Page History

...

Informal process for PRs
- Two thumbs-up from sprint members will approve a PR
URI constants PR
- No issues to discuss
AccessToClass Handler Interface PR
- Constant should not be mutable
AccessTo handler
- Peter still needs to implement
Example: We have an ACL that points to a resource in Fedora
- How do we determine if the ACL applies to a resource, and what gets returned?
  - Not the ACL itself but a link header that points to the ACL
  - In the case of multiple ACLs, return a link to the most permissive ACL
Do we need an RDF relationship where the resource is the subject and its ACL is the object?
- We do not - the triple will have the ACL as the subject and the protected resource as the object
Are ACLs first-class resources with associated triples, or resources with child hash resources that themselves have associated triples
- Each ACL will be a first class resource with associated triples
- Authorization is an rdf:type
- An ACL resource has an rdf:type of authorization
Global vs. collection-based access-to-class ACLs
- If accessToClass ACLs are global, all access-to-class assertions would need to be in a single ACL
  - Different rules for different collections would not be possible
  - We could get around this by keeping global accessToClass rules at the root node
    - In this way they could be overridden by ACLs at lower level collections
Proposal: Associating ACLs with resources
- Any resource can have a “hasACL” property
- If a resource has such a property it is used, if not we continue walking up the tree until a relevant ACL is found
Proposal: ACLs will be containers with child authorization resources
- ACL container will not contain any assertions about authorization. It is an aggregation of its children
- The child authorization resources contain assertions about authorization
- We traverse the children to determine whether or not a user has access to a resource

08/27

Fedora Tech Meeting

08/28

Updates
- Jared
  - Yesterday
    - PR review
    - Squashing commits
  - Today
    - Refactoring
- Mohamed
  - Yesterday
    - Minor changes to authorization interfaces
    - PR review
  - Today
    - Implementing authorization handler
- Peter
  - Yesterday
    - PR review
    - Discussion
  - Today
    - Refactoring
    - Working on other things that come up in discussion
Much of the week has been spent getting everyone on the same page and developing a shared understanding on the implementation
Things that need to happen:
- Refactoring
  - Initial tie-in point:https://github.com/fcrepo4/fcrepo4/blob/master/fcrepo-auth-common/src/main/java/org/fcrepo/auth/common/ServletContainerAuthenticationProvider.java
    - Entry point for all the work we’re doing
    - Should use this class rather than rewriting it
    - Refactor line 50 and 55
    - Review implementation of principal providers
  - https://github.com/fcrepo4/fcrepo4/blob/master/fcrepo-auth-common/src/main/java/org/fcrepo/auth/common/FedoraUserSecurityContext.java
    - Probably can only use this class for inspiration
  - Review and recommend refactoring if necessary:
    - https://github.com/fcrepo4/fcrepo-module-auth-rbacl/blob/master/fcrepo-auth-roles-common/src/main/java/org/fcrepo/auth/roles/common/AbstractRolesAuthorizationDelegate.java
    - https://github.com/fcrepo4/fcrepo-module-auth-rbacl/blob/master/fcrepo-auth-roles-common/src/main/java/org/fcrepo/auth/roles/common/AccessRolesProvider.java
- Other tasks
  - fcrepo-webapp-plus
    - Need to build in a profile for WebAC configuration
  - Integration tests
    - Leverage existing tests where possible
    - Put together a suite of integration tests in advance of an implementation
  - Documentation
    - Establish 4 scenarios that involve protecting resources with WebAC
    - Document SPARQL-Update recipes for addressing these scenarios

Page tree

Versions Compared

Old Version 3

New Version 4

Key

08/27

08/28

08/31

09/01

09/02

09/03