Skip to content

Attribute based access control implementation

Georgy Litvinov requested to merge github/fork/litvinovg/abac_pr into main

VIVO GitHub issue

VIVO PR

What does this pull request do?

Re-implements authorization subsystem to use attribute based access control allowing to define flexible access rules: For example rules that only apply to certain roles and or conditions computed by SPARQL queries. Provides the same interface to control access to entities as was provided in Advanced Role Management PR

Policy logic

Policy configuration contains set of access rules, each access rule has attributes. If attributes match, then rule is enforced to authorize or not authorize request. If at least one of attributes didn't match, then the rule is skipped. Policies can be prioritized by setting priority to a long value. By default policy priority is 0. Attribute matching is firstly done for less computation expensive attributes:

  1. Equality checks
  2. Contains in set checks
  3. Attributes that use SPARQL to check matching.

What's new?

  • A new graph http://vitro.mannlib.cornell.edu/default/access-control has been created to store access control configurations.
  • Created Dynamic policies to be loaded from graph configurations that replaced old policies in java files, stored in accessControl/firsttime/ directory.
  • Created PolicyStore instead of PolicyList to store policy instances
  • Permissions were converted into simple permission policies.
  • Policies were converted into dynamic policy configurations in n3 files.
  • AuthorizationRequests was refactored to only serve as a container for authorization request, action classes were converted into access objects.
  • Created access rules
  • Removed outdated identifier factories
  • Created attributes, attribute types, access objects
  • All java policies were replaced by dynamically loaded policy configuration from n3 files.
  • Fixed authorization requests to provide more information
  • Some singleton classes were refactored to remove not needed dependencies on servlet context.
  • Created code to load policies and update test data sets in policies.
  • Created migration code for migrations from annotation based authorization currently in use in Vitro and VIVO
  • Created migration code for migrations from ARM based authorization used by some Vitro and VIVO community members.
  • Test were created to test policy loading and migration

How should this be tested?

There are 2 ways to test it:

  • Migration from currently in use VIVO instance Apply changes in PR for Vitro and for VIVO, build and deploy your VIVO. Check if access works the same as it worked before for object properties, data properties, faux object properties and faux data properties. If you want to try new policies, try edit policies in firsttime directory, reload VIVO and see results.
  • Migration from Advanced role management Apply changes in PR for Vitro and for VIVO Make sure to retain entity permission configurations you had in auth firsttime folder you used for ARM for conversion of ARM permissions into policy datasets. Build and deploy your VIVO. Check if access works the same as it worked in ARM. Standard VIVO checks are required to test this PR. If you want to try new policies, try edit policies in firsttime directory, reload VIVO and see results.

Additional notes

  • Documentation will need to be updated.

Interested parties

@chenejac @vivo-project/vivo-committers

Merge request reports