You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »

Hydra does not rely on Fedora 3's AuthN/Z capabilities, but rather stores it access policy on the "rightsMetadata" datastream of Fedora objects. The handling of access controls is then managed at the application level above Fedora.

The intent of this document is twofold:

  1. To clearly record how Hydra is currently designed to manage user access to resources across:
    • Fedora REST API
    • Fedora Resource Index
    • Repository Search
  2. To describe how Hydra could potentially leverage the nascent Fedora 4 AuthN/Z framework

Hydra AuthN/Z Design

Hydra in simple terms is the Blacklight discovery interface on top of ActiveFedora, with the addition of access controls.  A good and fairly up-to-date overview of basic Hydra access controls can be found at https://github.com/projecthydra/hydra-head/wiki/Access-Controls-with-Hydra.  

In addition to object-level permissions recorded in the rightsMetadata datastream, an object can have a relationship (via RELS-EXT) to special "admin policy object" (APO) which stores "inheritable" permissions in a "defaultRights" datastream using the same XML schema as rightsMetadata.  The inheritable permissions of an APO are effectively added to the object's "direct" permissions stored in rightsMetadata in determining authorization.

For the actual application-level (Ruby on Rails) authorization enforcement mechanism, Hydra uses the CanCan library (or the CanCanCan fork in hydra-head 7.0).  Additional access controls – for example, for types of access not specifically provided in rightsMetadata – can be defined in the Ability class.  A simple example can be seen in Hydra::Ability, which provides a special "download" permission on datastreams (by default mapping to read permission on the object).

Fedora REST API

ActiveFedora uses the Rubydora library to handle Fedora REST API requests and responses.  The credentials of the Hydra application authenticated user, however, are not used for authorization of Fedora REST API requests.  A single Fedora user account provided in a configuration file is used for access to restricted methods (API-M).

Fedora Resource Index

Hydra makes no direct usage of the Fedora RI, since it relies on Solr for repository queries (via Blacklight and ActiveFedora).

Repository Search

The principal means that Hydra enforces access controls on repository search is by adding permissions-related clauses to the Solr select queries.

Hydra and Fedora 4

The potential delegation of AuthN/Z responsibility from Hydra to Fedora 4 is captured in the following use cases.

Title (Goal) 
Primary Actor 
Scope 
Level 
Story (A paragraph or two describing what happens) 
  • No labels

All content on the LYRASIS Wiki is licensed under the CC BY (Attribution) license, unless otherwise noted.