Project

General

Profile

metacat / docs / user / acontrol.html @ 881

1
<!--
2
  * acontrol.html
3
  *
4
  *      Authors: Jivka Bojilova
5
  *    Copyright: 2000 Regents of the University of California and the
6
  *               National Center for Ecological Analysis and Synthesis
7
  *  For Details: http://www.nceas.ucsb.edu/
8
  *      Created: 2000 April 5
9
  *      Version: 0.01
10
  *    File Info: '$Id: acontrol.html 881 2001-12-18 19:50:12Z berkley $'
11
  * 
12
  * October Meeting SDSC, 2000
13
-->
14
<HTML>
15
<HEAD>
16
<TITLE>Metacat</TITLE>
17
<link rel="stylesheet" type="text/css" href="@docrooturl@default.css">
18
</HEAD> 
19
<BODY>
20
  <table width="100%">
21
    <tr>
22
      <td class="tablehead" colspan="2"><p class="label">Metacat User 
23
      Authentication and Access Control</p></td>
24
      <td class="tablehead" colspan="2" align="right">
25
        <a href="./xmlindex.html">Back</a> | <a href="./metacattour.html">Home</a> | 
26
        <a href="./metacatout.html">Next</a>
27
      </td>
28
    </tr>
29
  </table>
30
  <p><b>Authentication</b></p>
31
    <p>Metacat has a public interface for porting authentication 
32
      schemes to Metacat.  Currently an LDAP scheme is implemented. 
33
      LDAP stands for Lightweight Directory Access Protocol. 
34
      It is an optimized database for fast retrival of stored data:
35
      It is used by Metacat to store its users and their information. 
36
      The users can be organized in one or more groups.
37
    </p>
38
    <P> <img src="auth.gif"> 
39
    <P> <b>Access control in Metacat. </b></p>
40
    <ul>
41
      <li> Metacat users stored in the LDAP directory database are authenticated
42
      to use Metacat services and resources.</li>
43
      <li> A persistant session is assigned to an authenticated user.</li>
44
      <li> Metacat also allows document level access control via Access Control 
45
      Lists (ACLs).</li>
46
    </ul>
47
  <!--<img src="acontrol.gif">-->
48
  <b>ACLs</b>
49
  <p>Metacat allows a user to set permissions for users or groups on individual 
50
  documents by using
51
  a special XML file called an Access file.  
52
  The <a href="./packages.html">Package</a> file
53
  specifies which documents the Access file refers to. 
54
  A sample Access file looks like the following:</p>
55
  <pre>
56
    &lt;?xml version="1.0"?&gt;
57
    &lt;!DOCTYPE acl PUBLIC "-//NCEAS//eml-access-2.0//EN" "eml-access-2.0.dtd"&gt;
58
    &lt;acl authSystem="knb" order="allowFirst"&gt;
59
      &lt;identifier&gt;nceas.36.1&lt;/identifier&gt;
60
      &lt;allow&gt;
61
        &lt;principal&gt;jones&lt;/principal&gt;
62
        &lt;principal&gt;higgins&lt;/principal&gt;
63
        &lt;principal&gt;berkley&lt;/principal&gt;
64
        &lt;principal&gt;bojilova&lt;/principal&gt;
65
        &lt;permission&gt;read&lt;/permission&gt;
66
        &lt;duration&gt;
67
          &lt;startDate&gt;10/9/2000&lt;/startDate&gt;
68
          &lt;stopDate&gt;10/9/2001&lt;/stopDate&gt;
69
        &lt;/duration&gt;
70
        &lt;ticketCount&gt;100&lt;/ticketCount&gt;
71
      &lt;/allow&gt;
72
      &lt;allow&gt;
73
        &lt;principal&gt;bojilova&lt;/principal&gt;
74
        &lt;permission&gt;write&lt;/permission&gt;
75
        &lt;ticketCount&gt;10&lt;/ticketCount&gt;
76
      &lt;/allow&gt;
77
      &lt;allow&gt;
78
        &lt;principal&gt;reviewers&lt;/principal&gt;
79
        &lt;permission&gt;read&lt;/permission&gt;
80
        &lt;ticketCount&gt;5&lt;/ticketCount&gt;
81
      &lt;/allow&gt;
82
      &lt;allow&gt;
83
        &lt;principal&gt;blankman&lt;/principal&gt;
84
        &lt;permission&gt;all&lt;/permission&gt;
85
      &lt;/allow&gt;
86
      &lt;deny&gt;
87
        &lt;principal&gt;eddins&lt;/principal&gt;
88
        &lt;permission&gt;all&lt;/permission&gt;
89
      &lt;/deny&gt;
90
    &lt;/acl&gt;
91
  </pre>
92
  
93
  <p>This file is read into Metacat like any other XML file.  Like 
94
     <a href="./packages.html">Packages</a> the doctype is checked against
95
     the accessdoctype parameter in the <a href="./properties.html">Metacat
96
     Properties</a> file.  If the doctype matches, special postprocessing
97
     is performed on the document and the persmissions described in the file
98
     are applied to the specified document.
99
  </p>
100
  <p>The main tag &lt;acl&gt; has attributes 'order' and 'authSystem'.  
101
     Order refers to which permission type to process first, allow or deny.
102
     The allowed values are "allowFirst" and  "denyFirst".  The default is "allowFirst".
103
  </p>
104
  <p>The &lt;identifier&gt; tag specifies the document identifier for the Access file
105
     itself as stored in Metacat.
106
  </p>
107
  <p>Next are the permissions themselves.  An allow tag gives permissions to 
108
  the specified user(s) (&lt;principal&gt;) and a deny tag takes the permissions
109
  away from the user(s).  A principal should be a registered user or group.
110
  A timed duration can be set on the permission after
111
  which the user(s) will no longer have the specified permission.  A ticket count
112
  can also be set.  This gives the user the number of accesses specified.  After
113
  the user has accessed the document that number of times, the permissions are 
114
  revoked. 
115
  </p>
116
    
117
  <br>
118
  <a href="./xmlindex.html">Back</a> | <a href="./metacattour.html">Home</a> | 
119
  <a href="./ldap.html">Next</a>
120
</BODY>
121
</HTML>
122