New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
reusable acl nodes #324
reusable acl nodes #324
Conversation
@@ -59,6 +60,8 @@ | |||
|
|||
public static final Map<String, List<String>> DEFAULT_ACCESS_ROLES = emptyMap(); | |||
|
|||
public static final String ACCESS_ROLES_FOLDER = "/fedora:system/fedora:accessroles"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Instead of defining this twice, simply include value from AccessRoles.java
How are you handling AccessRoles.deleteNodeType()? |
continue; | ||
} | ||
rbaclID = prop.getValues()[0].getString(); | ||
break;//todo test after lunch |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Have you had lunch yet?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
late, but yes
We will need to work out the details of who has write access to an existing ACL node in the fedora:system space. |
"If multiple Fedora resources all reference a central ACL node, who can update that ACL?" Maybe leave it admin for now, but you could always allow these system acls to have their own other systems acls, for the cases where one may want something like a "collection admin" - not full repo-admin - but admin specific to a certain subset of the repo. |
Yes, putting them in their own folder probably means central management of the ACLs, since they do not fall within the hierarchy they limit. I wonder if centralized assignments will be reused often, given there is already a tree. In any case, this implementation makes several improvements to the role namespace. I think a REFERENCE property is definitely the way to link the tree to things like this. I guess the only question is where to assignment nodes go when you use the REST API. If we made it a two step API, then assignments could be created wherever, then linked to the tree. |
} | ||
if (pathFound) { | ||
//rbaclID = prop.getValues()[0].getString(); | ||
rbaclID = prop.getValue().getString(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just wondering if you can dereference the Node directly here, instead of the lookup on L269. prop.getValue().getNode() might be available.
Remaining tasks related to this PR: https://www.pivotaltracker.com/s/projects/684825/stories/70609770 - Remove or modify fcrepo:hasAccessRoles https://www.pivotaltracker.com/s/projects/684825/stories/70587988 - Refactor integration tests to support referenced model of fcrepo4 access control |
Hello @yulgit1, If we don't hear from you before November 20th, 2015, we will close it for you. Thank you! |
Closed as this PR seems no longer relevant |
functionality enabling creation of reusuable acl nodes that can be referenced via fedora:acReference
curl -X POST -H "Content-Type: application/json" --data-binary "@reader_role.txt" "http://testadmin:password@localhost:8080/rest/testaddrole1/fcr:accessroles"
@reader_role.txt
{"testuser":["reader"],"testuser2":["patron","editor","curator"]}
which creates rbacl nodes under:
http://localhost:8080/rest/fedora:system/fedora:accessroles/testaddrole1
curl -X PATCH -H "Content-Type: application/sparql-update" --data-binary "@rbacl_assignment.txt" "http://testadmin:password@localhost:8080/rest/example2"
@rbacl_assignment.txt
INSERT {
<> http://fedora.info/definitions/v4/rest-api#acReference http://localhost:8080/rest/fedora:system/fedora:accessroles/testaddrole1 .
} WHERE { }