Flexible and Extensible Digital Object and Repository Architecture (FEDORA) Sandra Payette Cornell University CS 502 Computing Methods for Digital Libraries April 18, 2001

Repository Services Component-Ware Digital Libraries Collection Services Index Services Handles Name Service Digital Objects User Gateway Service

FEDORA: Goals Distribution - of digital content and services Interface Stability - for digital objects Interoperability - for digital objects and repositories Extensibility - naturally evolving type system Flexibility - community-driven type development Security - rights management and access control Preservation - longevity of digital objects

FEDORA Digital Object  container for aggregating any digital material  disseminations of complex types  global extensibility mechanisms Repository  Service layer for “contained” DigitalObjects  Object lifecycle management  Secure environment for running mobile code

FEDORA History Digital Object vision (Kahn/Wilensky) Warwick Framework (container model) Distributed Active Relationships (Lagoze) Cornell FEDORA (Payette, Lagoze) CNRI Repository (Arms, Blanchi, Overly) CNRI/FEDORA Interoperability Project UVA/FEDORA (Staples, Weyland) - Complex disseminators, XML/XSL, web integration Project Prism (DLI2) – Security, preservation Lecture Browser (Mukhopadhyay, Newman)

Fedora DigitalObjects can be... Simple, familiar entities Complex, compound, dynamic objects

Fedora Digital Object Model Disseminations Generic interface Data Stream Data Stream Data Stream Extensible Mechanism Encapsulated service request Primitive Disseminator Typed Disseminator Internal stream

Disseminator Type A set of behaviors that formally describes the functionality of any global or community-specific notion of content.

Extensible Behaviors - “Lecture” Content Disseminations Lecture Mechanism Dublin Core GetVideo(quality) GetSlide(seqNum) GetSyncData GetDCRecord GetDCField(name) Lecture Data Archive Video-H Applet slide-2 (gif) slide-1 (gif) metadata (xml)

Digital Object Methods Content Disseminations Lecture Dublin Core Video-H Applet (java) slide-2 (gif) slide-1 (gif) metadata (xml) Lecture, DublinCore GetDissemination (Lecture.GetSlide(1)) GetSlide(n), GetVideo(res),GetApplet() GetMethods(Lecture) The Slide GetDissemTypes()

DigitalObject Extensibility: Adding New Types MechanismStructure Interface Book The same underlying data... can be operated on in novel ways… Photo Collection to create new disseminations not originally conceived of for the particular digital object. Book Photo Album PDF page metadata (xml) page

Registration and Proliferation of Disseminator Types Disseminator Types registered in the Handle System  visible when URN of a Signature is registered  usable when URN of a Servlet is registered Other DigitalObjects can use Disseminator Types by referencing these URNs. Handle System Fedora Repository

Big Picture: Cooperation among non-cooperating sources Lesson 1 module GetDissemination( GetLesson(1)) Library Catalog Museum Image Database Video Archive Course page

Repository Big Picture: Interoperable Repositories Handles Name Service Cornell CS Lectures Client NCSTRL Repository Library Collections

University of Virginia (UVA) Implementation Relational schema for Fedora Fedora as mediation technology Integration and normalization of many “born-digital” resources Multiple disseminations of same content to meet different scholarly needs 500,000+ digital objects High performance

UVA – Digital Objects

UVA Salisbury Cathedral

UVA Fedora Utility Interface

FEDORA: Security Distribution - of digital content and services Interface Stability - for digital objects Interoperability - for digital objects and repositories Extensibility - naturally evolving type system Flexibility - community-driven type development Security - rights management and access control Preservation - longevity of digital objects

Limitations of traditional access control mechanisms Limited expressiveness for policies Fixed set of abstractions  objects are files, directories, etc.  actions are read, write, execute, etc. Not easily extended for complex or fine- grained policies

Digital Libraries: context-specific policies Distance Education (“Lecture object”):  “guests may view course syllabus and slides 1-10 of Lecture 1, but may not view the Lecture 1 video or other slides.”  “students may not view Lecture 2 video unless they submit assignment for Lecture 1.” Library digitization (“Book object”):  “before copyright expiration on 1/1/2002 CU students can access chapters 1-6 and CU alumni can access pages 1-20 of chapter 2; after expiration, all users can access all pages of all chapters.” Business Strategy (“Technology portfolio object”):  “managers may view product specification only after product safety report has been certified by head of R&D.”  “only the executive team may run the market share simulation”

