gives permissions to the specified user(s) (<principal>) and a deny tag takes the permissions away from the user(s). A principal should be a registered user or group. A timed duration can be set on the permission after which the user(s) will no longer have the specified permission. A ticket count can also be set. This gives the user the number of accesses specified. After the user has accessed the document that number of times, the permissions are revoked.