reusable acl nodes #324
reusable acl nodes #324
Conversation
| @@ -59,6 +60,8 @@ | |||
|
|
|||
| public static final Map<String, List<String>> DEFAULT_ACCESS_ROLES = emptyMap(); | |||
|
|
|||
| public static final String ACCESS_ROLES_FOLDER = "/fedora:system/fedora:accessroles"; | |||
There was a problem hiding this comment.
Instead of defining this twice, simply include value from AccessRoles.java
|
How are you handling AccessRoles.deleteNodeType()? |
| continue; | ||
| } | ||
| rbaclID = prop.getValues()[0].getString(); | ||
| break;//todo test after lunch |
|
We will need to work out the details of who has write access to an existing ACL node in the fedora:system space. |
|
"If multiple Fedora resources all reference a central ACL node, who can update that ACL?" Maybe leave it admin for now, but you could always allow these system acls to have their own other systems acls, for the cases where one may want something like a "collection admin" - not full repo-admin - but admin specific to a certain subset of the repo. |
|
Yes, putting them in their own folder probably means central management of the ACLs, since they do not fall within the hierarchy they limit. I wonder if centralized assignments will be reused often, given there is already a tree. In any case, this implementation makes several improvements to the role namespace. I think a REFERENCE property is definitely the way to link the tree to things like this. I guess the only question is where to assignment nodes go when you use the REST API. If we made it a two step API, then assignments could be created wherever, then linked to the tree. |
| } | ||
| if (pathFound) { | ||
| //rbaclID = prop.getValues()[0].getString(); | ||
| rbaclID = prop.getValue().getString(); |
There was a problem hiding this comment.
Just wondering if you can dereference the Node directly here, instead of the lookup on L269. prop.getValue().getNode() might be available.
|
Remaining tasks related to this PR: https://www.pivotaltracker.com/s/projects/684825/stories/70609770 - Remove or modify fcrepo:hasAccessRoles https://www.pivotaltracker.com/s/projects/684825/stories/70587988 - Refactor integration tests to support referenced model of fcrepo4 access control |
|
Hello @yulgit1, If we don't hear from you before November 20th, 2015, we will close it for you. Thank you! |
|
Closed as this PR seems no longer relevant |
functionality enabling creation of reusuable acl nodes that can be referenced via fedora:acReference
curl -X POST -H "Content-Type: application/json" --data-binary "@reader_role.txt" "http://testadmin:password@localhost:8080/rest/testaddrole1/fcr:accessroles"
@reader_role.txt
{"testuser":["reader"],"testuser2":["patron","editor","curator"]}
which creates rbacl nodes under:
http://localhost:8080/rest/fedora:system/fedora:accessroles/testaddrole1
curl -X PATCH -H "Content-Type: application/sparql-update" --data-binary "@rbacl_assignment.txt" "http://testadmin:password@localhost:8080/rest/example2"
@rbacl_assignment.txt
INSERT {
<> http://fedora.info/definitions/v4/rest-api#acReference http://localhost:8080/rest/fedora:system/fedora:accessroles/testaddrole1 .
} WHERE { }