In WebAC you can use the acl:agentClass property of an Authorization to point to a resource that holds a list of usernames. This allows you to create and manage groups of users within Fedora, and to assign different permissions to different groups. This how-to will guide you through the process of creating a resource, creating an agentClass group, and limiting access to that resource through an ACL that references that agentClass group.
Create these four files (the file names are the ones used by the curl commands below):

acl.ttl:

@prefix webac: <http://fedora.info/definitions/v4/webac#> .
@prefix ldp: <http://www.w3.org/ns/ldp#> .

<> a webac:Acl .

group.ttl:

@prefix ldp: <http://www.w3.org/ns/ldp#> .
@prefix foaf: <http://xmlns.com/foaf/0.1/> .

<> a foaf:Group ;
   foaf:member "testuser" .

foo.ttl (the resource links to its ACL with acl:accessControl; note that there is no "a" before the predicate):

@prefix ldp: <http://www.w3.org/ns/ldp#> .
@prefix acl: <http://www.w3.org/ns/auth/acl#> .
@prefix dc: <http://purl.org/dc/elements/1.1/> .

<> acl:accessControl </fcrepo/rest/acl> ;
   dc:title "Hello, World!" .

authz.ttl:

@prefix acl: <http://www.w3.org/ns/auth/acl#> .

<> a acl:Authorization ;
   acl:accessTo </fcrepo/rest/foo> ;
   acl:agentClass </fcrepo/rest/group> ;
   acl:mode acl:Read .
Upload these resources into Fedora:
$ curl -X PUT http://localhost:8080/fcrepo/rest/acl -u fedoraAdmin:secret3 \
    -H "Content-Type: text/turtle" --data-binary @acl.ttl
$ curl -X PUT http://localhost:8080/fcrepo/rest/foo -u fedoraAdmin:secret3 \
    -H "Content-Type: text/turtle" --data-binary @foo.ttl
$ curl -X PUT http://localhost:8080/fcrepo/rest/group -u fedoraAdmin:secret3 \
    -H "Content-Type: text/turtle" --data-binary @group.ttl
$ curl -X PUT http://localhost:8080/fcrepo/rest/acl/authz -u fedoraAdmin:secret3 \
    -H "Content-Type: text/turtle" --data-binary @authz.ttl
(Note: the order you upload these in is important, since foo references acl, and authz references foo and group.)
Test that testuser can read the foo resource, while adminuser cannot:
$ curl -i http://localhost:8080/fcrepo/rest/foo -u testuser:password1
$ curl -i http://localhost:8080/fcrepo/rest/foo -u adminuser:password2
The first request should respond with 200 OK, while the second should be 403 Forbidden.
To allow adminuser to also read the foo resource, we can add adminuser to the members of the group.
Create group.sparql with the following contents:
PREFIX foaf: <http://xmlns.com/foaf/0.1/>
INSERT { <> foaf:member "adminuser" . }
WHERE {}
Run this command to update the group and add adminuser to it:
$ curl -i -X PATCH http://localhost:8080/fcrepo/rest/group \
    -u fedoraAdmin:secret3 \
    -H "Content-Type: application/sparql-update" \
    --data-binary @group.sparql
You should receive a 204 No Content response on success.
Now you should be able to repeat the command from step 3 and successfully retrieve the foo resource as adminuser:
$ curl -i http://localhost:8080/fcrepo/rest/foo -u adminuser:password2
This time, you should get a 200 OK response.
agentClass Groups

The foaf:member values of a group referenced by an authorization need to be names that your authentication system will provide to Fedora. Remember, Fedora does no authentication of its own.
acl:agentClass groups are distinct from any group mechanism your existing authentication system may have (e.g., LDAP or Active Directory groups). The groups provided by the authentication system are passed to Fedora as security principals, which the WebAC module compares against the acl:agent property. In other words, externally defined groups are opaque to Fedora, so it treats them as simple agents.
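The following is an added example, not code from Fedora or this page: an in-memory model of the access decision the procedure above exercises (resource, acl:accessControl, Authorization, acl:agentClass, foaf:member) and of the distinction the notes draw between acl:agent and acl:agentClass. The triples are constructed here to mirror the four .ttl files, the path-prefix test for "authorization is a child of the ACL" is a simplification of Fedora's hierarchy, and the function names are mine.

```python
from typing import Iterable, Set, Tuple

ACL = "http://www.w3.org/ns/auth/acl#"
FOAF = "http://xmlns.com/foaf/0.1/"
Triple = Tuple[str, str, str]


def build_triples() -> Set[Triple]:
    """Constructed triples equivalent to acl.ttl, group.ttl, foo.ttl and authz.ttl."""
    return {
        ("/fcrepo/rest/foo", ACL + "accessControl", "/fcrepo/rest/acl"),
        ("/fcrepo/rest/group", FOAF + "member", "testuser"),
        ("/fcrepo/rest/acl/authz", ACL + "accessTo", "/fcrepo/rest/foo"),
        ("/fcrepo/rest/acl/authz", ACL + "agentClass", "/fcrepo/rest/group"),
        ("/fcrepo/rest/acl/authz", ACL + "mode", ACL + "Read"),
    }


def objects(triples: Set[Triple], subject: str, predicate: str) -> Set[str]:
    """All objects of (subject, predicate, ?o)."""
    return {o for s, p, o in triples if s == subject and p == predicate}


def allowed_modes(triples: Set[Triple], principals: Iterable[str], resource: str) -> Set[str]:
    """Union of acl:mode values granted to any of the caller's principals.

    principals: the user name plus any group names supplied by the external
    authentication system. Those names are only ever matched as agents
    (acl:agent); acl:agentClass is expanded through foaf:member of the
    referenced group resource. No matching authorization means no modes
    (deny by default)."""
    wanted = set(principals)
    modes: Set[str] = set()
    for acl in objects(triples, resource, ACL + "accessControl"):
        # Simplification: authorizations are the children of the ACL resource.
        authorizations = {s for s, p, o in triples
                          if p == ACL + "accessTo" and o == resource and s.startswith(acl + "/")}
        for authz in authorizations:
            agents = objects(triples, authz, ACL + "agent")
            for group in objects(triples, authz, ACL + "agentClass"):
                agents |= objects(triples, group, FOAF + "member")
            if agents & wanted:
                modes |= objects(triples, authz, ACL + "mode")
    return modes


def can_read(triples: Set[Triple], principals: Iterable[str], resource: str) -> bool:
    return ACL + "Read" in allowed_modes(triples, principals, resource)


def add_member(triples: Set[Triple], group: str, name: str) -> None:
    """In-memory equivalent of the group.sparql INSERT against the group resource."""
    triples.add((group, FOAF + "member", name))
```

Running can_read before and after add_member reproduces the 200/403/200 sequence of the curl steps, and a resource with no acl:accessControl link yields no modes at all.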