<!--
  * acontrol.html
  *
  *      Authors: Jivka Bojilova
  *    Copyright: 2000 Regents of the University of California and the
  *               National Center for Ecological Analysis and Synthesis
  *  For Details: http://www.nceas.ucsb.edu/
  *      Created: 2000 April 5
  *      Version: 0.01
  *    File Info: '$Id$'
  *
  * October Meeting SDSC, 2000
-->
<HTML>
<HEAD>
<TITLE>Metacat</TITLE>
<link rel="stylesheet" type="text/css" href="./default.css">
</HEAD>
<BODY>
  <table width="100%">
    <tr>
      <td class="tablehead" colspan="2"><p class="label">Metacat User
      Authentication and Access Control</p></td>
      <td class="tablehead" colspan="2" align="right">
        <a href="./xmlindex.html">Back</a> | <a href="./metacattour.html">Home</a> |
        <a href="./ldap.html">Next</a>
      </td>
    </tr>
  </table>
  <p><b>Authentication</b></p>
    <p>Metacat has a public interface for porting authentication
      schemes to Metacat.  Currently an LDAP scheme is implemented.
      LDAP stands for Lightweight Directory Access Protocol.
      It is a directory database optimized for fast retrieval of stored data;
      Metacat uses it to store its users and their information.
      The users can be organized in one or more groups.
    </p>
    <P> <img src="auth.gif">
    <P> <b>Access control in Metacat. </b></p>
    <ul>
      <li> Metacat users stored in the LDAP directory database are authenticated
      to use Metacat services and resources.</li>
      <li> A persistent session is assigned to an authenticated user.</li>
      <li> Metacat also allows document level access control via Access Control
      Lists (ACLs).</li>
    </ul>
  <p style="color: red; font-weight: bold">WARNING: The rest of this page is
   out-of-date and no longer accurate. It is left only for reference purposes.
   ACL information is now set through EML 2.0.0 access control elements.
  </p>
  <!--<img src="acontrol.gif">-->
  <b>ACLs</b>
  <p>Metacat allows a user to set permissions for users or groups on individual
  documents by using
  a special XML file called an Access file.
  The <a href="./packages.html">Package</a> file
  specifies which documents the Access file refers to.
  A sample Access file looks like the following:</p>
  <pre>
    &lt;?xml version="1.0"?&gt;
    &lt;!DOCTYPE acl PUBLIC "-//NCEAS//eml-access-2.0//EN" "eml-access-2.0.dtd"&gt;
    &lt;acl authSystem="knb" order="allowFirst"&gt;
      &lt;identifier&gt;nceas.36.1&lt;/identifier&gt;
      &lt;allow&gt;
        &lt;principal&gt;jones&lt;/principal&gt;
        &lt;principal&gt;higgins&lt;/principal&gt;
        &lt;principal&gt;berkley&lt;/principal&gt;
        &lt;principal&gt;bojilova&lt;/principal&gt;
        &lt;permission&gt;read&lt;/permission&gt;
        &lt;duration&gt;
          &lt;startDate&gt;10/9/2000&lt;/startDate&gt;
          &lt;stopDate&gt;10/9/2001&lt;/stopDate&gt;
        &lt;/duration&gt;
        &lt;ticketCount&gt;100&lt;/ticketCount&gt;
      &lt;/allow&gt;
      &lt;allow&gt;
        &lt;principal&gt;bojilova&lt;/principal&gt;
        &lt;permission&gt;write&lt;/permission&gt;
        &lt;ticketCount&gt;10&lt;/ticketCount&gt;
      &lt;/allow&gt;
      &lt;allow&gt;
        &lt;principal&gt;reviewers&lt;/principal&gt;
        &lt;permission&gt;read&lt;/permission&gt;
        &lt;ticketCount&gt;5&lt;/ticketCount&gt;
      &lt;/allow&gt;
      &lt;allow&gt;
        &lt;principal&gt;blankman&lt;/principal&gt;
        &lt;permission&gt;all&lt;/permission&gt;
      &lt;/allow&gt;
      &lt;deny&gt;
        &lt;principal&gt;eddins&lt;/principal&gt;
        &lt;permission&gt;all&lt;/permission&gt;
      &lt;/deny&gt;
    &lt;/acl&gt;
  </pre>

  <p>This file is read into Metacat like any other XML file.  Like
     <a href="./packages.html">Packages</a> the doctype is checked against
     the accessdoctype parameter in the <a href="./properties.html">Metacat
     Properties</a> file.  If the doctype matches, special postprocessing
     is performed on the document and the permissions described in the file
     are applied to the specified document.
  </p>
  <p>The main tag &lt;acl&gt; has attributes 'order' and 'authSystem'.
     Order refers to which permission type to process first, allow or deny.
     The allowed values are "allowFirst" and "denyFirst".  The default is "allowFirst".
  </p>
  <p>The &lt;identifier&gt; tag specifies the document identifier for the Access file
     itself as stored in Metacat.
  </p>
  <p>Next are the permissions themselves.  An allow tag gives permissions to
  the specified user(s) (&lt;principal&gt;) and a deny tag takes the permissions
  away from the user(s).  A principal should be a registered user or group.
  A timed duration can be set on the permission, after
  which the user(s) will no longer have the specified permission.  A ticket count
  can also be set; this gives the user the specified number of accesses.  After
  the user has accessed the document that number of times, the permissions are
  revoked.
  </p>
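  <p>The rules described above (allow and deny entries, the order attribute,
  the timed duration and the ticket count) can be exercised with a small
  evaluator.  The Python script below is an added example, not code from
  Metacat or its authors: it parses an Access file (a shortened, constructed
  copy of the sample above with the DOCTYPE left out so it runs offline) and
  answers whether a user, directly or through a group, holds a permission on a
  given date.  Two points are assumptions rather than statements of this page:
  the rule type named by 'order' is processed first and a matching rule of the
  other type overrides it, and the dates are written month/day/year.</p>

```python
# Added example, not Metacat's own code: parse an Access file and evaluate its rules.
from dataclasses import dataclass
from datetime import date, datetime
import xml.etree.ElementTree as ET

# Constructed input: the page's sample Access file, shortened and without its DOCTYPE.
SAMPLE_ACL = """<?xml version="1.0"?>
<acl authSystem="knb" order="allowFirst">
  <identifier>nceas.36.1</identifier>
  <allow>
    <principal>jones</principal>
    <permission>read</permission>
    <duration>
      <startDate>10/9/2000</startDate>
      <stopDate>10/9/2001</stopDate>
    </duration>
    <ticketCount>100</ticketCount>
  </allow>
  <allow>
    <principal>reviewers</principal>
    <permission>read</permission>
    <ticketCount>5</ticketCount>
  </allow>
  <allow>
    <principal>blankman</principal>
    <permission>all</permission>
  </allow>
  <deny>
    <principal>eddins</principal>
    <permission>all</permission>
  </deny>
</acl>
"""


def parse_date(text):
    # Assumption: the page's dates (10/9/2000) are month/day/year.
    return datetime.strptime(text.strip(), "%m/%d/%Y").date()


@dataclass
class Rule:
    kind: str                       # "allow" or "deny"
    principals: set                 # users or groups named in <principal>
    permissions: set                # "read", "write", "all", ...
    start: "date | None" = None     # <duration><startDate>
    stop: "date | None" = None      # <duration><stopDate>
    tickets: "int | None" = None    # <ticketCount>; None means unlimited


@dataclass
class Acl:
    identifier: str                 # <identifier>: the Access file's own id
    order: str                      # "allowFirst" (page default) or "denyFirst"
    rules: list


def parse_acl(text):
    root = ET.fromstring(text)
    rules = []
    for el in root:
        if el.tag in ("allow", "deny"):
            start, stop = (el.findtext("duration/" + k) for k in ("startDate", "stopDate"))
            tickets = el.findtext("ticketCount")
            rules.append(Rule(el.tag,
                              {p.text.strip() for p in el.findall("principal")},
                              {p.text.strip() for p in el.findall("permission")},
                              parse_date(start) if start else None,
                              parse_date(stop) if stop else None,
                              int(tickets) if tickets else None))
    return Acl(root.findtext("identifier", "").strip(), root.get("order", "allowFirst"), rules)


class AccessChecker:
    def __init__(self, acl):
        self.acl, self.used = acl, {}   # used: (rule index, user) -> accesses consumed

    def _matches(self, idx, rule, user, who, permission, today):
        if not rule.principals & who or not rule.permissions & {permission, "all"}:
            return False
        if (rule.start and today < rule.start) or (rule.stop and today > rule.stop):
            return False                # outside the timed duration
        # Ticket count exhausted: the page says the permission is then revoked.
        return rule.tickets is None or self.used.get((idx, user), 0) < rule.tickets

    def check(self, user, permission, today, groups=()):
        """True if access is granted; each granted access consumes one ticket."""
        today = parse_date(today) if isinstance(today, str) else today
        who = {user, *groups}
        # Assumption: the type named by 'order' is processed first and a matching
        # rule of the other type overrides it (allowFirst: a deny beats an allow).
        # With no matching rule at all, access is denied.
        passes = ("allow", "deny") if self.acl.order == "allowFirst" else ("deny", "allow")
        granted, winner = False, None
        for kind in passes:
            for idx, rule in enumerate(self.acl.rules):
                if rule.kind == kind and self._matches(idx, rule, user, who, permission, today):
                    granted, winner = kind == "allow", idx
        if granted and self.acl.rules[winner].tickets is not None:
            self.used[(winner, user)] = self.used.get((winner, user), 0) + 1
        return granted
```

  <p>Call check() once per access request, for example
  AccessChecker(parse_acl(SAMPLE_ACL)).check("jones", "read", "1/1/2001").
  That is what makes the ticket count behave as described: a granted request
  consumes one ticket on the allow rule that granted it, and once the count is
  used up that rule stops matching.  Because the deny pass runs last under
  allowFirst, a deny on a principal still wins while that principal's tickets
  remain, whereas denyFirst lets a later allow override the deny.</p>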
120
121
  <br>
122
  <a href="./xmlindex.html">Back</a> | <a href="./metacattour.html">Home</a> |
123 881 berkley
  <a href="./ldap.html">Next</a>
124 878 berkley
</BODY>
125
</HTML>