Attendees
General
- Call-in: Google-hangout at:
Agenda
- Plan Sprint b1
- Themes
- AuthN/Z - next steps
- Policy driven storage - next steps
Minutes
General
- Scott to begin participating this week: Aug
- Scott to create an auth diagram and submit it to the mailing list
- PivotalTracker tickets: https://www.pivotaltracker.com/s/projects/684825
AuthN/Z
- Greg
- Coming from f3 perspective
- Looking for something that is pluggable, but with a strong contract
- Interested in jboss/xacml role-based
- Scott
- Want loose coupling of auth and fedora
- Fedora gets atts, pass them to pdp
- PDP decides if item is accessible
- Greg
- Want at least some metadata conventions that impls can rely on
- Need conventions for roles
- How to determine role from shib?
- Scott
- What roles would f4 be interested in?
- External pdp defines expected roles rights
- Need a central place for all applications to check for access rights
- Conceptual Flow
- Atts collected
- atts from shib
- obj id
- function trying to be performed
- Open question: is the policy stored in f4?
- Some users will want a default impl
- There may be two kinds of tasks:
- Come up with api and default impl
- Default impl is useful for examples for the community
- Allow not using default impl
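The conceptual flow above, written out as an added illustration (not Fedora 4 code or the PDP contract the sprint is meant to produce): the repo collects shib attributes, the object id and the function being performed, hands them to an external PDP, and the PDP decides from those inputs and its own policies alone, without calling back into the repo. The attribute name, the role convention, the datastream-name convention and users a/b/c are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed example of the "attributes -> external PDP -> decision" flow.
# Attribute names, role convention and datastream names are assumptions.

@dataclass(frozen=True)
class AccessRequest:
    subject_attrs: dict   # attributes as received from shib (assumed names)
    object_id: str        # repo path; last segment names the datastream (assumed convention)
    action: str           # function being performed: "read", "update", ...

@dataclass(frozen=True)
class Rule:
    roles: frozenset
    actions: frozenset
    datastream: Optional[str] = None   # None = any datastream; else restrict by name

def roles_from_shib(attrs):
    """Role convention the PDP relies on: one role per affiliation value."""
    return {a for a in attrs.get("eduPersonAffiliation", "").split(";") if a}

class ExternalPDP:
    """Decides only from the passed attributes and its policies; no repo callback."""
    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, req):
        roles = roles_from_shib(req.subject_attrs)
        ds = req.object_id.rsplit("/", 1)[-1]
        for r in self.rules:            # first matching rule permits; otherwise deny
            if (roles & r.roles and req.action in r.actions
                    and r.datastream in (None, ds)):
                return "Permit"
        return "Deny"                   # default deny when no rule matches

class Repo:
    """Repo side: loosely coupled, it only knows the decide() contract."""
    def __init__(self, pdp):
        self.pdp = pdp

    def allowed(self, attrs, object_id, action):
        return self.pdp.decide(AccessRequest(attrs, object_id, action)) == "Permit"

POLICY = [
    Rule(frozenset({"staff"}), frozenset({"read", "update"})),           # staff: full access
    Rule(frozenset({"student"}), frozenset({"read"}), datastream="DC"),  # students: metadata only
]
USERS = {  # constructed shib attribute sets for users a, b, c
    "a": {"eduPersonAffiliation": "staff"},
    "b": {"eduPersonAffiliation": "student"},
    "c": {},  # no affiliation: no role, so default deny
}

def rights(user, object_id, action):
    return Repo(ExternalPDP(POLICY)).allowed(USERS[user], object_id, action)
```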
- Scott
- Interest in keeping policies external to f4
- There is a need to make the same policy decisions in other components of the university infrastructure
- Greg
- Agree, concern that policy in the repo creates security risk
- If policies are external, how to achieve fine-grained access control?
- Policies can be written to restrict by datastream names
- Should pdp be able to call back into the repo?
- This could introduce a significant performance hit
- Adam
- OAuth allows machine to act on a resource on behalf of a user
- Credentials last for a defined amount of time
- We can define oauth "scopes"
- Additional level of policy granularity will be needed
- Use the hierarchy of jcr to drive access control
- Scope: crud and repo geography
- Bruce
- Interest in possibility of not managing pdp themselves
- (Adam) Suggestion: accessing the external pdp through F4 API may work
- Goals from sprint b1
- Greg
- Write up contract of pdp
- Explore jboss impl?
- Users a,b,c can log in, and have different rights
- Bruce
- Willing to validate outcome of sprint
- Adam
- Osman
- Need to be able to integrate CAS
Policy driven storage
Add tickets
- Make policies hot swappable
- Need policy validation
- Need a "property-language" for storage
- Need an iRODS connector
- jaychen (VaTech) is working on the aptrust bagit connector
- Bagit tickets need editing/grooming
Actions