Project

General

Profile

Task #2613

Convert existing deny/denyFirst rules to allowFirst rules

Added by Ben Leinfelder over 7 years ago. Updated about 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Ben Leinfelder
Category:
Metacat
Target version:
-
Start date:
2012-04-17
Due date:
% Done:

100%

Milestone:
CCI-1.0.0
Product Version:
*
Story Points:
Sprint:

Description

We decided to convert all deny/denyFirst access rules to use the allow/allowFirst approach assuming there is no loss of the semantics of the access control block.

This mostly means removing "deny public" rules which is the implicit behavior if there is no "allow public" rule.


Related issues

Related to Infrastructure - Bug #2583: Metacat CN-CN replication permOrder issue with EML-defined access rules Closed
Related to Infrastructure - Task #2614: Ignore EML access control blocks that use denyFirst permOrder Closed 2012-04-17

History

#1 Updated by Ben Leinfelder over 7 years ago

Here are my SQL notes for the "conversion"

Analyze the number of rules that need to be addressed:

select principal_name, perm_type, count(*) from xml_access where perm_order = 'denyFirst' and perm_type = 'deny' and principal_name != 'public' group by principal_name, perm_type;
select * from xml_access where guid in (select guid from xml_access where perm_order = 'denyFirst' and perm_type = 'deny' and principal_name != 'public');

Then do these steps to update all of them to use allowFirst only
1.) Delete the unnecessary public deny rules:

select count(guid) from xml_access where perm_order = 'denyFirst' and perm_type = 'deny' and principal_name = 'public';
delete from xml_access where perm_order = 'denyFirst' and perm_type = 'deny' and principal_name = 'public';

2.) Delete the non-public deny rules (after examining them!):

select * from xml_access where perm_order = 'denyFirst' and perm_type = 'deny' and principal_name != 'public';
delete from xml_access where perm_order = 'denyFirst' and perm_type = 'deny' and principal_name != 'public';

3.) Update all denyFirst rules

select perm_type, count(*) from xml_access where perm_order = 'denyFirst' group by perm_type;
update xml_access set perm_order = 'allowFirst' where perm_order = 'denyFirst';

#2 Updated by Ben Leinfelder about 7 years ago

  • Status changed from New to Closed
  • translation missing: en.field_remaining_hours set to 0.0

This has been completed on our big three (KNB, LTER, PISCO)

Also available in: Atom PDF

Add picture from clipboard (Maximum size: 14.8 MB)