Menu
▾
▴
Re: [Fez-users] [Fedora-commons-users] Front-End/Back-End Access Policies
|
From: Christiaan K. <c.k...@li...> - 2007-11-28 21:14:43
|
Hi Roman and Zbigniew I'll reply inline below: On 29/11/07 12:57 AM, "Roman Chyla" <rom...@gm...> wrote: > Hi Zbigniew, > I "persuaded" it to work in the meantime (the 2.0rc) - either you put > Fez inside fedora db (for 1.3), or input password/login for Fez2.0 to > access Fedora db. Fez is tightly connected with Fedora, it wants to > access the Fedora database - this is something not so obvious > considering troubles other people experience - i also assumed it can > get the data through api, but not, they query the Fedora database > (there are probably reasons for this, such as speed and ease for > developers, but it lacks flexibility in this way) > Thus I have got another thing to consider. Fez 2 has something in it's config options called "Fedora Direct Access". This can be turned on or off and can be kept off entirely if desired. When on it bypasses the fedora api and goes direct to the fedora sql database and xml files for API-A calls (read only). It still uses the Fedora API-M for management. We really only recommend turning it on when you need to do major performance hungry work like when you need to reindex your whole site. Eg with 150,000 objects reindexing time drops from 4 days to less than 1 day. This is a necessary evil for us sometimes - we just can't wait 4 days. We are working on getting it down to 30mins or less (we are getting there). This isn't really a problem for smaller repositories. So really turn if off and Fez will go through the fedora APIs like it should. > > I am getting output errors now as some xsd elements are missing > (either from object or from the template) - do you experience the > same? I should probably reinstall fez Fez 2 won't just run on the Fez 1.3 sql backend. You either need to run an upgrade (http://yourfez/upgrade/) or reinstall fez from scratch with fez 2 (not the old fez 1.3 settings). > > Fez has great features, but also some pitfalls. my personal list is as > follows: > FezACML When we started FezACML it was because XACML in Fedora was not ready yet. Since it is out now we have decided not to use it for many (we think) good reasons. In a nutshell having the authz rules available in a sql table to inner join with a search means Fez can do its sorting, ordering, limiting and auth all in the one search/browse/list Fez query and really improve performance. Imagine this. You have 10 million objects in your Fedora. Only 1000 objects the user is allowed to see. If they do a search that Lucene returns 9million objects (for example) it means the post search XACML engine filter needs to filter through 9million returned lucene objects. I haven't yet seen any tests on this but this doesn't seem indicative of usable performance (although I could be wrong). Also paging is much more difficult doing a post search xacml filter than an all in one sql query with a 'limit/offset'. I have discussed this with Chi and Peter Sefton (and anyone who has asked). This can be gotten around if you 'index' the xacml rules in lucene so the restriction can be done in the lucene query. Most people I have talked to write this off as a really bad idea as it will kill lucene performance and keeping the lucene index up to date with the authz info would be a nightmare. Even so Moodle is looking at doing exactly this with their Global Search module which uses the PHP implementation of lucene (Zend Search Lucene): http://docs.moodle.org/en/Student_projects/Global_search#Permissions http://docs.moodle.org/en/Student_projects/Global_search http://moodle.org/mod/forum/discuss.php?d=48715 Until this problem is solved (hopefully a lot by the Moodle project or by us if we get time on this) we are happy to stick with FezACML. > Fulltext searching in php instead of using Fedora (lucene) We'd love to use Lucene or Apache Solr or Xapian or Sphinx (better than Lucene in many ways) any number of external high speed indexes. Currently for Fez 2 back we use MySQL's inbuilt fulltext indexing which isn't that bad. We are working on supporting Postgresql in a 2.1 release including support for TSearch2 (pgs fulltext engine) which has features and performance like Lucene, but still lets us do the authz inner join during the main search query like with MySQL. Postgresqls bitmapping query indexes optimisation engine look really good and worth adding and recommending PG as a Fez backend. > Looking into the fedora db instead of using apis (imo, if programmers > feel smart and go around standard interfaces, it means troubles for > the future) Mentioned above this can be turned off (I think it is off by default). > > But do we have a better choice? Is there a better front-end for Fedora? Perhaps look at the AANRO blog here for recent evaluations of Fez 2, Muradora and VTLS Vital here: http://aanro-repo.blogspot.com/ Also have a look at my (very quick) presentation and the recent SUN PASIG conference about Fez 2 (and 2.1): http://espace.library.uq.edu.au/view.php?pid=UQ:119976 We are very happy with Fez 2 right now at UQ for our 'institutional repository': http://espace.library.uq.edu.au/ Of course we have a large number of internal (and external) feature requests for development (many of which described in the Fez 2.1 feature list in the above presentation). The good news is our team has grown from 2, to 3 and now 4 developers. For Fez specific enquires it might be better to use the fez-users email list (off our Fez sourceforge site) rather than putting this sort of discussion in the fedora mailing list. Cheers, Christiaan > > roman > > > On Nov 28, 2007 3:35 PM, Zbigniew Zdziarski > <zbi...@en...> wrote: >> >> Hi Roman, >> >> I also got the same error messages as you until I realised that Fez was not >> compatible with the latest release of Fedora. After installing fedora v 2.1, >> everything worked fine. >> >> And from further research it does appear as though FezACML-based security >> resides on the Fez level of a system so anyone trying to access the >> repository through a different client will bypass everything. Muradora does >> solve this problem but is not as feature-full as Fez - though it does also >> support versioning and is compatible with the latest Fedora meaning that it >> can do things like checksumming on ingest. >> >> Zbigniew >> >> >> >> Roman Chyla wrote: >> Hi, >> >> >> >> I'm thinking of using the Fez front-end on top of a Fedora repository >> but there's one worrying issue that needs clarification. Fez does not >> >> Have you managed to install Fez and have it working? Both of my >> installations, 1.3 and also 2.0, are not - >> http://sourceforge.net/forum/message.php?msg_id=4630765 - in 2.0rc, >> some tables are probably missing (i mailed one of the developers with >> details) >> >> >> >> use Fedora's XACML technology. Instead it uses its own FezACML access >> policies which are stored with every digital object. What worries me is >> that FezACML is only compatible with Fez and hence will only restrict >> access to objects if the user is connecting to Fedora through Fez. If >> >> as far as I understand from some bits, you does not need to switch off >> fedora's xacml - then fez will use fezacml, and it will be checked >> also against xacml. there are troubles with performance and also with >> management of two cml though >> >> >> >> another front-end is used with the correct Fedora admin username and >> password, then FezACML can basically be thrown out the window. >> >> Could someone tell me please whether my thinking is correct? Is ignoring >> XACML a potential security issue? Are there any front-ends available >> that don't have this problem? >> >> please take a loot at muradora.org, they use native fedora's XACML. If >> possible, share your views, this matter might be interesting for more >> people (anybody in the forum, please give us your opinions) >> >> Thank you >> >> roman >> >> >> >> thank you, >> Zbigniew Zdziarski >> >> ------------------------------------------------------------------------- >> SF.Net email is sponsored by: The Future of Linux Business White Paper >> from Novell. From the desktop to the data center, Linux is going >> mainstream. Let it simplify your IT future. >> http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4 >> _______________________________________________ >> Fedora-commons-users mailing list >> Fed...@li... >> https://lists.sourceforge.net/lists/listinfo/fedora-commons-users >> >> >> >> >> ------------------------------------------------------------------------- >> SF.Net email is sponsored by: The Future of Linux Business White Paper >> from Novell. From the desktop to the data center, Linux is going >> mainstream. Let it simplify your IT future. >> http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4 >> _______________________________________________ >> Fedora-commons-users mailing list >> Fed...@li... >> https://lists.sourceforge.net/lists/listinfo/fedora-commons-users >> >> > > ------------------------------------------------------------------------- > SF.Net email is sponsored by: The Future of Linux Business White Paper > from Novell. From the desktop to the data center, Linux is going > mainstream. Let it simplify your IT future. > http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4 > _______________________________________________ > Fedora-commons-users mailing list > Fed...@li... > https://lists.sourceforge.net/lists/listinfo/fedora-commons-users -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Christiaan Kortekaas Senior Library Open Sorcerer Library Technology Service The University of Queensland, Australia QLD 4072 Telephone : (+61) (7) 3346 4337 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |