Authorization Commands

[qjhart]

Authorization

There are two major authorization commands acl and auth. acl creates new webac:acl sets, and associates them with containers. auth allows users to see and modify access to an existing acl. We expect that acl is not used often, but auth is.

acl

Be design the acl command is not well integrated into the other tooling. That's because we want users to have to think about using it.

There are three main methods for the acl command, create, list, delete. The

acl show --full dir
acl add --acl=[aclname] --create --(no-)defaults [dirs]
acl del [dirs]
acl dirs --acl=[aclname] [-r] [--auth] [dirnames]

acl show

This command will list the webac:Acl that is in effect for the passed directory. If [dir] is unspecified, then the CWD is used.

• --full by default the relative path is shown, but the --full will show the full path.
• --verbose show the content of the webac:Acl
• --dir-entry. Instead of the webac:Acl, show the directory that specifies the webac:Acl

Note, that the webac specification includes the ACL in the HEAD of any request. So, except of the ---dir-entry command, we can simply interrogates that header. The verbose just ls the ACL file.

for --dir-entry, recursively follow the parent until we actually find the directory that has the '<> acl:accessControl ?c' specified.

acl show  .
../../.acl
acl show --full .
/fcrepo/rest/user/quinn/.acl

acl add

This adds an ACL to a set of [dirs]. If [dirs] is not specified use the CWD. You can specify the name of the acl either with --acl or with --acl=dirname. Using --acl uses the default of the first [dir] followed by the ''/.acl". If another acl:accessControl exists,it will be replaced. If no --acl is specified, then this is an error.

• --create By default, if the acl does not exist, or is not of type webac:Acl, the command will fail. However, if the --create is included the command with either add <> a webac:Acl to an existing container, or create a new container with type webac:Acl.
  • --default --no-default If the command creates a new webac:Acl object, then the --default command will create two Authorizations, Read for the for acl:Agent and Read,Write for the the principal named in the current jwt token. (See the section on auth for more). This is on by default, you need to explicitly set this off with --no-default. If the webac:Acl does not have to be created then this is not included.

# Most Common format add acl to PWD
acl add --create --acl .
# No dir = ./
# Success Equivalant to
mkdir  -a webac:Acl .acl
# These are the --default commands
auth --name=quinn-rw --agent=user:quinn --mode=Read,Write --dir=.
auth --name=Agent-r --agent=acl:Agent --mode=Read --dir=.
# This is the step to Add
patch -d $dir --delete-where "<> acl:accessControl ?c ."
patch -d $dir --insert "<> acl:AccessControl $acl ."

The following example uses a non-standard location for the ACL component. The first time the command fails since the locations specified is not a webac:Acl. The second command succeeds.

mkdir bar
$myacl=bar
acl --acl=$myacl $dir  #  Fails since bar is not an webac:Acl
acl --create --acl=$myacl $dir
# Sucess Equivalent to ...
mkdir $myacl
patch -d $myacl --insert "<> a webac:Acl" 
patch -d $dir --delete-where "<> acl:accessControl ?c ."
patch -d $dir --insert "<> acl:AccessControl $acl"

acl rm

Deletes a webac:acl from the specified [dirs]. If --acl is specified then uses -acl=.url. If --acl is not specified at all removes all webac:Acl parameters.

acl rm . foo
# Success equivalent to 
patch -d . --delete-where '<> webAcl ?c .'
patch -d foo --delete-where '<> webAcl ?c .'

acl --acl=.url rm foo
# Success! equivalant to 
patch -d foo --delete-where '<> webac:Acl </fully/qualitifed/path/to/.url> .'

acl dirs

This command will show all the directories that are using the specified --acl=aclname. If --acl is not specified, or doesn't include a aclname, then use `./.acl. If dirs are specified, then only look at that containers. Results are relative unless the --full option is included.

acl dirs --full --acl=../.url foo bar
# Succsss
bar

Including the -r flag scans down from a the passed [dirnames]

acl dirs -r --acl=../.url .
# Success!
./foo/bar/baz

Including the -auth flag looks at every accessTo parameters in every Auth, and returns those with have this ACL set for them.

acl dirs --auth . 

acl delete

This deletes an existing webac:acl Container. The command first checks every accessTo record for every Auth, and if any of them have this as the specified webac:Acl, then the command fails or removes that command if the --force command is in place. if unspecified or specified with --acl, then the path./.acl is used.

acl add --acl=.acl bar/baz
acl delete --acl
# Fails, The ACL is in use
acl delete --force --acl
# Success.. Equivalent to 
patch --d bar/baz --delete-where '<> acl:accessControl </full/path/to/.acl>.'
rm .acl

auth

The auth command allows users to specify and interrogate webac:Authorizations from the command line.

auth --full --dir=[dirname] acl

Displays the webac:Acl used for the specified directory.

• --dir Specify directory. Default is CWD.
• --full By default specification is relative. --full gives complete item
• --dir-entry. Instead of the webac:Acl, show the directory that specifies the webac:Acl

This is equivalent to the command acl show [options] [dirname]

auth show [authnames]

Display the information from the passed [authnames] used in the acl specified by --dir=dirname.

• --dir=dirname Default is CWD
• --acl=aclname No default.
• --verbose Show the entire records
• --full Show the full path to the authnames
• --no-match Show all the authnames

You cannot specify a --dir and --acl at the same time. Will fail. If no authnames are included then show those that match the specified [dirname] or all if --all is specified, or if -acl is specified.

>auth show 
../../.acl/Agent-r
../../.acl/quinn-w

>auth show --verbose quinn-w
# Shows the complete quinn authorization 

auth add [--options] [authname]

Adds a new Authorization.

• authname If specified names the authorization. Otherwise System adds one
• ---mode Specifies the modes, Accepts Read|Write|acl:Read|acl:Write. Default is ```--mode=Read````
• --to Specifies comma separated list of dirs. Default --to=.
• --agent Specifies comma separated agent(s). Accepts `foaf:Agent|Agent|user:quinn. No default
• --groups Speifies comma sparated groups Accepts absolute or relative paths.
• --prefix=foo=http://web/bar Allows specification of prefixes if you need to use in you're agent, or group selection.

auth add --agent=user:quinn,user:jrmerz --to=foo,/fcrepo/rest/collection/bff bff

auth update [--options] [authnames]

Updates existing Authorizations

• [names] Required Authorization(s) to update ---addmode or --delmode Adds or deletes an acl:Mode ---addagent or --delagent Adds or deletes a set of acl:Agents ---addgroup or --delgroup Adds or deletes acl:agentClass ---addto or --delto adds or deletes acl:accessTo roles

If multiple auths are included, then the process acts on all of them

auth update --delagent=user:jrmerz,user:kimmy bff admins friends
# Success .. Equivalant to 
$acl=`auth acl .`
patch -d $acl/bff --delete-where '<> acl:agent user:jrmerz; <> acl:agent user:kimmy'
patch -d $acl/admins  --delete-where '<> acl:agent user:jrmerz; <> acl:agent user:kimmy'
patch -d $acl/friends --delete-where '<> acl:agent user:jrmerz; <> acl:agent user:kimmy'

auth rm [authnames]

Removes and authorization(s) by name.

auth rm bff
# Success! Equivalent to
$acl=`auth acl .`
rm $acl/bff