...

JIRA issue: FCREPO-2583

  • If we are preserving ACLs as part of a version rather than using the original resource's, then for resources without an assigned or inherited ACL Fedora would need to record the Default ACL at the time of the snapshot somehow (see 5.3 Inheritance and Default ACLs).
    • Similarly, an inherited ACL would also need to be recorded for the snapshot.


Design Questions

Open Questions

...

  1. user has access to the LDPRv but not the mementos, but can they see the TimeMap?
    1. This implies that the LDPRv has a different ACL than the LDPRm's. The LDPCv would probably have a different one as well.
  2. user has access to the LDPRv and the mementos - they can see everything
  3. user has access to the mementos, but not the LDPRv. They can see the TimeMap and mementos.  
To find the ACL that relates to the LDPCv: 
  1. First look at the LDPCv for the memento to see if that particular LDPCv has an ACL. 
  2. Otherwise follow the pattern specified by the SOLID WebAC specification for finding an ACL based on the original LDPRv, as outlined below.
To find the ACL that relates to a LDPRm, follow this algorithm:
  1. First look at the LDPCv for the LDPRm to see if it has an access control triple for memento items associated with it ('memento:accessControl'). If so, stop there and honor that ACL, as it will apply to all mementos the LDPCv contains.
  2. Otherwise follow the pattern specified by the SOLID WebAC specification for finding an ACL based on the original LDPRv, as outlined below.
SOLID WebAC Specification:

This is a slightly modified version of how the SOLID WebAC recommends finding the ACL.  

  1. Use the original for a LDPRv:
    Use the document's (LDPR/LDPRv) own ACL resource if it exists (in which case, stop here).
  2. Otherwise, look for authorizations to inherit from the ACL of the (LDPRv) document's container. If those are found, stop here.
  3. Failing that, check the LDPRv container's parent container to see if that has its own ACL file, and see if there are any permissions to inherit.
  4. Failing that, move up the container hierarchy for the LDPRv until you find a container with an existing ACL file, which has some permissions to inherit.
  5. The root container of a user's account MUST have an ACL resource specified. (If all else fails, the search stops there.)
    1. For Fedora, there is no root container for a user, but there is a default ACL applied to the server overall. Should this algorithm fail to find an ACL at the root of the LDPRv's tree, it shall default to this system-wide default ACL.
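
The lookup rules above, written out as an added Python example (not Fedora's code). The `Resource` model, the `inheritable` flag standing in for "has some permissions to inherit", the `/default-acl` placeholder and all paths are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional

SYSTEM_DEFAULT_ACL = "/default-acl"  # placeholder for the server-wide default ACL

@dataclass
class Resource:                      # hypothetical model, not Fedora's own classes
    path: str
    parent: Optional[str] = None     # containing LDPC; None at the top of the tree
    acl: Optional[str] = None        # ACL assigned directly to this resource
    inheritable: bool = True         # the ACL has authorizations children may inherit
    memento_acl: Optional[str] = None  # LDPCv only: value of 'memento:accessControl'
    original: Optional[str] = None   # LDPCv -> its LDPRv, LDPRm -> its LDPCv

def acl_for_ldprv(repo: Dict[str, Resource], path: str) -> str:
    """Own ACL first, then the nearest ancestor with inheritable permissions."""
    node, own, seen = repo[path], True, set()
    while node is not None and node.path not in seen:  # seen: stop on a parent loop
        seen.add(node.path)
        if node.acl and (own or node.inheritable):
            return node.acl
        node, own = repo.get(node.parent), False
    return SYSTEM_DEFAULT_ACL        # nothing found up to the root of the tree

def acl_for_ldpcv(repo: Dict[str, Resource], path: str) -> str:
    """The LDPCv's own ACL if it has one, else the LDPRv lookup."""
    node = repo[path]
    return node.acl or acl_for_ldprv(repo, node.original)

def acl_for_ldprm(repo: Dict[str, Resource], path: str) -> str:
    """'memento:accessControl' on the LDPCv if set, else the LDPRv lookup."""
    ldpcv = repo[repo[path].original]
    return ldpcv.memento_acl or acl_for_ldprv(repo, ldpcv.original)

def sample_repo() -> Dict[str, Resource]:
    """Constructed tree: /a has an ACL, /b has one that is not inheritable."""
    nodes = [
        Resource("/a", acl="/a/acl"),
        Resource("/a/doc", parent="/a"),
        Resource("/a/doc/v", original="/a/doc", acl="/acl/timemap",
                 memento_acl="/acl/mementos"),
        Resource("/a/doc/v/1", original="/a/doc/v"),
        Resource("/b", acl="/b/acl", inheritable=False),
        Resource("/b/doc", parent="/b"),
        Resource("/b/doc/v", original="/b/doc"),
        Resource("/b/doc/v/1", original="/b/doc/v"),
    ]
    return {n.path: n for n in nodes}
```

In the constructed tree, `/a/doc`, its LDPCv and its memento resolve to three different ACLs, while everything under `/b/doc` falls through to the system-wide default.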

Given this, the following is then true: 

  • LDPCvs can have an ACL applied to them. If the LDPCv does not have one for its mementos, then the LDPRv's ACL applies to all the mementos in the LDPCv.
  • LDPRv and its mementos can have different ACLs.


...


Internal Representation of resources

...