
Re: [Handle-info] CNRI Web Admin application: handle permissions are not observed



Robert,

We used two groups of handle editors: one with full control and the other with the rights limited to editing only handle values.
The users with full control use the Java client to manipulate handles. For the second group we have a custom web application that auto-creates appropriate HS_ADMIN values for handles based on the prefix. The users can only add/modify/delete handle values. This way we ensure that handles are not deleted, and authorization is set appropriately while handle creation and maintenance is delegated to administrators of various handle collections.
We were hoping to replace this app, which is based on aged technology, with the CNRI delivered one. It's easy to make a change to the CNRI js to auto-create HS_ADMIN values based on the prefix; it would be nice to have it in a config. I am not sure what we'll do now though. I would think delegated handle administration would be a typical scenario for most of the users.

We do not have a use case when we discriminate between add admin but not remove admin. As you rightly pointed out, adding HS_ADMIN is equivalent to giving an admin handle any rights, i.e. full control. By the way, I have not tested what happens if an admin handle is in two vlists of HS_ADMIN with conflicting permissions. For example, one HS_ADMIN gives it the right to delete admin and the other does not.

Ev
___________________________________
From: handle-info-bounces@cnri.reston.va.us <handle-info-bounces@cnri.reston.va.us> on behalf of Robert R Tupelo-Schneck <schneck@cnri.reston.va.us>
Sent: Saturday, February 20, 2016 8:59 AM
To: Evguenia Krylova
Cc: handle-info@cnri.reston.va.us
Subject: Re: [Handle-info] CNRI Web Admin application: handle permissions are not observed

The REST API generally uses a Handle call which replaces the entire handle record.  That call is authorized by "ADD_ADMIN" permission.

In v8, you can access the same call in the hdl-admintool Java GUI client using "Replace Mode".  Otherwise, the hdl-admintool uses different calls that affect only one value at a time, each of which is authorized separately.

This is something we might reconsider.  Do you have a use case for a user to add but not remove HS_ADMIN values?  (Even though, in principle, such a user could give the user's own identity the extra permission to remove them?)

Robert

> On Feb 19, 2016, at 6:07 PM, Evguenia Krylova <evguenia.krylova@wisc.edu> wrote:
>
> I have to add that the Java client does not allow deleting or modifying admin values for this handle.
>
> Ev
>
>
> From: handle-info-bounces@cnri.reston.va.us <handle-info-bounces@cnri.reston.va.us> on behalf of Evguenia Krylova <evguenia.krylova@wisc.edu>
> Sent: Friday, February 19, 2016 4:48 PM
> To: handle-info@cnri.reston.va.us
> Subject: [Handle-info] CNRI Web Admin application: handle permissions are not observed
>
> I am testing the CNRI Web Admin tool and have come across something that does not make sense to me.
>
> I have a handle 1712/evtest that can be managed by 200:1712/dladmins_test
> handle with the following permissions: 011001110011. These are listed as
> read, add, modify, delete value, list handle and add admin.
> Index 200 contains vlist with 200:1712/dladmins_test handle in it (see the data below).
> The permissions do not include modify or delete admin, yet when
> authenticated as 310:1712/batchuser, I can modify and delete admin values and save the handle.
> This does not look right to me.
>
> Ev
>
> 1712/dladmins_test:
> ------------------
> {
>   "responseCode": 1,
>   "handle": "1712/dladmins_test",
>   "values": [
>     {
>       "index": 200,
>       "type": "HS_VLIST",
>       "data": {
>         "format": "vlist",
>         "value": [
>           {
>             "handle": "1711/ltg",
>             "index": 200
>           },
>           {
>             "handle": "1712/batchuser",
>             "index": 310
>           }
>         ]
>       },
>       "ttl": 60,
>       "timestamp": "2016-02-19T22:09:13Z"
>     },
>     {
>       "index": 100,
>       "type": "HS_ADMIN",
>       "data": {
>         "format": "admin",
>         "value": {
>           "handle": "0.NA/1711",
>           "index": 200,
>           "permissions": "111111111111",
>           "legacyByteLength": true
>         }
>       },
>       "ttl": 60,
>       "timestamp": "2016-02-11T20:19:19Z"
>     },
>     {
>       "index": 103,
>       "type": "HS_ADMIN",
>       "data": {
>         "format": "admin",
>         "value": {
>           "handle": "0.NA/1711",
>           "index": 300,
>           "permissions": "111111111111",
>           "legacyByteLength": true
>         }
>       },
>       "ttl": 86401,
>       "timestamp": "2016-02-11T20:19:19Z"
>     },
>     {
>       "index": 2,
>       "type": "NAME",
>       "data": {
>         "format": "string",
>         "value": "Digital Library Handle Administrators"
>       },
>       "ttl": 86400,
>       "timestamp": "2016-02-11T20:19:19Z"
>     },
>     {
>       "index": 101,
>       "type": "HS_ADMIN",
>       "data": {
>         "format": "admin",
>         "value": {
>           "handle": "1711/ltg",
>           "index": 200,
>           "permissions": "111111111111",
>           "legacyByteLength": true
>         }
>       },
>       "ttl": 86400,
>       "timestamp": "2016-02-11T20:19:19Z"
>     }
>   ]
> }
>
>
> 1712/batchuser:
> --------------
> {
>   "responseCode": 1,
>   "handle": "1712/batchuser",
>   "values": [
>     {
>       "index": 1,
>       "type": "NAME",
>       "data": {
>         "format": "string",
>         "value": "Batch user for 1712"
>       },
>       "ttl": 86400,
>       "timestamp": "2016-02-19T22:12:40Z"
>     },
>     {
>       "index": 101,
>       "type": "HS_ADMIN",
>       "data": {
>         "format": "admin",
>         "value": {
>           "handle": "1711/ltg",
>           "index": 200,
>           "permissions": "111111111111"
>         }
>       },
>       "ttl": 86400,
>       "timestamp": "2016-02-19T22:06:56Z"
>     },
>     {
>       "index": 100,
>       "type": "HS_ADMIN",
>       "data": {
>         "format": "admin",
>         "value": {
>           "handle": "0.NA/1712",
>           "index": 200,
>           "permissions": "111111111111"
>         }
>       },
>       "ttl": 86400,
>       "timestamp": "2016-02-19T22:06:56Z"
>     }
>   ]
> }
>
>
> 1712/evtest:
> -----------------------
> {
>   "responseCode": 1,
>   "handle": "1712/evtest",
>   "values": [
>     {
>       "index": 100,
>       "type": "HS_ADMIN",
>       "data": {
>         "format": "admin",
>         "value": {
>           "handle": "0.NA/1712",
>           "index": 200,
>           "permissions": "111111111111"
>         }
>       },
>       "ttl": 86400,
>       "timestamp": "2016-02-19T22:05:11Z"
>     },
>     {
>       "index": 2,
>       "type": "NAME",
>       "data": {
>         "format": "string",
>         "value": "test handle for Ev"
>       },
>       "ttl": 86400,
>       "timestamp": "2016-02-19T22:23:59Z"
>     },
>     {
>       "index": 102,
>       "type": "HS_ADMIN",
>       "data": {
>         "format": "admin",
>         "value": {
>           "handle": "1712/dladmins_test",
>           "index": 200,
>           "permissions": "011001110011"
>         }
>       },
>       "ttl": 86400,
>       "timestamp": "2016-02-19T22:28:55Z"
>     }
>   ]
> }
>
>
> _______________________________________________
> Handle-Info mailing list
> Handle-Info@cnri.reston.va.us
> http://www.handle.net/mailman/listinfo/handle-info

_______________________________________________
Handle-Info mailing list
Handle-Info@cnri.reston.va.us
http://www.handle.net/mailman/listinfo/handle-info
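
Added example, not part of the thread and not CNRI code: a simplified JavaScript model of the two authorization paths Robert describes, a whole-record replace gated on one permission versus per-value calls that are each checked separately. The permission labels, function names and the sample record (modelled on 1712/evtest) are assumptions made for illustration.

```javascript
// Simplified model; the permission labels are illustrative, not the wire encoding.
const kind = (v) => (v.type === "HS_ADMIN" ? "admin" : "value");

// Permissions a per-value client would need to turn oldValues into newValues.
function requiredPermissions(oldValues, newValues) {
  const before = new Map(oldValues.map((v) => [v.index, v]));
  const after = new Map(newValues.map((v) => [v.index, v]));
  const needed = new Set();
  for (const [index, v] of after) {
    const old = before.get(index);
    if (!old) {
      needed.add(`add_${kind(v)}`);
    } else if (JSON.stringify(old) !== JSON.stringify(v)) {
      needed.add(`modify_${kind(old)}`); // covers a value changing type too
      needed.add(`modify_${kind(v)}`);
    }
  }
  for (const [index, old] of before) {
    if (!after.has(index)) needed.add(`remove_${kind(old)}`);
  }
  return needed;
}

// Whole-record replace, as described in the thread: one permission gates everything.
const authorizeReplace = (granted) => granted.has("add_admin");

// Per-value authorization: every individual change must be covered.
function authorizePerValue(granted, oldValues, newValues) {
  const missing = [...requiredPermissions(oldValues, newValues)].filter((p) => !granted.has(p));
  return { allowed: missing.length === 0, missing };
}

// Constructed sample modelled on 1712/evtest; the edit drops the HS_ADMIN at index 100.
const current = [
  { index: 100, type: "HS_ADMIN", data: "0.NA/1712" },
  { index: 2, type: "NAME", data: "test handle for Ev" },
  { index: 102, type: "HS_ADMIN", data: "1712/dladmins_test" },
];
const edited = [{ index: 2, type: "NAME", data: "renamed test handle" }, current[2]];
// The six permissions the original post lists for 1712/dladmins_test.
const granted = new Set(["read_value", "add_value", "modify_value", "remove_value", "list_handles", "add_admin"]);

console.log("replace mode allowed:", authorizeReplace(granted));
console.log("per-value check:", authorizePerValue(granted, current, edited));
```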