RE: TAC + roles + resource access control = UAC

You wrote:
"Why No Deny?
There is no uac:denyAccessToTriple property because it would just cause trouble. Think about a foaf:group provided by a server which is temporarily not reachable. If you deny access for this group you have a problem. A concept of deny just will not work with distributed data."

I'm discovering your technologies, which look promising, and my first comment after reading your mail is that I will have a lot of pain adopting a model where the ACLs are not defined/stored at the same location as the data.
Typically for the reason you are exposing. Indeed, security is too important to let network issues and latencies impact the result of the evaluation of the authorizations.

(Note that I might be very old-fashioned and intellectually stuck in a Unix / Windows model where ACLs are placed "on" the protected object).

--
Regards,
Emmanuel Dreux
http://www.cloudiway.com
Tel: +33 4 26 78 17 58
Mobile: +33 6 47 81 26 70
skype: Emmanuel.Dreux


-----Original Message-----
From: bergi [mailto:bergi@axolotlfarm.org] 
Sent: Wednesday, 15 August 2012 21:43
To: Read-Write-Web
Subject: TAC + roles + resource access control = UAC

More and more people on the mailing list are talking about access control. I'm already working on the ACL topic of the rww scope [1]. Even if it's not yet feature-complete, I wanted to show you my current version. This work is based on the TripleAccessControl Ontology [2].
Please have a look at the TAC Ontology documentation if you haven't done so before. The main focus was my use case with a single/default graph, but named graphs should also be covered in the final version. If you already have a concept as well, please share your ideas. I will try to integrate them. In the end we hopefully have an ontology that works for most of us. This is important because I would like to use the uac:Role class also for the Request for Access topic [3].


	Simple Example

Here is a simple example of my FOAF profile with nested roles for my WebID keys and Pingback. The blank nodes _:group_anonymous and _:group_anybody are used by the ResourceMe login modules for anonymous users and any logged-in user.

# role for WebID keys:
_:RoleReadWebid a uac:Role;
 uac:accessToTriple [ a uac:TripleAuthorization;
  uac:mode uac:Read;
  uac:filter [ a uac:SimpleFilter;
   uac:predicate cert:key;
  ];
  uac:children [
   uac:accessToTriple [ a uac:TripleAuthorization;
    uac:mode uac:Read;
    uac:filter [ a uac:SimpleFilter;
     uac:predicate rdf:type;
     uac:object cert:RSAPublicKey;
    ], [ a uac:SimpleFilter;
     uac:predicate cert:modulus;
    ], [ a uac:SimpleFilter;
     uac:predicate cert:exponent;
    ]]]].

# role for Pingback:
_:RoleReadPingback a uac:Role;
 uac:accessToTriple [ a uac:TripleAuthorization;
  uac:mode uac:Read;
  uac:filter [ a uac:SimpleFilter;
   uac:predicate pingback:to;
  ]].

# role for FOAF profile:
_:RoleReadProfile a uac:Role;
 uac:hasRole
  _:RoleReadWebid,
  _:RoleReadPingback;
 uac:accessToTriple [ a uac:TripleAuthorization;
  uac:mode uac:Read;
  uac:filter [ a uac:SimpleFilter;
   uac:predicate rdf:type;
   uac:object foaf:Person;
  ], [ a uac:SimpleFilter;
   uac:predicate foaf:name;
  ], [ a uac:SimpleFilter;
   uac:predicate foaf:firstName;
  ], [ a uac:SimpleFilter;
   uac:predicate foaf:lastName;
  ], [ a uac:SimpleFilter;
   uac:predicate foaf:nick;
  ], [ a uac:SimpleFilter;
   uac:predicate foaf:img;
  ], [ a uac:SimpleFilter;
   uac:predicate foaf:homepage;
  ], [ a uac:SimpleFilter;
   uac:predicate pingback:to;
  ]].

# assign the roles to agents and subject
_:AuthzAllProfile a uac:Authorization;
 uac:agent _:group_anonymous, _:group_anybody;
 uac:subject <https://www.bergnet.org/people/bergi/card#me>;
 uac:hasRole _:RoleReadProfile.


	Write Blog Comment

In some cases a filter value should be filled in dynamically. For this use case the uac:VariableFilter can be used. In this example the uac:VariableFilter is used to prevent user spoofing in blog comments. The agent variable is automatically filled with the authenticated user's URL.

_:RoleWriteBlogComment a uac:Role;
 uac:accessToTriple [ a uac:TripleAuthorization;
  uac:mode uac:Read;
  uac:filter [ a uac:SimpleFilter;
   uac:predicate s:blogPosts;
  ];
  uac:children [
   uac:accessToTriple [ a uac:TripleAuthorization;
    uac:mode uac:Write;
    uac:filter [ a uac:SimpleFilter;
     uac:predicate s:comment;
    ];
    uac:children [
     uac:accessToTriple [ a uac:TripleAuthorization;
      uac:mode uac:Write;
      uac:filter [ a uac:SimpleFilter;
       uac:predicate rdf:type;
       uac:object s:UserComments;
      ], [ a uac:SimpleFilter;
       uac:predicate s:commentTime;
      ], [ a uac:SimpleFilter;
       uac:predicate s:commentText;
      ];
     ], [ a uac:TripleAuthorization;
      uac:mode uac:Write;
      uac:filter [ a uac:VariableFilter;
       uac:predicate [
        uac:value s:creator;
       ];
       uac:object [
        uac:variable "agent";
       ];
      ];
      uac:required "true";
     ]]]]].

_:AuthzAnybodyBlog a uac:Authorization;
 uac:agent _:group_anybody;
 uac:subject <https://www.bergnet.org/people/bergi/blog/#blog>;
 uac:hasRole _:RoleWriteBlogComment.


	Image Gallery

This example shows how to reuse RDF data defined for a gallery. Based on the s:contentURL property, access to the linked pictures is granted.

_:RoleReadGallery a uac:Role;
 uac:accessToTriple [ a uac:TripleAuthorization;
  uac:mode uac:Read;
  uac:filter [ a uac:SimpleFilter;
   uac:predicate rdf:type;
   uac:object s:ImageGallery;
  ];
 ], [ a uac:TripleAuthorization;
  uac:mode uac:Read;
  uac:filter [ a uac:SimpleFilter;
   uac:predicate s:significantLink;
  ];
  uac:children [
   uac:accessToTriple [ a uac:TripleAuthorization;
    uac:mode uac:Read;
    uac:filter [ a uac:SimpleFilter;
     uac:predicate rdf:type;
     uac:object s:ImageObject;
    ], [ a uac:SimpleFilter;
     uac:predicate s:author;
    ], [ a uac:SimpleFilter;
     uac:predicate s:dateCreated;
    ], [ a uac:SimpleFilter;
     uac:predicate s:text;
    ];
   ], [ a uac:TripleAuthorization;
    uac:mode uac:Read;
    uac:filter [ a uac:SimpleFilter;
     uac:predicate s:contentURL;
    ];
    uac:children [
     uac:accessToResource [ a uac:ResourceAuthorization;
      uac:mode uac:Read;
     ]]]]].

_:AuthzFriendsReadGallery a uac:Authorization;
 uac:agent <https://www.bergnet.org/people/bergi/card#friends>;
 uac:subject
  <https://www.bergnet.org/people/bergi/gallery/2012-06-14/>,
  <https://www.bergnet.org/people/bergi/gallery/2012-07-07/>;
 uac:hasRole _:RoleReadGallery.


	Why No Deny?

There is no uac:denyAccessToTriple property because it would just cause trouble. Think about a foaf:group provided by a server which is temporarily not reachable. If you deny access for this group you have a problem. A concept of deny just will not work with distributed data.


	Protecting Only Resources

There are different opinions about the concept of filtering the content of a resource. This concept should also work without triple filtering. I was already thinking about merging the uac:accessToTriple and uac:accessToResource properties into a uac:access property. Besides the uac:TripleAuthorization and uac:ResourceAuthorization classes, a uac:TripleSet class could be defined, just to collect triples for a uac:ResourceAuthorization child.


	Prefixes

Here are the prefix definitions, in case you want to view the examples in your favourite Turtle editor:

@prefix bio: <http://purl.org/vocab/bio/0.1/>.
@prefix cert: <http://www.w3.org/ns/auth/cert#>.
@prefix dct: <http://purl.org/dc/terms/>.
@prefix foaf: <http://xmlns.com/foaf/0.1/>.
@prefix like: <http://ontologi.es/like#>.
@prefix pingback: <http://purl.org/net/pingback/>.
@prefix s: <http://schema.org/>.
@prefix time: <http://www.w3.org/2006/time#>.
@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#>.
@prefix uac: <http://ns.bergnet.org/uac/0.1/universal-access-control#>.


[1] http://www.w3.org/community/rww/wiki/Scope#ACL
[2] http://ns.bergnet.org/tac/0.1/triple-access-control
[3] http://www.w3.org/community/rww/wiki/Scope#Request_for_Access

Received on Friday, 17 August 2012 10:17:45 UTC
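As an added illustration (not bergi's code, not ResourceMe, and not any implementation shipped with the TAC/UAC ontology), here is a small Python evaluator for the allow-only model both messages discuss: nested SimpleFilters restrict which triples a role exposes, the VariableFilter bound to the authenticated agent rejects the creator spoofing the blog-comment example is about, and a group whose server cannot be reached simply contributes no grant, which is the fail-closed property that makes a deny unnecessary. The graph, the agents ALICE and BOB, the friends-only foaf:mbox role and the group lookup are constructed for the example; the role structures mirror the message's FOAF profile and blog-comment examples.

```python
"""Allow-only, role-based triple filtering in the style of the UAC examples.
Hypothetical illustration code; class names, sample triples and agent URIs
are constructed here and are not part of any UAC implementation."""
from dataclasses import dataclass, field
from typing import Optional, Tuple

Triple = Tuple[str, str, str]  # (subject, predicate, object)


@dataclass(frozen=True)
class Filter:
    """uac:SimpleFilter (predicate, optional fixed object) or, with obj_var,
    a uac:VariableFilter whose object must equal a bound variable."""
    predicate: str
    obj: Optional[str] = None
    obj_var: Optional[str] = None

    def matches(self, triple: Triple, variables: dict) -> bool:
        _, p, o = triple
        if p != self.predicate:
            return False
        if self.obj_var is not None:        # an unbound variable never matches
            return o == variables.get(self.obj_var)
        return self.obj is None or o == self.obj


@dataclass
class TripleAuthorization:
    mode: str                                   # "Read" or "Write"
    filters: list
    children: list = field(default_factory=list)  # uac:children, applied to matched objects
    required: bool = False                      # uac:required "true"


@dataclass
class Role:
    authorizations: list = field(default_factory=list)
    has_role: list = field(default_factory=list)  # uac:hasRole nesting


@dataclass
class Authorization:
    agents: list
    subject: str
    roles: list


def _flatten(role):
    yield from role.authorizations
    for sub in role.has_role:
        yield from _flatten(sub)


def _grant(auths, node, graph, proposed, variables):
    """(mode, triple) pairs about `node` that the authorizations allow, following
    uac:children into the objects of matched triples. Returns None when a
    required authorization matches nothing for `node`."""
    granted = set()
    for auth in auths:
        pool = graph if auth.mode == "Read" else proposed
        matched = [t for t in pool if t[0] == node
                   and any(f.matches(t, variables) for f in auth.filters)]
        if auth.required and not matched:
            return None
        for t in matched:
            sub = _grant(auth.children, t[2], graph, proposed, variables)
            if sub is None:   # linked node failed a required check: drop the link too
                continue
            granted.add((auth.mode, t))
            granted |= sub
    return granted


def evaluate(subject, roles, graph, proposed=(), variables=None):
    granted = set()
    for role in roles:
        g = _grant(list(_flatten(role)), subject, list(graph), list(proposed), variables or {})
        granted |= g or set()
    return granted


def readable(subject, roles, graph):
    return {t for m, t in evaluate(subject, roles, graph) if m == "Read"}


def write_allowed(subject, roles, graph, proposed, agent):
    """Every proposed triple must be covered by a Write authorization; the
    VariableFilter on s:creator is bound to the authenticated agent, so a
    comment claiming another creator (or none) is rejected."""
    granted = evaluate(subject, roles, graph, proposed, {"agent": agent})
    return set(proposed) <= {t for m, t in granted if m == "Write"}


def roles_for(agent, subject, authorizations, group_members):
    """Roles `agent` holds on `subject`. group_members(uri) returns the member set,
    or None when the group's server is unreachable: that group then grants
    nothing (fail closed), so an allow-only model needs no deny."""
    roles = []
    for authz in authorizations:
        if authz.subject != subject:
            continue
        for a in authz.agents:
            members = group_members(a)
            if a == agent or (members is not None and agent in members):
                roles.extend(authz.roles)
                break
    return roles


# --- constructed sample data modelled on the message's examples ---
ME = "https://www.bergnet.org/people/bergi/card#me"
FRIENDS = "https://www.bergnet.org/people/bergi/card#friends"
BLOG = "https://www.bergnet.org/people/bergi/blog/#blog"
ALICE, BOB = "https://alice.example/#me", "https://bob.example/#me"  # assumed agents
GRAPH = [
    (ME, "rdf:type", "foaf:Person"), (ME, "foaf:name", "bergi"),
    (ME, "foaf:mbox", "mailto:private@example.org"),      # friends-only (assumed)
    (ME, "cert:key", "_:key"), ("_:key", "rdf:type", "cert:RSAPublicKey"),
    ("_:key", "cert:modulus", "0xC0FFEE"), ("_:key", "cert:exponent", "65537"),
    ("_:key", "rdfs:comment", "internal note"),            # no child filter lists it
    (BLOG, "s:blogPosts", "_:post1"),
]
ROLE_READ_WEBID = Role([TripleAuthorization("Read", [Filter("cert:key")], children=[
    TripleAuthorization("Read", [Filter("rdf:type", "cert:RSAPublicKey"),
                                 Filter("cert:modulus"), Filter("cert:exponent")])])])
ROLE_READ_PROFILE = Role([TripleAuthorization("Read", [Filter("rdf:type", "foaf:Person"),
                                                       Filter("foaf:name")])],
                         has_role=[ROLE_READ_WEBID])
ROLE_READ_MBOX = Role([TripleAuthorization("Read", [Filter("foaf:mbox")])])
ROLE_WRITE_COMMENT = Role([TripleAuthorization("Read", [Filter("s:blogPosts")], children=[
    TripleAuthorization("Write", [Filter("s:comment")], children=[
        TripleAuthorization("Write", [Filter("rdf:type", "s:UserComments"), Filter("s:commentText")]),
        TripleAuthorization("Write", [Filter("s:creator", obj_var="agent")], required=True)])])])
AUTHZ = [Authorization(["_:group_anonymous", "_:group_anybody"], ME, [ROLE_READ_PROFILE]),
         Authorization([FRIENDS], ME, [ROLE_READ_MBOX]),
         Authorization(["_:group_anybody"], BLOG, [ROLE_WRITE_COMMENT])]


def lookup_groups(friends_reachable):
    """Simulated group server; None models the host of FRIENDS being down."""
    table = {"_:group_anybody": {ALICE, BOB}, FRIENDS: {ALICE} if friends_reachable else None}
    return lambda uri: table.get(uri, set())


def profile_for(agent, friends_reachable=True):
    roles = roles_for(agent, ME, AUTHZ, lookup_groups(friends_reachable))
    return readable(ME, roles, GRAPH)
```

Note what the group outage does: with an allow-only policy, ALICE loses exactly the foaf:mbox triple the friends group would have granted and keeps everything the reachable grants cover, so the evaluation degrades to less access, never to more. Had a deny been attached to that group, the evaluator would have no sound answer while the server is down.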