|
1
|
<!--
|
|
2
|
* acontrol.html
|
|
3
|
*
|
|
4
|
* Authors: Jivka Bojilova
|
|
5
|
* Copyright: 2000 Regents of the University of California and the
|
|
6
|
* National Center for Ecological Analysis and Synthesis
|
|
7
|
* For Details: http://www.nceas.ucsb.edu/
|
|
8
|
* Created: 2000 April 5
|
|
9
|
* Version: 0.01
|
|
10
|
* File Info: '$Id: acontrol.html 878 2001-12-18 18:11:42Z berkley $'
|
|
11
|
*
|
|
12
|
* October Meeting SDSC, 2000
|
|
13
|
-->
|
|
14
|
<HTML>
|
|
15
|
<HEAD>
|
|
16
|
<TITLE>Metacat</TITLE>
|
|
17
|
<link rel="stylesheet" type="text/css" href="@docrooturl@default.css">
|
|
18
|
</HEAD>
|
|
19
|
<BODY>
|
|
20
|
<table width="100%">
|
|
21
|
<tr>
|
|
22
|
<td class="tablehead" colspan="2"><p class="label">Metacat User
|
|
23
|
Authentication and Access Control</p></td>
|
|
24
|
<td class="tablehead" colspan="2" align="right">
|
|
25
|
<a href="./xmlindex.html">Back</a> | <a href="./metacattour.html">Home</a> |
|
|
26
|
<a href="./metacatout.html">Next</a>
|
|
27
|
</td>
|
|
28
|
</tr>
|
|
29
|
</table>
|
|
30
|
<p><b>Authentication</b></p>
|
|
31
|
<p>Metacat has a public interface for porting authentication
|
|
32
|
schemes to Metacat. Currently LDAP scheme is implemented.
|
|
33
|
LDAP stands for Lightweight Directory Access Protocol.
|
|
34
|
It is optimized database for fast retrival of stored data:
|
|
35
|
It is used by Metacat to store its users and their information.
|
|
36
|
The users can be organized in one or more groups.
|
|
37
|
</p>
|
|
38
|
<P> <img src="auth.gif">
|
|
39
|
<P> <b>Access control in Metacat. </b></p>
|
|
40
|
<ul>
|
|
41
|
<li> Metacat users stored in the LDAP directory database are authenticated to use Metacat services and resources.</li>
|
|
42
|
<li> A persistant session is assigned to an authenticated user.</li>
|
|
43
|
<li> Metacat also allows document level access control via Access Control Lists (ACLs).</li>
|
|
44
|
</ul>
|
|
45
|
<!--<img src="acontrol.gif">-->
|
|
46
|
<b>ACLs</b>
|
|
47
|
<p>Metacat allows a user to set permissions for users or groups on individual documents by using
|
|
48
|
a special XML file called an Access file. The <a href="./packages.html">Package</a> file
|
|
49
|
specifies which documents the Access file refers to.
|
|
50
|
These are the same documents the permissions are assigned for.
|
|
51
|
A sample Access file looks like the following:</p>
|
|
52
|
<pre>
|
|
53
|
<?xml version="1.0"?>
|
|
54
|
<!DOCTYPE acl PUBLIC "-//NCEAS//eml-access-2.0//EN" "eml-access-2.0.dtd">
|
|
55
|
<acl authSystem="knb" order="allowFirst">
|
|
56
|
<identifier>nceas.36.1</identifier>
|
|
57
|
<allow>
|
|
58
|
<principal>jones</principal>
|
|
59
|
<principal>higgins</principal>
|
|
60
|
<principal>berkley</principal>
|
|
61
|
<principal>bojilova</principal>
|
|
62
|
<permission>read</permission>
|
|
63
|
<duration>
|
|
64
|
<startDate>10/9/2000</startDate>
|
|
65
|
<stopDate>10/9/2001</stopDate>
|
|
66
|
</duration>
|
|
67
|
<ticketCount>100</ticketCount>
|
|
68
|
</allow>
|
|
69
|
<allow>
|
|
70
|
<principal>bojilova</principal>
|
|
71
|
<permission>write</permission>
|
|
72
|
<ticketCount>10</ticketCount>
|
|
73
|
</allow>
|
|
74
|
<allow>
|
|
75
|
<principal>reviewers</principal>
|
|
76
|
<permission>read</permission>
|
|
77
|
<ticketCount>5</ticketCount>
|
|
78
|
</allow>
|
|
79
|
<allow>
|
|
80
|
<principal>blankman</principal>
|
|
81
|
<permission>all</permission>
|
|
82
|
</allow>
|
|
83
|
<deny>
|
|
84
|
<principal>eddins</principal>
|
|
85
|
<permission>all</permission>
|
|
86
|
</deny>
|
|
87
|
</acl>
|
|
88
|
</pre>
|
|
89
|
|
|
90
|
<p>This file is read into Metacat like any other XML file. Like
|
|
91
|
<a href="./packages.html">Packages</a> the doctype is checked against
|
|
92
|
the accessdoctype parameter in the <a href="./properties.html">Metacat
|
|
93
|
Properties</a> file. If the doctype matches, special postprocessing
|
|
94
|
is performed on the document and the persmissions described in the file
|
|
95
|
are applied to the specified document.
|
|
96
|
</p>
|
|
97
|
<p>The main tag <acl> has attributes 'order' and 'authSystem'.
|
|
98
|
Order refers to which permission type to process first, allow or deny.
|
|
99
|
The allowed values are "allowFirst" and "denyFirst". The default is "allowFirst".
|
|
100
|
</p>
|
|
101
|
<p>The <identifier> tag specifies the document identifier for the Access file
|
|
102
|
itself as stored in Metacat.
|
|
103
|
</p>
|
|
104
|
<p>Next are the permissions themselves. An allow tag gives permissions to
|
|
105
|
the specified user(s) (<principal>) and a deny tag take the permissions
|
|
106
|
away from the user(s). A principal should be a registered user or group.
|
|
107
|
A timed duration can be set on the permission after
|
|
108
|
which the user(s) will no longer have the specified permission. A ticket count
|
|
109
|
can also be set. This gives the user the number of accesses specified. After
|
|
110
|
the user has accessed the document that number of times, the permissions are
|
|
111
|
revoked.
|
|
112
|
</p>
|
|
113
|
|
|
114
|
<br>
|
|
115
|
<a href="./xmlindex.html">Back</a> | <a href="./metacattour.html">Home</a> |
|
|
116
|
<a href="./metacatout.html">Next</a>
|
|
117
|
</BODY>
|
|
118
|
</HTML>
|
|
119
|
|