Building on existing work Fedora - digital object and repository architecture (Payette and Lagoze, 1998, 2000) Security Automata (Schneider, 1999) PoET - Policy Enforcement Toolkit (Erlingsson and Schneider, 1999, 2000)

Extensible Behaviors - “Lecture” Content Disseminations Lecture Mechanism Dublin Core GetVideo(quality) GetSlide(seqNum) GetSyncData GetDCRecord GetDCField(name) Lecture Data Archive Video-H Policy-L (PSlang) Video-L Policy-D (PSlang) slide-2 (gif) slide-1 (gif) metadata (xml)

Security Automata Theoretical basis for specifying policies that are enforceable, flexible, and fine-grained Policies are modeled as state transitions Execution Monitoring (EM)  Class of enforcement mechanisms that enforce policies by simulating a security automaton  Monitors executions upon a target (system, application, object) and prevents executions that violate policy  “Reference Monitors” are EM Source: Schneider, 1999

In-Line Reference Monitoring (IRM) Security automata simulations are merged into program object code (checks inserted before each execution) The application program, itself, becomes the reference monitor, ensuring that policy is not violated when it runs. Source: Erlingsson and Schneider, 1999, 2000 Traditional (kernel as Reference Monitor) kernel program executable OS RM Language-based security (IRM) In-lined program

Policy Enforcement Toolkit (PoET) Trusted program rewriter - modifies Java bytecode Secure class loader Event-oriented policy language (PSLang) Source: Erlingsson and Schneider, 1999, 2000 Policy in PSlang Policy in PSlang Program rewriter Secure Class loader Modified Bytecode (target with policy embedded) JVM Java Bytecode (class file) Program runs (obeys policy) PoET

FEDORA and PoET IRM Policy Enforcement Content Disseminations Video-H Lecture Mechanism Video-L Dublin Core Java bytecode in-lined with policies at runtime slide-2 (gif) slide-1 (gif) metadata (xml) access request Policy-L (PSlang) Policy-D (PSlang)

Object structure view via client Digital Object Policy

End-User View … policies enforced transparently

Future Work Policy enforcement of more complex policies, more object types. Dynamic policy binding based on object characteristics. UVA Production Fedora Open Archives Initiative compliance Preservation: dissemination of metadata to facilitate preservation Mobile computing - trust schemes to support policy enforcement as objects move

References: Fedora Payette, Sandra and Carl Lagoze, “Flexible and Extensible Digital Object and Repository Architecture,” ECDL98, Heraklion, Crete, September 21-23, 1998, Springer, 1998, (Lecture notes in computer science; Vol. 1513). Payette, Sandra, Christophe Blanchi, Carl Lagoze, and Edward Overly, “Interoperability for Digital Objects and Repositories: The Cornell/CNRI Experiments,” D-Lib Magazine, May Payette, Sandra and Carl Lagoze, Policy-Carrying, Policy-Enforcing Digital Objects, accepted by Fourth European Conference on Research andAdvanced Technology for Digital Libraries, Portugal, Springer, 2000, (Lecture notes in computer science), draft available at Payette, Sandra and Carl Lagoze, Value Added Surrogates for Distributed Content: Establishing a Virtual Control Zone, D-Lib Magazine, June 2000,

Contributors: Staples, Thornton, and Ross Wayland, "Virginia Dons Fedora: A prototype for a digital object repository," D-LIb Magazine, July 2000, Schneider, Fred B., “Enforceable Security Policies,” Computer Science Technical Report #TR , Department of Computer Science, Cornell University, July 24, 1999, Erlingsson, Ulfar and Fred B. Schneider, “SASI Enforcement of Security Policies: A Retrospective,” Computer Science Technical Report #TR , Department of Computer Science, Cornell University, July 19, 1999, Erlingsson, Ulfar and Fred B. Schneider, “IRM Enforcement of Java Stack Inspection,” Computer Science Technical Report #TR , Department of Computer Science, Cornell University, February 19, 2000,