[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Handle-info] CNRI Web Admin application: handle permissions are not observed
Robert,
It is great to have a web admin tool with full set of permissions, but we also need a way to limit permissions for some users to only create handles (with HS_ADMIN settings done on create from a preset configuration) and add/modify/delete values but not admin values. Currently, we use a list of admin values to be set on create based on handle prefix, e.g. on create
for prefix 1711.COL1 set HS_ADMINs for 200:1711/admin1, 200:1711/admin, 300:0.NA/1711,
for prefix 1711.COL2 set HS_ADMINs for 200:1711/admin2, 200:1711/admin, 300:0.NA/1711, etc.
We use vlists extensively to manage handle admin values. This could be used to differentiate between the two groups of users: full permissions vs restricted. I would think, this would be another common approach used in the community. I have not seen a section in documentation about best practices, but this is an obvious one to use for fine grained access control and ease of maintenance.
Ev
________________________________________
From: handle-info-bounces@cnri.reston.va.us <handle-info-bounces@cnri.reston.va.us> on behalf of Robert R Tupelo-Schneck <schneck@cnri.reston.va.us>
Sent: Monday, February 22, 2016 10:02 AM
To: Evguenia Krylova
Cc: handle-info@cnri.reston.va.us
Subject: Re: [Handle-info] CNRI Web Admin application: handle permissions are not observed
Do I understand correctly, that your primary need is to have users who can edit all handle values except for HS_ADMIN values? If so, I think that's something that we should provide and can provide reasonably easily. I'll see if it's possible to get a patch release to you for that.
If any HS_ADMIN gives a user permission, then the user has that permission; other HS_ADMIN values lacking that permission will be ignored.
Robert
> On Feb 22, 2016, at 10:41 AM, Evguenia Krylova <evguenia.krylova@wisc.edu> wrote:
>
> Robert,
>
> We used two groups of handle editors: one with full control and the other with the rights limited to editing only handle values.
> The users with full control use Java client to manipulate handles. For the second group we have a custom web application that auto-creates appropriate HS_ADMIN values for handles based on the prefix. The users can only add/modify/delete handle value. This way we ensure that handles are not deleted, and authorization is set appropriately while handle creation and maintenance is delegated to administrators of various handle collections.
> We were hoping to replace this app, which is based on aged technology, with the CNRI delivered one. It's easy to make a change to the CNRI js to auto create HS_ADMIN values based on the prefix, would be nice to have it in a config. I am not sure what we'll do now though. I would think delegated handle administration would be a typical scenario for most of the users.
>
> We do not have a use case when we discriminate between add admin but not remove admin. As you rightly pointed out, adding HS_ADMIN is equivalent to giving an admin handle any rights, i.e. full control. By the way, I have not tested what happens if an admin handle is in two vlists of HS_ADMIN with conflicting permissions. For example, one HS_ADMIN gives it the right to delete admin and the other does not.
>
> Ev
> ___________________________________
> ziFrom: handle-info-bounces@cnri.reston.va.us <handle-info-bounces@cnri.reston.va.us> on behalf of Robert R Tupelo-Schneck <schneck@cnri.reston.va.us>widest
> Sent: Saturday, February 20, 2016 8:59 AM
> To: Evguenia Krylova
> Cc: handle-info@cnri.reston.va.us
> Subject: Re: [Handle-info] CNRI Web Admin application: handle permissions are not observed
>
> The REST API generally uses a Handle call which replaces the entire handle record. That call is authorized by "ADD_ADMIN" permission.
>
> In v8, you can access the same call in the hdl-admintool Java GUI client using "Replace Mode". Otherwise, the hdl-admintool uses different calls that affect only one value at a time, each of which is authorized separately.
>
> This is something we might reconsider. Do you have a use case for a user to add but not remove HS_ADMIN values? (Even though, in principle, such a user could give the user's own identity the extra permission to remove them?)
>
> Robert
>
>> On Feb 19, 2016, at 6:07 PM, Evguenia Krylova <evguenia.krylova@wisc.edu> wrote:
>>
>> I have to add that Java client does not allow deleting or modifying admin values for this handle.
>>
>> Ev
>>
>>
>> From: handle-info-bounces@cnri.reston.va.us <handle-info-bounces@cnri.reston.va.us> on behalf of Evguenia Krylova <evguenia.krylova@wisc.edu>
>> Sent: Friday, February 19, 2016 4:48 PM
>> To: handle-info@cnri.reston.va.us
>> Subject: [Handle-info] CNRI Web Admin application: handle permissions are not observed
>>
>> I am testing CNRI Web Admin tool and have come across something that does not make sense to me.
>>
>> I a handle 1712/evtest that can be managed by 200:1712/dladmins_test
>> handle with the following permissions: 011001110011. These are listed as
>> read, add, modify, delete value, list handle and add admin.
>> Index 200 contains vlist with 200:1712/dladmins_test handle in it (see the data below).
>> The permissions do not include modify or delete admin, yet when
>> authenticated as 310:1712/batchuser, I can modify and delete admin values and save the handle.
>> This does not look right to me.
>>
>> Ev
>>
>> 1712/dladmins_test:
>> ------------------
>> {
>> "responseCode": 1,
>> "handle": "1712/dladmins_test",
>> "values": [
>> {
>> "index": 200,
>> "type": "HS_VLIST",
>> "data": {
>> "format": "vlist",
>> "value": [
>> {
>> "handle": "1711/ltg",
>> "index": 200
>> },
>> {
>> "handle": "1712/batchuser",
>> "index": 310
>> }
>> ]
>> },
>> "ttl": 60,
>> "timestamp": "2016-02-19T22:09:13Z"
>> }
>>
>> ,
>> {
>> "index": 100,
>> "type": "HS_ADMIN",
>> "data": {
>> "format": "admin",
>> "value": {
>> "handle": "0.NA/1711",
>> "index": 200,
>> "permissions": "111111111111",
>> "legacyByteLength": true
>> }
>> },
>> "ttl": 60,
>> "timestamp": "2016-02-11T20:19:19Z"
>> },
>> {
>> "index": 103,
>> "type": "HS_ADMIN",
>> "data": {
>> "format": "admin",
>> "value": {
>> "handle": "0.NA/1711",
>> "index": 300,
>> "permissions": "111111111111",
>> "legacyByteLength": true
>> }
>> },
>> "ttl": 86401,
>> "timestamp": "2016-02-11T20:19:19Z"
>> },
>> {
>> "index": 2,
>> "type": "NAME",
>> "data": {
>> "format": "string",
>> "value": "Digital Library Handle Administrators"
>> },
>> "ttl": 86400,
>> "timestamp": "2016-02-11T20:19:19Z"
>> },
>> {
>> "index": 101,
>> "type": "HS_ADMIN",
>> "data": {
>> "format": "admin",
>> "value": {
>> "handle": "1711/ltg",
>> "index": 200,
>> "permissions": "111111111111",
>> "legacyByteLength": true
>> }
>> },
>> "ttl": 86400,
>> "timestamp": "2016-02-11T20:19:19Z"
>> }
>> ]
>> }
>>
>>
>> 1712/batchuser:
>> --------------
>> {
>> "responseCode": 1,
>> "handle": "1712/batchuser",
>> "values": [
>> {
>> "index": 1,
>> "type": "NAME",
>> "data": {
>> "format": "string",
>> "value": "Batch user for 1712"
>> },
>> "ttl": 86400,
>> "timestamp": "2016-02-19T22:12:40Z"
>> },
>> {
>> "index": 101,
>> "type": "HS_ADMIN",
>> "data": {
>> "format": "admin",
>> "value": {
>> "handle": "1711/ltg",
>> "index": 200,
>> "permissions": "111111111111"
>> }
>> },
>> "ttl": 86400,
>> "timestamp": "2016-02-19T22:06:56Z"
>> },
>> {
>> "index": 100,
>> "type": "HS_ADMIN",
>> "data": {
>> "format": "admin",
>> "value": {
>> "handle": "0.NA/1712",
>> "index": 200,
>> "permissions": "111111111111"
>> }
>> },
>> "ttl": 86400,
>> "timestamp": "2016-02-19T22:06:56Z"
>> }
>> ]
>> }
>>
>>
>> 1712/evtest:
>> -----------------------
>> {
>> "responseCode": 1,
>> "handle": "1712/evtest",
>> "values": [
>> {
>> "index": 100,
>> "type": "HS_ADMIN",
>> "data": {
>> "format": "admin",
>> "value": {
>> "handle": "0.NA/1712",
>> "index": 200,
>> "permissions": "111111111111"
>> }
>> },
>> "ttl": 86400,
>> "timestamp": "2016-02-19T22:05:11Z"
>> },
>> {
>> "index": 2,
>> "type": "NAME",
>> "data": {
>> "format": "string",
>> "value": "test handle for Ev"
>> },
>> "ttl": 86400,
>> "timestamp": "2016-02-19T22:23:59Z"
>> },
>> {
>> "index": 102,
>> "type": "HS_ADMIN",
>> "data": {
>> "format": "admin",
>> "value": {
>> "handle": "1712/dladmins_test",
>> "index": 200,
>> "permissions": "011001110011"
>> }
>> },
>> "ttl": 86400,
>> "timestamp": "2016-02-19T22:28:55Z"
>> }
>> ]
>> }
>>
>>
>> _______________________________________________
>> Handle-Info mailing list
>> Handle-Info@cnri.reston.va.us
>> http://www.handle.net/mailman/listinfo/handle-info
>
> _______________________________________________
> Handle-Info mailing list
> Handle-Info@cnri.reston.va.us
> http://www.handle.net/mailman/listinfo/handle-info
> _______________________________________________
> Handle-Info mailing list
> Handle-Info@cnri.reston.va.us
> http://www.handle.net/mailman/listinfo/handle-info
_______________________________________________
Handle-Info mailing list
Handle-Info@cnri.reston.va.us
http://www.handle.net/mailman/listinfo/handle-info
_______________________________________________
Handle-Info mailing list
Handle-Info@cnri.reston.va.us
http://www.handle.net/mailman/listinfo/handle-info