In WebAC you can use the acl:agentGroup property of an Authorization to point to a resource that holds a list of usernames. This allows you to create and manage groups of users within Fedora, and to assign different permissions to different groups. This how-to will guide you through the process of creating a resource, creating an agentGroup, and limiting access to that resource through an ACL that references that agentGroup.

Prerequisites

Steps

  1. Create these four files:

    acl.ttl:

    @prefix webac: <http://fedora.info/definitions/v4/webac#>.
    @prefix ldp: <http://www.w3.org/ns/ldp#>.
    
    <> a webac:Acl .


    group.ttl:

    @prefix ldp: <http://www.w3.org/ns/ldp#>.
    @prefix vcard: <http://www.w3.org/2006/vcard/ns#> .
    
    <> a vcard:Group;
        vcard:hasMember "testuser".


    foo.ttl:

    @prefix ldp: <http://www.w3.org/ns/ldp#>.
    @prefix acl: <http://www.w3.org/ns/auth/acl#>.
    @prefix dc: <http://purl.org/dc/elements/1.1/>.
    
    # acl:accessControl links the resource to the ACL that governs it
    <> acl:accessControl </fcrepo/rest/acl>;
        dc:title "Hello, World!".


    authz.ttl:

    @prefix acl: <http://www.w3.org/ns/auth/acl#>.
    
    <> a acl:Authorization;
        acl:accessTo </fcrepo/rest/foo>;
        acl:agentGroup </fcrepo/rest/group>;
        acl:mode acl:Read.


  2. Upload these resources into Fedora:

    $ curl -X PUT http://localhost:8080/fcrepo/rest/acl -u fedoraAdmin:secret3 \
        -H "Content-Type: text/turtle" --data-binary @acl.ttl
    $ curl -X PUT http://localhost:8080/fcrepo/rest/foo -u fedoraAdmin:secret3 \
        -H "Content-Type: text/turtle" --data-binary @foo.ttl
    $ curl -X PUT http://localhost:8080/fcrepo/rest/group -u fedoraAdmin:secret3 \
        -H "Content-Type: text/turtle" --data-binary @group.ttl
    $ curl -X PUT http://localhost:8080/fcrepo/rest/acl/authz -u fedoraAdmin:secret3 \
        -H "Content-Type: text/turtle" --data-binary @authz.ttl

    (Note: the order in which you upload these is important, since foo references acl, and authz references foo and group.)

  3. Test that testuser can read the foo resource, while adminuser cannot:

    $ curl -i http://localhost:8080/fcrepo/rest/foo -u testuser:password1
    $ curl -i http://localhost:8080/fcrepo/rest/foo -u adminuser:password2

    The first request should respond with 200 OK, while the second should be 403 Forbidden.

    To allow adminuser to also read the foo resource, we can add adminuser to the members of the group.

  4. Create group.sparql with the following contents:

    group.sparql:

    PREFIX vcard: <http://www.w3.org/2006/vcard/ns#>
    
    # the group resource lists its members with vcard:hasMember, so the
    # new member must be inserted under that same predicate
    INSERT {
        <> vcard:hasMember "adminuser" .
    }
    WHERE {}


  5. Run this command to update the group and add adminuser to it:

    $ curl -i -X PATCH http://localhost:8080/fcrepo/rest/group \
        -u fedoraAdmin:secret3 \
        -H "Content-Type: application/sparql-update" \
        --data-binary @group.sparql

    You should receive a 204 No Content response on success.

  6. Now you should be able to repeat the command from step 3 and successfully retrieve the foo resource as adminuser:

    $ curl -i http://localhost:8080/fcrepo/rest/foo -u adminuser:password2

    This time, you should get a 200 OK response.

Caveats for agentGroup Groups

  • For a group to be useful, the names listed in the vcard:hasMember properties of the group resource referenced by an authorization need to be names that your authentication system will provide to Fedora. Remember, Fedora does no authentication of its own.
  • The purpose of acl:agentGroup groups is distinct from any group mechanism your existing authentication system may have (e.g., LDAP or Active Directory groups). The groups provided by the authentication system are passed to Fedora as security principals, which the WebAC module compares against the acl:agent property. In other words, externally defined groups are opaque to Fedora, so it treats them as simple agents.
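To make the behaviour of steps 3 to 6 and of the two caveats above concrete, here is an added example (not Fedora's code, and not part of the original how-to) that models the WebAC decision over the same documents as in-memory triples: an authorization is applied only if its acl:accessTo and acl:mode match, acl:agent values are compared directly against the principals the authentication layer supplies (which is all an external LDAP or AD group name is to Fedora), and acl:agentGroup is followed to the group resource whose vcard:hasMember values are compared against those principals. The resource paths, the user names and the principal set are taken from the how-to; the triple-store shape and the function names are this example's own assumptions.

```python
"""Toy model of the Fedora 5.x WebAC decision for acl:agentGroup authorizations.

Added example, not Fedora's implementation: it reproduces the 200/403 outcomes
of the how-to offline so the effect of the group PATCH can be checked without a
running repository.
"""
from typing import Set, Tuple

ACL = "http://www.w3.org/ns/auth/acl#"
VCARD = "http://www.w3.org/2006/vcard/ns#"
RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"

# Resource paths from the how-to (host part omitted for brevity).
FOO = "/fcrepo/rest/foo"
ACL_RES = "/fcrepo/rest/acl"
AUTHZ = "/fcrepo/rest/acl/authz"
GROUP = "/fcrepo/rest/group"
READ = ACL + "Read"

# (subject, predicate, object); literals such as "testuser" are kept as plain
# strings alongside IRIs, which is enough for this model.
Triple = Tuple[str, str, str]
Store = Set[Triple]


def build_store() -> Store:
    """Constructed triples equivalent to foo.ttl, authz.ttl and group.ttl."""
    return {
        (FOO, ACL + "accessControl", ACL_RES),
        (AUTHZ, RDF_TYPE, ACL + "Authorization"),
        (AUTHZ, ACL + "accessTo", FOO),
        (AUTHZ, ACL + "agentGroup", GROUP),
        (AUTHZ, ACL + "mode", READ),
        (GROUP, RDF_TYPE, VCARD + "Group"),
        (GROUP, VCARD + "hasMember", "testuser"),
    }


def objects(store: Store, subject: str, predicate: str) -> Set[str]:
    """All objects of (subject, predicate, ?o) in the store."""
    return {o for s, p, o in store if s == subject and p == predicate}


def authorizations(store: Store, acl_iri: str) -> Set[str]:
    """Authorizations live as children of the ACL resource (e.g. /fcrepo/rest/acl/authz)."""
    return {s for s, p, o in store
            if p == RDF_TYPE and o == ACL + "Authorization"
            and s.startswith(acl_iri + "/")}


def add_member(store: Store, group: str, name: str,
               predicate: str = VCARD + "hasMember") -> None:
    """Equivalent of the SPARQL INSERT sent with PATCH in step 5."""
    store.add((group, predicate, name))


def is_allowed(store: Store, resource: str, principals: Set[str], mode: str) -> bool:
    """Decide whether a request carrying `principals` may use `mode` on `resource`.

    `principals` are the names the authentication layer handed to Fedora
    (a user name plus any externally defined group names); Fedora itself
    authenticates nothing.
    """
    for acl_iri in objects(store, resource, ACL + "accessControl"):
        for authz in authorizations(store, acl_iri):
            if resource not in objects(store, authz, ACL + "accessTo"):
                continue
            if mode not in objects(store, authz, ACL + "mode"):
                continue
            # acl:agent: literal names compared directly against every principal;
            # this is the only way an external (LDAP/AD) group name can match.
            if principals & objects(store, authz, ACL + "agent"):
                return True
            # acl:agentGroup: follow the link to the group resource and compare
            # its vcard:hasMember values against the principals.
            for group in objects(store, authz, ACL + "agentGroup"):
                if principals & objects(store, group, VCARD + "hasMember"):
                    return True
    return False


if __name__ == "__main__":
    store = build_store()
    print("testuser  read foo:", is_allowed(store, FOO, {"testuser"}, READ))   # True  -> 200
    print("adminuser read foo:", is_allowed(store, FOO, {"adminuser"}, READ))  # False -> 403
    add_member(store, GROUP, "adminuser")
    print("adminuser read foo after PATCH:",
          is_allowed(store, FOO, {"adminuser"}, READ))                         # True  -> 200
```

Two checks worth running against this model before trusting a real deployment: inserting the new member under a predicate other than vcard:hasMember (for example a leftover foaf:member or vcard:member from a 4.x-era script) grants nothing, and a principal that only matches the group name of an external directory group is never found through acl:agentGroup, only through acl:agent.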

Differences from 4.x

The WebAC implementation in Fedora 4.x used the acl:agentClass predicate to point to group listing resources, and those group listing resources were expected to have the class foaf:Group and identify their members using the foaf:member property. Fedora 5.x changes this to acl:agentGroup pointing to a vcard:Group whose members are listed with vcard:hasMember, to align with the "Groups of Agents" section of the Solid WebAC specification.