Security for DocDB is determined by three sets of permissions:
File permissions must be set correctly for the webserver to download documents into $file_root. See customizing DocDB for more.
groupswhich actually correspond to users in the HTTP authorization scheme. Access to the DocDB scripts is granted to each group with a unique password. DocDB controls which meta-info is shown to users based on the permissions of the group. Access to files within documents is controlled by requiring the username and password for a valid group. You should have at least two groups, one for those uploading and viewing documents and one for administering the database. If you are using an apache webserver, web permissions are controlled with the .htaccess file. The .htaccess file is placed in the DocDB cgi-bin diretory. See customizing DocDB for more.
The htpassword command may be found at: /afs/fnal.gov/files/expwww/computing/home/docdb/auth/htpasswd/bin/htpasswd. To create a password file, cd to the directory in which the AuthUserFile resides (which is specified in the .htaccess file). Run the following command:
To add a user to an existing password file, use this command:
mastergroup of both sub-groups.
read-only,but in practice you'd want to set up the HTTP authorization as read-only. This allows you to require users uploading documents or changing meta-info to be authorized by a secure certificate, but allows users without a certificate (e.g. travelers using an Internet Cafe) to have read-only access to the data.
Within DocDB groups may be subordinate to other groups. A dominant group assumes all the privileges of a subordinate group. Thus, all groups must be made subordinate to docdbadm and all local groups are made subordinate to cdweb. This is done through the administrative functions of DocDB.
Never create documents as docdbadm or choose that group when creating documents. Only use docdbadm for administrative functions that cannot be done as cdweb or the instance user.
Finally, we come to MySQL permissions.
MySQL maintains its own permissions independent of DocDB, web and file system permissions. There are three important accounts for DocDB purposes, as well as the MySQL root account:
In MySQL there is a default database named "mysql" which contains the security information for th edatabase server and each database on that server. To use root, you must access the database from localhost only, meaning using a secure SSH or Telnet connection (Kerberos) to connect to the machine hosting MySQL (flxd01.fnal.gov).
DO NOT ATTEMPT TO CHANGE THE MYSQL SECURITY SETTINGS UNLESS YOU ARE SURE ABOUT WHAT YOU ARE DOING!
docdbadm may connect to MySQL using a MySQL client from any machine in the fnal.gov domain. Nothing outside of this domain is permitted access. If you need to use docdbadm from a remote location, you must connect using the Fermilab VPN.
docdbrw and docdbro may access the database from any domain.
The docdbrw and dodbro usernames and passwords are explicitly contained in the CGI Perl script ProjectGlobals.pm. This is how the scripts are able to access the database.
Docdbadm and its password are NOT in the scripts. This is why you must type the administrator password every time you make an administrative change.
For convenience, the username docdbadm is the same for both the web interface for DocDB and the MySQL database. They DO NOT HAVE TO BE THE SAME. However, more typing would be required when using the administrator account.