Time/Place

This meeting is a hybrid teleconference and IRC chat. Anyone is welcome to join...here's the info:

Attendees

Agenda

  1. XACML Authorization Delegate

Minutes

  • XACML Authorization Delegate (led by Greg Jansen)
    • Had a meeting earlier this week to go over requirements
    • Created a straw man to get feedback
    • Primer on understanding XACML
    • How do we map policies?
      • For a given request, how do we know what is in scope?
    • Complete proposal can be found here.
    • Questions
      • Mike: Does the policy folder need to be a hard requirement?
        • What if people want to distribute policies differently?
        • More referential integrity means this should be a hard requirement
        • The folder could be put somewhere else in the graph
      • Stephano: Will XACML rules overlap with Tomcat roles?
        • It is a drop-in replacement
        • If you are a Fedora Admin Tomcat role you would bypass XACML
        • You can replicate Tomcat roles in XACML
          • Make this a test case
      • Eric: Is the policy combining algorithm global to the repo?
        • At the top of any particular scope you would have one policy set that is in scope for that request
        • Evaluate all and either permit or deny depending on configuration
    • Policies will need to refer to XACML attributes to evaluate requests:
      • Resource attributes
      • Subject attributes
      • Environment attributes
        • Time of request, IP address, etc.
      • Need a way to look for resource and subject attributes
        • Can use JCR 1.0 XPath
        • Greg: Should SPARQL queries replace XPath?
          • Consensus is yes.
    • Questions
      • Eric: What is involved with making attributes available to XACML?
        • Have to create at least one class to look for attributes
        • Define attributes in config, have one class that can parse a configuration to find the data
    • Questions
      • Martin: Rights expression language?
        • Martin: want to use RDF with a rights-expression standard
        • May require additional configuration to support
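
The attribute categories and the combining-algorithm question above, as an added example that is not part of the meeting notes or of the Fedora XACML delegate: a XACML 3.0 policy set that is the single set in scope for one subtree of the repository, with one rule keyed on a subject attribute and one on an environment attribute. The resource prefix /repository/collection1, the role value "editor", and the 08:00 to 18:00 window are assumptions; the attribute identifiers, categories and function URNs are the standard XACML ones.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not part of the meeting notes or of the Fedora project's code.
     Assumed (hypothetical): resource prefix /repository/collection1, role value
     "editor", business hours 08:00-18:00. -->
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
           PolicySetId="urn:example:policyset:collection1"
           Version="1.0"
           PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides">
  <Description>The one policy set in scope for requests under /repository/collection1</Description>

  <!-- Scope: a resource attribute (resource-id) decides which requests this set applies to.
       Requests for other paths fall outside it and evaluate to NotApplicable here. -->
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:3.0:function:string-starts-with">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/repository/collection1</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                               AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="true"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>

  <Policy PolicyId="urn:example:policy:collection1-editors"
          Version="1.0"
          RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides">
    <!-- An empty Target matches every request that reached this policy -->
    <Target/>

    <!-- Subject attribute: permit any access-subject that carries the role "editor" -->
    <Rule RuleId="permit-editors" Effect="Permit">
      <Target>
        <AnyOf>
          <AllOf>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
              <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">editor</AttributeValue>
              <AttributeDesignator Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                                   AttributeId="urn:oasis:names:tc:xacml:2.0:subject:role"
                                   DataType="http://www.w3.org/2001/XMLSchema#string"
                                   MustBePresent="false"/>
            </Match>
          </AllOf>
        </AnyOf>
      </Target>
    </Rule>

    <!-- Environment attribute: deny when the request time is outside 08:00-18:00.
         MustBePresent="true" makes a missing clock attribute Indeterminate instead of
         silently NotApplicable, so the rule cannot be bypassed by omitting the attribute. -->
    <Rule RuleId="deny-outside-business-hours" Effect="Deny">
      <Condition>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:not">
          <Apply FunctionId="urn:oasis:names:tc:xacml:2.0:function:time-in-range">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only">
              <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment"
                                   AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"
                                   DataType="http://www.w3.org/2001/XMLSchema#time"
                                   MustBePresent="true"/>
            </Apply>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">08:00:00</AttributeValue>
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">18:00:00</AttributeValue>
          </Apply>
        </Apply>
      </Condition>
    </Rule>
  </Policy>
</PolicySet>
```

Both rules are evaluated for every request in scope; the combining algorithm decides the outcome. With deny-overrides, an editor requesting at 20:00 is denied because the Deny rule wins over the Permit; with permit-overrides the same request would be permitted. A non-editor during business hours matches neither rule and the set returns NotApplicable, which the delegate must then treat as deny. The subject role here is the value a PEP or attribute finder supplies; replicating Tomcat roles in XACML, as suggested above, means populating that attribute from the container's role list.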

Actions