
This wiki space contains archival documentation of Project Bamboo, April 2008 - March 2013.


Brief description

The Protected Resource service enables a Bamboo Person to extend access to resources they own to other Bamboo Persons, groups, or institutions. The information maintained by the Protected Resource service is used by BSP as part of the authorization process for a request.

Version

This page describes the Protected Resource service API, v. 0.9.

To discover the version and other metadata about deployed service code that fulfills this API, please utilize the Service Catalog Service.

Overview and Definitions

The Protected Resource service provides two APIs:

  • ROA API:  Authorization decisions are based on a policy-driven process that takes into account rules previously established for the resource in question, the action requested, and a set of user data that includes identity, their attributes, and any group memberships. The Protected Resource service maintains collections of sourced roles (for institutions) and groups that have been granted permissions for a resource
  • SOA API: BSP services can make an OSGi call to create protected resources

Terms:

  • A group is a collection whose members are Bamboo Persons. Group membership is managed via the Group Service API
  • An institution, or more specifically a role within an institution, is one or more attributes asserted about an authenticated user by their application

Assumptions

  • A resource exists, and the user is in possession of its identifier
  • The authenticated user making the request is the owner of the resource

 

References

  • Codebase: ${REPOSITORY_ROOT}/platform-services/bsp/trunk/bsp/utility-services/protected-resource-service/

Known Issues

n/a

ROA Layer API

 

Base URLs

It is assumed in this documentation that no centrally-run instances of the Bamboo Services Platform will be running after the project ends on 31 March 2013. Therefore, base URLs are assumed to be on a developer's machine, localhost. The base URL with a port number assumes that the BSP is running unsecured; the URL without a port number assumes that security is enforced and Apache Web Server is intercepting and redirecting service calls. Please see the page Identity and Access Management - Authentication and Authorization for context, as well as links to installation and configuration instructions for secured instances of BSP.

Note that ONLY services at v0.9 or greater will run properly in a secured instance of the BSP.

Currently available base URLs:

 

 

Client Responsibilities in Requests to Secured BSP Web Services

This section of the Service API documentation describes a client application's responsibilities when making requests to secured Web Services hosted on the Bamboo Services Platform (including this service).

A secured instance of the Bamboo Services Platform (BSP) implies a significant set of installation and configuration tasks for which the operator of the BSP is responsible. These are described in overview on the wiki page Identity and Access Management - Authentication and Authorization, and in detail on pages linked from that one.

(1) A client must be configured as a Trusted Application if requests are to be treated other than as Anonymous

A client application – whether a web app or a simple testing client such as Firefox Poster or curl – may make requests anonymously or as a "Trusted Application." Only a Trusted Application may assert the identity of a user on behalf of whom the request is made, and scoped roles to be assigned to that user; Bamboo Services trust such clients to assert the identity and assigned roles only of users who have authenticated in the current session of application activity. (A special-case type of client application, termed an Innovation Licensed application, is trusted to assert the identity of, and roles assigned to, a fixed set of special-case users without those users having to authenticate in the current session.)

Configuration of client applications is described in detail on this wiki page: Configure Apache Web Server for Client Auth. It is assumed in #2, below, that this configuration has been performed.

(2) A Trusted client is expected to pass HTTP Request Headers to identify itself and an authenticated user

A client application that is Trusted in the security context of the Bamboo Trust Federation (cf. Identity and Access Management - Authentication and Authorization) must augment each request to a service hosted by a secured instance of the Bamboo Services Platform (BSP) with a set of HTTP headers, as follows:

  • X-Bamboo-AppID: A UUID that identifies the client research environment, application, tool, or service; this UUID is issued as part of the process of registering a trusted client in the Bamboo Trust Federation as described in overview on the page Identity and Access Management - Authentication and Authorization; and in detail with respect to physical establishment of trust on the page Configure Apache Web Server for Client Auth. The value of this header is linked to the X.509 certificate by which the application establishes an SSL connection to the BSP host in the registration process, and a match between this Application ID and the linked X.509 certificate is checked by the BSP on receipt of every request.
  • X-Bamboo-BPID: A UUID that identifies the logged-in user on whose behalf the request is being sent; this value, a Bamboo Person Identifier, or BPId, is obtained via a call to the Person Service that occurs in time between user login and any other service request. See the Read a BambooPersonId method of the Person Service API for details. [1]
  • X-Bamboo-Roles: A pipe-delimited (|) set of scoped roles asserted by the trusted client to belong to the logged-in user, of the form role@domain, which are to be evaluated as factors in the determination of whether the request satisfies policies (access restrictions) that apply to the requested resource. If a user is authenticated, the client is expected to include the role undefined@domain where domain identifies the organization that authenticated the user (example: undefined@google.com is a client app's assertion that the user authenticated to Google). This header is otherwise optional (depending on policies governing the requested resource that may require one or more scoped roles for access to be permitted). Example of multiple roles asserted in this header: roleA@domainOne.xxx|roleB@domainTwo [2]

[1] The value of X-Bamboo-BPID is set to the identifier for the application itself (X-Bamboo-AppID) when a client application calls the Person Service to create a new Bamboo Person Identifier; or to retrieve the BPId for a user based on the identifier of the IdP with which she has logged in and an SHA-256 hash of that IdP's user identifier for the logged-in person.

[2] Policies and policy evaluation are described on the page Authorization and Policy. Also see Conventions for representing Identity Providers in the Bamboo Trust Federation.
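The header rules above can be checked mechanically before a request is sent or logged. The following is an added example, not code from Project Bamboo: the function and class names are hypothetical, the accepted character set for role@domain is an assumption, and requiring undefined@domain whenever BPID differs from AppID is a strict reading of "is expected to include".

```python
import re
import uuid
from dataclasses import dataclass

# role@domain as described for X-Bamboo-Roles; the permitted characters are an assumption.
ROLE_RE = re.compile(r"[A-Za-z0-9._-]+@[A-Za-z0-9.-]+")


@dataclass
class BambooIdentity:
    app_id: uuid.UUID
    bp_id: uuid.UUID
    roles: list        # scoped roles in header order
    idp_domains: list  # domains from undefined@domain roles (who authenticated the user)


def _parse_uuid(name, value):
    # uuid.UUID accepts both the bare form and the urn:uuid: form used in the XML examples.
    try:
        return uuid.UUID(value.strip())
    except (AttributeError, ValueError):
        raise ValueError(f"{name} is missing or is not a UUID") from None


def parse_bamboo_headers(headers):
    """Validate the X-Bamboo-* headers of one request; raise ValueError if malformed."""
    h = {k.lower(): v for k, v in headers.items()}
    app_id = _parse_uuid("X-Bamboo-AppID", h.get("x-bamboo-appid"))
    bp_id = _parse_uuid("X-Bamboo-BPID", h.get("x-bamboo-bpid"))
    raw = h.get("x-bamboo-roles", "")
    roles = [r.strip() for r in raw.split("|")] if raw.strip() else []
    for role in roles:
        if not ROLE_RE.fullmatch(role):
            raise ValueError(f"malformed scoped role: {role!r}")
    idp_domains = [r.split("@", 1)[1] for r in roles if r.startswith("undefined@")]
    # BPID == AppID is the Person Service bootstrap case the page describes.
    if bp_id != app_id and not idp_domains:
        raise ValueError("user asserted without an undefined@domain role")
    return BambooIdentity(app_id, bp_id, roles, idp_domains)


# Constructed sample request headers (identifiers are made up for this example).
SAMPLE_HEADERS = {
    "X-Bamboo-AppID": "3f2b8c1e-5d4a-4e6f-9a7b-1c2d3e4f5a6b",
    "X-Bamboo-BPID": "urn:uuid:0a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d",
    "X-Bamboo-Roles": "undefined@google.com|roleA@domainOne.xxx|roleB@domainTwo",
}

if __name__ == "__main__":
    print(parse_bamboo_headers(SAMPLE_HEADERS))
```

Passing this check says only that the headers are well formed; the values are trustworthy only because the BSP matches X-Bamboo-AppID against the client's X.509 certificate on every request.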

Schema

  • ${REPOSITORY_ROOT}/platform-services/bsp/trunk/bsp/utility-services/protected-resource-service/protected-resource-service-domain/src/main/resources/ProtectedResource.xsd

ProtectedResource

A Protected Resource is a resource to which access has been granted by the owner to other Bamboo Persons. Access is determined by the policy applicable to the service by which the resource is being accessed.

Create a ProtectedResource

The creation of a Protected Resource is usually performed by the service responsible for creating the resource itself (see SOA API). In the event that the service in question did not create the Protected Resource, or in the case where there is no service that is responsible for creating the desired resource (e.g. if the resource is itself a service), an authenticated user can use this method to create a Protected Resource.

Calling Method and Arguments

Invoked as an HTTP POST method. Send an HTTP request of the form:

POST <url root>/bsp/protectedresources HTTP/1.1

Parameter | Meaning
HTTP Body | An instance of a urn:mace:projectbamboo.org:schema:protected-resource:1.0 ProtectedResource XML document containing valid Requests data

Example

POST <url root>/bsp/protectedresources

Example XML document

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<resource:protectedResource xmlns:resource="urn:mace:projectbamboo.org:schema:protected-resource:1.0" 
                            xmlns:request="urn:mace:projectbamboo.org:schema:request:1.0" 
                            xmlns:xs="http://www.w3.org/2001/XMLSchema" 
                            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <request:resourceId AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI">
        <request:resourceIdValue>urn:uuid:dec36b3a-60f8-448c-b1bd-7793a22098b9</request:resourceIdValue>
    </request:resourceId>
    <resource:resourceOwner AttributeId="urn:mace:projectbamboo.org:attribute:1.0:resourceOwner" DataType="http://www.w3.org/2001/XMLSchema#anyURI">
        <resource:resourceOwnerAttributeValue>urn:uuid:c00f294d-651b-495b-9633-a900dd1a7418</resource:resourceOwnerAttributeValue>
    </resource:resourceOwner>
</resource:protectedResource>

Response

On success, a response with a "201 Created" HTTP status code will be returned.

Parameter | Meaning
HTTP Header Location | A URL of the form "/bsp/protectedresources/{resourceid}" where "resourceid" is the resource identifier

Example Location Header:

<url root>/bsp/protectedresources/urn:uuid:dec36b3a-60f8-448c-b1bd-7793a22098b9

Exceptions

If an error occurred, some non-2xx code will be returned. Check the HTTP Status Code that is returned in the response's HTTP headers for the specific error. The following errors may be returned in response to the request:

Error (Status Code) | Meaning | Returned When
400 | Bad Request | The XML document was invalid
401 | Unauthorized | The user is not the owner of the resource
500 | Internal Server Error | A service error prevented the resource from being returned

Read a Protected Resource

An authenticated user can read a protected resource.

Calling Method and Arguments

Invoked as an HTTP GET method. Send an HTTPS request of the form:

GET <url root>/bsp/protectedresources/{resourceid} HTTP/1.1

Example:

GET <url root>/bsp/protectedresources/urn:uuid:dec36b3a-60f8-448c-b1bd-7793a22098b9

Response

On success, a response with a "200 OK" HTTP status code will be returned.

Example HTTP Body:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<resource:protectedResource xmlns:request="urn:mace:projectbamboo.org:schema:request:1.0" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xacml-context="urn:oasis:names:tc:xacml:1.0:context" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:foaf="http://xmlns.com/foaf/0.1/" xmlns:bsp="http://projectbamboo.org/bsp/resource" xmlns:xacml="urn:oasis:names:tc:xacml:1.0:policy" xmlns:resource="urn:mace:projectbamboo.org:schema:protected-resource:1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <dcterms:subject/>
    <dcterms:creator xsi:type="dcterms:URI">urn:uuid:c00f294d-651b-495b-9633-a900dd1a7418</dcterms:creator>
    <dcterms:created xsi:type="dcterms:W3CDTF">2013-02-22T16:26:12.627-05:00</dcterms:created>
    <bsp:modifier>urn:uuid:c00f294d-651b-495b-9633-a900dd1a7418</bsp:modifier>
    <dcterms:modified xsi:type="dcterms:W3CDTF">2013-02-22T16:37:25.564-05:00</dcterms:modified>
    <request:resourceId AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI">
        <request:resourceIdValue>urn:uuid:dec36b3a-60f8-448c-b1bd-7793a22098b9</request:resourceIdValue>
    </request:resourceId>
    <resource:resourceOwner AttributeId="urn:mace:projectbamboo.org:attribute:1.0:resourceOwner" DataType="http://www.w3.org/2001/XMLSchema#anyURI">
        <resource:resourceOwnerAttributeValue>urn:uuid:c00f294d-651b-495b-9633-a900dd1a7418</resource:resourceOwnerAttributeValue>
    </resource:resourceOwner>
    <resource:scopedRolesWithViewhAccessRights AttributeId="urn:mace:projectbamboo.org:attribute:1.0:scoped-role-has-view-access-rights" DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">
        <resource:roleAttributeValue>student@berkeley.edu</resource:roleAttributeValue>
    </resource:scopedRolesWithViewhAccessRights>
    <resource:scopedRolesWithUpdateAccessRights AttributeId="urn:mace:projectbamboo.org:attribute:1.0:scoped-role-has-update-access-rights" DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">
        <resource:roleAttributeValue>member@folgerlibrary.org</resource:roleAttributeValue>
    </resource:scopedRolesWithUpdateAccessRights>
    <resource:groupsWithViewhAccessRights AttributeId="urn:mace:projectbamboo.org:attribute:1.0:group-has-view-access-rights" DataType="http://www.w3.org/2001/XMLSchema#anyURI">
        <resource:IsMemberOfAttributeValue>urn:uuid:d67b9bfd-8033-4082-851c-7fa464f552ac</resource:IsMemberOfAttributeValue>
    </resource:groupsWithViewhAccessRights>
    <resource:GroupsWithUpdateAccessRights AttributeId="urn:mace:projectbamboo.org:attribute:1.0:group-has-update-access-rights" DataType="http://www.w3.org/2001/XMLSchema#anyURI">
        <resource:IsMemberOfAttributeValue>urn:uuid:51e99f86-844d-4dc7-a4c6-8ae85d38d3ab</resource:IsMemberOfAttributeValue>
    </resource:GroupsWithUpdateAccessRights>
</resource:protectedResource>

Exceptions

If an error occurred, some non-2xx code will be returned. Check the HTTP Status Code that is returned in the response's HTTP headers for the specific error. The following errors may be returned in response to the Get request:

Error (Status Code) | Meaning | Returned When
404 | Not Found | If the protected resource does not exist
401 | Unauthorized | The client submitting the request is not a member of the Bamboo Trust Federation group or is not the owner of the protected resource
500 | Internal Server Error | A service error prevented the resource from being returned

Update a Protected Resource

An authenticated user can update a protected resource.

Calling Method and Arguments

Invoked as an HTTP PUT method. Send an HTTPS request of the form:

PUT <url root>/bsp/protectedresources/{resourceid} HTTP/1.1

Example:

PUT <url root>/bsp/protectedresources/urn:uuid:dec36b3a-60f8-448c-b1bd-7793a22098b9

Example XML document

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<resource:protectedResource xmlns:resource="urn:mace:projectbamboo.org:schema:protected-resource:1.0" 
                            xmlns:request="urn:mace:projectbamboo.org:schema:request:1.0" 
                            xmlns:xs="http://www.w3.org/2001/XMLSchema" 
                            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <request:resourceId AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" DataType="http://www.w3.org/2001/XMLSchema#anyURI">
        <request:resourceIdValue>urn:uuid:dec36b3a-60f8-448c-b1bd-7793a22098b9</request:resourceIdValue>
    </request:resourceId>
    <resource:scopedRolesWithViewhAccessRights AttributeId="urn:mace:projectbamboo.org:attribute:1.0:scoped-role-has-view-access-rights" DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">
        <resource:roleAttributeValue>student@berkeley.edu</resource:roleAttributeValue>
    </resource:scopedRolesWithViewhAccessRights>
    <resource:scopedRolesWithUpdateAccessRights AttributeId="urn:mace:projectbamboo.org:attribute:1.0:scoped-role-has-update-access-rights" DataType="urn:oasis:names:tc:xacml:1.0:data-type:rfc822Name">
        <resource:roleAttributeValue>member@folgerlibrary.org</resource:roleAttributeValue>
    </resource:scopedRolesWithUpdateAccessRights>
    <resource:groupsWithViewhAccessRights AttributeId="urn:mace:projectbamboo.org:attribute:1.0:group-has-view-access-rights" DataType="http://www.w3.org/2001/XMLSchema#anyURI">
        <resource:IsMemberOfAttributeValue>urn:uuid:d67b9bfd-8033-4082-851c-7fa464f552ac</resource:IsMemberOfAttributeValue>
    </resource:groupsWithViewhAccessRights>
    <resource:GroupsWithUpdateAccessRights AttributeId="urn:mace:projectbamboo.org:attribute:1.0:group-has-update-access-rights" DataType="http://www.w3.org/2001/XMLSchema#anyURI">
        <resource:IsMemberOfAttributeValue>urn:uuid:51e99f86-844d-4dc7-a4c6-8ae85d38d3ab</resource:IsMemberOfAttributeValue>
    </resource:GroupsWithUpdateAccessRights>
</resource:protectedResource>

Response

On success, a response with a "200 OK" HTTP status code will be returned.

Exceptions

If an error occurred, some non-2xx code will be returned. Check the HTTP Status Code that is returned in the response's HTTP headers for the specific error. The following errors may be returned in response to the PUT request:

Error (Status Code) | Meaning | Returned When
404 | Not Found | If the protected resource does not exist
401 | Unauthorized | The client submitting the request is not a member of the Bamboo Trust Federation group or is not the owner of the protected resource
500 | Internal Server Error | A service error prevented the resource from being returned
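
The Read and Update documents above carry the access grants for a resource, so an owner can compare the document returned by GET with the one about to be sent by PUT and see exactly which roles or groups gain or lose access. This is an added example, not part of the Bamboo code base: the function names are hypothetical, the sample documents are constructed from values on this page, and it assumes the PUT body carries the complete set of grants, as the example document does.

```python
import xml.etree.ElementTree as ET

NS = {"resource": "urn:mace:projectbamboo.org:schema:protected-resource:1.0",
      "request": "urn:mace:projectbamboo.org:schema:request:1.0"}
ATTR = "urn:mace:projectbamboo.org:attribute:1.0:"
# Grants are keyed by AttributeId, not element name (element-name casing varies on the page).
GRANT_IDS = {
    ATTR + "scoped-role-has-view-access-rights": ("view", "role"),
    ATTR + "scoped-role-has-update-access-rights": ("update", "role"),
    ATTR + "group-has-view-access-rights": ("view", "group"),
    ATTR + "group-has-update-access-rights": ("update", "group"),
}


def read_grants(xml_text):
    """Return (resource_id, owner, grants); grants is a set of (action, kind, principal)."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD and entity declarations are refused")
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "{%s}protectedResource" % NS["resource"]:
        raise ValueError("not a ProtectedResource document")
    resource_id = root.findtext("request:resourceId/request:resourceIdValue", namespaces=NS)
    owner = root.findtext("resource:resourceOwner/resource:resourceOwnerAttributeValue",
                          namespaces=NS)
    grants = set()
    for child in root:
        key = GRANT_IDS.get(child.get("AttributeId"))
        if key:
            grants.update(key + (v.text.strip(),) for v in child if v.text and v.text.strip())
    return resource_id, owner, grants


def grant_delta(current_xml, proposed_xml):
    """Return (added, removed) grants between two documents for the same resource."""
    cur_id, _, cur = read_grants(current_xml)
    new_id, _, new = read_grants(proposed_xml)
    if cur_id != new_id:
        raise ValueError("documents describe different resources")
    return new - cur, cur - new


def sample_doc(*grants):
    """Build a constructed sample document from (element, AttributeId suffix, value) tuples."""
    body = "".join('<resource:%s AttributeId="%s%s"><resource:roleAttributeValue>%s'
                   '</resource:roleAttributeValue></resource:%s>' % (e, ATTR, a, v, e)
                   for e, a, v in grants)
    return ('<?xml version="1.0" encoding="UTF-8"?><resource:protectedResource '
            'xmlns:resource="%s" xmlns:request="%s"><request:resourceId>'
            '<request:resourceIdValue>urn:uuid:dec36b3a-60f8-448c-b1bd-7793a22098b9'
            '</request:resourceIdValue></request:resourceId>%s'
            '</resource:protectedResource>') % (NS["resource"], NS["request"], body)


VIEW = ("scopedRolesWithViewhAccessRights", "scoped-role-has-view-access-rights",
        "student@berkeley.edu")
UPDATE = ("scopedRolesWithUpdateAccessRights", "scoped-role-has-update-access-rights",
          "member@folgerlibrary.org")
CURRENT_DOC = sample_doc(VIEW)
PROPOSED_DOC = sample_doc(VIEW, UPDATE)
```

For these samples, grant_delta(CURRENT_DOC, PROPOSED_DOC) reports one added grant, update access for the scoped role member@folgerlibrary.org, and nothing removed.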

SOA Layer API

Also see generated Javadoc for this service. Packages are org.projectbamboo.bsp.services.utility.protectedresource.*.

Protect a Resource

/**
 * Indicates that the existing resource can have attributes that can be used during access authorization
 * 
 * @param resourceId - the unique identifier for the resource
 * @param owner -  unique identifier for the Bamboo Person who owns the resource
 * 
 * @throws <tt>IllegalArgumentException</tt> if the owner is anonymous
 * 
 */
void protectResource(URI resourceId, URI owner);

Create a Protected Resource

/**
 * Creates a <tt>ProtectedResource</tt>. 
 * 
 * @param resource - <tt>ProtectedResource</tt>
 * 
 * @return <tt>URI</tt>
 * 
 */
URI create(ProtectedResource resource);

Read a Protected Resource

/**
 * Returns a <tt>ProtectedResource</tt>. 
 * 
 * @param resourceId - the Protected-Resource's identifier
 * 
 * @return <tt>ProtectedResource</tt>
 * 
 * @throws <tt>FileNotFoundException</tt> if the resource does not exist
 */
ProtectedResource read(URI resourceId) throws FileNotFoundException;

Update a Protected Resource

/**
 * Updates a <tt>ProtectedResource</tt>. 
 * 
 * @param resource - <tt>ProtectedResource</tt>
 * 
 * @throws
 * <ul>
 * <li><tt>FileNotFoundException</tt> if the resource does not exist</li>
 * </ul>
 */
void update(ProtectedResource resource) throws FileNotFoundException;

Delete a Protected Resource

/**
 * Deletes a <tt>ProtectedResource</tt>. 
 * 
 * @param resourceId - the Protected-Resource's identifier
 * 
 * @throws <tt>FileNotFoundException</tt> if the resource does not exist
 */
void delete(URI resourceId) throws FileNotFoundException;