Menü
Registrieren

ckanext-berlinauth

This plugin belongs to a set of plugins for the Datenregister – the non-public CKAN instance that is part of Berlin's open data portal daten.berlin.de

it-developmentknowledge-management

Letzte Aktualisierung

This plugin belongs to a set of plugins for the Datenregister – the non-public CKAN instance that is part of Berlin's open data portal daten.berlin.de. `ckanext-berlinauth` provides a custom authorization model. Among other things, access for anonymous users is restricted, file upload is deactivated

The plugin implements the following CKAN interfaces:

Requirements

This plugin has been tested with CKAN 2.9.8 (which requires Python 3).

Register-mode

"Register-mode" is the implementation for the use case where we have CKAN as a separate "backend" system, only accessible to administrative staff who add and manage datasets. In this scenario, CKAN is called the "Datenregister".

The general authorization model is as follows:

  • Anonymous users have no access to the website (https://datenregister.berlin.de), except for the `/about` and `/datenschutzerklaerung`. All requests are redirected to the login page.
  • Anonymous has access to a subset of the CKAN API (most GET-able functions) and the DCAT API.
  • Logged-in users have restricted access to site and API.
    • no user list/show (except for self)
    • no vocabulary list/show
    • hide certain groups from `group\_list`, `organization\_list`
    • hide users except self from `group\_show`, `organization\_show`
    • ...
  • File upload has been disabled.

Monitoring, Liveness and Readiness Probes

The fact that the home page (`/`) is no longer available to anonymous users has implications for monitoring services such as liveness and readiness probes in Kubernetes. If `ckanext-berlinauth` is installed and activated, such services should not point to the home page, but instead to a page that is available to anonymous users as well. A good candidate is the info page at `/about`.

Additional Configuration Options

  • `berlin.technical\_groups`: A space-separated list of group/organizations that are considered 'technical'. A technical organization is one which does not reflect a real-world organization, but has only been introduced to structure permissions. Technical groups are hidden for non-sysadmin users.

    berlin.technical\_groups = simplesearch harvester-fis-broker

  • `berlin.public\_pages`: By default, access to the Datenregister is restricted to logged-in users. This setting contains a space-separated list of paths that should be visible to the public, i.e., to anonymous users.

    berlin.public\_pages = about datenschutzerklaerung

Version Numbers for Plugins

The CKAN API's status\_show method includes a list of plugins as configured in the `ckan.plugins` setting. `ckanext-berlinauth` includes an extended version of `status\show` that also shows the version number of each plugin. This assumes that the plugin module defines a `\\version\\` attribute that contains the version number. If there is no `\\version\\_` attribute, the version number will be `unknown`:

{

"help": "http://ckandev.bln/api/3/action/help\_show?name=status\_show", "success": true, "result": { "site\_title": "Datenregister Dev", "site\_description": "", "site\_url": "http://ckandev.bln", "ckan\_version": "2.9.8", "error\_emails\_to": null, "locale\_default": "en", "extensions": { "stats": { "version": "unknown" }, "berlintheme": { "version": "0.3.6" }, "berlinauth": { "version": "0.2.6" } } } }