This plugin belongs to a set of plugins for the Datenregister – the non-public CKAN instance that is part of Berlin's open data portal daten.berlin.de.
ckanext-berlinauth provides a custom authorization model.
Among other things, access for anonymous users is restricted, file upload is deactivated
The plugin implements the following CKAN interfaces:
This plugin has been tested with CKAN 2.9.11 (which requires Python 3).
"Register-mode" is the implementation for the use case where we have CKAN as a separate "backend" system, only accessible to administrative staff who add and manage datasets. In this scenario, CKAN is called the "Datenregister".
The general authorization model is as follows:
- Anonymous users have no access to the website (https://datenregister.berlin.de), except for the
/aboutand/datenschutzerklaerung. All requests are redirected to the login page. - Anonymous has access to a subset of the CKAN API (most GET-able functions) and the DCAT API.
- Logged-in users have restricted access to site and API.
- no user list/show (except for self)
- no vocabulary list/show
- hide certain groups from
group_list,organization_list - hide users except self from
group_show,organization_show - ...
- File upload has been disabled.
The fact that the home page (/) is no longer available to anonymous users has implications for monitoring services such as liveness and readiness probes in Kubernetes.
If ckanext-berlinauth is installed and activated, such services should not point to the home page, but instead to a page that is available to anonymous users as well.
A good candidate is the info page at /about.
berlin.technical_groups: A space-separated list of group/organizations that are considered 'technical'. A technical organization is one which does not reflect a real-world organization, but has only been introduced to structure permissions. Technical groups are hidden for non-sysadmin users.
berlin.technical_groups = simplesearch harvester-fis-brokerberlin.public_pages: By default, access to the Datenregister is restricted to logged-in users. This setting contains a space-separated list of paths that should be visible to the public, i.e., to anonymous users.
berlin.public_pages = about datenschutzerklaerungThe CKAN API's status_show method includes a list of plugins as configured in the ckan.plugins setting.
ckanext-berlinauth includes an extended version of status_show that also shows the version number of each plugin.
This assumes that the plugin module defines a __version__ attribute that contains the version number.
If there is no __version__ attribute, the version number will be unknown:
{
"help": "http://ckandev.bln/api/3/action/help_show?name=status_show",
"success": true,
"result": {
"site_title": "Datenregister Dev",
"site_description": "",
"site_url": "http://ckandev.bln",
"ckan_version": "2.9.8",
"error_emails_to": null,
"locale_default": "en",
"extensions": {
"stats": {
"version": "unknown"
},
"berlintheme": {
"version": "0.3.6"
},
"berlinauth": {
"version": "0.2.6"
}
}
}
}This material is copyright © BerlinOnline GmbH.
This extension is open and licensed under the GNU Affero General Public License (AGPL) v3.0. Its full text may be found at: