Collections
What are Collections?
In simple words, a collection in Fedora represents a group of objects.

Fedora Commons supports two types of collections:

* Explicit Collection
* Implicit Collection

Explicit Collection

An explicit collection is defined by listing its member objects within the collection object. This is not a very flexible way of creating collections, because to add a new object to the collection you would not only create the object but also alter the collection object itself (two objects to work on).

This kind of collection works well when the collection holds a finite set of objects, for example the books by Shakespeare, which form a limited set.

Implicit Collection

An implicit collection works the other way around. Instead of the collection object listing its members, the members list the collection object. In other words, each member of the collection individually claims "I am a member of the 'abc' collection".

An example of this kind of collection is "My Photos". The number of objects in the collection can change dynamically, and there is no need to alter the parent collection at all: one call less.

Technical Implementation
In Fedora, we establish relationships using the RELS-EXT datastream.

A collection object is just another Fedora object; it carries an RDF element like this example:

<rdf:RDF
    xmlns:fedora="info:fedora/fedora-system:def/relations-external#"
    xmlns:myns="http://www.nsdl.org/ontologies/relationships#"
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#">
  <rdf:Description rdf:about="info:fedora/collection:vmdk">
    <fedora:isCollection>true</fedora:isCollection>
  </rdf:Description>
</rdf:RDF>

A member of this collection would have a RELS-EXT datastream of this kind:

<rdf:RDF
    xmlns:fedora="info:fedora/fedora-system:def/relations-external#"
    xmlns:myns="http://www.nsdl.org/ontologies/relationships#"
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:rdfs="http://www.w3.org/2000/01/rdf-schema#">
  <rdf:Description rdf:about="info:fedora/csc:2">
    <fedora:isMemberOf rdf:resource="info:fedora/collection:vmdk"></fedora:isMemberOf>
  </rdf:Description>
</rdf:RDF>


Retrieve Objects in a collection
All relationships specified in RELS-EXT are indexed by the Resource Index automatically, provided the index was turned on during Fedora installation. We can query the Resource Index for all relationship-based data.

Syntax for requesting triples from the Resource Index:

http://localhost:8080/fedora/risearch?type=triples
                                     &flush=[*true* (default is false)]
                                     &lang=*SPO|iTQL*
                                     &format=*N-Triples|Notation 3|RDF/XML|Turtle*
                                     &limit=[*1* or more (default is no limit)]
                                     &distinct=[*on* (default is off)]
                                     &stream=[*on* (default is off)]
                                     &query=*QUERY_TEXT_OR_URL*

Here is an example query that can be used to retrieve all the objects under collection:vmdk:

http://localhost:8080/fedora/risearch?type=triples&lang=spo&format=N-Triples&query=*+*+%3Cinfo%3afedora%2fcollection%3avmdk%3E

Decoded, the query text is * * <info:fedora/collection:vmdk>: any subject, any predicate, and the collection as the object, which matches each member's isMemberOf statement.
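The two halves of the mechanism above (a member's RELS-EXT statement and the SPO query against the Resource Index) as an added worked example. This is my code, not code from the original page or from Fedora itself; it uses only the Python 3 standard library (3.9+ for removeprefix). The RELS-EXT and N-Triples inputs are constructed samples in the shape the page shows, the second member csc:3 and the hasSubCollection predicate in the sample reply are made up for the example, and the base URL is the page's localhost example.

```python
"""Added example, not code from the original page or from Fedora itself:
read implicit collection membership out of a RELS-EXT datastream, build the
Resource Index SPO query for a collection, and parse the N-Triples reply.
All sample data below is constructed for the example.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

FEDORA_REL = "info:fedora/fedora-system:def/relations-external#"
RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"

# Constructed sample: a member's RELS-EXT in the shape shown on the page.
MEMBER_RELS_EXT = """<rdf:RDF
    xmlns:fedora="info:fedora/fedora-system:def/relations-external#"
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <rdf:Description rdf:about="info:fedora/csc:2">
    <fedora:isMemberOf rdf:resource="info:fedora/collection:vmdk"/>
  </rdf:Description>
</rdf:RDF>"""

# Constructed sample reply to the SPO query "* * <info:fedora/collection:vmdk>":
# every triple whose object is the collection, one statement per line.
# csc:3 and the hasSubCollection predicate are invented for the example.
SAMPLE_NTRIPLES = """\
<info:fedora/csc:2> <info:fedora/fedora-system:def/relations-external#isMemberOf> <info:fedora/collection:vmdk> .
<info:fedora/csc:3> <info:fedora/fedora-system:def/relations-external#isMemberOf> <info:fedora/collection:vmdk> .
<info:fedora/collection:global> <http://www.nsdl.org/ontologies/relationships#hasSubCollection> <info:fedora/collection:vmdk> .
"""


def member_of(rels_ext_xml):
    """Return (object PID, [collection PIDs]) from a RELS-EXT datastream."""
    root = ET.fromstring(rels_ext_xml)
    desc = root.find(f"{{{RDF}}}Description")
    pid = desc.get(f"{{{RDF}}}about").removeprefix("info:fedora/")
    collections = [el.get(f"{{{RDF}}}resource").removeprefix("info:fedora/")
                   for el in desc.findall(f"{{{FEDORA_REL}}}isMemberOf")]
    return pid, collections


def members_query_url(collection_pid, base="http://localhost:8080/fedora"):
    """risearch URL for 'every triple whose object is this collection'."""
    params = {
        "type": "triples",
        "lang": "spo",
        "format": "N-Triples",
        "query": f"* * <info:fedora/{collection_pid}>",
    }
    return f"{base}/risearch?{urlencode(params)}"


# One N-Triples statement: subject, predicate, object, terminating dot.
NT_LINE = re.compile(
    r'^\s*(<[^>]+>|_:\S+)\s+<([^>]+)>\s+'
    r'(<[^>]+>|"(?:[^"\\]|\\.)*"(?:\^\^<[^>]+>|@[\w-]+)?)\s+\.\s*$'
)


def parse_ntriples(text):
    """Parse N-Triples into (s, p, o) tuples; reject anything malformed."""
    triples = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = NT_LINE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a valid N-Triples statement")
        s, p, o = m.groups()
        triples.append((s.strip("<>"), p, o.strip("<>") if o.startswith("<") else o))
    return triples


def collection_members(ntriples, collection_pid):
    """PIDs of objects whose RELS-EXT says isMemberOf the given collection."""
    target = f"info:fedora/{collection_pid}"
    return sorted(s.removeprefix("info:fedora/")
                  for s, p, o in parse_ntriples(ntriples)
                  if p == FEDORA_REL + "isMemberOf" and o == target)


if __name__ == "__main__":
    print(member_of(MEMBER_RELS_EXT))
    print(members_query_url("collection:vmdk"))
    print(collection_members(SAMPLE_NTRIPLES, "collection:vmdk"))
```

The parser is deliberately strict: a line that is not a well-formed statement raises instead of being silently skipped, so a truncated or tampered reply from the index is noticed rather than producing a short member list. Filtering on the isMemberOf predicate matters because the SPO query returns every triple pointing at the collection, not only membership statements.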




ACL on Collections
The default Fedora installation does not support ACLs on collections. To solve this problem we have to install the Fedora Security Layer (FeSL), which replaces Fedora's default authentication and policy mechanism.

Fedora Security Layer (FESL)
The Fedora Security Layer (FeSL) is the future replacement of Fedora's legacy authentication and authorization system.

FeSL offers a new authentication layer that reduces complexity and allows for integration with more authentication systems. FeSL authentication is built on the Java Authentication and Authorization Service (JAAS).

FeSL extends and improves upon Fedora's legacy XACML-based authorization. Notably, FeSL provides hierarchical enforcement of access control policies. Access controls can be set at the collection level, the object level or the datastream level. As a result, collection-level policies apply to all collection members.

FESL restricts access to objects and collections in the Admin UI, search, API access and RI search.

Installation of FESL Module

FESL was introduced as an experimental feature in Fedora version 3.3.

Prerequisite for FESL

FESL needs the Oracle Berkeley DB XML (dbxml) software to be installed beforehand; it is used for policy storage.

Installation Instructions

FESL can be installed during the installation of the Fedora Commons repository. Answer true to the question below to install FESL:


Enable FeSL (Experimental Feature)
----------------------------------
Enable FeSL? The Fedora Security Layer is a replacement for Fedora's
legacy authentication and authorization modules.
This feature is considered experimental and still under development.
Production repositories should NOT enable this.
For more information, see: http://fedora-commons.org/confluence/x/h4Ov


Enter a value [default is false] ==> true



Configuration of FESL

Assuming we have installed Fedora with FESL, below are the steps to configure the module to work correctly.

* Edit /usr/lib/fedora/tomcat/webapps/fedora/WEB-INF/web.xml. Remove this mapping, i.e. comment it out as below:

<!--<filter-mapping>
      <filter-name>RestApiFlashFilter</filter-name>
      <servlet-name>RestServlet</servlet-name>
    </filter-mapping>-->

Remove these filters, again by commenting them out:

<!-- <filter>
      <filter-name>SetupFilter</filter-name>
      <filter-class>fedora.server.security.servletfilters.FilterSetup</filter-class>
    </filter>
    <filter>
      <filter-name>XmlUserfileFilter</filter-name>
      <filter-class>fedora.server.security.servletfilters.xmluserfile.FilterXmlUserfile</filter-class>
    </filter>
    <filter>
      <filter-name>RestApiAuthnFilter</filter-name>
      <filter-class>fedora.server.security.servletfilters.FilterRestApiAuthn</filter-class>
    </filter>
    <filter>
      <filter-name>RestApiFlashFilter</filter-name>
      <filter-class>fedora.server.security.servletfilters.FilterRestApiFlash</filter-class>
    </filter>
    <filter>
      <filter-name>EnforceAuthnFilter</filter-name>
      <filter-class>fedora.server.security.servletfilters.FilterEnforceAuthn</filter-class>
    </filter>
    <filter>
      <filter-name>FinalizeFilter</filter-name>
      <filter-class>fedora.server.security.servletfilters.FilterFinalize</filter-class>
    </filter>
    <filter>
      <filter-name>RestApiFlashFilter</filter-name>
      <filter-class>fedora.server.security.servletfilters.FilterRestApiFlash</filter-class>
    </filter>-->

* Edit /usr/lib/fedora/server/config/config-melcoe-pep.xml. Replace this line:

<!-- <handler operation="risearch" class="melcoe.fedora.pep.rest.filters.RISearchFilter" />

with this code:

<handler operation="/risearch" class="melcoe.fedora.pep.rest.filters.RISearchFilter" />

* Restart Apache Tomcat for the changes to take effect, and voilà: we have successfully installed FESL and configured it to work with the Fedora Commons instance.

XACML Policies
A few important points to note before writing new policies:

* Installation of FESL disables the default system-level and object-level policies.
* The FESL XACML policy directory is /usr/lib/fedora/pdp/policies.
* The vocabulary for writing FESL XACML policies is quite different from that of the default XACML policies.
* Unfortunately, every new policy inclusion needs the dbxml policy cache to be cleared manually and Tomcat to be restarted (something we have to take care of in future).

Example Policies

* Deny-csc2-user.xml: object access denial policy
* Access-vapp-1-owner.xml: object access provision policy
* Access-public-global-collection.xml: collection access provision policy

User Story
Let's say that we have 3 objects and 3 collections.

* Objects: vapp:1, csc:1 and csc:2
* Collections: collection:global, collection:vmdk, collection:ovf

Collection data model

collection:global is a parent collection that has two sub-collections, collection:vmdk and collection:ovf.

collection:vmdk has one member object, csc:2.

collection:ovf has 2 member objects, csc:1 and vapp:1.

ACL Matrix

Access per user type and resource:

User Type      collection:global  collection:vmdk  collection:ovf  vapp:1  csc:1  csc:2
Administrator  YES                YES              YES             YES     YES    YES
Owner          YES                YES              YES             YES     YES    YES
John           YES                YES              YES             NO      NO     NO

Implementation

* The administrator has access to all actions on everything in the repository.

<Subjects>
  <Subject>
    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">administrator</AttributeValue>
      <SubjectAttributeDesignator
        AttributeId="urn:fedora:names:fedora:2.1:subject:role"
        DataType="http://www.w3.org/2001/XMLSchema#string"/>
    </SubjectMatch>
  </Subject>
</Subjects>

<Rule Effect="Permit" RuleId="au:edu:mq:melcoe:ramp:fedora:xacml:2.0:rule:generic-permit"/>

* The owner has access to all collections and also to all the objects in the collections.

<Subjects>
  <Subject>
    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">owner</AttributeValue>
      <SubjectAttributeDesignator
        AttributeId="urn:fedora:names:fedora:2.1:subject:role"
        DataType="http://www.w3.org/2001/XMLSchema#string"/>
    </SubjectMatch>
  </Subject>
</Subjects>

<Resources>
  <Resource>
    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/collection:global/.*</AttributeValue>
      <ResourceAttributeDesignator
        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
        DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
    </ResourceMatch>
  </Resource>
  <Resource>
    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">/collection:global</AttributeValue>
      <ResourceAttributeDesignator
        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
        DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
    </ResourceMatch>
  </Resource>
</Resources>

<Rule Effect="Permit" RuleId="au:edu:mq:melcoe:ramp:fedora:xacml:2.0:rule:generic-permit"/>

* John has access to the collections but not to the objects. As we already know how to grant access, this policy shows how to deny access to objects.

<Subjects>
  <Subject>
    <SubjectMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">John</AttributeValue>
      <SubjectAttributeDesignator
        AttributeId="urn:fedora:names:fedora:2.1:subject:role"
        DataType="http://www.w3.org/2001/XMLSchema#string"/>
    </SubjectMatch>
  </Subject>
</Subjects>

<Resources>
  <Resource>
    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/collection:global/collection:ovf/vapp:1/.*</AttributeValue>
      <ResourceAttributeDesignator
        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
        DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
    </ResourceMatch>
  </Resource>
  <Resource>
    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/collection:global/collection:ovf/csc:1/.*</AttributeValue>
      <ResourceAttributeDesignator
        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
        DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
    </ResourceMatch>
  </Resource>
  <Resource>
    <ResourceMatch MatchId="urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/collection:global/collection:vmdk/csc:2/.*</AttributeValue>
      <ResourceAttributeDesignator
        AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
        DataType="http://www.w3.org/2001/XMLSchema#anyURI"/>
    </ResourceMatch>
  </Resource>
</Resources>

<Rule Effect="Deny" RuleId="au:edu:mq:melcoe:ramp:fedora:xacml:2.0:rule:generic-permit"/>
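To check that the three policies above really produce the ACL matrix, here is an added worked example: a small evaluator that models the hierarchical resource-id paths the policies match on. This is my code, not the page's and not FeSL's own policy decision point. It assumes (as the page's regexes imply) that the resource-id is a path from the root collection down to the object, and additionally that a datastream hangs off the object path (e.g. .../vapp:1/DC), that several <Resource> elements in one <Resources> are ORed, that rules are combined deny-overrides with anything other than an explicit Permit treated as denied, that anyURI-regexp-match behaves like a substring search, and it adds a permit for John on the three collections, which the page does not show.

```python
"""Added example, not code from the original page or from FeSL itself: a small
deny-overrides evaluator for the path-shaped resource-ids used by the page's
XACML policies, checked against the ACL matrix. Combining algorithm, regexp
semantics and John's collection permit are assumptions, see the comments.
"""
import re

# Resource-ids as the page's regexes imply them: a path from the root
# collection down to the object (assumed: datastreams hang off the object
# path, e.g. ".../vapp:1/DC").
COLLECTIONS = [
    "/collection:global",
    "/collection:global/collection:vmdk",
    "/collection:global/collection:ovf",
]
OBJECTS = [
    "/collection:global/collection:ovf/vapp:1",
    "/collection:global/collection:ovf/csc:1",
    "/collection:global/collection:vmdk/csc:2",
]


def anyuri_equal(value, resource_id):
    """urn:oasis:names:tc:xacml:1.0:function:anyURI-equal"""
    return value == resource_id


def anyuri_regexp_match(pattern, resource_id):
    """urn:oasis:names:tc:xacml:2.0:function:anyURI-regexp-match
    (assumed semantics: the pattern may match anywhere in the URI)."""
    return re.search(pattern, resource_id) is not None


# (role, [(match function, attribute value)], rule effect). An empty resource
# list means "any resource", as in the administrator's policy on the page.
POLICIES = [
    ("administrator", [], "Permit"),
    ("owner", [(anyuri_regexp_match, "/collection:global/.*"),
               (anyuri_equal, "/collection:global")], "Permit"),
    # Assumed policy, not on the page: John's permit for the three collections.
    ("John", [(anyuri_equal, c) for c in COLLECTIONS], "Permit"),
    # The page's deny policy for John: one regexp per object.
    ("John", [(anyuri_regexp_match, o + "/.*") for o in OBJECTS], "Deny"),
]


def applicable(policy, role, resource_id):
    """Does the policy's target match this subject role and resource-id?"""
    prole, resources, _ = policy
    if prole != role:
        return False
    # Several <Resource> elements inside one <Resources> are ORed together.
    return not resources or any(fn(v, resource_id) for fn, v in resources)


def decide(role, resource_id):
    """Deny-overrides combination (assumed); NotApplicable when nothing hits."""
    effects = {p[2] for p in POLICIES if applicable(p, role, resource_id)}
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"


def is_allowed(role, resource_id):
    """A PEP should treat anything but an explicit Permit as denied."""
    return decide(role, resource_id) == "Permit"


def acl_matrix(roles=("administrator", "owner", "John")):
    """YES/NO per role and resource, in the shape of the page's ACL matrix."""
    return {role: {r: ("YES" if is_allowed(role, r) else "NO")
                   for r in COLLECTIONS + OBJECTS} for role in roles}


if __name__ == "__main__":
    for role, row in acl_matrix().items():
        print(f"{role:14}" + " ".join(f"{v:4}" for v in row.values()))
    # The deny regexes end in "/.*", so they need a path component after the
    # object: a datastream path is denied explicitly, while the bare object
    # path falls through to NotApplicable and is only refused by default.
    print(decide("John", "/collection:global/collection:ovf/vapp:1/DC"))
    print(decide("John", "/collection:global/collection:ovf/vapp:1"))
```

The last two lines of the script show the point worth checking before relying on a deny rule: a pattern of the form object/.* only matches paths below the object, so whether the object itself is refused depends on the default decision, not on the explicit Deny. If the default were ever changed to permit, those objects would open up silently; matching the object path itself as well closes that gap.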

Posted: 3/30/2012