New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WebAC ACL Interface #4
Conversation
* @author whikloj | ||
* @since 2015-08-25 | ||
*/ | ||
public interface AbstractFedoraWebAcl { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why "Abstract"FedoraWebAcl? Any reason not to drop the "Abstract" prefix?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is an interface. It is in the Fedora codebase. Why does it have either Abstract
or Fedora
as part of its name?
Would this interface be able to support a method that takes a resource and/or an agent (as URIs) and returns the authorization(s) that mention that resource and/or agent? Alternatively, a method that returned the list of authorizations in the ACL, and the client class could iterate over that list to find the authorizations that were relevant to its interests? If either of these are desired, I would suggest an additional interface/class to represent a single authorization ("authorization" being the WebAC terminology for a single rule relating an agent(Class) to an accessTo(Class) resource with an access mode. |
@peichman-umd, Although per the WebAC "spec", agents are represented as URIs. My understanding was that most installations would only be able to support Strings. How are you defining "authorizations"? I thought this interface represented a single "authorization", i.e. all principals that have these modes on these resources (and resource classes). |
@awoods, The way I read the WebAC "spec", an ACL is a graph containing one or more acl:Authorization resources, which all seem to be represented as blank nodes with acl:accessTo, acl:agent, acl:mode, etc. properties. Thus I was assuming that an ACL class would represent that graph. Maybe this is a case of terminological confusion? If so, I would suggest renaming this interface to something like WebACAuthorization. |
@awoods, For the issue of representing agents as strings or URIs, would the new |
From: https://wiki.duraspace.org/display/FF/2015-07-22+-+WebAccessControl+Authorization+Delegate+Planning+Meeting |
Those |
My grasp of some of the W3C lingo is weak. But based on this My assumption is that one Authorization contains:
|
@whikloj, I had a similar representation in mind. I think we need to take a moment and decide on a clear, clean, consistent perspective on how Authorizations are represented in the repository. |
Ok, I can change the name to WebACAuthorization. As for your first question @peichman-umd. As the acl:mode will be the same for all users and resources referenced by this ACL. |
Is there a reason to even create hash resources? In other words, does an ACL resource need to contain a sub-graph of Authorizations, versus simply having all of the triples @whikloj described attached to the ACL resource itself? |
8cb44ee
to
5d56184
Compare
@awoods, I don't think so. Based on my understanding we would have simple triples on the Acl resource where the Acl resource would always be the subject. |
@whikloj: The way I have been reading the W3C spec is that the ACL is never actually the subject of any triples. There is an |
@peichman-umd, are you saying that your understanding is that "protected resources" have a property that points to their ACL? |
@awoods That was my understanding of this section of the spec: http://www.w3.org/wiki/WebAccessControl#Modifying_Access_Control_information |
@peichman-umd, yes I see what you mean. |
I have no understanding of nor opinion about this issue, but just from the diction and tone of this conversation, perhaps this is a question best put to whomever is writing or maintaining WebAC? |
Also, from the WAC and LDP section:
|
This seems a bit confusing: maybe check with the (ex-)LDP WG for some clarification? @azaroth42? |
* Set/Modify the acl:agents of this ACL. | ||
* @param users a Set of agents | ||
*/ | ||
void setUsers(Set<String> users); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we use acl:Agent
terminology? If so, are userIds different than groupIds?
* Set/Modify the rdf:types to apply this ACL to. | ||
* @param objectClasses set of RDF objects | ||
*/ | ||
void setObjectClasses(Set<RDF> objectClasses); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ditto.
👍 |
1 similar comment
👍 |
I agree, what fine work. Someone press the button. |
Someone should squash the commits before pressing the button. |
I'll give it a try, never done that before. |
i.e.
Assuming you already did a "git pull" with the following ".git/config" update: [remote "origin"]
url = https://github.com/fcrepo4-labs/fcrepo-module-auth-webac.git
fetch = +refs/heads/*:refs/remotes/origin/*
fetch = +refs/pull/*/head:refs/remotes/origin/pull/* |
1b5f9dd
to
8b04366
Compare
I hope that works. |
I does not look like it. Now I see 7 commits instead of one squashed commit. Was that intentional, @whikloj? |
Sorry, I should have asked. I just removed some of the commits. I'll squash it all. |
Change permissions to modes Change interface name Make method names closer to spec Removing setters acl:agents cover both users and groups Object classes are URIs Re-add agentClasses rename methods change Set<URI> to Set<String> for getAccessToURIs() Update javadoc
8b04366
to
187f993
Compare
LIBFCREPO-1061. Reuse the cachedAclHandle if the session is still live.
No description provided.