Resource Manager Description

The term Resource Manager is used for compatibility with the CLARIN Language Resource and Technology Federation document, in which topic 5 (Requirements) leaves resource management to the centers. The Resource Manager is the authorization component that automatically allows or denies access to files according to user attributes. A linguistic resource or corpus can contain one or several files. Owner-controlled resource management is also defined in RequirementsSpecification.

Demo

CSC has created the CRAS system (CSC Resource Accounting System, https://wiki.csc.fi/twiki/bin/view/Storage/CRAS), which can store stat and hash data of files in a relational database. In the demo, the same database was used to control access. The URL of the demo is https://hotpage.csc.fi/shib-cgi-bin/r/list.

The source code of the demo is attached:

  • dl: Python program to download files
  • list: Python program to show the allowed files

The current database structure includes a table called resurssi:

describe resurssi;
+------------+-----------------------+------+-----+---------+-------+
| Field      | Type                  | Null | Key | Default | Extra |
+------------+-----------------------+------+-----+---------+-------+
| path_hash  | varchar(32)           | NO   | PRI |         |       | 
| path       | text                  | YES  |     | NULL    |       | 
| path_utf8  | text                  | YES  |     | NULL    |       | 
| owner      | varchar(64)           | YES  |     | NULL    |       | 
| right_type | mediumint(8) unsigned | YES  |     | NULL    |       | 
| rights     | varchar(255)          | YES  |     | NULL    |       | 
+------------+-----------------------+------+-----+---------+-------+

Each record in the resurssi table describes one file. A resource can contain one or several files.
The path_hash is the primary key, and the security of the demo system relies on it. It is generated with Python's md5 object by the command md5.new(realname).hexdigest(), where realname is realpath(join(root, name)).
The owner is the Shibboleth EPPN (eduPersonPrincipalName). In the future, the owner will be able to set the rights.
Only the path information is shown to the user.
Only right_type 0 is used.
The rights field contains a Shibboleth attribute as a key=value string. It can contain, for example, one of the following sample strings:

HTTP_SHIB_SCHACHOMEORGANIZATIONTYPE=urn:mace:terena.org:schac:homeOrganizationType:fi:university
HTTP_SHIB_SCHACHOMEORGANIZATION=csc.fi
REMOTE_USER=pj@csc.fi
The list program shows the user only the files that the user has the right to access. The list of files has links to the dl program, which sends the requested file to the user if the rights allow it.

The implementation of the demo took less than one week's work.

Required features for production

We recommend that the Resource Manager model described under Demo be chosen for production to grant automatic access to the chosen resources. In addition to the features of the demo, the following features are needed for production:

  • Using the CRAS database instead of the current demo database.
  • Adding AND and OR operations for the rights; this may be implemented as a new right_type 1 or simply by adding some parsing for right_type 0.
  • Planning the database structure really carefully.
  • An owner's page to set the rights. This should include some (limited) prescribed usage right types (e.g. 1. free for all purposes; 2. free for research and education; 3. restricted, consent to specific terms required). Moreover, this page should allow the deposition of the specific terms of usage, which the applicant may sign electronically.
  • Recursive views and functionality per resource for all subdirectories and files under it, like Unix chmod -R.
  • Showing the owner a list of all of his/her files/resources.
  • Showing the user the file sizes and adding the size information to the database.
  • An interface to add resources to the database (planning and implementation); it may be a command line program because linguistic resources are static.
  • Usage statistics (the httpd server logs are already published with Analog, but is that enough?).
  • Groups. Groups are functionally equal to an OR operation over a list of users, but for long lists it is more efficient and user-friendly to store them in their own tables.
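As an added example (not the demo's own code, which is only attached as dl and list), the following Python 3 sketch shows how the list program's right_type 0 check described under Demo and the AND/OR extension proposed above could be evaluated against the Shibboleth attributes the SP exports into the CGI environment. The right_type 1 syntax (" AND " / " OR ", AND binding tighter), the sample attributes and the resurssi rows are constructed assumptions; the decision defaults to deny.

```python
import hashlib

# right_type 0 is the only value the demo uses: one KEY=VALUE pair.
# right_type 1 is the proposed AND/OR extension; the syntax used here
# (" AND " / " OR ", with AND binding tighter) is an assumption, not the page's.
RIGHT_TYPE_SIMPLE, RIGHT_TYPE_BOOLEAN = 0, 1

def path_hash(realname):
    """Hex MD5 of the resolved path, the demo's path_hash key (hashlib replaces md5.new)."""
    return hashlib.md5(realname.encode("utf-8")).hexdigest()

def match_simple(rule, attrs):
    """right_type 0: the attribute named before '=' must equal the value after it."""
    key, sep, value = rule.partition("=")
    if not sep:
        return False  # malformed rule: deny rather than fall open
    return attrs.get(key) == value

def match_boolean(rule, attrs):
    """Proposed right_type 1: 'a AND b OR c' is read as (a AND b) OR c."""
    return any(all(match_simple(t.strip(), attrs) for t in conj.split(" AND "))
               for conj in rule.split(" OR "))

def allowed(right_type, rights, attrs):
    """Decision for one resurssi record against the caller's Shibboleth attributes."""
    if right_type == RIGHT_TYPE_SIMPLE:
        return match_simple(rights, attrs)
    if right_type == RIGHT_TYPE_BOOLEAN:
        return match_boolean(rights, attrs)
    return False  # unknown right_type: deny

def visible_paths(records, attrs):
    """What 'list' would render: only the path column of permitted records."""
    return [r["path"] for r in records if allowed(r["right_type"], r["rights"], attrs)]

# Constructed sample data (not from the page): the CGI variables the SP exports for
# the sample user, and three resurssi rows. In the CGI program attrs is os.environ.
UNIV = "urn:mace:terena.org:schac:homeOrganizationType:fi:university"
ATTRS = {"HTTP_SHIB_SCHACHOMEORGANIZATIONTYPE": UNIV,
         "HTTP_SHIB_SCHACHOMEORGANIZATION": "csc.fi",
         "REMOTE_USER": "pj@csc.fi"}
CORPUS = [
    {"path": "/corpus/a.txt", "right_type": 0,
     "rights": "HTTP_SHIB_SCHACHOMEORGANIZATIONTYPE=" + UNIV},
    {"path": "/corpus/b.txt", "right_type": 0, "rights": "REMOTE_USER=other@example.org"},
    {"path": "/corpus/c.txt", "right_type": 1,
     "rights": "HTTP_SHIB_SCHACHOMEORGANIZATION=example.org OR REMOTE_USER=pj@csc.fi"},
]
```

With the sample attributes, visible_paths(CORPUS, ATTRS) returns only /corpus/a.txt and /corpus/c.txt; a malformed rule or an unknown right_type hides the file instead of exposing it.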

Doing everything above will take about a month.

Shibboleth Service Provider (SP) (Excluded from the contract)

The Shibboleth SP has Resource Manager functionality of its own, which is controlled by XML settings:

<?xml version="1.0" encoding="UTF-8"?>
<AccessControl xmlns="urn:mace:shibboleth:target:config:1.0">
   <Rule require="schacHomeOrganizationType">fi:university</Rule>
</AccessControl>
The rules can be combined with And and Or tags. The rules are referenced from the Shibboleth configuration file shibboleth.xml:
<Path name="shib/appl/ling/kielipankki/amph" authType="shibboleth" requireSession="true">
    <AccessControlProvider uri="/v/net/hotpage.csc.fi/sec/shiblingacl.xml" type="edu.internet2.middleware.shibboleth.sp.provider.XMLAccessControl"/>
</Path>
This example does not work, for an unknown reason; a similar example has worked on the test machine. The server uses Shibboleth 1.3, and it may work better with Shibboleth 2. Every change also requires restarting the Shibboleth SP, which is not acceptable in production use. Administering the Shibboleth SP would be very difficult, and there is no point in using authorization that cannot be relied upon.

If it is possible to get the Shibboleth Access Control working, it will require at least a week of work.

Topic revision: r2 - 2009-04-24 - SatuTorikka