On access and permissions - mlibrary/hydra-prototype GitHub Wiki

WORK IN PROGRESS

Access and Permissions in Hydra

An object in the repository (here qb98mf449) is assigned one or more Hydra::AccessControls::Permission objects. The one with id 4635f850-afe2-47b8-a787-3ff12916fecf has this RDF (Fedora 4 output, in Turtle):

@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix ns001: <info:fedora/fedora-system:def/model#> .
@prefix ns008: <http://www.w3.org/ns/auth/acl#> .
@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
@prefix fedora: <http://fedora.info/definitions/v4/repository#> .
@prefix ldp: <http://www.w3.org/ns/ldp#> .

<http://127.0.0.1:8983/fedora/rest/njaffer-dev/46/35/f8/50/4635f850-afe2-47b8-a787-3ff12916fecf> 
   a ldp:RDFSource , 
     ldp:Container , 
     <http://www.jcp.org/jcr/nt/1.0folder> , 
     <http://www.jcp.org/jcr/nt/1.0hierarchyNode> , 
     <http://www.jcp.org/jcr/nt/1.0base> , 
     <http://www.jcp.org/jcr/mix/1.0created> , 
     fedora:Container , 
     fedora:Resource , 
     fedora:Resource , 
     <http://www.jcp.org/jcr/mix/1.0created> , 
     <http://www.jcp.org/jcr/mix/1.0lastModified> , 
     <http://www.jcp.org/jcr/mix/1.0referenceable> ;
	ns008:accessTo <http://127.0.0.1:8983/fedora/rest/njaffer-dev/qb/98/mf/44/qb98mf449> ;
	fedora:lastModifiedBy "bypassAdmin"^^<http://www.w3.org/2001/XMLSchema#string> ;
	fedora:createdBy "bypassAdmin"^^<http://www.w3.org/2001/XMLSchema#string> ;
	fedora:primaryType "nt:folder"^^<http://www.w3.org/2001/XMLSchema#string> ;
	fedora:created "2015-10-28T17:04:42.741Z"^^<http://www.w3.org/2001/XMLSchema#dateTime> ;
	fedora:mixinTypes "fedora:Container"^^<http://www.w3.org/2001/XMLSchema#string> , "fedora:Resource"^^<http://www.w3.org/2001/XMLSchema#string> ;
	fedora:lastModified "2015-10-28T17:04:42.741Z"^^<http://www.w3.org/2001/XMLSchema#dateTime> ;
	ns008:mode ns008:Write ;
	ns001:hasModel "Hydra::AccessControls::Permission"^^<http://www.w3.org/2001/XMLSchema#string> ;
	ns008:agent <http://projecthydra.org/ns/auth/person#[email protected]> ;
	fedora:writable "true"^^<http://www.w3.org/2001/XMLSchema#boolean> ;
	fedora:hasParent <http://127.0.0.1:8983/fedora/rest/njaffer-dev> .

tl;dr:

  • accessTo points to the object (collection or work) that this permission governs
  • agent names the user or the group granted the access (users are person# URIs, as above)
  • mode names the action being permitted (here acl:Write, which Hydra treats as edit access)

The Permission document is indexed in Solr as:

{
        "system_create_dtsi": "2015-10-28T17:04:42Z",
        "system_modified_dtsi": "2015-10-28T17:04:42Z",
        "active_fedora_model_ssi": "Hydra::AccessControls::Permission",
        "has_model_ssim": [
          "Hydra::AccessControls::Permission"
        ],
        "id": "4635f850-afe2-47b8-a787-3ff12916fecf",
        "object_profile_ssm": [
          "{\"id\":\"4635f850-afe2-47b8-a787-3ff12916fecf\",\"mode\":[{\"id\":\"http://www.w3.org/ns/auth/acl#Write\"}],\"agent\":[{\"id\":\"http://projecthydra.org/ns/auth/person#[email protected]\"}],\"access_to_id\":\"qb98mf449\"}"
        ],
        "accessTo_ssim": [
          "qb98mf449"
        ],
        "_version_": 1516295299110273000,
        "timestamp": "2015-10-28T17:04:42.848Z",
        "score": 1
      }

The governed collection/work also gets the aggregated form of this data in its own Solr document:

#...
"edit_access_person_ssim": [
          "[email protected]"
        ],
#...

Given an object obj:

# assign users who can edit this object; can this use User objects?
> obj.edit_users = [ '[email protected]', '[email protected]' ]
> obj.save
> obj.permissions
=> [
 <Hydra::AccessControls::Permission id: 4635f850-afe2-47b8-a787-3ff12916fecf agent: "http://projecthydra.org/ns/auth/person#[email protected]" mode: "http://www.w3.org/ns/auth/acl#Write" access_to: "qb98mf449">, 
 <Hydra::AccessControls::Permission id: 7f96f26a-c4a2-4b5c-8ec0-183d6b3cb430 agent: "http://projecthydra.org/ns/auth/person#[email protected]" mode: "http://www.w3.org/ns/auth/acl#Write" access_to: "qb98mf449">
]
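To make the round trip concrete (user key or group name in, WebACL triples out, Solr rollup of the governed object), here is an added example in plain Ruby. It is not hydra-access-controls code: Permission and RepositoryObject are stand-ins defined here, with no Fedora or Solr behind them. The person# agent prefix and the acl:Write/edit mapping come from the output above; the group# prefix, the hydra:Discover mode and the *_access_person_ssim / *_access_group_ssim field names for discover and read are assumed by analogy with the edit_access_person_ssim field shown (they match Hydra's defaults as far as I know).

```ruby
require 'securerandom'

ACL   = 'http://www.w3.org/ns/auth/acl#'.freeze
HYDRA = 'http://projecthydra.org/ns/auth/'.freeze

# Hydra access level -> WebACL mode URI. Note that Hydra's "edit" is acl:Write,
# and "discover" is Hydra's own custom mode (assumed URI, see hydra/acl.rb).
MODE_FOR_ACCESS = {
  'discover' => "#{HYDRA}acl#Discover",
  'read'     => "#{ACL}Read",
  'edit'     => "#{ACL}Write"
}.freeze
ACCESS_FOR_MODE = MODE_FOR_ACCESS.invert.freeze

# Agent URI prefixes: person# is shown on the page, group# is assumed.
AGENT_PREFIX = {
  'person' => "#{HYDRA}person#",
  'group'  => "#{HYDRA}group#"
}.freeze

# Stand-in for Hydra::AccessControls::Permission (not the real class).
Permission = Struct.new(:id, :agent, :mode, :access_to) do
  def self.build(name:, type:, access:, access_to:, id: SecureRandom.uuid)
    prefix = AGENT_PREFIX.fetch(type) { raise ArgumentError, "unknown agent type #{type}" }
    mode   = MODE_FOR_ACCESS.fetch(access) { raise ArgumentError, "unknown access level #{access}" }
    new(id, prefix + name, mode, access_to)
  end

  def agent_type
    agent.start_with?(AGENT_PREFIX['group']) ? 'group' : 'person'
  end

  def agent_name
    agent.split('#', 2).last
  end

  def access
    ACCESS_FOR_MODE.fetch(mode)
  end

  # Predicate/object pairs matching the acl: triples in the Turtle above
  # (Fedora stores the full resource URI as accessTo; the id is used here).
  def triples
    { "#{ACL}accessTo" => access_to, "#{ACL}agent" => agent, "#{ACL}mode" => mode }
  end

  # The object_profile_ssm payload Solr holds for the Permission itself.
  def to_solr
    { 'id' => id, 'mode' => [{ 'id' => mode }], 'agent' => [{ 'id' => agent }],
      'access_to_id' => access_to }
  end
end

# Stand-in for a Hydra work/collection with the *_users= / *_groups= setters.
class RepositoryObject
  attr_reader :id, :permissions

  def initialize(id)
    @id = id
    @permissions = []
  end

  %w[discover read edit].each do |access|
    define_method("#{access}_users=")  { |names| replace(access, 'person', names) }
    define_method("#{access}_groups=") { |names| replace(access, 'group', names) }
    define_method("#{access}_users")   { names_for(access, 'person') }
    define_method("#{access}_groups")  { names_for(access, 'group') }
  end

  # Assigning a list replaces the permissions at that level for that agent type
  # and leaves every other permission alone (assumed to mirror Hydra's setters).
  def replace(access, type, names)
    @permissions.reject! { |p| p.access == access && p.agent_type == type }
    names.each do |name|
      @permissions << Permission.build(name: name, type: type, access: access, access_to: id)
    end
    names_for(access, type)
  end

  def names_for(access, type)
    @permissions.select { |p| p.access == access && p.agent_type == type }.map(&:agent_name)
  end

  # Roll the permissions up into the governed object's own Solr fields,
  # e.g. edit_access_person_ssim as shown above.
  def to_solr
    @permissions.each_with_object('id' => id) do |p, doc|
      (doc["#{p.access}_access_#{p.agent_type}_ssim"] ||= []) << p.agent_name
    end
  end
end
```

The rollup in to_solr is the part that matters for enforcement: the per-Permission documents are just records, while the *_access_*_ssim fields on the work are what the access checks and the search filters actually query, so a permission that is saved but not reindexed onto the governed object is invisible to both.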

Access Policies in Hydra

(Project Hydra describes these as a way to define permissions per collection: all the objects in a collection share one access policy. An object can be linked to only one policy, and that policy would have to describe the possible CRUD permissions for the collection and its works.)

Indexed Permissions

By default, Hydra indexes whether a user or group has

  • discover access
  • read access
  • edit access

These indexed fields are what the cancancan access checks test against, and what Blacklight uses to filter search results.

Setting Permissions

Given an object obj, the simple out-of-the-box approach is to assign a list of usernames or user objects to one of the permission arrays: obj.edit_users = [ @user ] or obj.edit_users = [ '[email protected]' ].

So say you're working on a form that the admin will use to lock a collection to its managers:

> managers_groups = [ 'bentley.photographers' ]
> managers_users = [ '[email protected]' ]
> collection.edit_users = managers_users
> collection.edit_groups = managers_groups
> collection.save

Prototyping

  • define Deposit mode for WebACL (extends http://www.w3.org/ns/auth/acl#Access)
  • define Manage mode for WebACL
  • define DefaultReadAccess mode for WebACL
  • extend Collection
    • deposit_users
    • deposit_groups
    • manage_users
    • manage_groups
    • default_read_access - if this is empty, MHydra will assume "public" (Hydra's version of DSpace's Anonymous)
      • the anonymous user carries the group public, so to grant something to everyone the corresponding xx_groups needs to be set to [ 'public' ]
  • update ability.rb
    • use Hydra::Ability as guide for parameterized cancancan tests
    • e.g. can :deposit, Collection, Work do |collection, obj|
    • ability logic would
      • load the Collection from Fedora (for now)
      • test whether current_user is in deposit_users or current_user.groups is in deposit_groups
  • set the default permissions on work and files as they're created in the collection
    • read and discover should be simple, most of the time
    • edit should be the current_user and the managers of the collection

WebACL

See: http://www.w3.org/wiki/WebAccessControl and http://www.umich.edu/~roger/acl.rdf.xml

Access modes:

  • access: Any kind of access to a resource. Don't use this; use Read, Write, or both.
  • append: Append accesses are specific write accesses which only add information and do not remove information. For text files, for example, append access allows bytes to be added onto the end of the file. For RDF graphs, append access allows adding triples to the graph but not removing any. Append access is useful for dropbox functionality. A dropbox can be used for link notification, where the information added is a notification that some link relevant to the given resource has been made elsewhere.
  • authorization: An element of access control, allowing an agent to give agents access of some kind to resources or classes of resources.
  • control: Allows read/write access to the ACL for the resource(s).
  • read: The class of read operations.
  • write: The class of write operations.

Applications can define custom modes, e.g. Hydra's hydra:Discover in its own ACL vocabulary; see: https://github.com/projecthydra/hydra-head/blob/master/hydra-access-controls/app/vocabularies/hydra/acl.rb
