ESGF / esg-orp

ESGF Openid Relying Party (ORP)
http://esgf.org/esg-orp/

add means to specify authentication-only access control in policies file #35

Open alaniwi opened 5 years ago

alaniwi commented 5 years ago

For open datasets, currently the policies file allows for an attribute_type="ANY" rule, but we need to distinguish between two cases:

(a) resource is completely open (available for anonymous access in addition to all authenticated users)

(b) resource is available to all users but requires authentication

If I have correctly understood, #34 will allow for the possibility of the filters making SAML authz queries regarding anonymous access, prior to querying about authenticated access only if necessary, which is a necessary prerequisite for implementing the above but does not in itself provide the means for the authorizationService to respond differently in these two cases. Maybe @watucker can confirm this?

If this is correct, then maybe the required steps are:

(1) decide what syntax in the policies file is appropriate to represent cases (a) and (b) above

(2) implement support for it in the authorization service

(3) in the THREDDS web.xml in the ESGF stack, remove the policyFiles entry that makes THREDDS inspect the policies file directly (causing it to bypass the call to the authorizationService in the case of an attribute_type="ANY" rule), so that all authz decisions are handled by the authorizationService.
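To make the distinction between cases (a) and (b) and the two-phase query concrete, here is an added example of the decision logic the three steps above describe. It is not code from esg-orp or the ESGF authorization service. The policies XML layout (a `<policy>` element with `resource`, `attribute_type`, `attribute_value` and `action` attributes) follows the ESGF policies files as the author of this example understands them, and the `attribute_type="ANONYMOUS"` value is a hypothetical syntax for case (a), chosen only for this illustration; picking the real syntax is what step (1) is about. The sample policies file is constructed.

```python
"""Toy model of an authorization decision that separates
(a) anonymous-open resources from (b) authenticated-only resources.

Added illustration, not esg-orp code. attribute_type="ANONYMOUS" is a
hypothetical syntax for case (a); "ANY" is read as case (b), i.e. any
authenticated principal, which is what a single "ANY" rule cannot
currently express on its own.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample policies file (not a real ESGF deployment's file).
POLICIES_XML = """
<policies>
  <!-- case (a): completely open, anonymous callers included (hypothetical syntax) -->
  <policy resource=".*/open/.*" attribute_type="ANONYMOUS" attribute_value="" action="Read"/>
  <!-- case (b): any authenticated user, but a login is required -->
  <policy resource=".*/public/.*" attribute_type="ANY" attribute_value="" action="Read"/>
  <!-- group-restricted: caller must hold the named attribute/value -->
  <policy resource=".*/cmip5/.*" attribute_type="CMIP5 Research" attribute_value="user" action="Read"/>
</policies>
"""

ANONYMOUS = None  # sentinel: the request carries no authenticated identity


def load_policies(xml_text):
    """Parse <policy> elements into (compiled resource regex, type, value, action)."""
    root = ET.fromstring(xml_text)
    return [
        (re.compile(p.get("resource")), p.get("attribute_type"),
         p.get("attribute_value"), p.get("action"))
        for p in root.iter("policy")
    ]


def matching_rules(policies, resource, action):
    """Rules whose resource pattern fully matches the path and whose action matches."""
    return [r for r in policies if r[3] == action and r[0].fullmatch(resource)]


def is_authorized(policies, resource, action, attributes):
    """Single SAML-style authz query.

    attributes is ANONYMOUS (None) for an unauthenticated caller, otherwise a
    dict {attribute_type: set(values)} describing the authenticated principal.
    Returns "Permit" or "Deny". First matching rule that is satisfiable wins.
    """
    for _pattern, atype, avalue, _action in matching_rules(policies, resource, action):
        if atype == "ANONYMOUS":
            return "Permit"          # case (a): no identity needed at all
        if attributes is ANONYMOUS:
            continue                 # anonymous caller cannot satisfy (b) or a group rule
        if atype == "ANY":
            return "Permit"          # case (b): any authenticated identity suffices
        if avalue in attributes.get(atype, set()):
            return "Permit"          # group rule: required attribute value is held
    return "Deny"


def decide(policies, resource, action, attributes):
    """Two-phase evaluation as a front-end filter would perform it.

    Phase 1 asks the anonymous question; only if that is denied does phase 2
    ask about the caller's identity. Returns "permit", "deny" or
    "login_required" (the caller is anonymous and a rule exists that an
    authenticated principal could satisfy, so redirecting to login is useful).
    """
    if is_authorized(policies, resource, action, ANONYMOUS) == "Permit":
        return "permit"
    if attributes is ANONYMOUS:
        return "login_required" if matching_rules(policies, resource, action) else "deny"
    return "permit" if is_authorized(policies, resource, action, attributes) == "Permit" else "deny"


if __name__ == "__main__":
    policies = load_policies(POLICIES_XML)
    for path, attrs in [("/data/open/f.nc", ANONYMOUS), ("/data/public/f.nc", ANONYMOUS),
                        ("/data/public/f.nc", {}), ("/data/cmip5/f.nc", {"CMIP5 Research": {"user"}})]:
        print(path, "anonymous" if attrs is ANONYMOUS else attrs, "->", decide(policies, path, "Read", attrs))
```

The point the model makes is that once the filter always asks the authorization service (step 3), the service alone can tell the two cases apart: an "ANONYMOUS" hit permits without any identity, an "ANY" hit permits only after phase 2 has an authenticated principal, and an anonymous caller hitting only "ANY" or group rules is sent to log in rather than flatly denied.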