|
|
|
## Definitions
|
|
|
|
The B2SAFE service relies on iRODS to implements data policies. The implementation is based on set of operations, which we call rules. Multiple rules can be combined to form [workflows][1]. Each rule or workflow can be triggered manually, client side, or automatically, server side, setting a trigger condition in the irods configuration files (usually in the file core.re in /etc/irods). In IROD exists an object called workflow (WSO, Workflow Structured Object), but we are not referring to that, just to a generic set of rules. Based on our definition, every set of rules, a workflow, it is a rule, but we tend to call workflows only the set of rules which become quite complex.
|
|
|
|
|
|
|
|
Example of rule:
|
|
|
|
`EUDATCreateAVU("EUDAT/FIO", *newPID, *path);`
|
|
|
|
(it adds the key-value pair ("EUDAT/FIO", *newPID) to the object stored in the input path)
|
|
|
|
|
|
|
|
Example of workflow:
|
|
|
|
`EUDATCreatePID(*parent_pid, *path, *ror, *fio, *fixed, *newPID);` (see the combined set of rules [here][2])
|
|
|
|
|
|
|
|
Example of trigger:
|
|
|
|
```
|
|
|
|
acPostProcForCollCreate {
|
|
|
|
ON($collName like "/MyZone/home/username/*")
|
|
|
|
{
|
|
|
|
*fixed="false";
|
|
|
|
EUDATPidsForColl($collName, *fixed);
|
|
|
|
writeLine("serverLog","PID Created: for collection $collName");
|
|
|
|
}
|
|
|
|
}
|
|
|
|
```
|
|
|
|
The above condition: `acPostProcForCollCreate`, is triggered every time a new collection is created.
|
|
|
|
Inside a trigger you can add further filters. The example above uses:
|
|
|
|
`ON($collName like "/MyZone/home/username/*")`
|
|
|
|
to apply the condition only to the collections created inside a specific path.
|
|
|
|
A list of triggered conditions (called static Policy Enforcement Points, PEP) is available in the Appendix A at page 215 and in the Appendix B at page 217 of the [workbook][3]. Another one is in the [iRODS manual][4].
|
|
|
|
|
|
|
|
## Examples
|
|
|
|
Let's now consider an important data policy: the uploaded data is immutable. And the opposite one: the uploaded data is mutable. If the uploaded data is immutable what it is needed to enforce such policy?
|
|
|
|
This kind of policy is usually agreed with the data owners, for example a scientific community. Therefore the B2SAFE administrator can rely on the fact that the scientific community will not break the policy and just set the following trigger in the iRODS core.re to create a PID for each uploaded object:
|
|
|
|
```
|
|
|
|
acPostProcForPut
|
|
|
|
{
|
|
|
|
ON($objPath like "/MyZone/home/community/*")
|
|
|
|
{
|
|
|
|
*fixed = "true";
|
|
|
|
EUDATCreatePID("None", $objPath, "None", "None", *fixed, *PID);
|
|
|
|
writeLine("serverLog","PID Created: *PID for object $objPath");
|
|
|
|
}
|
|
|
|
}
|
|
|
|
```
|
|
|
|
The attribute _fixed_ is a way to declare explicitly that the object is not expected to change.
|
|
|
|
However our B2SAFE administrator does not trust the community's users, she wants to enforce, server side, this policy.
|
|
|
|
In order to do so, she has two options:
|
|
|
|
1. to intercept every attempt to modify the uploaded objects:
|
|
|
|
2. to define a staging space where the users can upload the data and, after each upload, move them to another space where the users have only read access.
|
|
|
|
|
|
|
|
1) in this case, she could define a trigger like the following one:
|
|
|
|
```
|
|
|
|
acPreProcForModifyDataObjMeta
|
|
|
|
{
|
|
|
|
ON($objPath like "/MyZone/home/community/*")
|
|
|
|
{
|
|
|
|
writeLine("serverLog","attempt to modify $objPath");
|
|
|
|
msiExit("-1", "user is not allowed to perform the requested action");
|
|
|
|
}
|
|
|
|
}
|
|
|
|
```
|
|
|
|
2) in this case it is necessary something more complex:
|
|
|
|
```
|
|
|
|
dataArchiveCopy(*collPath, *archivePath) {
|
|
|
|
foreach ( *res in SELECT DATA_NAME WHERE COLL_NAME = '*collPath' ) {
|
|
|
|
*objName = *res.DATA_NAME;
|
|
|
|
*objPath = *collPath ++ "/" ++ *objName;
|
|
|
|
msiSetACL("default", "admin:own", *adminUser, *objPath);
|
|
|
|
*destination = *archivePath ++ "/" ++ *objName;
|
|
|
|
msiDataObjCopy(*objPath, *destination);
|
|
|
|
msiDataObjUnlink(*objPath, *out);
|
|
|
|
*fixed = "true";
|
|
|
|
EUDATCreatePID("None", *destination, "None", "None", *fixed, *PID);
|
|
|
|
writeLine("serverLog","PID Created: *PID for object *destination");
|
|
|
|
*owners = list();
|
|
|
|
foreach ( *R in SELECT DATA_OWNER_NAME, DATA_NAME WHERE COLL_NAME = '*collPath' AND DATA_NAME = '*objName' ) {
|
|
|
|
*owners = cons(*R.DATA_OWNER_NAME, *owners);
|
|
|
|
}
|
|
|
|
if (size(*owners) > 0) {
|
|
|
|
foreach (*user in *owners) {
|
|
|
|
msiSetACL("default", "read", *user, *destination);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
[1]: https://github.com/EUDAT-B2SAFE/B2SAFE-core/wiki/Workflows "workflows"
|
|
|
|
[2]: https://github.com/EUDAT-B2SAFE/B2SAFE-core/blob/master/rulebase/pid-service.re "pid ruleset"
|
|
|
|
[3]: http://datafed.org/dev/wp-content/uploads/2016/05/DFC-policy-examples.pdf "workbook"
|
|
|
|
[4]: https://docs.irods.org/master/plugins/dynamic_policy_enforcement_points "dynamic PEP" |
|
|
|
\ No newline at end of file |