Changes between Version 6 and Version 7 of tap

Mar 5, 2015 12:24:28 PM (7 years ago)



  • tap

    v6 v7  
    33The aim of the Thredds Admin Portal (TAP) project lies in the idea of solving the huge problem existing in the Unidata Thredds application with the management of users, roles and dataset access. The Thredds user authentication is delegated to Tomcat Basic which gets users and roles from a given Realm. In order to authorize users, Thredds checks whether the dataset is restricted and if so, gets the user roles to make a decision. TAP manages the datasource mentioned to control user access to protected datasets.
    5 == Environment setup ==
     5=== Derby datasource setup ===
    7 This environment consists of:
    8 -       Thredds 4.5.5
    9 -       TAP 2.4
    10 -       Apache derby network
    11 -       Apache Tomcat 7.0.59
     7TAP and Thredds get users and roles from a database created specifically to model all the entities and processes involved. The main idea is to include easily a database instance to work with. Derby embedded was discarded because it is not possible to access it in a production server from another JVM simultaneously. Derby network allow users to access db instances even from outside when they are running.
     8To accomplish this step you need two components:
    13 Attached is a preconfigured environment instance. You only need to change the ports and paths in server.xml and start the derby instance. If you are not familiar please read on the following instructions.
     10-       Derby library
     11-       Derby database
     13First, place the db-derby- library provided in a reachable folder. Second, place the preconfigured database. We suggest to include the derbydb folder provided in the Tomcat’s content folder. For example, CATALINA_HOME/content/tap/derbydb.
     14The Derby database must be initialized in the Tomcat startup. Execute the following command to initialize it:
     17$JRE_HOME/bin/java -jar $PATH_TO_DERBY_LIB /db-derby- server start -p YOUR_PORT -h &
     20To start derby successfully add a socket permission in JAVA 7 by including in $JRE_HOME/lib/security/java.policy the following line:
     22permission "HOST:PORT", "listen,resolve";
    1525=== Expose our datasource in Tomcat ===
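Review bot: the java.policy line that closes the Derby block above is not a valid grant as written; `permission "HOST:PORT", "listen,resolve";` is missing the permission class and should read `permission java.net.SocketPermission "HOST:PORT", "listen,resolve";`. The grant is needed because Derby Network Server installs its own security manager when started from the command line, but putting it in `$JRE_HOME/lib/security/java.policy` hands the listen permission to every program run with that JRE; pass a policy file that holds only this grant with `-Djava.security.policy=` on the start command instead (and do not reach for `-noSecurityManager`, which removes the protection altogether). The start command itself has `-h &` with nothing after `-h`, and since the text advertises that Derby Network Server is reachable "even from outside", it should say which interface is meant: omit `-h` or use `-h localhost` when Tomcat and Derby share a host, because `-h 0.0.0.0` exposes the user/role database to the network, in which case Derby's own authentication (`derby.connection.requireAuthentication=true` with defined users) has to be switched on, which the page never mentions. Minor: `$PATH_TO_DERBY_LIB /db-derby-` has a stray space before the slash.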
     26Tomcat gets users and roles from conf/tomcat-users.xml by default. We are going to change this in order to get users and roles from a given database.
     27First of all, include both derbyclient.jar and derbynet.jar in $CATALINA_HOME/lib. After doing that, we need to add a new resource called “jdbc/admin” in GlobalNamingResurces:
    17 Tomcat gets users and roles from conf/tomcat-users.xml by default. We are going to change this in order to get users and roles from a given database. For this purpose, we need to add a new resource called “jdbc/admin” in GlobalNamingResurces.
    2031<Resource name="jdbc/adminDB" auth="Container" type="javax.sql.DataSource" factory="org.apache.tomcat.dbcp.dbcp.BasicDataSourceFactory"
    2132    validationQuery="SELECT count(*) FROM users" maxActive="20" maxIdle="10" username="password" password="secret"
    22     driverClassName="org.apache.derby.jdbc.ClientDriver" url="jdbc:derby://localhost:port//derbypath/derbydb" readOnly="false"/>
     33    driverClassName="org.apache.derby.jdbc.ClientDriver" url="jdbc:derby://host:port/derbypath/derbydb" readOnly="false"/>
    33 ===  ===
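Review bot: the prose in this block asks for a resource called "jdbc/admin" while the Resource element defines `name="jdbc/adminDB"`; the two have to agree because the Realm looks the resource up by that JNDI name (also `GlobalNamingResurces` is misspelled, GlobalNamingResources). More importantly, the block promises to stop Tomcat reading conf/tomcat-users.xml but never shows the Realm that does so: without a `<Realm className="org.apache.catalina.realm.DataSourceRealm" dataSourceName="jdbc/adminDB" ...>` entry giving the user/role table and column names, Tomcat keeps authenticating from tomcat-users.xml and the datasource is an unused JNDI entry. The sample attributes `username="password" password="secret"` read as if the username were "password"; use unmistakable placeholders, and say that server.xml now carries the database password in clear text, so its file permissions belong to the Tomcat user only. `validationQuery="SELECT count(*) FROM users"` scans the table on every pool check; Derby accepts `VALUES 1` as a cheap validation query. The URL change from `jdbc:derby://localhost:port//derbypath/derbydb` to `jdbc:derby://host:port/derbypath/derbydb` is right (the doubled slash was wrong), but `host` and `port` should be marked as placeholders. Only derbyclient.jar is needed in `$CATALINA_HOME/lib` for a JDBC client; derbynet.jar belongs to the server JVM.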
     45== Thredds and TAP deployment ==
     47The last part of this tutorial is manage to start both applications successfully. Move both thredds.war and tap.war to $CATALINA_HOME/webapps. Start the Tomcat instance and the Derby network instance.
     48If Thredds is not able to start due to a directory error, please create a folder called “thredds” in $CATALINA_HOME/content to solve that issue.
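Review bot: the "directory error" workaround is the symptom of a missing TDS content root; TDS 4.5 resolves it from the `tds.content.root.path` system property (default `${catalina.base}/content`), so the note should name that property and where to set it (bin/setenv.sh) rather than only suggesting a folder. "Start the Tomcat instance and the Derby network instance" should state the order: the network server must be listening before the first login, otherwise the Realm behind jdbc/adminDB cannot answer any authentication request. Finally, tap.war is the console that edits users, roles and dataset grants, yet nothing in these steps says what protects `/tap` itself (which role, TLS, localhost only); that belongs here, next to the deployment instruction.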
     50== Thredds restricted dataset ==
     52Thredds allows users to restrict dataset access in two different ways:
     54-       URL restriction using Tomcat: difficult to maintain. You need to restrict every dataset by URL and set the role in the web.xml
     55-       Dataset restriction using TDS Catalog: most commonly used by adding an attribute on a dataset or datasetScan element in the TDS catalog. Eg, restrictAccess=”roleName”
     57If you set the mentioned attribute in a Dataset, users need two roles to access it: restrictedDatasetUser and roleName. That means, every user who wants to access to a dataset needs the restrictedDatasetUser role by default and also the role of the dataset. Here is where TAP does the job for you.
     59== Initial TAP setup ==
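Review bot: the two-role statement is correct for TDS (restrictedDatasetUser is the role on TDS's own /restrictedAccess/* security constraint, and the restrictAccess value is checked per dataset), but the block should add that both role names must exist, with that exact spelling, as rows in the role table behind jdbc/adminDB, otherwise no login passes the constraint. The "URL restriction using Tomcat" bullet gives "difficult to maintain" as the only drawback; the concrete reason worth stating is that a web.xml security-constraint matches URL patterns only, so a dataset that is also served through another service path (OPeNDAP, WMS, HTTPServer) stays reachable unless every path is listed, which is why the catalog attribute is the recommended form. "== Initial TAP setup ==" is added as a heading with no body in this version.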