Hello

I've attached a patch which lets me use the value(s) in the FEDORA_AUX_SUBJECT_ATTRIBUTES servlet attribute to refine queries.
The extraction of the appropriate attribute values and their use in an in-search filter is probably quite specific to the archiving project I'm working on. But it should give an idea of how it can be done.
In our archive, we will store objects related to many different projects. Each project has resources of 3 different types: data, source code and documentation. Different users will be allowed to see objects belonging to some or all of these different resource types for projects they are involved with.
The Fedora PIDs are made up of 3 parts - a two part prefix and a UUID generated outside of Fedora. The prefix is made up of a project code and a resource type code, so a PID looks like this:
rps-data:13c771d4-93c4-4b98-94fe-10dbd53258d5

Here is what the patch does:

The HTTP request comes into RESTImpl.java, and is passed to the gfindObjects method. The FEDORA_AUX_SUBJECT_ATTRIBUTES attribute is a Map with String keys and Set<String> values. I'm interested in the fedoraRole key, and convert the Set of strings into an array of strings.
This string array gets passed to the Config object's getOperationsImpl method, which passes it on to the GenericOperationsImpl object's init method. Here it is stored in a protected class member.
OperationsImpl's gfindObjects method can then pass this on to rewriteQueryForInsearch method in the SearchResultFilteringDemoImpl object.
Here, the values for fedoraRole are examined. If there are no roles, then the user shouldn't see anything. If one of the roles is 'administrator', then no extra filtering is needed, as they are allowed to see everything. Otherwise, each role is examined to see if it contains a _ (underscore). If it does, then the role value is composed of a project prefix and a project role suffix.
One suffix is 'admin', which means that the user can see everything in a project. Another suffix is 'reader', which means they can see data resources. So, if a user has 'rps_admin' as a fedoraRole value, then 'PID:rps-*' is added to the query. If the user has 'rps_reader' as a fedoraRole, then 'PID:rps-data*' is added to the query. There is no need for an extra field(s) in the index. This mimics the effect of the XACML policies in Fedora.
I haven't tried this yet with the LDAP filter that comes with fedora-server.jar, or the SSO filter that Adam and Scott have produced. But it works with the XML user file filter, and the Lucene engine.
Shall I document this for FCREPO-1008?

Swithun.

-- 
The University of St Andrews is a charity registered in Scotland: SC013532
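As an added example (not part of this mail or the gsearch patch), here is a hypothetical hardened variant of the role-to-clause rewriting described above, in the project's language: it validates each role against a fixed pattern before splicing the project code into the PID clause, de-duplicates repeated roles, and fails closed when no usable role is present. The class name, the allowed-character pattern and the sample roles are my assumptions.

```java
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical hardened variant of the role-based query rewrite (not the gsearch code).
public class RoleQueryFilter {
    // Assumption: project codes are lower-case alphanumerics and the only suffixes are
    // admin and reader, so nothing spliced into the PID clause can carry query syntax.
    private static final Pattern ROLE = Pattern.compile("^([a-z0-9]+)_(admin|reader)$");

    // Returns the query to run; a clause that can match nothing when no usable role exists.
    public static String rewrite(String query, Set<String> fedoraRoles) {
        String matchNothing = "( " + query + " ) AND NOT ( " + query + " )";
        if (fedoraRoles == null || fedoraRoles.isEmpty()) {
            return matchNothing;           // fail closed: no roles, no results
        }
        if (fedoraRoles.contains("administrator")) {
            return query;                  // global administrator: no filtering
        }
        Set<String> clauses = new LinkedHashSet<String>();  // drops duplicate clauses
        for (String role : fedoraRoles) {
            Matcher m = role == null ? null : ROLE.matcher(role);
            if (m == null || !m.matches()) {
                continue;                  // "rps_", "a_b_c" or "guest" contribute nothing
            }
            String project = m.group(1);
            if (m.group(2).equals("admin")) {
                clauses.add("PID:" + project + "-*");      // every resource type of the project
            } else {
                clauses.add("PID:" + project + "-data*");  // readers: data resources only
            }
        }
        if (clauses.isEmpty()) {
            return matchNothing;           // roles present but none usable
        }
        return "( " + query + " ) AND ( " + String.join(" OR ", clauses) + " )";
    }

    public static void main(String[] args) {
        // Constructed sample roles exercising each branch.
        Set<String> roles = new LinkedHashSet<String>(
            Arrays.asList("rps_reader", "abc_admin", "rps_", "guest", "rps_reader"));
        System.out.println(rewrite("title:report", roles));
        System.out.println(rewrite("title:report", null));
    }
}
```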
diff -r ./FedoraGenericSearch/src/java/dk/defxws/fedoragsearch/server/Config.java ../../gsearch/FedoraGenericSearch/src/java/dk/defxws/fedoragsearch/server/Config.java 1152a1153,1157 > > public GenericOperationsImpl getOperationsImpl(String > fgsUserNameParam, String indexNameParam) > throws ConfigException { > return getOperationsImpl(fgsUserNameParam, indexNameParam, null); > } 1154c1159 < public GenericOperationsImpl getOperationsImpl(String fgsUserNameParam, String indexNameParam) --- > public GenericOperationsImpl getOperationsImpl(String fgsUserNameParam, > String indexNameParam, String[] fedoraRoles) 1194c1199 < ops.init(fgsUserNameParam, indexName, this); --- > ops.init(fgsUserNameParam, indexName, this, fedoraRoles); diff -r ./FedoraGenericSearch/src/java/dk/defxws/fedoragsearch/server/GenericOperationsImpl.java ../../gsearch/FedoraGenericSearch/src/java/dk/defxws/fedoragsearch/server/GenericOperationsImpl.java 55a56 > protected String[] fedoraRoles; 152a154,157 > > public void init(String fgsUserName, String indexName, Config > currentConfig) { > init(fgsUserName, indexName, currentConfig, null); > } 154c159 < public void init(String fgsUserName, String indexName, Config currentConfig) { --- > public void init(String fgsUserName, String indexName, Config > currentConfig, String[] fedoraRoles) { 156a162 > this.fedoraRoles = fedoraRoles; diff -r ./FedoraGenericSearch/src/java/dk/defxws/fedoragsearch/server/RESTImpl.java ../../gsearch/FedoraGenericSearch/src/java/dk/defxws/fedoragsearch/server/RESTImpl.java 15a16,18 > import java.util.HashMap; > import java.util.Map; > import java.util.Set; 213c216,236 < Operations ops = config.getOperationsImpl(request.getRemoteUser(), indexName); --- > > String fedoraRoles[] = null; > do > { > Map<String, Set<String>> > attributes = (Map) request.getAttribute("FEDORA_AUX_SUBJECT_ATTRIBUTES"); > if (null == attributes) > { > break; > } > > Set<String> roles = > attributes.get("fedoraRole"); > if (null == roles || 0 == > 
roles.size()) > { > break; > } > > fedoraRoles = roles.toArray(new > String[roles.size()]); > } > while (false); > > Operations ops = config.getOperationsImpl(request.getRemoteUser(), > indexName, fedoraRoles); 331c354 < } \ No newline at end of file --- > } diff -r ./FedoraGenericSearch/src/java/dk/defxws/fedoragsearch/server/SearchResultFiltering.java ../../gsearch/FedoraGenericSearch/src/java/dk/defxws/fedoragsearch/server/SearchResultFiltering.java 19a20 > public String rewriteQueryForInsearch(String fgsUserName, String > indexName, String query, String[] fedoraRoles) throws > java.rmi.RemoteException; diff -r ./FedoraGenericSearch/src/java/dk/defxws/fedoragsearch/server/SearchResultFilteringDemoImpl.java ../../gsearch/FedoraGenericSearch/src/java/dk/defxws/fedoragsearch/server/SearchResultFilteringDemoImpl.java 59a60,137 > return rewriteQueryForInsearch(fgsUserName, indexName, > query, null); > } > > public String rewriteQueryForInsearch(String fgsUserName, String > indexName, String query, String[] fedoraRoles) throws > java.rmi.RemoteException { > String rewrittenQuery = null; > > do > { > // no role, so can't see anything > if (null == fedoraRoles) > { > // need some > way to make the query match nothing > rewrittenQuery > = " ( " + query + " ) AND NOT ( " + query + " )"; > break; > } > > // has admin role, so can see > everything > boolean isAdmin = false; > for (String role : fedoraRoles) > { > if > (role.equals("administrator")) > { > > isAdmin = true; > > break; > } > } > if (isAdmin) > { > rewrittenQuery > = query; // no filtering > break; > } > > // use roles to create disjointed > clause for filter > String clause = ""; > for (String role : fedoraRoles) > { > // need to > split on _ > if (-1 == > role.indexOf('_')) > { > > continue; > } > > String[] parts > = role.split("_"); > > if > (!clause.equals("")) > { > > clause += " OR "; > } > > // admin of > project can get objects under any resource type > if > (parts[1].equals("admin")) > { > > clause += 
" PID:" + parts[0] + "-*"; > } > // readers of > project can get objects under data resource type > else if > (parts[1].equals("reader")) > { > > clause += " PID:" + parts[0] + "-data*"; > } > } > > // no clause generated, so can't get > anything > if (clause.equals("")) > { > rewrittenQuery > = " ( " + query + " ) AND NOT ( " + query + " )"; > break; > } > > // add clause to query > rewrittenQuery = " ( " + query + " ) > AND ( " + clause + " )"; > } > while (false); > > return rewrittenQuery; > } > > /* > public String rewriteQueryForInsearch(String fgsUserName, String > indexName, String query) throws java.rmi.RemoteException { 68a147 > */ diff -r ./FgsLucene/src/java/dk/defxws/fgslucene/OperationsImpl.java ../../gsearch/FgsLucene/src/java/dk/defxws/fgslucene/OperationsImpl.java 82c82 < usingQuery = srf.rewriteQueryForInsearch(fgsUserName, usingIndexName, query); --- > usingQuery = srf.rewriteQueryForInsearch(fgsUserName, > usingIndexName, query, fedoraRoles); 683c683 < } \ No newline at end of file --- > }
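Review bot: In the RESTImpl hunk at 213c216,236, the raw `(Map)` cast is unchecked, so a filter that stores something other than a `Map<String, Set<String>>` under FEDORA_AUX_SUBJECT_ATTRIBUTES fails with a ClassCastException at `attributes.get("fedoraRole")` instead of being caught by the null checks; guard with `instanceof Map` before casting. Also worth stating in the documentation: when the attribute is absent or `fedoraRole` is empty, `fedoraRoles` stays null, which SearchResultFilteringDemoImpl turns into a query that matches nothing, so a deployment whose authentication filter does not populate this attribute silently returns empty results; that fail-closed behaviour is the safe default but should be documented. The added `java.util.HashMap` import is unused.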
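Review bot: Adding a second `rewriteQueryForInsearch` overload to the SearchResultFiltering interface at 19a20 breaks any other implementation of that interface at compile time; document that every implementation must add the 4-argument method, and note that an implementation still calling the 3-argument form through SearchResultFilteringDemoImpl now gets the match-nothing rewrite.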
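Review bot: In the SearchResultFilteringDemoImpl hunk at 59a60,137, `parts[1]` after `role.split("_")` throws ArrayIndexOutOfBoundsException for a role with a trailing underscore such as `rps_` (split drops trailing empty strings, so only `parts[0]` exists), and a role like `a_b_c` silently uses `b` as the suffix; check `parts.length == 2` (or match the role against an explicit pattern) before indexing. Since `parts[0]` goes straight into the Lucene query as `" PID:" + parts[0] + "-*"`, restrict the project code to an allowlisted character set so a role value containing query syntax cannot widen the filter. The original 3-argument method body is left between `/*` and `*/` while the new 3-argument overload delegates with null roles, so every remaining 3-argument caller gets the match-nothing rewrite; delete the dead code rather than keep it under a comment.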
_______________________________________________
Fedora-commons-users mailing list
Fedora-commons-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fedora-commons-users