Changes between Version 8 and Version 9 of tap


Timestamp:
Mar 6, 2015 11:22:15 AM (7 years ago)
Author:
vegasm
Comment:

--

  • tap

    v8 v9  
    4242}}}
    4343
    44 
    45 === Thredds and TAP deployment ===
    46 
    47 The last part of this tutorial is manage to start both applications successfully. Move both thredds.war and tap.war to $CATALINA_HOME/webapps. Start the Tomcat instance and the Derby network instance.
    48 If Thredds is not able to start due to a directory error, please create a folder called “thredds” in $CATALINA_HOME/content to solve that issue.
    49 
    50 == Thredds restricted dataset ==
    51 
    52 Thredds allows users to restrict dataset access in two different ways:
    53 
    54 -       URL restriction using Tomcat: difficult to maintain. You need to restrict every dataset by URL and set the role in the web.xml
    55 -       Dataset restriction using TDS Catalog: most commonly used by adding an attribute on a dataset or datasetScan element in the TDS catalog. Eg, restrictAccess=”roleName”
    56 
    57 If you set the mentioned attribute in a Dataset, users need two roles to access it: restrictedDatasetUser and roleName. That means, every user who wants to access to a restricted dataset needs the restrictedDatasetUser role by default and also the role of the dataset. Here is where TAP does the job for you.
    5844
    5945== Initial TAP setup ==
     
    8874You can change the messages optionally in WEB-INF/classes/locale/messages.properties
    8975
     76=== Thredds and TAP deployment ===
     77
     78The last part of this tutorial is manage to start both applications successfully. Move both thredds.war and tap.war to $CATALINA_HOME/webapps. Start the Tomcat instance and the Derby network instance.
     79If Thredds is not able to start due to a directory error, please create a folder called “thredds” in $CATALINA_HOME/content to solve that issue.
     80
    9081== First steps in TAP ==
    9182
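
Review bot: "The last part of this tutorial" on v9 line 78 no longer fits where the section now sits: it comes before "First steps in TAP", and the restricted-dataset sections follow from v9 line 163 onward. Suggest opening with the action instead, for example "Deploy both applications: move thredds.war and tap.war to $CATALINA_HOME/webapps", which also removes the ungrammatical "is manage to start". On line 79 the typographic quotes around “thredds” are better written as plain quotes or code formatting so the folder name can be copied exactly.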
     
    170161TAP Manager
    171162}}}
     163
     164== Thredds restricted dataset ==
     165
     166Thredds allows users to restrict dataset access in two different ways:
     167
     168-       URL restriction using Tomcat: difficult to maintain. You need to restrict every dataset by URL and set the role in the web.xml
     169-       Dataset restriction using TDS Catalog: most commonly used by adding an attribute on a dataset or datasetScan element in the TDS catalog. Eg, restrictAccess=”roleName”
     170
     171If you set the mentioned attribute in a Dataset, users need two roles to access it: restrictedDatasetUser and roleName. That means, every user who wants to access to a restricted dataset needs the restrictedDatasetUser role by default and also the role of the dataset. Here is where TAP does the job for you.
     172
     173=== Restrict dataset access ===
     174
     175As we mentioned, TAP manages users, roles, groups, policies and their relationships. It is a common scenario to have a dataset with policies that prevent you of doing an illegal use of the data. In the given example you will find the default Thredds catalog example. The first step is to protect the dataset:
     176
     177{{{
     178<dataset name="Test Single Dataset" ID="testDataset"
     179           serviceName="dap"  urlPath="test/testData.nc" dataType="Grid" restrictAccess="testDataset"/>
     180}}}
     181
     182When a user tries to access this dataset, the Thredds authorizer expects to find the roles "testDataset" and "restrictedDatasetUser" in the user's granted authorities.
     183
     184=== Allow access to a restricted dataset from TAP ===
     185
     186To allow access to the previous dataset, create the role in /tap/admin/roles "Add new record":
     187
     188{{{#!th
     189[[Image(image-20150306-105102.png, 50%)]]
     190}}}
     191
     192Fill the form:
     193
     194-       Name: testDataset
     195-       Description: a description of the dataset
     196-       Restricted: True if you want to moderate its access. Users will wait until a confirmation from an Admin or manager
     197-       Dataset: True in this case. If you want to create an internal role in TAP set to false.
     198
     199Create a policy in /tap/admin/policies "Add new record" :
     200
     201{{{#!th
     202[[Image(image-20150306-110334.png, 50%)]]
     203}}}
     204
     205Fill the form
     206
     207- Name: TEST_DATASET_POLICY
     208- Description: Description of the policy
     209- Disable policy: ignore this in the creation. If you edit the policy and you want users accept again the agreement, set to true.
     210- Agreement: You can paste html directly by clicking in the source button.
     211
     212Create a Group in /tap/admin/groups "Add new record":
     213
     214{{{#!th
     215[[Image(image-20150306-111019.png, 50%)]]
     216}}}
     217
     218After creating the Policy, asociate it with the dataset (role) testDataset:
     219
     220{{{#!th
     221[[Image(image-20150306-112042.png, 50%)]]
     222}}}
     223
     224Fill the form
     225
     226- Name: TEST_GROUP
     227- Description: Description of the group
     228- Is project: If the group represents a project like EUPORIAS, VALUE, CORDEX...
     229- Coordinator: If you want to delegate the user acceptance. TAP will send an email to the coordinator containing two links: accept or reject the user group request.
     230
     231After creating the group, it is necessary to asociate the dataset(role) testDataset to the group:
     232
     233{{{#!th
     234[[Image(image-20150306-111606.png, 50%)]]
     235}}}
     236
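
Review bot: The policy association step on v9 lines 218-222 ("After creating the Policy, asociate it with the dataset (role) testDataset") sits in the middle of the group step, between "Create a Group in /tap/admin/groups" (line 212) and the group's own "Fill the form" list (line 224). Move that sentence and its image up to directly after the policy form (after line 210) so each create, fill and associate sequence reads in order. Smaller points in the same hunk: "asociate" should be "associate" on lines 218 and 231; restrictAccess=”roleName” on line 169 uses typographic quotes, which are not valid XML attribute delimiters if copied into a catalog, unlike the straight quotes in the example on lines 178-179; and the "Restricted" field on line 196 only describes the True case, so the text should also say what a user gets when it is left false.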