Hi Eddie, Vamsee's questions were extremely timely for me. Hopefully, you are able to answer questions for me as well. I just installed Fedora 3.3 and definitely see FESL as the way to go if we can. All of the documentation about configuring authentication makes sense. I have not been able to find how best to create and manage policies however. I am mostly interested in object and collection level policies that I would have stored in the POLICY datastream if I were using the old authorization mechanism. So, here are a few questions of my own:
1. Does FESL make use of the POLICY datastream similar to the XACML Engine (this appears not to be the case according to the project requirements page: http://www.fedora-commons.org/confluence/display/DEV/FeSL_Requirements)?
2. If so, are policies written in xml similar to the old engine?
3. If not, how are policies created/updated? Through the REST or some other API? The requirements page seems to imply it is done by talking to the Policy Manager.
4. It also mentions documentation for an API for Policy Manager, but I have not been able to find any yet.

It appears these three items below on the nice to have list on the project requirements page are not implemented yet, but is there a target date/release for any of these yet:

- FESL will implement an approach which will store policies in Fedora as Policy objects, which can then be subscribed to by the appropriate objects.
- Simple, intuitive, well documented vocabulary for controlling Read, Create, Edit, Delete, and "Change Permissions" for Collections, Objects, and Datastreams
- User interface & REST API for editing policies on Collections, Objects, and Datastreams
  * Allow repository managers to find out what policies apply to a given Object, Datastream, or Collection

The User Interface item is especially important to us, because we are at the point now where we would end up creating a similar UI if it is not going to be available soon.

Also, since FESL utilizes Muradora code, I am wondering if it makes sense to try and utilize some of its functionality in talking to FESL in the interim.

Thanks so much for your help!
Thanks,
Rick

--
----------------------------------------------------------
Rick Johnson
Systems Analyst Manager, Digital Library and Local Programming Unit
Library Information Systems
University of Notre Dame
Michiana Academic Library Consortium
Notre Dame, IN USA 46556
http://www.library.nd.edu
574-631-1086
------------------------------------------------------------

________________________________________
From: Edwin Shin [[email protected]]
Sent: Wednesday, January 27, 2010 9:35 PM
To: Vamsee Vanaparthy
Cc: [email protected]
Subject: Re: [Fedora-commons-users] Authentication and ACL on Fedora Commons

Vamsee,

The Fedora security documentation, which is admittedly lacking in various respects, is located at:
http://www.fedora-commons.org/confluence/display/FCR30/Securing+Your+Fedora+Repository

Fedora 3.3 also includes, as an option, a preview of a new security architecture (FeSL), documented here:
http://www.fedora-commons.org/confluence/display/FCR30/Fedora+Security+Layer+%28FeSL%29

In short, out of the box, Fedora has support for authentication via an xml user file and ldap. FeSL notably provides authentication via JAAS, which provides a standards-based framework for implementing your own custom auth (e.g. shib, openid, etc). If this is a direction you're interested in pursuing, you can get in touch w/ me as I'd like to organize different efforts to implement different auth modules.

And yes, Fedora's auth applies to both its SOAP and REST APIs.

As for audit trails: each Fedora object maintains its own audit trail datastream. There isn't a built-in facility for a multi-system audit trail, but depending on your requirements, you could build this fairly easily. Off the top of my head, I'd consider using Fedora's messaging service to build a syslog-like service. You could also write a custom Management decorator (see fedora.fcfg) to implement whatever sort of audit trail you desired (assuming you only need an audit trail for API-M operations and not API-A).
Eddie

On 27 Jan 2010, at 11:46 PM, Vamsee Vanaparthy wrote:

> Hello Friends,
>
> I have a few questions about Authentication and ACL on Fedora Commons. I would
> appreciate it if someone could answer them or at least point me in the right
> direction:
>
> 1) Can you please let me know or direct me to a proper url where I can read
> about how authentication is implemented on Fedora Commons?
>
> 2) Can Fedora support various authentication schemes like Ldap, Open ID etc.?
> I am trying to understand the single Sign on implementation from various
> applications to fedora.
>
> 3) Does this authentication hold true for Rest API access as well? In the
> current Rest API, how can I pass in User credentials for secure access?
>
> 4) How can different users have different access levels for the Fedora Repo?
> For example admin can ingest files, anonymous can access only access API
> calls. If this functionality is available, where can we configure it?
>
> Last but not least question
>
> 5) We have an architecture of many private fedoras getting information from
> Global repo. How is it possible to have an audit trail across the systems? (Multi
> tenancy)
>
> Thank you in advance for helping me. I sincerely appreciate it.
>
> Thanks,
> Vamsee
>
> ------------------------------------------------------------------------------
> The Planet: dedicated and managed hosting, cloud storage, colocation
> Stay online with enterprise data centers and the best network in the business
> Choose flexible plans and management services without long-term contracts
> Personal 24x7 support from experience hosting pros just a phone call away.
> http://p.sf.net/sfu/theplanet-com
> _______________________________________________
> Fedora-commons-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fedora-commons-users

_______________________________________________
Fedora-commons-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fedora-commons-users
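The cross-repository audit trail Eddie sketches (consume the notifications Fedora's messaging service publishes for API-M calls and write them to one central, syslog-like log) as an added example; it is not part of this thread and not Fedora's own code. It assumes each notification is an Atom entry carrying the API-M method in <title>, the caller in <author>, and call parameters as <category> terms under a "fedora-types:" scheme; the sample entry is constructed, and the repository id, the enterprise number in the structured-data id, and the syslog facility are illustrative choices rather than anything Fedora prescribes. Check the parser against what your own instance publishes before relying on it.

```python
"""Forward Fedora update notifications into one syslog-style audit stream.

Added example, not Fedora code. The Atom entry shape (title = API-M method,
author = caller, category terms = parameters) is an assumption for this
example; the sample below is constructed, not captured from a repository.
"""
import xml.etree.ElementTree as ET
from datetime import datetime

ATOM = "{http://www.w3.org/2005/Atom}"
PARAM_SCHEME = "fedora-types:"   # assumed scheme prefix on parameter <category> elements
PRI_INFO = 134                   # local0 (16) * 8 + informational (6)
PRI_ERR = 131                    # local0 (16) * 8 + error (3)
SD_ID = "fedora@32473"           # 32473 is the enterprise number reserved for documentation

# Constructed sample notification (assumed shape; not real Fedora output).
SAMPLE_MESSAGE = """<?xml version="1.0" encoding="UTF-8"?>
<entry xmlns="http://www.w3.org/2005/Atom">
  <id>urn:uuid:7a4c2e60-0000-4000-8000-000000000001</id>
  <updated>2010-01-28T03:35:00.000Z</updated>
  <author><name>fedoraAdmin</name></author>
  <title type="text">modifyDatastreamByValue</title>
  <category term="demo:1" scheme="fedora-types:pid"/>
  <category term="POLICY" scheme="fedora-types:dsID"/>
  <summary type="text">demo:1</summary>
</entry>
"""


def _text(parent, name):
    """Return the stripped text of a required Atom child element."""
    node = parent.find(ATOM + name)
    if node is None or node.text is None:
        raise ValueError("notification lacks <%s>" % name)
    return node.text.strip()


def parse_update_message(xml_text):
    """Return the auditable fields of one notification as a dict."""
    root = ET.fromstring(xml_text)
    if root.tag != ATOM + "entry":
        raise ValueError("not an Atom entry: %s" % root.tag)
    stamp = _text(root, "updated")
    datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ")  # reject malformed timestamps early
    author = root.find(ATOM + "author")
    user = _text(author, "name") if author is not None else "-"
    params = {}
    for cat in root.findall(ATOM + "category"):
        scheme = cat.get("scheme", "")
        if scheme.startswith(PARAM_SCHEME):
            params[scheme[len(PARAM_SCHEME):]] = cat.get("term", "")
    return {
        "id": _text(root, "id"),
        "timestamp": stamp,
        "user": user,
        "method": _text(root, "title"),
        "pid": params.get("pid", "-"),
        "params": params,
    }


def escape_sd_value(value):
    """Escape a PARAM-VALUE as RFC 5424 requires: backslash, double quote and ']'."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_syslog_line(repo_id, event):
    """Format one event as an RFC 5424 line; repo_id fills the HOSTNAME field."""
    fields = [("method", event["method"]), ("user", event["user"])]
    fields += sorted(event["params"].items())
    sd = " ".join('%s="%s"' % (k, escape_sd_value(v)) for k, v in fields)
    return "<%d>1 %s %s fedora - - [%s %s] API-M %s on %s by %s" % (
        PRI_INFO, event["timestamp"], repo_id, SD_ID, sd,
        event["method"], event["pid"], event["user"])


def collect_audit_trail(repo_id, messages, seen_ids=None):
    """Turn raw notifications into audit lines, dropping redelivered entries.

    A JMS broker may redeliver a message after a consumer failure; keying on
    the Atom <id> keeps the central log free of duplicate records. Malformed
    messages are logged as errors rather than silently dropped, so a gap in
    the trail is visible to whoever reviews it.
    """
    seen = set() if seen_ids is None else seen_ids
    lines = []
    for raw in messages:
        try:
            event = parse_update_message(raw)
        except (ET.ParseError, ValueError) as exc:
            lines.append("<%d>1 - %s fedora - - - unparseable notification: %s"
                         % (PRI_ERR, repo_id, exc))
            continue
        if event["id"] in seen:
            continue
        seen.add(event["id"])
        lines.append(to_syslog_line(repo_id, event))
    return lines


if __name__ == "__main__":
    for line in collect_audit_trail("repo-a", [SAMPLE_MESSAGE, SAMPLE_MESSAGE, "<not xml"]):
        print(line)
```

Feed collect_audit_trail() the message bodies your JMS subscriber receives from each repository, with a distinct repo_id per instance, and ship the returned lines to whatever central syslog collector you already run; sharing one seen_ids set across repositories also catches the same notification arriving via two paths. As Eddie notes, this only covers API-M operations, so reads via API-A never appear in the trail.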
