<!--
  * acontrol.html
  *
  * Authors: Jivka Bojilova
  * Copyright: 2000 Regents of the University of California and the
  *            National Center for Ecological Analysis and Synthesis
  * For Details: http://www.nceas.ucsb.edu/
  * Created: 2000 April 5
  * Version: 0.01
  * File Info: '$Id$'
  *
  * October Meeting SDSC, 2000
-->
<HTML>
<HEAD>
<TITLE>Metacat</TITLE>
<link rel="stylesheet" type="text/css" href="@docrooturl@default.css">
</HEAD>
<BODY>
<table width="100%">
<tr>
<td class="tablehead" colspan="2"><p class="label">Metacat User
Authentication and Access Control</p></td>
<td class="tablehead" colspan="2" align="right">
<a href="./xmlindex.html">Back</a> | <a href="./metacattour.html">Home</a> |
<a href="./metacatout.html">Next</a>
</td>
</tr>
</table>
<p><b>Authentication</b></p>
<p>Metacat has a public interface for porting authentication
schemes to Metacat. Currently an LDAP scheme is implemented.
LDAP stands for Lightweight Directory Access Protocol.
It is a database optimized for fast retrieval of stored data.
Metacat uses it to store its users and their information.
The users can be organized in one or more groups.
</p>
<p><img src="auth.gif"></p>
<p><b>Access control in Metacat.</b></p>
<ul>
<li> Metacat users stored in the LDAP directory database are authenticated
to use Metacat services and resources.</li>
<li> A persistent session is assigned to an authenticated user.</li>
<li> Metacat also allows document level access control via Access Control
Lists (ACLs).</li>
</ul>
<!--<img src="acontrol.gif">-->
<b>ACLs</b>
<p>Metacat allows a user to set permissions for users or groups on individual
documents by using a special XML file called an Access file.
The <a href="./packages.html">Package</a> file
specifies which documents the Access file refers to.
A sample Access file looks like the following:</p>
<pre>
&lt;?xml version="1.0"?&gt;
&lt;!DOCTYPE acl PUBLIC "-//NCEAS//eml-access-2.0//EN" "eml-access-2.0.dtd"&gt;
&lt;acl authSystem="knb" order="allowFirst"&gt;
  &lt;identifier&gt;nceas.36.1&lt;/identifier&gt;
  &lt;allow&gt;
    &lt;principal&gt;jones&lt;/principal&gt;
    &lt;principal&gt;higgins&lt;/principal&gt;
    &lt;principal&gt;berkley&lt;/principal&gt;
    &lt;principal&gt;bojilova&lt;/principal&gt;
    &lt;permission&gt;read&lt;/permission&gt;
    &lt;duration&gt;
      &lt;startDate&gt;10/9/2000&lt;/startDate&gt;
      &lt;stopDate&gt;10/9/2001&lt;/stopDate&gt;
    &lt;/duration&gt;
    &lt;ticketCount&gt;100&lt;/ticketCount&gt;
  &lt;/allow&gt;
  &lt;allow&gt;
    &lt;principal&gt;bojilova&lt;/principal&gt;
    &lt;permission&gt;write&lt;/permission&gt;
    &lt;ticketCount&gt;10&lt;/ticketCount&gt;
  &lt;/allow&gt;
  &lt;allow&gt;
    &lt;principal&gt;reviewers&lt;/principal&gt;
    &lt;permission&gt;read&lt;/permission&gt;
    &lt;ticketCount&gt;5&lt;/ticketCount&gt;
  &lt;/allow&gt;
  &lt;allow&gt;
    &lt;principal&gt;blankman&lt;/principal&gt;
    &lt;permission&gt;all&lt;/permission&gt;
  &lt;/allow&gt;
  &lt;deny&gt;
    &lt;principal&gt;eddins&lt;/principal&gt;
    &lt;permission&gt;all&lt;/permission&gt;
  &lt;/deny&gt;
&lt;/acl&gt;
</pre>

<p>This file is read into Metacat like any other XML file. As with
<a href="./packages.html">Packages</a>, the doctype is checked against
the accessdoctype parameter in the <a href="./properties.html">Metacat
Properties</a> file. If the doctype matches, special postprocessing
is performed on the document and the permissions described in the file
are applied to the specified document.
</p>
<p>The main tag &lt;acl&gt; has the attributes 'order' and 'authSystem'.
Order refers to which permission type to process first, allow or deny.
The allowed values are "allowFirst" and "denyFirst". The default is "allowFirst".
</p>
<p>The &lt;identifier&gt; tag specifies the document identifier for the Access file
itself as stored in Metacat.
</p>
<p>Next are the permissions themselves. An allow tag gives permissions to
the specified user(s) (&lt;principal&gt;) and a deny tag takes the permissions
away from the user(s). A principal should be a registered user or group.
A timed duration can be set on the permission, after
which the user(s) will no longer have the specified permission. A ticket count
can also be set; this gives the user the specified number of accesses. After
the user has accessed the document that number of times, the permission is
revoked.
</p>
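<p>The following is an added example, not code from Metacat or this page's author.
It parses the sample Access file above, performs the doctype check against an
accessdoctype value, and decides a request from the allow/deny rules, honouring
order, duration and ticketCount. The evaluation semantics are assumptions not
stated on the page: with "allowFirst" the allow rules are applied first and the
deny rules afterwards, the last matching rule winning (so a deny overrides an
allow), and "denyFirst" is the reverse; a permission of "all" covers every
permission; the number of accesses already made is tracked by the caller. The
ACCESS_DOCTYPE value and the helper names are likewise assumptions.</p>

```python
"""Evaluate a Metacat-style Access file (added example, not Metacat code)."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, List, Optional

# Assumed value of the accessdoctype property in the Metacat Properties file,
# chosen to match the public identifier of the page's sample Access file.
ACCESS_DOCTYPE = "-//NCEAS//eml-access-2.0//EN"

# Constructed copy of the sample Access file shown on the page.
SAMPLE_ACL = """<?xml version="1.0"?>
<!DOCTYPE acl PUBLIC "-//NCEAS//eml-access-2.0//EN" "eml-access-2.0.dtd">
<acl authSystem="knb" order="allowFirst">
  <identifier>nceas.36.1</identifier>
  <allow>
    <principal>jones</principal><principal>higgins</principal>
    <principal>berkley</principal><principal>bojilova</principal>
    <permission>read</permission>
    <duration><startDate>10/9/2000</startDate><stopDate>10/9/2001</stopDate></duration>
    <ticketCount>100</ticketCount>
  </allow>
  <allow><principal>bojilova</principal><permission>write</permission>
         <ticketCount>10</ticketCount></allow>
  <allow><principal>reviewers</principal><permission>read</permission>
         <ticketCount>5</ticketCount></allow>
  <allow><principal>blankman</principal><permission>all</permission></allow>
  <deny><principal>eddins</principal><permission>all</permission></deny>
</acl>
"""


@dataclass(frozen=True)
class Rule:
    kind: str                    # "allow" or "deny"
    principals: FrozenSet[str]   # users or groups named in the rule
    permissions: FrozenSet[str]  # "read", "write", "all", ...
    start: Optional[datetime]    # duration window, if any
    stop: Optional[datetime]
    tickets: Optional[int]       # ticketCount, if any

    def matches(self, identities, permission, at, accesses_so_far):
        """True if the rule applies to this request. Exhausted tickets only
        switch off an allow rule (assumption); a deny is never lifted by them."""
        if not (self.principals & identities):
            return False
        if permission not in self.permissions and "all" not in self.permissions:
            return False
        if (self.start and at < self.start) or (self.stop and at > self.stop):
            return False
        if self.kind == "allow" and self.tickets is not None \
                and accesses_so_far >= self.tickets:
            return False
        return True


@dataclass(frozen=True)
class Acl:
    identifier: str
    order: str
    rules: List[Rule]


def is_access_file(xml_text, expected_doctype=ACCESS_DOCTYPE):
    """The doctype check the page describes: public id must equal accessdoctype."""
    m = re.search(r'<!DOCTYPE\s+acl\s+PUBLIC\s+"([^"]+)"', xml_text)
    return m is not None and m.group(1) == expected_doctype


def parse_acl(xml_text, expected_doctype=ACCESS_DOCTYPE):
    if not is_access_file(xml_text, expected_doctype):
        raise ValueError("doctype does not match the accessdoctype property")
    root = ET.fromstring(xml_text)
    order = root.get("order", "allowFirst")  # page: the default is allowFirst
    if root.tag != "acl" or order not in ("allowFirst", "denyFirst"):
        raise ValueError("malformed <acl> element")

    def date(rule, tag):  # dates in the sample are written M/D/YYYY
        node = rule.find("duration/" + tag)
        return None if node is None else datetime.strptime(node.text.strip(), "%m/%d/%Y")

    rules = []
    for rule in root:
        if rule.tag not in ("allow", "deny"):
            continue
        ticket = rule.find("ticketCount")
        rules.append(Rule(
            kind=rule.tag,
            principals=frozenset(p.text.strip() for p in rule.findall("principal")),
            permissions=frozenset(p.text.strip() for p in rule.findall("permission")),
            start=date(rule, "startDate"), stop=date(rule, "stopDate"),
            tickets=None if ticket is None else int(ticket.text)))
    return Acl(root.findtext("identifier", "").strip(), order, rules)


def has_permission(acl, user, groups, permission, at, accesses_so_far=0):
    """Default deny. Rules of the first-ordered kind run first, then the other
    kind; the last rule that matches decides (assumed semantics)."""
    identities = frozenset([user, *groups])
    first, second = ("allow", "deny") if acl.order == "allowFirst" else ("deny", "allow")
    decision = False
    for kind in (first, second):
        for rule in acl.rules:
            if rule.kind == kind and rule.matches(identities, permission, at, accesses_so_far):
                decision = (kind == "allow")
    return decision


def check(user, groups, permission, when, accesses_so_far=0, acl_text=SAMPLE_ACL):
    """Convenience wrapper taking an ISO date string such as "2001-01-01"."""
    return has_permission(parse_acl(acl_text), user, groups, permission,
                          datetime.fromisoformat(when), accesses_so_far)


if __name__ == "__main__":
    print("jones read on 2001-01-01:", check("jones", [], "read", "2001-01-01"))
    print("eddins (in reviewers) read:", check("eddins", ["reviewers"], "read", "2001-01-01"))
```

<p>Two points the sample makes visible when run: a group grant such as
"reviewers" does not help a principal who is named in a deny rule under
allowFirst, and a rule whose tickets are exhausted or whose duration has passed
simply stops matching, so the decision falls back to deny.</p>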

<br>
<a href="./xmlindex.html">Back</a> | <a href="./metacattour.html">Home</a> |
<a href="./ldap.html">Next</a>
</BODY>
</HTML>