-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathpubliccode.yml
160 lines (124 loc) · 5.51 KB
/
publiccode.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
# This repository adheres to the publiccode.yml standard by including this
# metadata file that makes public software easily discoverable.
# More info at https://github.com/italia/publiccode.yml
publiccodeYmlVersion: '0.2'
name: ckanext-berlinauth
applicationSuite: CKAN
url: 'https://github.com/berlinonline/ckanext-berlinauth'
releaseDate: '2020-07-28'
softwareVersion: 0.2.8
developmentStatus: stable
softwareType: addon
platforms:
- web
categories:
- it-development
- knowledge-management
maintenance:
type: internal
contacts:
- name: Dr. Knud Möller
email: [email protected]
legal:
license: AGPL-3.0-only
mainCopyrightOwner: ' BerlinOnline GmbH'
repoOwner: ' BerlinOnline GmbH'
localisation:
localisationReady: false
availableLanguages:
- en
description:
en:
genericName: ckanext-berlinauth
documentation: >-
https://github.com/berlinonline/ckanext-berlinauth?tab=readme-ov-file#ckanext-berlinauth
shortDescription: >-
This plugin belongs to a set of plugins for the Datenregister – the
non-public CKAN instance that is part of Berlin's open data portal
daten.berlin.de
longDescription: >
This plugin belongs to a set of plugins for the _Datenregister_ – the
non-public [CKAN](https://ckan.org/) instance that is part of Berlin's
open data portal [daten.berlin.de](https://daten.berlin.de/).
`ckanext-berlinauth` provides a custom authorization model. Among other
things, access for anonymous users is restricted, file upload is
deactivated
The plugin implements the following CKAN interfaces:
-
[IAuthFunctions](http://docs.ckan.org/en/latest/extensions/plugin-interfaces.html#ckan.plugins.interfaces.IAuthFunctions)
-
[IActions](http://docs.ckan.org/en/latest/extensions/plugin-interfaces.html#ckan.plugins.interfaces.IActions)
-
[IMiddleware](http://docs.ckan.org/en/latest/extensions/plugin-interfaces.html#ckan.plugins.interfaces.IMiddleware)
## Requirements
This plugin has been tested with CKAN 2.9.8 (which requires Python 3).
## Register-mode
"Register-mode" is the implementation for the use case where we have CKAN
as a separate "backend" system, only accessible to administrative staff
who add and manage datasets. In this scenario, CKAN is called the
"Datenregister".
The general authorization model is as follows:
- Anonymous users have no access to the website
([https://datenregister.berlin.de](https://datenregister.berlin.de/)),
except for the `/about` and `/datenschutzerklaerung`. All requests are
redirected to the login page.
- Anonymous has access to a subset of the CKAN API (most GET-able
functions) and the DCAT API.
- Logged-in users have restricted access to site and API.
- no user list/show (except for self)
- no vocabulary list/show
- hide certain groups from `group\_list`, `organization\_list`
- hide users except self from `group\_show`, `organization\_show`
- ...
- File upload has been disabled.
## Monitoring, Liveness and Readiness Probes
The fact that the home page (`/`) is no longer available to anonymous
users has implications for monitoring services such as liveness and
readiness probes in Kubernetes. If `ckanext-berlinauth` is installed and
activated, such services should not point to the home page, but instead
to a page that is available to anonymous users as well. A good candidate
is the info page at `/about`.
## Additional Configuration Options
- `berlin.technical\_groups`: A space-separated list of
group/organizations that are considered 'technical'. A technical
organization is one which does not reflect a real-world organization, but
has only been introduced to structure permissions. Technical groups are
hidden for non-sysadmin users.
berlin.technical\_groups = simplesearch harvester-fis-broker
- `berlin.public\_pages`: By default, access to the Datenregister is
restricted to logged-in users. This setting contains a space-separated
list of paths that should be visible to the public, i.e., to anonymous
users.
berlin.public\_pages = about datenschutzerklaerung
## Version Numbers for Plugins
The CKAN API's
[status\_show](https://docs.ckan.org/en/2.9/api/#ckan.logic.action.get.status_show)
method includes a list of plugins as configured in the `ckan.plugins`
setting. `ckanext-berlinauth` includes an extended version of
`status\_show` that also shows the version number of each plugin. This
assumes that the plugin module defines a `\_\_version\_\_` attribute that
contains the version number. If there is no `\_\_version\_\_` attribute,
the version number will be `unknown`:
{
"help": "http://ckandev.bln/api/3/action/help\_show?name=status\_show",
"success": true,
"result": {
"site\_title": "Datenregister Dev",
"site\_description": "",
"site\_url": "http://ckandev.bln",
"ckan\_version": "2.9.8",
"error\_emails\_to": null,
"locale\_default": "en",
"extensions": {
"stats": {
"version": "unknown"
},
"berlintheme": {
"version": "0.3.6"
},
"berlinauth": {
"version": "0.2.6"
}
}
}
}