W3C home > Mailing lists > Public > public-rww@w3.org > August 2012

TAC + roles + resource access control = UAC

From: bergi <bergi@axolotlfarm.org>
Date: Wed, 15 Aug 2012 21:42:52 +0200
Message-ID: <502BFBBC.3070008@axolotlfarm.org>
To: Read-Write-Web <public-rww@w3.org>
More and more people on the mailing list are talking about access
control. I'm already working on the ACL topic of the rww scope [1]. Even
if it's not yet feature complete, I wanted to show you my current
version. This work is based on the TripleAccessControl Ontology [2].
Please have a look at the TAC Ontology documentation if you haven't done
this before. The main focus was my use case with a single/default graph,
but named graphs should also be covered in the final version. If you
also have already a concept please share your ideas. I will try to
integrated them. At the end we hopefully have an ontology that works for
must of us. This is important because I would like to use the uac:Role
class also for the Request for Access topic [3].


	Simple Example

Here a simple example for my FOAF profile with nested roles for my WebID
keys and Pingback. The blank nodes _:group_anonymous and _:group_anybody
are used by the ResourceMe login modules for anonymous users and any
logged in user.

# role for WebID keys:
_:RoleReadWebid a uac:Role;
 uac:accessToTriple [ a uac:TripleAuthorization;
  uac:mode uac:Read;
  uac:filter [ a uac:SimpleFilter;
   uac:predicate cert:key;
  ];
  uac:children [
   uac:accessToTriple [ a uac:TripleAuthorization;
    uac:mode uac:Read;
    uac:filter [ a uac:SimpleFilter;
     uac:predicate rdf:type;
     uac:object cert:RSAPublicKey;
    ], [ a uac:SimpleFilter;
     uac:predicate cert:modulus;
    ], [ a uac:SimpleFilter;
     uac:predicate cert:exponent;
    ]]]].

# role for Pingback:
_:RoleReadPingback a uac:Role;
 uac:accessToTriple [ a uac:TripleAuthorization;
  uac:mode uac:Read;
  uac:filter [ a uac:SimpleFilter;
   uac:predicate pingback:to;
  ]].

# role for FOAF profile:
_:RoleReadProfile a uac:Role;
 uac:hasRole
  _:RoleReadWebid,
  _:RoleReadPingback;
 uac:accessToTriple [ a uac:TripleAuthorization;
  uac:mode uac:Read;
  uac:filter [ a uac:SimpleFilter;
   uac:predicate rdf:type;
   uac:object foaf:Person;
  ], [ a uac:SimpleFilter;
   uac:predicate foaf:name;
  ], [ a uac:SimpleFilter;
   uac:predicate foaf:firstName;
  ], [ a uac:SimpleFilter;
   uac:predicate foaf:lastName;
  ], [ a uac:SimpleFilter;
   uac:predicate foaf:nick;
  ], [ a uac:SimpleFilter;
   uac:predicate foaf:img;
  ], [ a uac:SimpleFilter;
   uac:predicate foaf:homepage;
  ], [ a uac:SimpleFilter;
   uac:predicate pingback:to;
  ]].

# assign the roles to agents and subject
_:AuthzAllProfile a uac:Authorization;
 uac:agent _:group_anonymous;
 uac:agent _:group_anybody;
 uac:subject <https://www.bergnet.org/people/bergi/card#me>;
 uac:hasRole _:RoleReadProfile.


	Write Blog Comment

In some cases a filter value should be filled dynamically. For this use
case the uac:VariableFilter can be used. In this example the
uac:VariableFilter is used to avoid user spoofing in blog comments. The
agent variable is automatically filled with the authenticated user URL.

_:RoleWriteBlogComment a uac:Role;
 uac:accessToTriple [ a uac:TripleAuthorization;
  uac:mode uac:Read;
  uac:filter [ a uac:SimpleFilter;
   uac:predicate s:blogPosts;
  ];
  uac:children [
   uac:accessToTriple [ a uac:TripleAuthorization;
    uac:mode uac:Write;
    uac:filter [ a uac:SimpleFilter;
     uac:predicate s:comment;
    ];
    uac:children [
     uac:accessToTriple [ a uac:TripleAuthorization;
      uac:mode uac:Write;
      uac:filter [ a uac:SimpleFilter;
       uac:predicate rdf:type;
       uac:object s:UserComments;
      ], [ a uac:SimpleFilter;
       uac:predicate s:commentTime;
      ], [ a uac:SimpleFilter;
       uac:predicate s:commentText;
      ];
     ], [ a uac:TripleAuthorization;
      uac:mode uac:Write;
      uac:filter [ a uac:VariableFilter;
       uac:predicate [
        uac:value s:creator;
       ];
       uac:object [
        uac:variable "agent";
       ];
      ];
      uac:required "true";
     ]]]]].

