
ESGF_Access_Control

Sam Fries edited this page Nov 17, 2016 · 10 revisions
Wiki Reorganisation
This page has been classified for reorganisation. It has been given the category REVISE.
This page contains useful content but needs revision. It may contain out of date or inaccurate content.

Configuring Access Control for Publishing and Downloading Data

Access control in ESGF is based on regular-expressions: a class of resources, identified by a regular expression, is matched to one or more groups and roles that are authorized to execute specific operations.

Specifically, let's assume that we want to configure the access control for all resources that are part of _projectX_. We will assume that, when publishing, all datasets and files that are part of _projectX_ will be assigned an ID that contains _projectX_. For example, a typical ID for one of these files will be something like _projectX.roswell_1947.nc_, and the corresponding download URL will be _http://<your data node here>/thredds/projectX/projectX.roswell_1947.nc_. To ensure that these files can be published and downloaded only by a very, very restricted group of people, follow the steps below:

  • Create a new user group in the database, for example named _Area_51_. You can do so by logging in as rootAdmin in the web front end (recommended), by using the ESGF shell CLI (_esgf-sh_), or by issuing SQL statements directly to your database (not recommended!). All access control groups within ESGF are _exported_ by the P2P node manager from the individual databases to the common federation registry, and are written on each node into the local file /esg/config/esgf_ats.xml . After creating your new group, you can verify that (within a few minutes) the group shows up in this file, together with an attribute service and a registration service endpoint. For example, the entry for the _Area_51_ group will look something like:
<attribute type="Area_51"
           description="Secret Base Group"
           attributeService="https://<your data node here>/esgf-security/saml/soap/secure/attributeService.htm"
           registrationService="https://<your data node here>/esgf-security/secure/registrationService.htm" />
  • You must edit the file /esg/config/esgf_policies_local.xml to contain the following statements, which grant download privileges (aka _Read_) to members of the _Area_51_ group with role=user (the default), and publishing privileges (aka _Write_) to members of the same group that are granted the special role=publisher.
<policy resource=".*projectX.*" attribute_type="Area_51" attribute_value="user" action="Read"/>
<policy resource=".*projectX.*" attribute_type="Area_51" attribute_value="publisher" action="Write"/>
  • Note that there is a difference in vocabulary between the user administration context and the policy/registry (attribute) context. More specifically here is the lexicon mapping:

    • "group" => "attribute_type"

    • "role" => "attribute_value"

  • The file /esg/config/esgf_policies_common.xml is also used by the access control system, but it contains policy statements that are _not_ node-specific, and therefore should _not_ be edited by the local administrator. The file _esgf_policies_common.xml_ will be overwritten by the installation script if a new version is available, while the file _esgf_policies_local.xml_ is left untouched so that local policies are preserved across software upgrades.

  • Finally, you must assign the users you want to authorize to the _Area_51_ group, granting them role=user to download the data, and role=publisher if you want them to be able to publish data. Note that at this time, users can be assigned to a group with role=user through the web interface, but in order to grant them role=publisher you need to issue a SQL statement like the following (substitute the correct values from your database where appropriate):

    • _insert into esgf_security.permission (user_id, group_id, role_id, approved) values (, , , true);_

Notes

  • If a resource matches one or more statements in the files _esgf_policies_local.xml_ and _esgf_policies_common.xml_, authorization will be granted if the user holds either set of privileges. For example, the following two statements:
<policy resource=".*projectX.*" attribute_type="Area_51" attribute_value="user" action="Read"/>
<policy resource=".*projectX.*" attribute_type="UsGov" attribute_value="user" action="Read"/>

will grant reading privileges on the projectX resources to members of the _Area_51_ group and to members of the _UsGov_ group.

  • The special group _ANY_ can be used to allow unrestricted access to all users, independently of role. For example, the following statement:
<policy resource=".*test.*" attribute_type="ANY" attribute_value="" action="Read"/>
    allows all test resources to be read by all, with no restrictions. Note that _ANY_ is a special group, and does not need to be contained in the esgf_policies_local.xml file.
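The following evaluator is an added example, not ESGF's own authorization code: it applies the semantics described in the steps above and in these Notes (regex-matched resources, group as attribute_type, role as attribute_value, the special ANY group, and the union of local and common policy files) to a constructed pair of policy files. Assumptions beyond the page: the `<policies>` wrapper element is invented for the sample, the resource regex is required to match the whole identifier (the page's `.*projectX.*` patterns behave the same either way), and a user's privileges are modelled as a set of (group, role) pairs. One consequence worth checking is visible in the tests: a member holding only role=publisher gets Write but not Read under the two statements on this page, so users who publish should also be granted role=user.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a node's esgf_policies_local.xml (not the project's file):
# the two projectX statements from this page plus the ANY rule for test resources.
LOCAL_POLICIES_XML = """<policies>
  <policy resource=".*projectX.*" attribute_type="Area_51" attribute_value="user" action="Read"/>
  <policy resource=".*projectX.*" attribute_type="Area_51" attribute_value="publisher" action="Write"/>
  <policy resource=".*test.*" attribute_type="ANY" attribute_value="" action="Read"/>
</policies>"""

# Constructed sample of esgf_policies_common.xml: a federation-wide statement
# granting the UsGov group read access to the same resources.
COMMON_POLICIES_XML = """<policies>
  <policy resource=".*projectX.*" attribute_type="UsGov" attribute_value="user" action="Read"/>
</policies>"""


def load_policies(xml_text):
    """Parse every <policy .../> element into a dict with a compiled resource regex."""
    policies = []
    for el in ET.fromstring(xml_text).iter("policy"):
        policies.append({
            "resource": re.compile(el.get("resource")),
            "attribute_type": el.get("attribute_type"),      # "group" in the admin UI
            "attribute_value": el.get("attribute_value", ""),  # "role" in the admin UI
            "action": el.get("action"),                        # Read or Write
        })
    return policies


def matching_policies(resource, action, user_attributes, policy_sets):
    """Return every statement, from any of the policy files, that grants `action`
    on `resource` to a user holding `user_attributes`, a set of (group, role) pairs.

    Assumption (not stated on the page): the regex must match the whole identifier.
    """
    granted = []
    for policies in policy_sets:
        for p in policies:
            if p["action"] != action or not p["resource"].fullmatch(resource):
                continue
            # ANY grants to everyone, regardless of group membership or role.
            if p["attribute_type"] == "ANY":
                granted.append(p)
            elif (p["attribute_type"], p["attribute_value"]) in user_attributes:
                granted.append(p)
    return granted


def is_authorized(resource, action, user_attributes, policy_sets):
    """Union semantics across files: a single matching statement anywhere is enough."""
    return bool(matching_policies(resource, action, user_attributes, policy_sets))


# Local and common files are consulted together, as described in the Notes.
POLICY_SETS = [load_policies(LOCAL_POLICIES_XML), load_policies(COMMON_POLICIES_XML)]

if __name__ == "__main__":
    # Constructed requests against the identifiers used on this page.
    checks = [
        ("projectX.roswell_1947.nc", "Read", {("Area_51", "user")}),
        ("projectX.roswell_1947.nc", "Write", {("Area_51", "user")}),
        ("projectX.roswell_1947.nc", "Write", {("Area_51", "publisher")}),
        ("projectX.roswell_1947.nc", "Read", {("UsGov", "user")}),
        ("test.sample.nc", "Read", set()),
        ("projectY.data.nc", "Read", {("Area_51", "user")}),
    ]
    for resource, action, attrs in checks:
        print(f"{action:5} {resource:28} {sorted(attrs)!s:32} -> "
              f"{is_authorized(resource, action, attrs, POLICY_SETS)}")
```

Because `matching_policies` returns the statements that fired rather than a bare boolean, the same function doubles as an audit aid: when a user unexpectedly can or cannot reach a dataset, running it against the node's local and common files shows exactly which `<policy>` line is responsible.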