In roles-based access control, users or groups are not granted specific actions on resources; rather, users and groups have roles assigned to them on resources, and these roles are mapped onto permitted actions elsewhere. This makes it much easier to manage permissions globally: rarely will masses of resources need to be updated if their permissions change. Only the role-to-permission mapping will be updated. Role-based access control is a common pattern in security, providing extensible role-specific behavior while retaining straightforward management.
This module does not define any specific roles or enforce permissions granted to roles. For roles to be effective, this module must be configured alongside an authorization delegate that is aware of roles. One roles-aware authorization delegate is provided as a reference implementation, the Basic RoleRoles-based Based Authorization Delegate.
By default, role names are not validated, since the module does not define the set of role names that may be assigned in Fedora. However, you may configure a set of specific roles and then the API will validate roles.
root/ (default content roles, i.e. no roles for anyone) ├── Container A (EVERYONE => reader; johndoe => admin) │ ├── Binary 1 (johndoe => admin) │ └── Container Q (EVERYONE => reader; johndoe => admin) │ └── Container R (janedee => admin) ├── Container B (EVERYONE => reader; johndoe => admin) │ └── Container T │ └── Container V └── Container C
Inheritance of Effective Roles
- Container Authentication: A user comes into the system. They are assigned a user principal:
- If they authenticate through some authentication gateway, then their principal may be generated from some of the person's attributes;
- Whether they authenticate or not, the request will always acquire an "EVERYONE" principal.
- Fedora Principal Provider extensions: Principal provider extensions may bring in more principals after authentication, such as groups, from sources like LDAP.
- Fedora Roles Authorization Delegate Queries for Assigned Roles on Content: What roles have been assigned?
- The authorization layer queries the requested repository resource(s) for any content-assigned roles.
- If none are found locally, then it will query each ancestor in turn until role assignments are found.
- If no role assignments are found in the tree of resources, then a default set of role assignments is used. (see Container C above)
- Fedora Roles Authorization Delegate - Role Resolution: What roles does this request have?
- The set of principals in the request are compared to the principals in the ACLs on the resource. The roles for each matching principal in the Container ACL are the effective roles for the user.
- At this point we have the effective access roles for this operation
- Fedora Roles Authorization Delegate - Policy Enforcement: Does this role have permission to perform the requested action?
- Note: The Fedora Authorization Delegate is an extension point, so enforcement will vary by the chosen implementation. We assume that installations will combine the access roles module with a roles-based authorization delegate.
- The effective roles, assigned to the user on the content, are used to determine if the user has permission to perform the action on a given resource.
- Basic Role-based Authorization DelegateRoles authorization delegate implementation does permission checks in java code:
- Permission is determined by evaluating at a minimum the effective roles for the user on the resource in question, and the action requested.
- In other roles-based authorization delegate implementations, more factors may also enter into the equation to determine permission.
- The authorization delegate will return a response to ModeShape, which will throw an exception to Fedora if access has been denied.
- Fedora will respond with a 403 if the given REST operation is denied.
- The one exception to this process is the fedoraAdmin container role . If the request has a fedoraAdmin user role (in the container), then no resource checks are made. The authorization delegate is not consulted as admins have permission to do everything. Resources will never have the fedoraAdmin role explicitly assigned to them, since it is a container role and not a content role. (e.g. a tomcat user role)