1
|
<!--
|
2
|
* acontrol.html
|
3
|
*
|
4
|
* Authors: Jivka Bojilova
|
5
|
* Copyright: 2000 Regents of the University of California and the
|
6
|
* National Center for Ecological Analysis and Synthesis
|
7
|
* For Details: http://www.nceas.ucsb.edu/
|
8
|
* Created: 2000 April 5
|
9
|
* Version: 0.01
|
10
|
* File Info: '$Id: acontrol.html 3569 2007-11-05 19:22:13Z berkley $'
|
11
|
*
|
12
|
* October Meeting SDSC, 2000
|
13
|
-->
|
14
|
<HTML>
|
15
|
<HEAD>
|
16
|
<TITLE>Metacat</TITLE>
|
17
|
<link rel="stylesheet" type="text/css" href="@docrooturl@default.css">
|
18
|
</HEAD>
|
19
|
<BODY>
|
20
|
<table width="100%">
|
21
|
<tr>
|
22
|
<td class="tablehead" colspan="2"><p class="label">Metacat User
|
23
|
Authentication and Access Control</p></td>
|
24
|
<td class="tablehead" colspan="2" align="right">
|
25
|
<a href="./xmlindex.html">Back</a> | <a href="./metacattour.html">Home</a> |
|
26
|
<a href="./ldap.html">Next</a>
|
27
|
</td>
|
28
|
</tr>
|
29
|
</table>
|
30
|
<p><b>Authentication</b></p>
|
31
|
<p>Metacat has a public interface for porting authentication
|
32
|
schemes to Metacat. Currently an LDAP scheme is implemented.
|
33
|
LDAP stands for Lightweight Directory Access Protocol.
|
34
|
It is an optimized database for fast retrival of stored data:
|
35
|
It is used by Metacat to store its users and their information.
|
36
|
The users can be organized in one or more groups.
|
37
|
</p>
|
38
|
<P> <img src="auth.gif">
|
39
|
<P> <b>Access control in Metacat. </b></p>
|
40
|
<ul>
|
41
|
<li> Metacat users stored in the LDAP directory database are authenticated
|
42
|
to use Metacat services and resources.</li>
|
43
|
<li> A persistant session is assigned to an authenticated user.</li>
|
44
|
<li> Metacat also allows document level access control via Access Control
|
45
|
Lists (ACLs).</li>
|
46
|
</ul>
|
47
|
<p style="color: red; font-face: bold">WARNING: The rest of this page is
|
48
|
out-of-date and no longer accurate. It is left only for reference purposes.
|
49
|
ACL information is now set through EML 2.0.0 access control elements.
|
50
|
</p>
|
51
|
<!--<img src="acontrol.gif">-->
|
52
|
<b>ACLs</b>
|
53
|
<p>Metacat allows a user to set permissions for users or groups on individual
|
54
|
documents by using
|
55
|
a special XML file called an Access file.
|
56
|
The <a href="./packages.html">Package</a> file
|
57
|
specifies which documents the Access file refers to.
|
58
|
A sample Access file looks like the following:</p>
|
59
|
<pre>
|
60
|
<?xml version="1.0"?>
|
61
|
<!DOCTYPE acl PUBLIC "-//NCEAS//eml-access-2.0//EN" "eml-access-2.0.dtd">
|
62
|
<acl authSystem="knb" order="allowFirst">
|
63
|
<identifier>nceas.36.1</identifier>
|
64
|
<allow>
|
65
|
<principal>jones</principal>
|
66
|
<principal>higgins</principal>
|
67
|
<principal>berkley</principal>
|
68
|
<principal>bojilova</principal>
|
69
|
<permission>read</permission>
|
70
|
<duration>
|
71
|
<startDate>10/9/2000</startDate>
|
72
|
<stopDate>10/9/2001</stopDate>
|
73
|
</duration>
|
74
|
<ticketCount>100</ticketCount>
|
75
|
</allow>
|
76
|
<allow>
|
77
|
<principal>bojilova</principal>
|
78
|
<permission>write</permission>
|
79
|
<ticketCount>10</ticketCount>
|
80
|
</allow>
|
81
|
<allow>
|
82
|
<principal>reviewers</principal>
|
83
|
<permission>read</permission>
|
84
|
<ticketCount>5</ticketCount>
|
85
|
</allow>
|
86
|
<allow>
|
87
|
<principal>blankman</principal>
|
88
|
<permission>all</permission>
|
89
|
</allow>
|
90
|
<deny>
|
91
|
<principal>eddins</principal>
|
92
|
<permission>all</permission>
|
93
|
</deny>
|
94
|
</acl>
|
95
|
</pre>
|
96
|
|
97
|
<p>This file is read into Metacat like any other XML file. Like
|
98
|
<a href="./packages.html">Packages</a> the doctype is checked against
|
99
|
the accessdoctype parameter in the <a href="./properties.html">Metacat
|
100
|
Properties</a> file. If the doctype matches, special postprocessing
|
101
|
is performed on the document and the persmissions described in the file
|
102
|
are applied to the specified document.
|
103
|
</p>
|
104
|
<p>The main tag <acl> has attributes 'order' and 'authSystem'.
|
105
|
Order refers to which permission type to process first, allow or deny.
|
106
|
The allowed values are "allowFirst" and "denyFirst". The default is "allowFirst".
|
107
|
</p>
|
108
|
<p>The <identifier> tag specifies the document identifier for the Access file
|
109
|
itself as stored in Metacat.
|
110
|
</p>
|
111
|
<p>Next are the permissions themselves. An allow tag gives permissions to
|
112
|
the specified user(s) (<principal>) and a deny tag takes the permissions
|
113
|
away from the user(s). A principal should be a registered user or group.
|
114
|
A timed duration can be set on the permission after
|
115
|
which the user(s) will no longer have the specified permission. A ticket count
|
116
|
can also be set. This gives the user the number of accesses specified. After
|
117
|
the user has accessed the document that number of times, the permissions are
|
118
|
revoked.
|
119
|
</p>
|
120
|
|
121
|
<br>
|
122
|
<a href="./xmlindex.html">Back</a> | <a href="./metacattour.html">Home</a> |
|
123
|
<a href="./ldap.html">Next</a>
|
124
|
</BODY>
|
125
|
</HTML>
|
126
|
|