...
- David Wilcox
- Andrew Woods
- Nick Ruest
- Joshua Westgard
- Stefano Cossu
- Ben Wallberg
- Peter Eichman
- Karen Estlund
Agenda
Agenda
- Collect stakeholder feedback on Sprint 1
- Review
- Review WebAC fundamentals
- Establish minimum Phase1 scope/use-cases
- Allow admin agent to always have full access to resources and ACLs
- Allow admin agent to CRUD ACLs
- Allow admin agent to assign ACLs to resources
- Allow a specific agent to READ a resource
- Allow a specific agent to READ and WRITE a resource
- Allow a specific agent to CREATE a resource, but not update it
- Allow a specific agent to assign an ACL
- START HERE — Allow a class of agent to do the above (d - g)
- Allow a specific agent to do the above over a class of resources (d - g)
- Allow a class of agent to do the above over a class of resources (d - g)
- When access is denied return a 403 and a body (or link header) with cause
- Reconfirm commitments
- Schedule initial two sprints
- What Phase1 requirements must be addressed in Sprint2?
- Link header
- Remote ACLs
- ...
- Schedule second sprintAddress questions (can also happen offline)
- ACL resource is its own ACL?
- What is the algorithm for finding an ACL on a resource?
- if is ACL (rdf:type Authorization), use itself
- if incoming reference from ACL, use it
- else traverse up ldp:contains or pcdm:hasMember or custom? relationships
How should conflicting policies be handled? e.g... - (userA=WRITE, public=READ) => result of WRITE request from userA? (userA=READ, groupB=WRITE) => result of WRITE request from userA, assuming userA is member of groupB?
- Discuss Phase2 scope/use-cases
- Allow a request from a specific I.P. address (or range?) to do the above for a resource and a class of resources (2.d - g)
- Enforce authorization policy on a resource (or class of resources) based on that resource's association to a licenses (or tag)
- Enforce datetime sensitive authorization polices (i.e. embargos / leases)
- Allow authorization decisions based on nested ACLs (i.e. acl:include)
- Demonstrate pattern for enforcing the same authorization decisions as found in the repository in the context of Solr queries
...
- https://www.w3.org/wiki/WebAccessControl
- https://github.com/duraspace/pcdm/wiki#webacl
- Authorization Delegates
- http://www.w3.org/ns/auth/acl
Minutes
Facilitate Stakeholder Verification
- Enable WebAC feature in fcrepo4-vagrant
- Script the creation of resources and ACLs that correspond to stakeholder use cases
- Stakeholders should provide additional use cases/scenarios as needed to help round out the verification
Sprint 2 Items to address
- Allow a specific agent to CREATE a resource, but not update it
- Currently, ACL resources are protected like other repository resources. Add special protection for ACL resources
- Implement "agent class" support:
- For agent classes that are found within the repository
- For agent classes that are found external to the repository (stretch, do stakeholders want this?)
- Allow repository admins to turn of "agent class" capability
- Implement "remote ACLs", if stakeholders view it as a priority
- Stretch goal: acl:include
Note: Since the WebAC "specification" does not have provisions for time-based authorization, the proposal is to move logic for policies such as leases or embargoes up into the application layer. Question for stakeholders, Is that reasonable?