Secure Replies - AFS

AFS Security

Product: AFS
AFS_Version: 7.8
Category: Technical Notes
Language: English
Audience: public

Replies must be secured so that each user can view only the replies he has access to.

Securing replies requires actions on both the PaF side and the reply side:

  • The PaF must be operated in secured mode.
  • Reply databases must be queried with the afs:user and afs:group parameters.

For more information about managing rights on documents, see our section about Managing Rights On Documents.

Operate the PaF in secured mode

Operate the PaF in secured mode by starting it with the -s option:

/usr/local/afs7/bin/afs_paf -s

In this case:

  • The scheduler stores the permissions of all loaded files.
  • The scheduler enables rights management for filters (afs_filesystem_load, used for remote file system indexing such as NFS, and afs_search_build, which generates secured databases).

afs_paf_top displays specific reporting for a secured PaF.

The DataFlow Back Office application displays the secured icon for these PaFs.

Query a Secured Database

Focus on Anonymous Queries

The Query Engine can either allow or disallow anonymous queries. In anonymous mode, a query without authentication parameters (afs:user and/or afs:group) returns public documents. In authenticated (non-anonymous) mode, a query without authentication parameters is rejected.

Examples

  • Anonymous mode can be used for a web site with specific contents for registered users.
  • Authenticated mode can ensure a strict rights policy on an intranet portal.

Authenticated mode is the default setting; it can be changed by setting QEng/Agents/enableAnonymousQueries to true.

Focus on Errors in Authentication Parameters

By default, if either the afs:user or the afs:group parameter is in error, all authentication parameters (user and group) are ignored, a message appears in the output feed and the query is rejected. Set the QueryParsing/discardOnError parameter to false to avoid this behavior.

Focus on Authentication Parameters

afs:user

Role

Sets the user for the query: afs:user=<user_name>.

Status

Optional. user_name must be an identifier (one letter followed by several letters and numbers) or an email address compliant with the RFC 5322 Internet standard (see Email Address (Wikipedia) or RFC 5322 for more details).

Can be set zero or several times.

Example

afs:service=1811&afs:query=I+want+it+all&afs:user=john

afs:service=1811&afs:query=I+want+it+all&afs:user=bill&afs:group=windows

afs:service=1979&afs:uri=42&afs:user=steeve&afs:group=apple

afs:group

Role

Sets the group for the query: afs:group=<group_name>.

Status

Optional. group_name must be an identifier (one letter followed by several letters and numbers) or an email address compliant with the RFC 5322 Internet standard (see Email Address (Wikipedia) or RFC 5322 for more details).

Can be set zero or several times.

Example

afs:service=1811&afs:query=I+want+it+all&afs:group=users

afs:service=1811&afs:query=I+want+it+all&afs:user=bill&afs:group=windows&afs:group=msdos

afs:service=1979&afs:uri=42&afs:user=steeve&afs:group=apple

To set several groups at once, the following alternative syntax can be used:

afs:groups=<group1_name>,<group2_name>...<groupn_name>
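The following Python script is an added example, not code from AFS or from this note. It models, on the client or gateway side, the behaviour described above for the authentication parameters: it builds a query string in the documented syntax (repeated afs:group), checks afs:user and afs:group values against the identifier-or-email rule, understands the comma-separated afs:groups form, and applies the documented defaults for QEng/Agents/enableAnonymousQueries (anonymous queries rejected) and QueryParsing/discardOnError (any bad value drops all authentication parameters and rejects the query). The function and argument names, the simplified email pattern, and the way valid values are kept when discardOnError is false are assumptions of this example, not AFS behaviour stated on the page.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Value rules stated on the page: an identifier is one letter followed by letters
# and digits, otherwise the value must be an RFC 5322 e-mail address. The e-mail
# pattern below is a simplified approximation (assumption), not the full grammar.
IDENTIFIER_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]*$")
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def is_valid_principal(value):
    """True when value is acceptable as an afs:user or afs:group value."""
    return bool(IDENTIFIER_RE.match(value) or EMAIL_RE.match(value))


class QueryRejected(Exception):
    """Raised where the Query Engine would reject the query."""


def build_secured_query(service, query, user=None, groups=()):
    """Build a query string in the syntax shown on the page (repeated afs:group).

    Values are checked before the request is built so that a typo in a user or
    group name is caught locally instead of producing a rejected query.
    """
    for value in ([user] if user is not None else []) + list(groups):
        if not is_valid_principal(value):
            raise ValueError(f"invalid authentication value: {value!r}")
    pairs = [("afs:service", str(service)), ("afs:query", query)]
    if user is not None:
        pairs.append(("afs:user", user))
    pairs.extend(("afs:group", g) for g in groups)
    # safe=":" keeps the "afs:" prefix readable, as in the documented examples
    return urlencode(pairs, safe=":")


def resolve_auth(query_string, enable_anonymous_queries=False, discard_on_error=True):
    """Model the documented handling of authentication parameters.

    Returns (users, groups, messages). The two keyword arguments stand in for
    the QEng/Agents/enableAnonymousQueries and QueryParsing/discardOnError
    settings; their defaults are the defaults the page states. Raises
    QueryRejected where the Query Engine would reject the query.
    """
    users, groups, messages = [], [], []
    for key, value in parse_qsl(query_string, keep_blank_values=True):
        if key in ("afs:user", "afs:group"):
            candidates = [value]
        elif key == "afs:groups":          # alternative comma-separated syntax
            candidates = value.split(",")
        else:
            continue                       # afs:service, afs:query, ... are not auth params
        for candidate in candidates:
            if not is_valid_principal(candidate):
                messages.append(f"invalid value for {key}: {candidate!r}")
            elif key == "afs:user":
                users.append(candidate)
            else:
                groups.append(candidate)

    if messages and discard_on_error:
        # Documented default: every authentication parameter is dropped, a message
        # is emitted in the output feed and the query is rejected.
        raise QueryRejected("; ".join(messages))
    # With discardOnError=false the page only says the rejection is avoided; this
    # model keeps the valid values and drops the bad ones (assumption).

    if not users and not groups:
        if enable_anonymous_queries:
            return users, groups, messages  # anonymous query: public documents
        raise QueryRejected("authentication parameters required: anonymous queries are disabled")
    return users, groups, messages


def is_rejected(query_string, **settings):
    """Convenience wrapper: True when resolve_auth would raise QueryRejected."""
    try:
        resolve_auth(query_string, **settings)
    except QueryRejected:
        return True
    return False


if __name__ == "__main__":
    q = build_secured_query(1811, "I want it all", user="bill", groups=["windows", "msdos"])
    print(q)
    print(resolve_auth(q))
    print("anonymous query rejected by default:", is_rejected("afs:service=1811&afs:query=I+want+it+all"))
```

Running the script prints the documented example query for bill, the (users, groups, messages) triple it resolves to, and confirms that a query with no authentication parameters is rejected under the default settings. Switching enable_anonymous_queries to True lets that same query through, which is the behaviour to expect on a public web site; leaving it False is the strict intranet policy the note describes.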