Old Release

This documentation covers an old version of Fedora.

For any resource that does not have its own ACL, the WebAC authorization module looks in the parent container, and then in each further ancestor, until it reaches the root resource. If there is no user-defined ACL for the root resource either, the repository falls back to a "backstop" ACL defined outside of the repository. A default "backstop" ACL is included in the fcrepo webapp.

The default policy is to allow read access to the repository to any user:

Default "Backstop" ACL
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix acl: <http://www.w3.org/ns/auth/acl#> .
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
@prefix webac: <http://fedora.info/definitions/v4/webac#> .

<info:fedora/fcr:acl> a webac:Acl .

<info:fedora/fcr:acl#authz> a acl:Authorization ;
   rdfs:label "Root Authorization" ;
   rdfs:comment "By default, all non-Admin agents (foaf:Agent) only have read access (acl:Read) to the repository" ;
   acl:agentClass foaf:Agent ;
   acl:mode acl:Read ;
   acl:accessTo <info:fedora/> ;
   acl:default <info:fedora/> .

In most cases, this default is appropriate, but it is also possible to override this with a custom ACL.

The recommended method is to add a configuration value to JAVA_OPTS, pointing to your custom ACL:

Setting a custom "Backstop" ACL
export JAVA_OPTS="${JAVA_OPTS} -Dfcrepo.auth.webac.authorization=/path/to/acl.ttl"

When overriding the default ACL, be aware that the WebAC module expects that file to be in Turtle format.

For instance, in order to prohibit access to the entire repository:

ACL that disallows access by default
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix acl: <http://www.w3.org/ns/auth/acl#> .
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
@prefix webac: <http://fedora.info/definitions/v4/webac#> .

<info:fedora/fcr:acl> a webac:Acl .

# note the lack of an acl:mode predicate
<info:fedora/fcr:acl#authz> a acl:Authorization ;
   rdfs:label "Root Authorization" ;
   acl:agentClass foaf:Agent ;
   acl:accessTo <info:fedora/> ;
   acl:default <info:fedora/> .

Please note that acl:accessTo (and acl:default) in a backstop ACL uses a different URI scheme to refer to Fedora locations, since this file is not aware of the HTTP location of the repository. This keeps the default policy portable across hostname or port changes. The URIs are created by taking info:fedora and appending the repository path: the root thus becomes info:fedora/ and a container at /pcdm becomes info:fedora/pcdm.
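The following is an added example, not code from the Fedora project or this documentation. It models the two points made above: the ACL lookup that walks from a resource up through its ancestors before falling back to the backstop, and the info:fedora URI mapping used inside backstop files. The in-memory "repository" (a dict of paths that carry their own ACL) and the minimal acl:mode reader are constructed for illustration; the reader is not a Turtle parser and only handles the shape of the two backstop files shown on this page.

```python
import re

# Constructed samples: the authorization from the default backstop (grants
# acl:Read to every foaf:Agent) and from the "disallow" variant (no acl:mode,
# so nothing is granted). Prefix declarations are omitted for brevity.
DEFAULT_BACKSTOP = """
<info:fedora/fcr:acl#authz> a acl:Authorization ;
   acl:agentClass foaf:Agent ;
   acl:mode acl:Read ;
   acl:accessTo <info:fedora/> ;
   acl:default <info:fedora/> .
"""

DENY_BACKSTOP = """
<info:fedora/fcr:acl#authz> a acl:Authorization ;
   acl:agentClass foaf:Agent ;
   acl:accessTo <info:fedora/> ;
   acl:default <info:fedora/> .
"""

# Matches the object list of an acl:mode predicate, e.g. "acl:Read, acl:Write".
MODE_RE = re.compile(r"acl:mode\s+([^;.]+)")


def repo_uri(path: str) -> str:
    """Map a repository path to the info:fedora scheme used in backstop ACLs.

    "/" -> "info:fedora/", "/pcdm" -> "info:fedora/pcdm".
    """
    return "info:fedora/" + path.strip("/")


def ancestors(path: str):
    """Yield the path itself, then each parent container, ending at the root "/"."""
    parts = [p for p in path.strip("/").split("/") if p]
    while True:
        yield "/" + "/".join(parts)
        if not parts:
            return
        parts.pop()


def backstop_modes(backstop_turtle: str) -> set:
    """Modes the backstop grants to all non-admin agents (acl:agentClass foaf:Agent).

    Deliberately small: it collects only the objects of acl:mode triples, which is
    all the two constructed files above contain. An authorization with no
    acl:mode, as in DENY_BACKSTOP, grants nothing.
    """
    modes = set()
    for match in MODE_RE.finditer(backstop_turtle):
        for token in match.group(1).split(","):
            modes.add(token.strip())
    return modes


def effective_acl(path: str, resource_acls: dict):
    """Return (owner_path, modes) for the nearest user-defined ACL on the path.

    resource_acls is a constructed model: path -> set of modes that ACL grants.
    (None, None) means no ancestor has an ACL and the backstop applies.
    """
    for candidate in ancestors(path):
        if candidate in resource_acls:
            return candidate, resource_acls[candidate]
    return None, None


def agent_can(path: str, mode: str, resource_acls: dict, backstop_turtle: str) -> bool:
    """Decide whether a non-admin agent holds `mode` on `path` under this configuration."""
    owner, modes = effective_acl(path, resource_acls)
    if owner is None:
        modes = backstop_modes(backstop_turtle)
    return mode in modes


if __name__ == "__main__":
    acls = {"/pcdm": {"acl:Read", "acl:Write"}}  # constructed: only /pcdm carries an ACL
    for target in ("/pcdm/objects/1", "/other"):
        for backstop, name in ((DEFAULT_BACKSTOP, "default"), (DENY_BACKSTOP, "deny")):
            print(target, repo_uri(target), name,
                  "read:", agent_can(target, "acl:Read", acls, backstop))
```

Running the block shows the practical consequence of the deny variant: anything under a container that has its own ACL (here /pcdm) is unaffected by the backstop, while every other path loses the read access the default backstop would have granted.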
