Project

General

Profile

1
<!--
2
  * acontrol.html
3
  *
4
  *      Authors: Jivka Bojilova
5
  *    Copyright: 2000 Regents of the University of California and the
6
  *               National Center for Ecological Analysis and Synthesis
7
  *  For Details: http://www.nceas.ucsb.edu/
8
  *      Created: 2000 April 5
9
  *      Version: 0.01
10
  *    File Info: '$Id: acontrol.html 2310 2004-09-21 09:01:22Z jones $'
11
  * 
12
  * October Meeting SDSC, 2000
13
-->
14
<HTML>
15
<HEAD>
16
<TITLE>Metacat</TITLE>
17
<link rel="stylesheet" type="text/css" href="@docrooturl@default.css">
18
</HEAD> 
19
<BODY>
20
  <table width="100%">
21
    <tr>
22
      <td class="tablehead" colspan="2"><p class="label">Metacat User 
23
      Authentication and Access Control</p></td>
24
      <td class="tablehead" colspan="2" align="right">
25
        <a href="./xmlindex.html">Back</a> | <a href="./metacattour.html">Home</a> | 
26
        <a href="./metacatout.html">Next</a>
27
      </td>
28
    </tr>
29
  </table>
30
  <p><b>Authentication</b></p>
31
    <p>Metacat has a public interface for porting authentication 
32
      schemes to Metacat.  Currently an LDAP scheme is implemented. 
33
      LDAP stands for Lightweight Directory Access Protocol. 
34
      It is an optimized database for fast retrival of stored data:
35
      It is used by Metacat to store its users and their information. 
36
      The users can be organized in one or more groups.
37
    </p>
38
    <P> <img src="auth.gif"> 
39
    <P> <b>Access control in Metacat. </b></p>
40
    <ul>
41
      <li> Metacat users stored in the LDAP directory database are authenticated
42
      to use Metacat services and resources.</li>
43
      <li> A persistant session is assigned to an authenticated user.</li>
44
      <li> Metacat also allows document level access control via Access Control 
45
      Lists (ACLs).</li>
46
    </ul>
47
  <p style="color: red; font-face: bold">WARNING: The rest of this page is 
48
   out-of-date and no longer accurate. It is left only for reference purposes.
49
   ACL information is now set through EML 2.0.0 access control elements.
50
  </p>
51
  <!--<img src="acontrol.gif">-->
52
  <b>ACLs</b>
53
  <p>Metacat allows a user to set permissions for users or groups on individual 
54
  documents by using
55
  a special XML file called an Access file.  
56
  The <a href="./packages.html">Package</a> file
57
  specifies which documents the Access file refers to. 
58
  A sample Access file looks like the following:</p>
59
  <pre>
60
    &lt;?xml version="1.0"?&gt;
61
    &lt;!DOCTYPE acl PUBLIC "-//NCEAS//eml-access-2.0//EN" "eml-access-2.0.dtd"&gt;
62
    &lt;acl authSystem="knb" order="allowFirst"&gt;
63
      &lt;identifier&gt;nceas.36.1&lt;/identifier&gt;
64
      &lt;allow&gt;
65
        &lt;principal&gt;jones&lt;/principal&gt;
66
        &lt;principal&gt;higgins&lt;/principal&gt;
67
        &lt;principal&gt;berkley&lt;/principal&gt;
68
        &lt;principal&gt;bojilova&lt;/principal&gt;
69
        &lt;permission&gt;read&lt;/permission&gt;
70
        &lt;duration&gt;
71
          &lt;startDate&gt;10/9/2000&lt;/startDate&gt;
72
          &lt;stopDate&gt;10/9/2001&lt;/stopDate&gt;
73
        &lt;/duration&gt;
74
        &lt;ticketCount&gt;100&lt;/ticketCount&gt;
75
      &lt;/allow&gt;
76
      &lt;allow&gt;
77
        &lt;principal&gt;bojilova&lt;/principal&gt;
78
        &lt;permission&gt;write&lt;/permission&gt;
79
        &lt;ticketCount&gt;10&lt;/ticketCount&gt;
80
      &lt;/allow&gt;
81
      &lt;allow&gt;
82
        &lt;principal&gt;reviewers&lt;/principal&gt;
83
        &lt;permission&gt;read&lt;/permission&gt;
84
        &lt;ticketCount&gt;5&lt;/ticketCount&gt;
85
      &lt;/allow&gt;
86
      &lt;allow&gt;
87
        &lt;principal&gt;blankman&lt;/principal&gt;
88
        &lt;permission&gt;all&lt;/permission&gt;
89
      &lt;/allow&gt;
90
      &lt;deny&gt;
91
        &lt;principal&gt;eddins&lt;/principal&gt;
92
        &lt;permission&gt;all&lt;/permission&gt;
93
      &lt;/deny&gt;
94
    &lt;/acl&gt;
95
  </pre>
96
  
97
  <p>This file is read into Metacat like any other XML file.  Like 
98
     <a href="./packages.html">Packages</a> the doctype is checked against
99
     the accessdoctype parameter in the <a href="./properties.html">Metacat
100
     Properties</a> file.  If the doctype matches, special postprocessing
101
     is performed on the document and the persmissions described in the file
102
     are applied to the specified document.
103
  </p>
104
  <p>The main tag &lt;acl&gt; has attributes 'order' and 'authSystem'.  
105
     Order refers to which permission type to process first, allow or deny.
106
     The allowed values are "allowFirst" and  "denyFirst".  The default is "allowFirst".
107
  </p>
108
  <p>The &lt;identifier&gt; tag specifies the document identifier for the Access file
109
     itself as stored in Metacat.
110
  </p>
111
  <p>Next are the permissions themselves.  An allow tag gives permissions to 
112
  the specified user(s) (&lt;principal&gt;) and a deny tag takes the permissions
113
  away from the user(s).  A principal should be a registered user or group.
114
  A timed duration can be set on the permission after
115
  which the user(s) will no longer have the specified permission.  A ticket count
116
  can also be set.  This gives the user the number of accesses specified.  After
117
  the user has accessed the document that number of times, the permissions are 
118
  revoked. 
119
  </p>
120
    
121
  <br>
122
  <a href="./xmlindex.html">Back</a> | <a href="./metacattour.html">Home</a> | 
123
  <a href="./ldap.html">Next</a>
124
</BODY>
125
</HTML>
126

    
(3-3/51)