Versions Compared

Old Version 75

changes.mady.by.user Anonymous

Saved on

compared with

New Version Current

changes.mady.by.user David Wilcox

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Excerpt
Fedora 4 authorization is designed to be fine grained, while at the same time manageable by administrators and end users. Authentication is tied to managed by the servlet container or OAuth tokensexternally, but authorization mechanisms are open to extension and many reference implementations are included. Roles-based access control is an included feature that makes permissions more manageable and at the same time easier for external applications to retrieve, index and enforce. Finer grained security checks have no impact on the performance of requests that have a Fedora administrator role.

Use Cases

  1. Researcher Researchers control the polices on their own objects
  2. Distributed authentication and authorization
  3. University of North Carolina at Chapel Hill
    1. Unified Authorization
    2. Setting Individual Permissions
  4. Yale University
    1. Fedora managing access conditions 
    2. Programmers use API for access condition support in external systems, i.e. HydraTitle (goal)
    3. Applications use API for updating access conditions stored in Fedora
  5. University of Wisconsin - Madison
    1.   External authentication and authorization
  6. Islandora
  7. Hydra
  8. Avalon Media System

...

Fedora supports both end users and application users. It is helpful to feed both local and forwarded security credentials into a same pipeline for extracting security principals that are the basis for authorization.

The ability to forward credentials in request headers must be restricted to specific users:

  • In servlet container authentication, forwarding with require the container role of fedoraProxy.
  • In OAuth token authentication, the token must include the scope forward credentials.

Access Roles API

The access roles API allows you manage the assignment of access roles throughout the repository tree. For details, please see the Access Roles Module.

...

Info
titleExtension Point: Policy Enforcement Point (PEP)

A policy enforcement point enforces appropriate access for fedora Fedora users and their proxies, i.e. applications acting on their behalf. One policy enforcement point may be configured at a time.

...

Info
titleReference Implementation: XACML PEP

In Development:  The XACML PEP forwards authorization requests to a XACML policy decision point. It is aware of access roles and may also make determinations on the basis of a wide range of Fedora object and datastream resource properties. Policy sets may be customized for different part of the repository tree. For detail please see the XACML Authorization Delegate.

Authorization for Non-Node REST API

These endpoints in the REST API will require the fedoraAdmin container role or the fedora administrator OAuth token scope:

...

/rest/fcr:tx

...

or OAuth token with equivalent scope

 

OAuth 2.0

...

.

...