diff --git a/publiccode.yml b/publiccode.yml new file mode 100644 index 0000000..0efdb62 --- /dev/null +++ b/publiccode.yml @@ -0,0 +1,160 @@ +# This repository adheres to the publiccode.yml standard by including this +# metadata file that makes public software easily discoverable. +# More info at https://github.com/italia/publiccode.yml + +publiccodeYmlVersion: '0.2' +name: ckanext-berlinauth +applicationSuite: CKAN +url: 'https://github.com/berlinonline/ckanext-berlinauth' +releaseDate: '2020-07-28' +softwareVersion: 0.2.8 +developmentStatus: stable +softwareType: addon +platforms: + - web +categories: + - it-development + - knowledge-management +maintenance: + type: internal + contacts: + - name: Dr. Knud Möller + email: knud.moeller@berlinonline.de +legal: + license: AGPL-3.0-only + mainCopyrightOwner: ' BerlinOnline GmbH' + repoOwner: ' BerlinOnline GmbH' +localisation: + localisationReady: false + availableLanguages: + - en +description: + en: + genericName: ckanext-berlinauth + documentation: >- + https://github.com/berlinonline/ckanext-berlinauth?tab=readme-ov-file#ckanext-berlinauth + shortDescription: >- + This plugin belongs to a set of plugins for the Datenregister – the + non-public CKAN instance that is part of Berlin's open data portal + daten.berlin.de + longDescription: > + This plugin belongs to a set of plugins for the _Datenregister_ – the + non-public [CKAN](https://ckan.org/) instance that is part of Berlin's + open data portal [daten.berlin.de](https://daten.berlin.de/). + `ckanext-berlinauth` provides a custom authorization model. Among other + things, access for anonymous users is restricted, file upload is + deactivated + + + The plugin implements the following CKAN interfaces: + + + - + [IAuthFunctions](http://docs.ckan.org/en/latest/extensions/plugin-interfaces.html#ckan.plugins.interfaces.IAuthFunctions) + + - + [IActions](http://docs.ckan.org/en/latest/extensions/plugin-interfaces.html#ckan.plugins.interfaces.IActions) + + - + [IMiddleware](http://docs.ckan.org/en/latest/extensions/plugin-interfaces.html#ckan.plugins.interfaces.IMiddleware) + + + ## Requirements + + + This plugin has been tested with CKAN 2.9.8 (which requires Python 3). + + + ## Register-mode + + + "Register-mode" is the implementation for the use case where we have CKAN + as a separate "backend" system, only accessible to administrative staff + who add and manage datasets. In this scenario, CKAN is called the + "Datenregister". + + + The general authorization model is as follows: + + + - Anonymous users have no access to the website + ([https://datenregister.berlin.de](https://datenregister.berlin.de/)), + except for the `/about` and `/datenschutzerklaerung`. All requests are + redirected to the login page. + + - Anonymous has access to a subset of the CKAN API (most GET-able + functions) and the DCAT API. + + - Logged-in users have restricted access to site and API. + - no user list/show (except for self) + - no vocabulary list/show + - hide certain groups from `group\_list`, `organization\_list` + - hide users except self from `group\_show`, `organization\_show` + - ... + - File upload has been disabled. + + + ## Monitoring, Liveness and Readiness Probes + + + The fact that the home page (`/`) is no longer available to anonymous + users has implications for monitoring services such as liveness and + readiness probes in Kubernetes. If `ckanext-berlinauth` is installed and + activated, such services should not point to the home page, but instead + to a page that is available to anonymous users as well. A good candidate + is the info page at `/about`. + + + ## Additional Configuration Options + + + - `berlin.technical\_groups`: A space-separated list of + group/organizations that are considered 'technical'. A technical + organization is one which does not reflect a real-world organization, but + has only been introduced to structure permissions. Technical groups are + hidden for non-sysadmin users. + + berlin.technical\_groups = simplesearch harvester-fis-broker + + - `berlin.public\_pages`: By default, access to the Datenregister is + restricted to logged-in users. This setting contains a space-separated + list of paths that should be visible to the public, i.e., to anonymous + users. + + berlin.public\_pages = about datenschutzerklaerung + + ## Version Numbers for Plugins + + + The CKAN API's + [status\_show](https://docs.ckan.org/en/2.9/api/#ckan.logic.action.get.status_show) + method includes a list of plugins as configured in the `ckan.plugins` + setting. `ckanext-berlinauth` includes an extended version of + `status\_show` that also shows the version number of each plugin. This + assumes that the plugin module defines a `\_\_version\_\_` attribute that + contains the version number. If there is no `\_\_version\_\_` attribute, + the version number will be `unknown`: + + { + "help": "http://ckandev.bln/api/3/action/help\_show?name=status\_show", + "success": true, + "result": { + "site\_title": "Datenregister Dev", + "site\_description": "", + "site\_url": "http://ckandev.bln", + "ckan\_version": "2.9.8", + "error\_emails\_to": null, + "locale\_default": "en", + "extensions": { + "stats": { + "version": "unknown" + }, + "berlintheme": { + "version": "0.3.6" + }, + "berlinauth": { + "version": "0.2.6" + } + } + } + }