Authorization

There are two major authorization commands, acl and auth. acl creates new webac:Acl containers and associates them with other containers; auth lets users see and modify the Authorizations in an existing ACL. We expect acl to be used rarely and auth often.
acl
By design the acl command is not well integrated into the other tooling: we want users to have to think before using it.
The acl command has these subcommands: show, add, rm, dirs and delete.
acl show [--full] [--verbose] [--dir-entry] [dir]
acl add --acl[=aclname] [--create] [--default|--no-default] [dirs]
acl rm [--acl[=aclname]] [dirs]
acl dirs [--acl[=aclname]] [-r] [--auth] [--full] [dirnames]
acl delete [--force] [--acl[=aclname]]
acl show
Lists the webac:Acl that is in effect for the passed directory. If [dir] is unspecified, the CWD is used.
--full  By default the relative path is shown; --full shows the full path.
--verbose  Show the content of the webac:Acl.
--dir-entry  Instead of the webac:Acl, show the directory whose acl:accessControl triple selects it.
Note that the WebAC specification exposes the effective ACL in the response headers: a HEAD (or GET) on the resource returns a Link header with rel="acl". So, except for --dir-entry, we can simply interrogate that header. --verbose just does an ls of the ACL container.
For --dir-entry, walk up through the parents until we find the directory that actually carries the '<> acl:accessControl ?c' triple.
acl show .
../../.acl
acl show --full .
/fcrepo/rest/user/quinn/.acl
acl add
Adds an ACL to a set of [dirs]. If [dirs] is not specified, the CWD is used. The ACL is named with --acl=aclname, or with a bare --acl, which defaults to the first [dir] followed by "/.acl". If the container already has an acl:accessControl triple, it is replaced. Omitting --acl entirely is an error.
--create  By default, if the acl does not exist or is not of type webac:Acl, the command fails. With --create the command either adds the triple <> a webac:Acl to an existing container or creates a new container of type webac:Acl.
--default / --no-default  If the command creates a new webac:Acl, --default creates two Authorizations: Read for foaf:Agent (that is, everyone, including unauthenticated requests) and Read,Write for the principal named in the current JWT (see the auth section). This is on by default; turn it off with --no-default. Be aware that the default makes the container world-readable; use --no-default when the content must not be public. If the webac:Acl does not have to be created, these options have no effect.
# Most common form: add an ACL to the CWD
acl add --create --acl .
# No dir = ./ (so here dir=. and acl=./.acl)
# On success this is equivalent to
mkdir -a webac:Acl .acl
# These are the --default Authorizations
auth add --agent=user:quinn --mode=Read,Write --to=. quinn-rw
auth add --agent=foaf:Agent --mode=Read --to=. Agent-r
# This is the add step itself
patch -d $dir --delete-where "<> acl:accessControl ?c ."
patch -d $dir --insert "<> acl:accessControl <$acl> ."
The following example uses a non-standard location for the ACL container. The first command fails because the location given is not a webac:Acl; the second succeeds.
mkdir bar
myacl=bar
acl add --acl=$myacl $dir   # Fails since bar is not a webac:Acl
acl add --create --acl=$myacl $dir
# On success this is equivalent to ...
mkdir $myacl                # only if $myacl does not exist yet
patch -d $myacl --insert "<> a webac:Acl ."
patch -d $dir --delete-where "<> acl:accessControl ?c ."
patch -d $dir --insert "<> acl:accessControl <$myacl> ."
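The defaults above matter for security because Agent-r grants Read to foaf:Agent, that is, to every requester including unauthenticated ones. The following Python is an added example, not the tool's own code: it models the two Authorizations that --default writes, renders them as the WebAC Turtle the repository would hold, and evaluates who may do what with them. The container path, the user:quinn principal and the user: prefix IRI are assumptions taken from this page's examples, and inheritance is simplified to exact acl:accessTo matches.

```python
"""Added example (not the acl/auth tool's code): the two default Authorizations,
their Turtle form, and a WebAC-style access check. Paths and principals are
assumed from the page's examples."""
from dataclasses import dataclass

FOAF_AGENT = "foaf:Agent"  # acl:agentClass foaf:Agent = every agent, authenticated or not


@dataclass
class Authorization:
    name: str
    modes: frozenset                         # acl:mode values (Read, Write, ...)
    access_to: frozenset                     # acl:accessTo targets
    agents: frozenset = frozenset()          # acl:agent values
    agent_classes: frozenset = frozenset()   # acl:agentClass values


def default_authorizations(container, principal):
    """What --default creates: Read,Write for the token's principal, Read for everyone."""
    short = principal.split(":")[-1]          # user:quinn -> quinn (naming is an assumption)
    return [
        Authorization(f"{short}-rw", frozenset({"Read", "Write"}), frozenset({container}),
                      agents=frozenset({principal})),
        Authorization("Agent-r", frozenset({"Read"}), frozenset({container}),
                      agent_classes=frozenset({FOAF_AGENT})),
    ]


def allowed(auths, agent, mode, resource):
    """True if some Authorization grants `mode` on `resource` to `agent` (None = anonymous).
    Simplified: a rule applies only when `resource` is exactly one of its acl:accessTo targets."""
    for a in auths:
        if mode not in a.modes or resource not in a.access_to:
            continue
        if FOAF_AGENT in a.agent_classes or (agent is not None and agent in a.agents):
            return True
    return False


def to_turtle(acl, auths):
    """Serialise the Authorizations as children of the ACL container `acl`."""
    lines = ["@prefix acl: <http://www.w3.org/ns/auth/acl#> .",
             "@prefix foaf: <http://xmlns.com/foaf/0.1/> .",
             "@prefix user: <http://example.org/user/> .   # assumed --prefix mapping", ""]
    for a in auths:
        lines.append(f"<{acl}/{a.name}> a acl:Authorization ;")
        lines.append("    acl:accessTo " + ", ".join(f"<{t}>" for t in sorted(a.access_to)) + " ;")
        for ag in sorted(a.agents):
            lines.append(f"    acl:agent {ag} ;")
        for cls in sorted(a.agent_classes):
            lines.append(f"    acl:agentClass {cls} ;")
        lines.append("    acl:mode " + ", ".join(f"acl:{m}" for m in sorted(a.modes)) + " .")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    home = "/fcrepo/rest/user/quinn"
    auths = default_authorizations(home, "user:quinn")
    print(to_turtle(home + "/.acl", auths))
    print("anonymous Read:", allowed(auths, None, "Read", home))   # True with --default
```

Dropping the Agent-r rule from the list is what --no-default amounts to for the public side: with it gone, an anonymous Read is refused while user:quinn keeps Read,Write.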
acl rm
Removes the webac:Acl association from the specified [dirs] (the CWD if none are given). With --acl=aclname only the acl:accessControl triple pointing at that ACL is removed; a bare --acl means ./.acl. Without --acl at all, every acl:accessControl triple on the [dirs] is removed. Unlike acl delete, this does not remove the ACL container itself.
acl dirs
Shows all the directories that use the specified --acl=aclname. If --acl is not specified or has no aclname, ./.acl is used. If [dirnames] are given, only those containers are examined. Results are relative unless --full is included.
acl dirs --acl=../.acl foo bar
# Success
bar
With -r the scan descends from the passed [dirnames].
With --auth the command instead collects every acl:accessTo target from every Authorization in the ACL and returns those targets for which this ACL is in effect.
acl dirs --auth .
acl delete
Deletes an existing webac:Acl container. The command first checks every acl:accessTo target of every Authorization; if any of them has this as its webac:Acl, the command fails, unless --force is given, in which case the acl:accessControl triple is removed from those containers first. If --acl is omitted or given without a value, ./.acl is used. Containers stripped this way fall back to the ACL of their nearest ancestor, which may be more permissive than the one just deleted, so check what they will inherit before using --force.
acl add --acl=.acl bar/baz
acl delete --acl
# Fails: the ACL is in use
acl delete --force --acl
# Success. Equivalent to
patch -d bar/baz --delete-where '<> acl:accessControl </full/path/to/.acl> .'
rm .acl
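As an added example (not part of the tool), the following Python implements the lookups these subcommands describe over an in-memory copy of the acl:accessControl triples: the parent walk behind acl show --dir-entry, the relative and --full display, the container filter of acl dirs [-r], and the in-use check that acl delete makes before --force strips the triples. The container paths are constructed sample data; the in-use check follows the acl:accessControl triples, which is what --force removes. It also shows what a forced delete leaves behind: a container that lost its triple falls back to the ACL of its nearest ancestor, or to none at all at the top.

```python
"""Added example (not the acl tool's code): effective-ACL resolution, acl dirs and the
acl delete safety check over constructed acl:accessControl data."""
import posixpath

# Constructed sample: container -> ACL container named by its acl:accessControl triple.
ACCESS_CONTROL = {
    "/fcrepo/rest/user/quinn": "/fcrepo/rest/user/quinn/.acl",
    "/fcrepo/rest/user/quinn/bar": "/fcrepo/rest/user/quinn/bar/myacl",
    "/fcrepo/rest/user/quinn/bar/baz": "/fcrepo/rest/user/quinn/.acl",
}


def acl_entry(path, access_control=ACCESS_CONTROL):
    """Container whose acl:accessControl governs `path` (what --dir-entry prints):
    the path itself, else the nearest ancestor carrying the triple, None if there is none."""
    p = posixpath.normpath(path)
    while True:
        if p in access_control:
            return p
        if p == "/":
            return None
        p = posixpath.dirname(p)


def effective_acl(path, access_control=ACCESS_CONTROL):
    """The webac:Acl in effect for `path` (what acl show prints), or None."""
    entry = acl_entry(path, access_control)
    return None if entry is None else access_control[entry]


def show(path, cwd, full=False, access_control=ACCESS_CONTROL):
    """`acl show [--full] path` as seen from `cwd`: relative unless --full."""
    acl = effective_acl(path, access_control)
    if acl is None:
        return None
    return acl if full else posixpath.relpath(acl, cwd)


def dirs_using(acl, dirs=None, recursive=False, access_control=ACCESS_CONTROL):
    """`acl dirs [-r] --acl=acl [dirs]`: containers whose own acl:accessControl is `acl`,
    restricted to [dirs] (and, with -r, their descendants) when given."""
    def selected(container):
        if dirs is None:
            return True
        return any(container == d or (recursive and container.startswith(d.rstrip("/") + "/"))
                   for d in dirs)
    return sorted(c for c, a in access_control.items() if a == acl and selected(c))


class AclInUse(Exception):
    """Raised when acl delete would orphan containers that still point at the ACL."""


def delete_acl(acl, force=False, access_control=ACCESS_CONTROL):
    """`acl delete [--force] --acl=acl`: refuse while any container still points at the ACL;
    with --force remove those acl:accessControl triples first (the `patch --delete-where`
    step on the page) so the ACL container can go. Returns the stripped containers."""
    users = dirs_using(acl, access_control=access_control)
    if users and not force:
        raise AclInUse(f"{acl} is still in use by: {', '.join(users)}")
    for container in users:
        del access_control[container]
    # The ACL container itself would be removed here (the `rm .acl` step).
    return users


if __name__ == "__main__":
    cwd = "/fcrepo/rest/user/quinn/a/b"
    print(show(cwd, cwd), show(cwd, cwd, full=True), acl_entry(cwd))
    try:
        delete_acl("/fcrepo/rest/user/quinn/.acl")
    except AclInUse as e:
        print("refused:", e)
```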
auth
The auth command lets users create and interrogate webac:Authorizations from the command line.
auth acl [--full] [--dir-entry] [--dir=dirname]
Displays the webac:Acl used for the specified directory.
--dir  Specify the directory. Default is CWD.
--full  By default the path is relative; --full gives the complete path.
--dir-entry  Instead of the webac:Acl, show the directory that specifies it.
This is equivalent to acl show [options] [dirname].
auth show [authnames]
Displays the passed [authnames] from the ACL selected by --dir=dirname or --acl=aclname.
--dir=dirname  Use the ACL in effect for dirname. Default is CWD.
--acl=aclname  Use this ACL. No default.
--verbose  Show the entire Authorization records.
--full  Show the full path to the authnames.
--all  Show every Authorization in the ACL, not only those whose acl:accessTo matches the directory.
--dir and --acl cannot be given together; the command fails. If no authnames are given, the Authorizations whose acl:accessTo matches the specified dirname are shown, or all of them if --all or --acl is specified.
>auth show
../../.acl/Agent-r
../../.acl/quinn-rw
>auth show --verbose quinn-rw
# Shows the complete quinn-rw Authorization
auth add [--options] [authname]
Adds a new Authorization.
authname  If given, names the Authorization; otherwise the system assigns a name.
--mode  Comma separated acl:mode values. Accepts Read|Write|acl:Read|acl:Write. Default is --mode=Read.
--to  Comma separated list of dirs for acl:accessTo. Default is --to=.
--agent  Comma separated agent(s). Accepts foaf:Agent|Agent|user:quinn; foaf:Agent (short form Agent) means every agent, authenticated or not. No default.
--groups  Comma separated groups for acl:agentClass. Accepts absolute or relative paths.
--prefix=foo=http://web/bar  Declares a prefix for use in the agent or group selection.
auth update [--options] [authnames]
Updates existing Authorizations.
[authnames]  Required: the Authorization(s) to update.
--addmode / --delmode  Adds or deletes acl:mode values.
--addagent / --delagent  Adds or deletes acl:agent values.
--addgroup / --delgroup  Adds or deletes acl:agentClass values.
--addto / --delto  Adds or deletes acl:accessTo targets.
If multiple authnames are given, the change is applied to all of them.
auth rm [authnames]
Removes the named Authorization(s).