Project

General

Profile

1 878 berkley
<!--
2
  * acontrol.html
3
  *
4
  *      Authors: Jivka Bojilova
5
  *    Copyright: 2000 Regents of the University of California and the
6
  *               National Center for Ecological Analysis and Synthesis
7
  *  For Details: http://www.nceas.ucsb.edu/
8
  *      Created: 2000 April 5
9
  *      Version: 0.01
10
  *    File Info: '$Id$'
11
  *
12
  * October Meeting SDSC, 2000
13
-->
14
<HTML>
15
<HEAD>
16
<TITLE>Metacat</TITLE>
17
<link rel="stylesheet" type="text/css" href="@docrooturl@default.css">
18
</HEAD>
19
<BODY>
20
  <table width="100%">
21
    <tr>
22
      <td class="tablehead" colspan="2"><p class="label">Metacat User
23
      Authentication and Access Control</p></td>
24
      <td class="tablehead" colspan="2" align="right">
25
        <a href="./xmlindex.html">Back</a> | <a href="./metacattour.html">Home</a> |
26
        <a href="./metacatout.html">Next</a>
27
      </td>
28
    </tr>
29
  </table>
30
  <p><b>Authentication</b></p>
31
    <p>Metacat has a public interface for porting authentication
32 881 berkley
      schemes to Metacat.  Currently an LDAP scheme is implemented.
33 878 berkley
      LDAP stands for Lightweight Directory Access Protocol.
34 881 berkley
      It is an optimized database for fast retrival of stored data:
35 878 berkley
      It is used by Metacat to store its users and their information.
36
      The users can be organized in one or more groups.
37
    </p>
38
    <P> <img src="auth.gif">
39
    <P> <b>Access control in Metacat. </b></p>
40
    <ul>
41 881 berkley
      <li> Metacat users stored in the LDAP directory database are authenticated
42
      to use Metacat services and resources.</li>
43 878 berkley
      <li> A persistant session is assigned to an authenticated user.</li>
44 881 berkley
      <li> Metacat also allows document level access control via Access Control
45
      Lists (ACLs).</li>
46 878 berkley
    </ul>
47
  <!--<img src="acontrol.gif">-->
48
  <b>ACLs</b>
49 881 berkley
  <p>Metacat allows a user to set permissions for users or groups on individual
50
  documents by using
51
  a special XML file called an Access file.
52
  The <a href="./packages.html">Package</a> file
53 878 berkley
  specifies which documents the Access file refers to.
54
  A sample Access file looks like the following:</p>
55
  <pre>
56
    &lt;?xml version="1.0"?&gt;
57
    &lt;!DOCTYPE acl PUBLIC "-//NCEAS//eml-access-2.0//EN" "eml-access-2.0.dtd"&gt;
58
    &lt;acl authSystem="knb" order="allowFirst"&gt;
59
      &lt;identifier&gt;nceas.36.1&lt;/identifier&gt;
60
      &lt;allow&gt;
61
        &lt;principal&gt;jones&lt;/principal&gt;
62
        &lt;principal&gt;higgins&lt;/principal&gt;
63
        &lt;principal&gt;berkley&lt;/principal&gt;
64
        &lt;principal&gt;bojilova&lt;/principal&gt;
65
        &lt;permission&gt;read&lt;/permission&gt;
66
        &lt;duration&gt;
67
          &lt;startDate&gt;10/9/2000&lt;/startDate&gt;
68
          &lt;stopDate&gt;10/9/2001&lt;/stopDate&gt;
69
        &lt;/duration&gt;
70
        &lt;ticketCount&gt;100&lt;/ticketCount&gt;
71
      &lt;/allow&gt;
72
      &lt;allow&gt;
73
        &lt;principal&gt;bojilova&lt;/principal&gt;
74
        &lt;permission&gt;write&lt;/permission&gt;
75
        &lt;ticketCount&gt;10&lt;/ticketCount&gt;
76
      &lt;/allow&gt;
77
      &lt;allow&gt;
78
        &lt;principal&gt;reviewers&lt;/principal&gt;
79
        &lt;permission&gt;read&lt;/permission&gt;
80
        &lt;ticketCount&gt;5&lt;/ticketCount&gt;
81
      &lt;/allow&gt;
82
      &lt;allow&gt;
83
        &lt;principal&gt;blankman&lt;/principal&gt;
84
        &lt;permission&gt;all&lt;/permission&gt;
85
      &lt;/allow&gt;
86
      &lt;deny&gt;
87
        &lt;principal&gt;eddins&lt;/principal&gt;
88
        &lt;permission&gt;all&lt;/permission&gt;
89
      &lt;/deny&gt;
90
    &lt;/acl&gt;
91
  </pre>
92
93
  <p>This file is read into Metacat like any other XML file.  Like
94
     <a href="./packages.html">Packages</a> the doctype is checked against
95
     the accessdoctype parameter in the <a href="./properties.html">Metacat
96
     Properties</a> file.  If the doctype matches, special postprocessing
97
     is performed on the document and the persmissions described in the file
98
     are applied to the specified document.
99
  </p>
100
  <p>The main tag &lt;acl&gt; has attributes 'order' and 'authSystem'.
101
     Order refers to which permission type to process first, allow or deny.
102
     The allowed values are "allowFirst" and  "denyFirst".  The default is "allowFirst".
103
  </p>
104
  <p>The &lt;identifier&gt; tag specifies the document identifier for the Access file
105
     itself as stored in Metacat.
106
  </p>
107
  <p>Next are the permissions themselves.  An allow tag gives permissions to
108 881 berkley
  the specified user(s) (&lt;principal&gt;) and a deny tag takes the permissions
109 878 berkley
  away from the user(s).  A principal should be a registered user or group.
110
  A timed duration can be set on the permission after
111
  which the user(s) will no longer have the specified permission.  A ticket count
112
  can also be set.  This gives the user the number of accesses specified.  After
113
  the user has accessed the document that number of times, the permissions are
114
  revoked.
115
  </p>
116
117
  <br>
118
  <a href="./xmlindex.html">Back</a> | <a href="./metacattour.html">Home</a> |
119 881 berkley
  <a href="./ldap.html">Next</a>
120 878 berkley
</BODY>
121
</HTML>