_:AuthzAnybodyBlog a uac:Authorization;
 uac:agent _:group_anybody;
 uac:subject <https://www.bergnet.org/people/bergi/blog/#blog>;
 uac:hasRole _:RoleWriteBlogComment.


	Image Gallery

This example shows how to reuse RDF data defined for a gallery. Based on
the s:contentURL property access to the linked pictures is granted.

_:RoleReadGallery a uac:Role;
 uac:accessToTriple [ a uac:TripleAuthorization;
  uac:mode uac:Read;
  uac:filter [ a uac:SimpleFilter;
   uac:predicate rdf:type;
   uac:object s:ImageGallery;
  ];
 ], [ a uac:TripleAuthorization;
  uac:mode uac:Read;
  uac:filter [ a uac:SimpleFilter;
   uac:predicate s:significantLink;
  ];
  uac:children [
   uac:accessToTriple [ a uac:TripleAuthorization;
    uac:mode uac:Read;
    uac:filter [ a uac:SimpleFilter;
     uac:predicate rdf:type;
     uac:object s:ImageObject;
    ], [ a uac:SimpleFilter;
     uac:predicate s:author;
    ], [ a uac:SimpleFilter;
     uac:predicate s:dateCreated;
    ], [ a uac:SimpleFilter;
     uac:predicate s:text;
    ];
   ], [ a uac:TripleAuthorization;
    uac:mode uac:Read;
    uac:filter [ a uac:SimpleFilter;
     uac:predicate s:contentURL;
    ];
    uac:children [
     uac:accessToResource [ a uac:ResourceAuthorization;
      uac:mode uac:Read;
     ]]]]].

_:AuthzFriendsReadGallery a uac:Authorization;
 uac:agent <https://www.bergnet.org/people/bergi/card#friends>;
 uac:subject
  <https://www.bergnet.org/people/bergi/gallery/2012-06-14/>,
  <https://www.bergnet.org/people/bergi/gallery/2012-07-07/>;
 uac:hasRole _:RoleReadGallery.


	Why No Deny?

There is no uac:denyAccessToTriple property because it would just cause
trouble. Think about foaf:group provided by a server which is temporary
not reachable. If you would deny access for this group you have a
problem. A concept of deny just will not work with distributed data.


	Protecting Only Resources

There are different opinions about the concept of filtering the content
of a resource. This concept should also work without triple filtering. I
was already thinking about merging the uac:accesstoTriple and
uac:accessToResource properties to a uac:access property. Beside the
uac:TripleAuthorization and uac:ResourceAuthorization class a
uac:TripleSet class could be defined, just to collect triples for a
uac:ResourceAuthorization child.


	Prefixes

Here are the prefix definitions, if you want to view the examples in
your favorite turtle editor:

@prefix bio: <http://purl.org/vocab/bio/0.1/>.
@prefix cert: <http://www.w3.org/ns/auth/cert#>.
@prefix dct: <http://purl.org/dc/terms/>.
@prefix foaf: <http://xmlns.com/foaf/0.1/>.
@prefix like: <http://ontologi.es/like#>.
@prefix pingback: <http://purl.org/net/pingback/>.
@prefix s: <http://schema.org/>.
@prefix time: <http://www.w3.org/2006/time#>.
@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#>.
@prefix uac: <http://ns.bergnet.org/uac/0.1/universal-access-control#>.


[1] http://www.w3.org/community/rww/wiki/Scope#ACL
[2] http://ns.bergnet.org/tac/0.1/triple-access-control
[3] http://www.w3.org/community/rww/wiki/Scope#Request_for_Access
Received on Wednesday, 15 August 2012 19:43:19 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 15 August 2012 19:43:19 GMT