Time/Place
- Time: 3:00pm Eastern Daylight Time US (UTC-4)
- Call-in:
- Dial-in Number: (712) 775-7035
- Participant Code: 479307#
- International numbers: Conference Call Information
- Web Access: https://www.freeconferencecallhd.com/wp-content/themes/responsive/flashphone/flash-phone.php
Attendees
- David Wilcox
- Andrew Woods
- Nick Ruest
- Unknown User (acoburn)
- Jared Whiklo
- Joshua Westgard
- Mohamed Mohideen Abdul Rasheed
- Stefano Cossu
Agenda
- Collect stakeholder feedback on Sprint 1
- UMD Stakeholder Feedback on Phase 1
- Can we involve stakeholders during the sprint?
- What Phase1 requirements must be addressed in Sprint 2?
- Previously defined Phase 1 requirements
- Additional and restated requirements below
- Schedule Sprint 2 planning meeting: Oct 26
Candidate Sprint 2 Requirements
- Enforce ACLs on ACL resources with filesystem-based backstop
- Add ACL uris to response headers as "Link: <acl-uri>; rel=acl"
- Implement acl:Control, acl:Append, and acl:Delete modes
- F4 MUST provide a way for external services such as Solr to enforce the authorization rules defined in the repository
- Enforce ACLs on binary files
- More documentation
- Support external ACLs (ACLs not managed by fedora)
- Add support for agentClass graphs defined within F4
- Add support for agentClass graphs defined external to F4
- Verify header-based (delegated) authentication is supported (where headers are used to define the effective agent, independent of any container-based AuthN)
- Support for inclusion of other ACLs via acl:include
- Fix bug with versioned resources:
- Make webac and audit default configuration in fcrepo-webapp-plus:
Related Documents
- https://www.w3.org/wiki/WebAccessControl
- https://github.com/duraspace/pcdm/wiki#webacl
- Authorization Delegates
- http://www.w3.org/ns/auth/acl
Minutes
Collect stakeholder feedback on Sprint 1
- Suggestion: Include stakeholders during sprint-2 to help work through issues with the sprint-1 verification process.
- This should also result in new integration tests (translations of stakeholders' scenarios)
- Additional curl examples for creation and testing may be helpful
- UPDATE 2015-10-20: curl commands for populating a small test repository are here: WebAC Testing: Creating Resources and Authorizations
What Phase1 requirements must be addressed in Sprint 2?
- https://wiki.duraspace.org/display/FF/Design+-+WebAccessControl+Authorization+Delegate#Design-WebAccessControlAuthorizationDelegate-ProposedRequirements(Phase1)
- Note re: 3a: Sprint-1 implementation does not confine ACLs to reside in a "preconfigured location", but they can instead exist anywhere within the repository.
- Note: union of DELETE and UPDATE = WRITE
Proposed Sprint-2 Requirements
1. Include in sprint-2: Enforce ACLs...
2. Not high-priority, nice to have: Add ACL...
3. Include in sprint-2: Implement acl:Control...
- Further meetings/emails are required to discuss mode definitions
4. Include in sprint-2: F4 MUST provide...
- Solr: document existing patterns
- Triplestore: investigate approaches and document
- Nick to lead investigation on protecting triplestores
5. Include in sprint-2: Enforce ACLs on binary files
6. Include in sprint-2: More documentation
7. Not high-priority, nice to have: Support external ACLs...
8. Include in sprint-2: Add support for agentClass graphs defined within F4
- and document it
9. Not high-priority, nice to have: Add support for agentClass graphs defined external to F4
- does the resource need to be public or can it be protected?
- not for this sprint, if implemented at all
10. Include in sprint-2: Verify header-based...
- More discussion needed to clarify possible scenarios
11. NOT in sprint-2: Support for inclusion of other ACLs via acl:include
- Risk due to vague relationship in spec
12. Include in sprint-2: Fix bug with versioned resources
13. Include in sprint-2: Make webac and audit default configuration in fcrepo-webapp-plus
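The requirement items above (modes including acl:Control and acl:Delete, Write as the union of update and delete, agentClass graphs defined within F4, enforcing ACLs on the ACL resources themselves with a filesystem backstop) are easier to reason about with a decision function in front of you. The following is an added, illustrative evaluator written for these notes; it is not Fedora's WebAC authorization delegate and makes several assumptions that the notes leave open: the nearest ACL on the resource or an ancestor applies (inheritance by path prefix), an acl:accessTo on a container covers its descendants, reading or changing an ACL resource requires acl:Control on the resource it protects, acl:Delete is treated as a mode even though it is not in the W3C vocabulary, and "backstop" admins come from configuration outside the repository. Paths, agent URIs and the group are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterator, List, Optional, Set

# Modes from http://www.w3.org/ns/auth/acl. acl:Delete is listed in the sprint
# candidates but is not in the W3C vocabulary; treating it as a mode is an
# assumption of this example.
READ, WRITE, APPEND, CONTROL, DELETE = "Read", "Write", "Append", "Control", "Delete"
FOAF_AGENT = "http://xmlns.com/foaf/0.1/Agent"  # acl:agentClass foaf:Agent = everyone

# Any one of these modes authorizes the HTTP method. Write covers both update
# and delete, per the minutes ("union of DELETE and UPDATE = WRITE").
REQUIRED_MODES: Dict[str, Set[str]] = {
    "GET": {READ}, "HEAD": {READ},
    "PUT": {WRITE}, "PATCH": {WRITE},
    "POST": {WRITE, APPEND},
    "DELETE": {WRITE, DELETE},
}


@dataclass(frozen=True)
class Authorization:
    """One acl:Authorization: who (agents / agentClasses) may do what (modes) to which paths."""
    access_to: FrozenSet[str]                    # acl:accessTo
    modes: FrozenSet[str]                        # acl:mode
    agents: FrozenSet[str] = frozenset()         # acl:agent
    agent_classes: FrozenSet[str] = frozenset()  # acl:agentClass


def ancestors(path: str) -> Iterator[str]:
    """Yield the path and each ancestor up to the root: /a/b -> /a/b, /a, /."""
    while True:
        yield path
        if path == "/":
            return
        path = path.rsplit("/", 1)[0] or "/"


class WebAcRepository:
    def __init__(self, acls: Dict[str, List[Authorization]], acl_for: Dict[str, str],
                 agent_classes: Dict[str, Set[str]], backstop_admins: FrozenSet[str] = frozenset()):
        self.acls = acls                        # protected path -> its ACL (list of Authorization)
        self.acl_for = acl_for                  # ACL resource path -> the path it protects
        self.agent_classes = agent_classes      # agentClass URI -> member agents (defined within the repo)
        self.backstop_admins = backstop_admins  # admins from filesystem config (the "backstop"); assumption

    def effective_acl(self, path: str) -> List[Authorization]:
        """Nearest ACL on the resource or an ancestor (inheritance by path is an assumption)."""
        for p in ancestors(path):
            if p in self.acls:
                return self.acls[p]
        return []

    def _agent_matches(self, auth: Authorization, agent: Optional[str]) -> bool:
        if agent is not None and agent in auth.agents:
            return True
        return any(cls == FOAF_AGENT or (agent is not None and agent in self.agent_classes.get(cls, ()))
                   for cls in auth.agent_classes)

    def is_authorized(self, agent: Optional[str], method: str, path: str) -> bool:
        """Default-deny decision for `agent` (None = unauthenticated) doing `method` on `path`."""
        if agent is not None and agent in self.backstop_admins:
            return True
        if path in self.acl_for:
            # Reading or changing an ACL requires Control on the resource it protects (assumption).
            target, required = self.acl_for[path], {CONTROL}
        else:
            target, required = path, REQUIRED_MODES.get(method, set())
        targets = set(ancestors(target))  # an accessTo on a container covers its descendants
        return any(
            auth.access_to & targets and auth.modes & required and self._agent_matches(auth, agent)
            for auth in self.effective_acl(target)
        )


ALICE, BOB = "http://example.org/people/alice", "http://example.org/people/bob"
STAFF = "http://example.org/groups/staff"  # agentClass graph defined within the repository (constructed)


def sample_repository() -> WebAcRepository:
    """Constructed repository: public collection, staff-only drafts, alice controls the collection ACL."""
    acls = {
        "/collection": [
            Authorization(frozenset({"/collection"}), frozenset({READ}), agent_classes=frozenset({FOAF_AGENT})),
            Authorization(frozenset({"/collection"}), frozenset({READ, WRITE}), agent_classes=frozenset({STAFF})),
            Authorization(frozenset({"/collection"}), frozenset({CONTROL}), agents=frozenset({ALICE})),
        ],
        "/collection/drafts": [
            Authorization(frozenset({"/collection/drafts"}), frozenset({READ, APPEND}), agent_classes=frozenset({STAFF})),
        ],
    }
    acl_for = {"/collection/acl": "/collection", "/collection/drafts/acl": "/collection/drafts"}
    groups = {STAFF: {ALICE, BOB}}
    return WebAcRepository(acls, acl_for, groups, backstop_admins=frozenset({"fedoraAdmin"}))


if __name__ == "__main__":
    repo = sample_repository()
    for agent, method, path in [(None, "GET", "/collection/item1"), (BOB, "DELETE", "/collection/drafts/d1"),
                                (BOB, "PUT", "/collection/acl"), (ALICE, "PUT", "/collection/drafts/acl")]:
        print(agent, method, path, "->", repo.is_authorized(agent, method, path))
```

Two behaviours worth noticing when running it: bob may POST (Append) to the drafts container but may not DELETE inside it, because the nearer drafts ACL grants Read and Append only and Delete is only reachable through Write or Delete; and nobody but the backstop admin can edit the drafts ACL, because that ACL grants no Control, which is exactly the lockout that item 1's filesystem-based backstop exists to recover from.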
Developer Sprint-2 Planning Meeting
- 11am meeting on 10/26
4 Comments
Stefano Cossu
I apologize for the long delay in my feedback, but I have been trying to get Shibboleth authentication integrated with Tomcat to verify that the header principal provider works as expected.
I have fcrepo.log.auth set to DEBUG but I cannot see any debug statements mentioning the principals set by HttpHeaderPrincipalProvider. Either the SAML headers are not making it past httpd, or the principal provider is not recognizing them, or there are actually no debug calls for that in the code.
Can anybody give me a hint on how to verify the SAML headers, possibly without patching the code?
Thanks.
Andrew Woods
Peter Eichman, you have been working on both WebAC logging and the header principal. Would you be able to help Stefano Cossu out?
Peter Eichman
Stefano Cossu, unfortunately, there is no logging of the principals found in the existing HttpHeaderPrincipalProvider class, or in the ServletContainerAuthenticationProvider#collectPrincipals method.
Andrew Woods, I can file a ticket and implement more logging in fcrepo-auth-common. It would certainly help me too, as I am currently also working on authentication integration issues.
Ticket created:
Stefano Cossu
Excellent, Peter Eichman. Thanks a lot.
Once I get the Shibboleth headers available in Fedora I am planning to open a Wiki page with my step-by-step process so it can hopefully help other implementers.
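Item 10 above (header-based, delegated authentication) and the thread about HttpHeaderPrincipalProvider both turn on the same two questions: which principals a given header yields, and when the header may be trusted at all. The following is an added example written for these notes, not code from fcrepo-auth-common or from anyone in the thread. It models a header principal provider loosely (a configured header name and separator, which is how the real provider is configured; everything else here is an assumption), adds the DEBUG log line Peter describes as missing, and adds a trust check that the page does not describe: the identity header is honoured only when the request arrives from the authenticating proxy, since otherwise any client can set the header itself and become any agent. The logger name, header name, addresses and requests are constructed.

```python
import logging
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, Mapping, Set

# Logger name chosen to mirror the one mentioned in the thread; an assumption.
log = logging.getLogger("fcrepo.log.auth")


def extract_principals(headers: Mapping[str, str], header_name: str, separator: str = ",") -> Set[str]:
    """Split the configured header into principal names.

    Header names are matched case-insensitively; empty entries are dropped.
    This is what a header principal provider is assumed to do with the header
    the front-end proxy (e.g. httpd with Shibboleth) sets after authenticating.
    """
    wanted = header_name.lower()
    found: Set[str] = set()
    for name, value in headers.items():
        if name.lower() == wanted:
            found.update(p.strip() for p in value.split(separator) if p.strip())
    log.debug("principals from header %s: %s", header_name, sorted(found))
    return found


def effective_principals(remote_addr: str, headers: Mapping[str, str], header_name: str,
                         separator: str, trusted_proxies: Iterable[str]) -> Set[str]:
    """Trust the identity header only when the request came from the authenticating proxy.

    Without this check (or the proxy stripping client-supplied copies of the
    header before adding its own) header-based AuthN is trivially spoofable.
    """
    peer = ip_address(remote_addr)
    if not any(peer in ip_network(net) for net in trusted_proxies):
        log.warning("ignoring %s header from untrusted peer %s", header_name, remote_addr)
        return set()
    return extract_principals(headers, header_name, separator)


# Constructed requests, not captured traffic: one via the proxy, one straight from a client
# that set the header itself.
VIA_PROXY = ("127.0.0.1", {"Host": "fedora.example.org", "some-header": "alice,staff"})
DIRECT = ("203.0.113.7", {"Host": "fedora.example.org", "SOME-HEADER": "fedoraAdmin"})
TRUSTED_PROXIES = ["127.0.0.1/32", "10.0.0.0/8"]


def demo() -> Dict[str, Set[str]]:
    """Principals each constructed request ends up with under the trust check."""
    return {
        "via_proxy": effective_principals(*VIA_PROXY, "some-header", ",", TRUSTED_PROXIES),
        "direct": effective_principals(*DIRECT, "some-header", ",", TRUSTED_PROXIES),
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    print(demo())
```

Run with DEBUG logging enabled and the first request logs the principals found (alice, staff) while the second is refused before the header is even parsed. In a real deployment the check belongs at the network boundary as well: Tomcat should not be reachable except through httpd, and httpd should overwrite rather than pass through any client-supplied copy of the identity header.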