44 | | |
45 | | === Thredds and TAP deployment === |
46 | | |
47 | | The last part of this tutorial is manage to start both applications successfully. Move both thredds.war and tap.war to $CATALINA_HOME/webapps. Start the Tomcat instance and the Derby network instance. |
48 | | If Thredds is not able to start due to a directory error, please create a folder called “thredds” in $CATALINA_HOME/content to solve that issue. |
49 | | |
50 | | == Thredds restricted dataset == |
51 | | |
52 | | Thredds allows users to restrict dataset access in two different ways: |
53 | | |
54 | | - URL restriction using Tomcat: difficult to maintain. You need to restrict every dataset by URL and set the role in the web.xml |
55 | | - Dataset restriction using TDS Catalog: most commonly used by adding an attribute on a dataset or datasetScan element in the TDS catalog. Eg, restrictAccess=”roleName” |
56 | | |
57 | | If you set the mentioned attribute in a Dataset, users need two roles to access it: restrictedDatasetUser and roleName. That means, every user who wants to access to a restricted dataset needs the restrictedDatasetUser role by default and also the role of the dataset. Here is where TAP does the job for you. |
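Review bot: confirm that the "Thredds and TAP deployment" subsection at old lines 45-48 has been moved rather than dropped. The "Thredds restricted dataset" text removed at old lines 50-57 comes back unchanged at new lines 164-171, but nothing in the added lines 163-236 restores the deployment steps: copying thredds.war and tap.war to $CATALINA_HOME/webapps, starting Tomcat and the Derby network instance, and creating the "thredds" folder under $CATALINA_HOME/content. If those steps now live earlier on the page that is fine. Otherwise the role, policy and group configuration that follows has no instructions for getting both applications running first.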
| 163 | |
| 164 | == Thredds restricted dataset == |
| 165 | |
| 166 | Thredds allows users to restrict dataset access in two different ways: |
| 167 | |
| 168 | - URL restriction using Tomcat: difficult to maintain. You need to restrict every dataset by URL and set the role in the web.xml |
| 169 | - Dataset restriction using TDS Catalog: most commonly used by adding an attribute on a dataset or datasetScan element in the TDS catalog. Eg, restrictAccess=”roleName” |
| 170 | |
| 171 | If you set the mentioned attribute in a Dataset, users need two roles to access it: restrictedDatasetUser and roleName. That means, every user who wants to access to a restricted dataset needs the restrictedDatasetUser role by default and also the role of the dataset. Here is where TAP does the job for you. |
| 172 | |
| 173 | === Restrict dataset access === |
| 174 | |
| 175 | As we mentioned, TAP manages users, roles, groups, policies and their relationships. It is a common scenario to have a dataset with policies that prevent you of doing an illegal use of the data. In the given example you will find the default Thredds catalog example. The first step is to protect the dataset: |
| 176 | |
| 177 | {{{ |
| 178 | <dataset name="Test Single Dataset" ID="testDataset" |
| 179 | serviceName="dap" urlPath="test/testData.nc" dataType="Grid" restrictAccess="testDataset"/> |
| 180 | }}} |
| 181 | |
| 182 | When a user tries to access this dataset, the Thredds authorizer expects to find the roles "testDataset" and "restrictedDatasetUser" in the user's granted authorities. |
| 183 | |
| 184 | === Allow access to a restricted dataset from TAP === |
| 185 | |
| 186 | To allow access to the previous dataset, create the role in /tap/admin/roles "Add new record": |
| 187 | |
| 188 | {{{#!th |
| 189 | [[Image(image-20150306-105102.png, 50%)]] |
| 190 | }}} |
| 191 | |
| 192 | Fill the form: |
| 193 | |
| 194 | - Name: testDataset |
| 195 | - Description: a description of the dataset |
| 196 | - Restricted: True if you want to moderate its access. Users will wait until a confirmation from an Admin or manager |
| 197 | - Dataset: True in this case. If you want to create an internal role in TAP set to false. |
| 198 | |
| 199 | Create a policy in /tap/admin/policies "Add new record" : |
| 200 | |
| 201 | {{{#!th |
| 202 | [[Image(image-20150306-110334.png, 50%)]] |
| 203 | }}} |
| 204 | |
| 205 | Fill the form |
| 206 | |
| 207 | - Name: TEST_DATASET_POLICY |
| 208 | - Description: Description of the policy |
| 209 | - Disable policy: ignore this in the creation. If you edit the policy and you want users accept again the agreement, set to true. |
| 210 | - Agreement: You can paste html directly by clicking in the source button. |
| 211 | |
| 212 | Create a Group in /tap/admin/groups "Add new record": |
| 213 | |
| 214 | {{{#!th |
| 215 | [[Image(image-20150306-111019.png, 50%)]] |
| 216 | }}} |
| 217 | |
| 218 | After creating the Policy, asociate it with the dataset (role) testDataset: |
| 219 | |
| 220 | {{{#!th |
| 221 | [[Image(image-20150306-112042.png, 50%)]] |
| 222 | }}} |
| 223 | |
| 224 | Fill the form |
| 225 | |
| 226 | - Name: TEST_GROUP |
| 227 | - Description: Description of the group |
| 228 | - Is project: If the group represents a project like EUPORIAS, VALUE, CORDEX... |
| 229 | - Coordinator: If you want to delegate the user acceptance. TAP will send an email to the coordinator containing two links: accept or reject the user group request. |
| 230 | |
| 231 | After creating the group, it is necessary to asociate the dataset(role) testDataset to the group: |
| 232 | |
| 233 | {{{#!th |
| 234 | [[Image(image-20150306-111606.png, 50%)]] |
| 235 | }}} |
| 236 | |
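Review bot: the policy-association step at new line 218 ("After creating the Policy, asociate it with the dataset (role) testDataset") is out of order. It sits between the group's "Add new record" screenshot (212-216) and the group's form fields (224-229), so the group step is split in two and the reader is told to associate the policy while in the middle of creating the group. Move line 218 and its screenshot (220-222) up to follow the policy form, after line 210.

Two further points on the same added block. Lines 171 and 182 say the Thredds authorizer expects both "restrictedDatasetUser" and "testDataset" in the user's granted authorities, but the steps only create testDataset. Line 171 ends with "Here is where TAP does the job for you" without saying how restrictedDatasetUser is granted, so please state that explicitly, since a user missing it would be denied even after the group association at 231. Also, restrictAccess=”roleName” at 169 uses typographic quotes, which will not parse if pasted into a catalog; use straight quotes as in the example at 178-179. Minor: "asociate" (218, 231) should be "associate", and "prevent you of doing" (175) should be "prevent you from making".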