marmotta-commits mailing list archives

Subject svn commit: r1460601 - in /incubator/marmotta/site/trunk: content/markdown/ content/markdown/platform/ content/markdown/platform/ pom.xml
Date Mon, 25 Mar 2013 10:38:28 GMT
Author: wikier
Date: Mon Mar 25 10:38:27 2013
New Revision: 1460601

added some documentation about security in marmotta

      - copied, changed from r1460551, incubator/marmotta/site/trunk/content/markdown/platform/

Modified: incubator/marmotta/site/trunk/content/markdown/
--- incubator/marmotta/site/trunk/content/markdown/ (original)
+++ incubator/marmotta/site/trunk/content/markdown/ Mon Mar 25 10:38:27 2013
@@ -12,7 +12,7 @@ be handled later. If you plan a producti
 directly deploy on the server you are going to use and access it via the host 
 name it will have in the future.
-## Change Database Configuration
+<h2 id="db">Change Database Configuration</h2>
 In case you are not going to use the embedded H2 database, the first step you
 should do is to configure a different database. The database can be changed
@@ -32,3 +32,28 @@ you aim to use MySQL for Marmotta, pleas
 manually and place it either in the application server `lib/` directory or 
 in the` WEB-INF/lib` directory of Apache Marmotta.
+<h2 id="production">Production deployment</h2>
+When deploying Marmotta in a production environment (i.e., public instance potentially
+open to intrusions), there are some considerations to take into account:
+ * Install a proper servlet container (e.g., Tomcat) as daemon; normally is preferrable to
use the packages provided by the system (APT, YUM or whatever), which already come with some
security considerations enabled.
+ * In the firewall, reject direct connections from outside, both to the servler container
and the database server.
+ * Configure a connector or reverse proxy throught the httpd (e.g., [AJP](
in Tomcat) for accessing the installation.
+ * Disable public access to the administration user interface (further details at the [security
module](platform/security-module.html)), for will you would need to add these rules to your
system configuration:
+    security.permission.admin_ui.pattern = /.*/admin/.*
+    security.permission.admin_ui.methods = GET
+    security.permission.admin_ui.methods = POST
+    security.permission.admin_ui.methods = PUT
+    security.permission.admin_ui.methods = OPTIONS
+    security.permission.admin_ui.roles = manager
+    security.permission.admin_ui.priority = 5
+    security.restriction.admin_ui.pattern = /.*/admin/.*
+    security.restriction.admin_ui.methods = GET
+    security.restriction.admin_ui.methods = POST
+    security.restriction.admin_ui.methods = PUT
+    security.restriction.admin_ui.methods = OPTIONS
+    security.restriction.admin_ui.priority = 4
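Review bot: the `security.restriction.admin_ui.methods` lines cover only GET, POST, PUT and OPTIONS, so DELETE and HEAD requests matching `/.*/admin/.*` fall outside this restriction; either add `security.restriction.admin_ui.methods = DELETE` (and HEAD) or state why those methods are deliberately left out. The text should also say which way the priority ordering works, because the permission rule (priority 5) and the restriction (priority 4) match the same pattern and a reader cannot tell from this hunk which one wins for a `manager`. The AJP link is broken (`[AJP](` has no URL before the line break and the closing `)` ends up after "in Tomcat"), and there are typos: "preferrable", "servler", "throught", and "for will you would need" should read "for which you would need".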

Copied: incubator/marmotta/site/trunk/content/markdown/platform/ (from r1460551,
--- incubator/marmotta/site/trunk/content/markdown/platform/ (original)
+++ incubator/marmotta/site/trunk/content/markdown/platform/ Mon Mar 25
10:38:27 2013
@@ -1,3 +1,56 @@
 # Apache Marmotta Platform: Security
+This module provide security mechanisms for Apache Marmotta, which implements its 
+own authentication and authorization mechanism. 
+## Users and roles
+There are two default users in Marmotta: `anonymous` and `admin`. The first one
+is not an actual user, but the user all anonymous requests use. The second is the 
+user with administration rights on the system. 
+At the same time, users are group in roles for simplifying permission management.
+The system comes with three groups (`manager`, `editor` and `user`) by default,
+but this could be customized as preferred.
+For instance, by default the `admin` user is part of `manager`, `editor` and `user` groups.
+## Profiles
+There are three pre-defined profiles, `simple`, `standard`, and `restricted`:
+ * `simple` allows read access from everywhere and write access only from localhost or other
local interfaces.
+ * `standard` allows read access from everywhere and write access only for authenticated
users of the "manager" role.
+ * `restricted` allows access only for authenticated users.
+By default, Marmotta will use the `simple` profile, allowing only access from 
+localhost. If you want to change the profile, you can set the configuration 
+property `security.profile` to `standard`, e.g. via the configuration interface 
+in "Core Services" or "Security". If your instance is running on a remote server, 
+you can e.g. log in using SSH and run the following command:
+    curl -X POST -H "Content-Type: application/json" -d '["standard"]' http://<HOST>:<PORT>/marmotta/config/data/security.profile
+Afterwards, you can log in with the default admin user and password ("admin" and 
+"pass123"). Needless to say you should change this password.
+## Rules
+The configuration is based on <abbr title="Access Control List">ACL</abbr> rules
such as:
+    security.{TYPE}.{NAME}.pattern = {PATTERN}
+    security.{TYPE}.{NAME}.methods = {METHOD}
+    security.{TYPE}.{NAME}.priority = {PRIORITY}
+  * `{TYPE}` is the type of control, which can be `permission` for granting permission the
requests matching this rule or `restriction` for restricting.
+  * `{NAME}` is an arbitrary label for naming the rule, which should be unique in combination
with the type.
+  * `{PATTERN}` is the regular expression pattern which this rule matches.
+  * `{METHOD}` is the HTTP method this rule applies (`HEAD`, `OPTIONS`, `GET`, `POST`, `PUT`
or `DELETE`). If the rules applies to more than one method, additional property lines should
be added for each one.
+  * `{PRIORITY}` is the the priority of this rule in the access control list.
+The system evaluates the rules ordered by priority, allowing or rejecting access 
+whenever a rule matches each request to the system. The adminnistration user interface
+provides an overview page for the status of the current rules applied to the system.
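Review bot: the profile description is internally inconsistent: the `simple` bullet says read access from everywhere with writes only from local interfaces, while the paragraph below says the default `simple` profile allows "only access from localhost"; one of the two needs correcting. The rules section also omits the `.roles` property (`security.{TYPE}.{NAME}.roles = {ROLE}`) even though the production deployment page uses `security.permission.admin_ui.roles = manager`, and it does not say whether a higher or a lower priority value is evaluated first. Since the `curl` example posts the new profile over plain HTTP, it is worth stating that this is meant to be run from the host itself (as the SSH hint implies) and that the default `admin`/`pass123` credentials should be changed right after the profile switch, before the instance is reachable from outside. Grammar: "This module provide" should read "provides", "users are group in roles" should read "grouped into roles", "granting permission the requests" should read "granting permission to the requests", "the HTTP method this rule applies" should read "applies to", "If the rules applies" should read "If the rule applies", "is the the priority" has a doubled "the", and "adminnistration" is misspelled.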

Modified: incubator/marmotta/site/trunk/pom.xml
--- incubator/marmotta/site/trunk/pom.xml (original)
+++ incubator/marmotta/site/trunk/pom.xml Mon Mar 25 10:38:27 2013
@@ -238,6 +238,7 @@
                 <role>PPMC Member</role>
+                <role>Release Manager</role>
                 <role>Project Leader</role>
@@ -392,6 +393,12 @@
+            <artifactId>marmotta-core</artifactId>
+            <version>${project.version}</version>
+            <classifier>sources</classifier>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.marmotta</groupId>
