Versions Compared

Old Version 31

changes.mady.by.user Greg Jansen

Saved on

compared with

New Version 32

changes.mady.by.user Greg Jansen

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

ModeShape has a pending pull request that implements part of the Access Control spec from JCR 2.0 (MODE-1920). Their implementation includes defined internal node properties and API for manipulating access control lists in the JCR repository. These are features of objects that are only accessed by clients through the AccessControlManager API.

Fedora Admin Authorization Module

This is a very simple, servlet-based authorization system. It's authentication provider will only create sessions for servlet requests that have the fedoraAdmin container role. It authorizes admins users to perform all actions.

XACML Authorization Module

...

  • Owner - This is a read/write role that also allows the user to assign roles to others.
  • Content roles are stored on a Fedora object mixin node - authorization mechanism must enforce edit privileges on this node.
  • Content roles are inherited from higher up in the tree of Fedora objects.
  • New roles may be added assigned lower in the tree of Fedora objects.
  • Role inheritance can be blocked at any point in the tree.
  • Content roles have no effect on the privileges granted to user roles (originating in container auth) or conferred by other means.
  • Roles can be assigned to any security principal that is available in the Fedora security context.
    • This can include things like a user, a named IP range, LDAP group or organizational affiliation.
    • Can be based of on Shibboleth supplied x.520 headers
    • Are there useful CAS attributes other than username? Do CAS implementations use LDAP, for instance?
    • You can also assign roles to the Everyone principal, present in every Fedora security context.
  • A query can retrieve all content roles assigned to an object or a principal.

...

Fedora provides a reference set of XACML policies formulated around each content rolesrole. These policies are written per role, so you can add whichever role/policy combinations you need to your repository. These example policies can be modified to support authorization specific to a repository.

  • Do we support policies with additive permissions? (role B policy has all permissions of role A policy)
  • Provide examples of custom attributes being used in policies (a publication flag or embargo date, for instance)

...