The following is an outline for Metcast Channels remote (self-) administration: a facility to create a new channel, delete a channel or all of its products, modify the parameters or attributes of a channel, and add or remove a channel's permissions. All of these administrative functions can be performed by a remote user, provided he has the appropriate permissions (e.g., is in possession of a valid certificate that is registered with the channel taker).
The channel administration facility is implemented by a special virtual channel: ADM. An administrative function is accomplished by publishing specially formatted documents into that channel. A channel ADMH contains the historical record of all updates to Metcast Channels.
The ADM channel contains at most one product. This product, MCADM-XML, is an XML file, in the format of the Channel Table of Contents (CTOC). The document MCADM-XML has the following type:
<!ELEMENT channel ((attr*, access-right*) | ch-item*) >
<!ATTLIST channel
          Name      NMTOKEN       #REQUIRED
          Title     CDATA         #IMPLIED
          Comment   CDATA         #IMPLIED
          MaxLen    NMTOKEN       #IMPLIED
          Length    NMTOKEN       #IMPLIED
          TRange    %TRange-type; #IMPLIED
          %Selected;
          MBL-Desc  CDATA         #FIXED '(Channel ./@Name)'
          Publisher CDATA         #IMPLIED >
<!ELEMENT attr (#PCDATA) >
<!ATTLIST attr
          Name CDATA            #REQUIRED
          Use  (required|fixed) #IMPLIED >
<!ELEMENT ch-item (attr*) >
<!ATTLIST ch-item
          OID NMTOKEN #REQUIRED
          %TStamp; >
<!ELEMENT access-right (#PCDATA)>
<!ATTLIST access-right
          Right (R|W) #REQUIRED >
That is, the product in the ADM channel is almost the same as the one you would get by opening the URL [CTOC-CURR], with two exceptions. First, for virtual channels MCADM-XML specifically indicates the publishing command (the Publisher attribute). Most importantly, channel elements in MCADM-XML have <access-right> elements. Each <access-right> describes one particular user and his access right, R (read) or W (write). A user is identified by his name or by the distinguished name (DN) from his certificate. Note that the DTD above is intentionally made compatible with the CTOC DTD from [MTOC-DTD]. This makes a CTOC an instance of the generic ADM product; a CTOC, however, never contains Publisher attributes or access-right elements.
A sample MCADM-XML document is given in [MCADM-XML-sample].
Because the ADM channel contains highly sensitive information, only users designated as channel administrators may read this channel.
Channel administration is accomplished by storing special XML documents into the ADM channel. Such a document -- an administration request -- can affect only one channel. If several channels need to be created or modified, each operation must be performed separately. The following subsections describe the format of the administration request documents by example.
<create>
  <channel Name='DEMO-IMG' Title='Demo Channel - imagery' MaxLen='1'
           Comment='A channel to show off real-time publishing - imagery'>
    <attr Name='=mime-type'>image/x-demo</attr>
    <attr Name='fname'/>
    <attr Name='publisher' Use='fixed'>FNMOC</attr>
    <access-right Right='R'>*</access-right>
    <access-right Right='W'>*</access-right>
  </channel>
</create>
This administration request creates a channel. The channel must not already exist. The body of the <create> element is a single <channel> element, of exactly the same format as found in the ADM product.
<drop channel='DEMO-IMG'/>

Publishing the above document drops (that is, deletes) the existing channel. If the channel had any products, they are deleted, too.
<recreate>
  <channel Name='DEMO-IMG' Title='Demo Channel - imagery' MaxLen='1'
           Comment='A channel to show off real-time publishing - imagery'>
    <attr Name='=mime-type'>image/x-demo</attr>
    <attr Name='Fname'/>
    <attr Name='publisher' Use='fixed'>FNMOC</attr>
    <access-right Right='R'>*</access-right>
    <access-right Right='W'>*</access-right>
  </channel>
</recreate>
This is a combination of the drop and create operations. It is perhaps the most convenient way to change a channel extensively. For example, you first fetch the product from the ADM channel. You find the <channel> element for the channel in question, cut and paste it inside a <recreate>, make the necessary adjustments (e.g., add or delete attributes, or modify their spelling, as the example above does by renaming fname to Fname), and publish the resulting request. If the channel had any products, they are, of course, deleted.
<adjust>
  <channel Name='DEMO-IMG' Title='Demo Channel - imagery' MaxLen='1'
           Comment='A channel to show off real-time publishing - imagery'>
    <attr Name='=mime-type'>image/x-demo</attr>
    <attr Name='Fname'/>
    <attr Name='publisher' Use='fixed'>FNMOC</attr>
    <access-right Right='R'>*</access-right>
    <access-right Right='W'>*</access-right>
  </channel>
</adjust>
This operation is similar to recreate, but it preserves the products in the channel, if any. Consequently, only certain channel metadata can be modified this way. The only parameters that can be modified are Title, MaxLen (the maximum number of products in the channel), Comment, and Publisher. We could allow modifying the default value of the attributes and perhaps their Use, but that makes the implementation more difficult. Changing the names of attributes or adding/deleting attributes is never allowed in the adjust operation. Access rights cannot be modified with the adjust operation either; use the <access-control> operation below. The adjust operation takes the same <channel> element as the <create> or <recreate> operations; however, <adjust> disregards any <attr> and <access-right> elements that are present.
<purge channel='DEMO-IMG'/>
This operation removes all the products from a given channel.
<purge channel='DEMO-IMG'>
  <ch-item OID='12345' TStamp='1039481259'/>
</purge>

Publishing this request removes a specific product from the channel.
<access-control channel='DEMO-IMG'>
  <access-right Right='R'>*</access-right>
  <access-right Right='W'>/C=US/ST=CA/L=Monterey/O=METNET/OU=TEST/CN=Test User/Email=Test@metnet.navy.mil</access-right>
</access-control>

The set of <access-right> elements inside the <access-control> element replaces the existing access control rights. Because the set replaces rather than merges, an existing right that is left out of the request is revoked; start from the current set in the ADM product when you only mean to add or remove one entry.
<authorize>
<![CDATA[
may(channel,read) :- this-user(someuser).
]]>
</authorize>

The body of <authorize> is an access assertion. Typically the assertion will be placed in a CDATA block to avoid escaping characters of significance to XML.
<nop/>
This operation does nothing. Yes, it's useful.
The channel ADMH accumulates auditing records for all successful channel administration requests. The auditing records tell who did what and when. The records also make it possible to reconstruct the state of Metcast Channel meta-data at any point in time since the database was created. Only the Channel meta-data are preserved, that is, the descriptions of the channels and their attributes.
The ADMH channel is an ordinary, read-only channel. Authorized clients can subscribe to the ADMH channel, to receive notification of all updates to the Metcast Channel meta-data.
The ADMH channel stores auditing records. As any other product, the records have attributes: the mime-type, the creation timestamp, and the identity of the publisher. In addition, the records are identified by their type. There are two types of auditing records: request and pre-image.
Adding or deleting channels is a very sensitive operation. Therefore, only the channel administrator should be allowed to publish into the ADM channel, preferably over SSL/TLS. In addition, we will require that any document published into the ADM channel be signed by the administrator. To be more precise, the product published into the ADM channel must be a signed MIME entity wrapping the administration document, in PKCS#7 format (content-type application/pkcs7-mime). See S/MIME 3.0 [SMIME] for more information. The ADM channel taker application will verify the signature before attempting a channel administration operation.
After the ADM channel taker application has verified the administration document's signature, the taker parses and validates the XML document. The taker then attempts to perform the requested administration function. Any error aborts the operation and rolls back any changes made to the Metcast database.
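The verify-then-parse order described above, as an added Python example; this is not the Metcast taker's code. It refuses anything that is not an application/pkcs7-mime entity, runs `openssl smime -verify` against a CA file, takes the administrator's identity from the verified signer certificate (never from a field inside the document), and only then hands the content to the XML parser. The administrator DN list, the CA file path and the RFC 2253 subject format are assumptions; openssl must be on the PATH for verify() to work.

```python
"""Gate in front of the ADM channel taker: accept only an S/MIME signed entity,
verify it with openssl, and take the administrator's identity from the signer
certificate rather than from anything inside the document.

Added illustration, not the Metcast taker.  ADMIN_DNS, the CA file and the
RFC 2253 subject format are assumptions; verify() needs openssl on PATH."""
import email
import os
import subprocess
import tempfile

# Assumed administrator DNs, written exactly as `openssl x509 -nameopt RFC2253`
# prints them (RDNs reversed relative to the /C=US/... form used on the page).
ADMIN_DNS = {"emailAddress=Test@metnet.navy.mil,CN=Test User,OU=TEST,"
             "O=METNET,L=Monterey,ST=CA,C=US"}


def is_signed_entity(raw: bytes) -> bool:
    """First gate, applied before the XML is even looked at."""
    return email.message_from_bytes(raw).get_content_type() == "application/pkcs7-mime"


def is_admin(dn: str) -> bool:
    return dn in ADMIN_DNS


def verify(raw: bytes, ca_file: str):
    """Verify the PKCS#7 signature against ca_file.
    Returns (signer subject DN, verified content); raises CalledProcessError
    when the signature, the certificate chain or the format is bad."""
    with tempfile.TemporaryDirectory() as d:
        inp, out, cert = (os.path.join(d, n) for n in ("in.p7m", "doc.xml", "signer.pem"))
        with open(inp, "wb") as f:
            f.write(raw)
        # -signer writes the signer's certificate out only if verification succeeded
        subprocess.run(["openssl", "smime", "-verify", "-in", inp, "-CAfile", ca_file,
                        "-signer", cert, "-out", out], check=True, capture_output=True)
        subj = subprocess.run(["openssl", "x509", "-in", cert, "-noout", "-subject",
                               "-nameopt", "RFC2253"], check=True,
                              capture_output=True, text=True).stdout.strip()
        with open(out, "rb") as f:
            return subj.partition("=")[2], f.read()   # drop the "subject=" prefix


def admit(raw: bytes, ca_file: str) -> bytes:
    """Signed entity -> valid signature -> known administrator -> XML to parse."""
    if not is_signed_entity(raw):
        raise PermissionError("ADM accepts only application/pkcs7-mime entities")
    try:
        dn, doc = verify(raw, ca_file)
    except subprocess.CalledProcessError as e:
        raise PermissionError(f"signature verification failed: {e.stderr!r}") from None
    if not is_admin(dn):
        raise PermissionError(f"{dn} is not a channel administrator")
    return doc            # only now hand the document to the XML parser
```

On the administrator's side the matching signing step is `openssl smime -sign -in request.xml -signer admin.pem -inkey admin.key -out request.p7m`. The `-nameopt RFC2253` option is pinned because the default subject format differs between OpenSSL releases, and a DN comparison that depends on the printed form would otherwise break silently when the server is upgraded.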
ADM or ADMH channels themselves cannot be administered remotely. A remote administrator cannot drop the ADM channel, forbid any access to it or open it up to a particular person or to everybody.
If the publishing operation succeeds, it generates a MCADM-XML product and stores it into the ADM channel. Initially, the ADM channel is empty. To populate it, we need to publish a <nop/> request. That operation also stores the current state of the Channels database (the MCADM-XML document) as a pre-image record in the ADMH channel. All destructive administration actions add the corresponding pre-image records to ADMH. These records preserve the trail of updates and make it possible to reconstruct the channel meta-data (although not the actual products) as of any point in time.
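The request semantics described in the subsections above (create, drop, recreate, adjust, purge, access-control and nop; one channel per request; ADM and ADMH off limits; abort and roll back on any error) together with the ADMH pre-image trail just described, as one added Python example that is not Metcast code. It keeps the channel table in memory as a dict, records a metadata-only pre-image for the operations it treats as destructive (which ones count is an assumption; the text names nop explicitly), and reconstructs the metadata as of any time from that trail. The sample request sequence and the DN are constructed from the page's DEMO-IMG examples; <authorize> is left out because the page does not specify its semantics; for documents that arrive from the network, parse with defusedxml rather than xml.etree.

```python
import copy
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input

PROTECTED = {"ADM", "ADMH"}         # never administered remotely
ADJUSTABLE = ("Title", "MaxLen", "Comment", "Publisher")
# Requests that store a pre-image: <nop/> per the text; the rest is our reading
# of "all destructive administration actions" (an assumption).
SNAPSHOT_OPS = {"nop", "drop", "recreate", "purge", "adjust", "access-control"}

class AdminError(Exception):
    """Any error aborts the request; table and history are left untouched."""

def parse_rights(el):
    return [(r.get("Right"), (r.text or "").strip()) for r in el.findall("access-right")]

def parse_channel(el):
    """<channel> element in MCADM-XML/CTOC form -> dict; a new channel is empty."""
    ch = {k: el.get(k) for k in ("Name",) + ADJUSTABLE}
    ch["attrs"] = [(a.get("Name"), a.get("Use"), (a.text or "").strip())
                   for a in el.findall("attr")]
    ch.update(rights=parse_rights(el), products=[])
    return ch

def metadata_only(table):
    """What ADMH preserves: the channel descriptions, never the products."""
    return {n: {k: v for k, v in ch.items() if k != "products"} for n, ch in table.items()}

def apply_request(table, history, xml_text, who, when):
    """Apply one request to `table` (Name -> channel); commit only on full success."""
    req = ET.fromstring(xml_text)
    op, chans = req.tag, req.findall("channel")
    if op in ("create", "recreate", "adjust"):
        if len(chans) != 1:
            raise AdminError("a request affects exactly one channel")
        name = chans[0].get("Name")
    else:
        name = req.get("channel")
    if name in PROTECTED:
        raise AdminError(f"{name} cannot be administered remotely")
    if op in ("adjust", "drop", "purge", "access-control") and name not in table:
        raise AdminError(f"no channel {name}")
    work = copy.deepcopy(table)             # all changes go to the copy
    if op == "create":
        if name in work:
            raise AdminError(f"channel {name} already exists")
        work[name] = parse_channel(chans[0])
    elif op == "recreate":                  # drop + create: products are lost
        work[name] = parse_channel(chans[0])
    elif op == "adjust":                    # metadata only; products survive,
        for k in ADJUSTABLE:                # <attr>/<access-right> are ignored
            if chans[0].get(k) is not None:
                work[name][k] = chans[0].get(k)
    elif op == "drop":
        del work[name]
    elif op == "purge":                     # no <ch-item> means every product
        oids = {i.get("OID") for i in req.findall("ch-item")}
        work[name]["products"] = [p for p in work[name]["products"] if oids and p not in oids]
    elif op == "access-control":            # the new set replaces the old one
        work[name]["rights"] = parse_rights(req)
    elif op != "nop":
        raise AdminError(f"unknown operation <{op}>")

    if op in SNAPSHOT_OPS:                  # who did what, when, and the state before
        history.append({"who": who, "when": when, "op": op,
                        "request": xml_text, "pre-image": metadata_only(table)})
    table.clear()
    table.update(work)                      # commit

def state_at(history, table, when):
    """Channel metadata as of time `when`, reconstructed from the ADMH trail."""
    for rec in history:                     # chronological order
        if rec["when"] > when:
            return rec["pre-image"]
    return metadata_only(table)

def demo():
    """Constructed request sequence built from the page's DEMO-IMG examples."""
    table, hist = {}, []
    who = "/C=US/ST=CA/L=Monterey/O=METNET/OU=TEST/CN=Test User/Email=Test@metnet.navy.mil"
    apply_request(table, hist, "<nop/>", who, 1)              # initial pre-image
    apply_request(table, hist, """<create><channel Name='DEMO-IMG'
        Title='Demo Channel - imagery' MaxLen='1'>
        <attr Name='=mime-type'>image/x-demo</attr><attr Name='fname'/>
        <access-right Right='R'>*</access-right>
        <access-right Right='W'>*</access-right></channel></create>""", who, 2)
    table["DEMO-IMG"]["products"] = ["12345", "12346"]        # as if published
    apply_request(table, hist, "<purge channel='DEMO-IMG'><ch-item OID='12345'/></purge>", who, 3)
    apply_request(table, hist, """<adjust><channel Name='DEMO-IMG' Title='Demo imagery'>
        <attr Name='ignored'/></channel></adjust>""", who, 4)
    apply_request(table, hist, f"""<access-control channel='DEMO-IMG'>
        <access-right Right='R'>*</access-right>
        <access-right Right='W'>{who}</access-right></access-control>""", who, 5)
    for bad in ("<drop channel='ADM'/>", "<create><channel Name='DEMO-IMG'/></create>"):
        try:
            apply_request(table, hist, bad, who, 6)
        except AdminError:
            pass                                              # table unchanged
    return table, hist
```

The two rejected requests at the end of demo() show the roll-back rule: nothing is committed and no ADMH record is written unless every check passes, so a refused request leaves no trace in the trail other than whatever the taker logs itself.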
To make channel administration possible, the whole MChannels database must be owned by a dedicated user mcadm. Alternatively, the database may be created by root, informix, or a regular user, with the user mcadm granted special privileges. On no occasion may the users web, webt, or nobody, or any other under-privileged user, own anything in the MChannels database. Therefore, the MChannels.sh script that creates the database has been modified to check for the existence of the user mcadm and to make sure only proper users attempt to create the MChannels database.
The ADM channel will at last allow designated developers to administer the Metcast channels without bothering me. It will be possible to do so from any computer that has a text editor, a publishing tool and openssl (for signing and establishing SSL connections).
[CTOC-CURR] The current Channel Table of Contents from a live Metcast server <http://www.metnet.navy.mil/cgi-bin/oleg/server/channels/>
[MTOC-DTD] Metcast Table of Contents DTD <http://www.metnet.navy.mil/Metcast/XML/MTOC.dtd>
[MCADM-XML-sample] A sample MCADM-XML document <http://www.metnet.navy.mil/Metcast/XML/Channel-adm.xml>
[SMIME] S/MIME Version 3 Message Specification. RFC 2633. June 1999 <http://www.ietf.org/rfc/rfc2633.txt>
Converted from SXML by SXML->HTML