Re: Simple WebID, WebID+TLS Protocol, and ACL Dogfood Demo

On 8/9/13 12:55 PM, Hugh Glaser wrote:
> Thanks.
> I've looked at quite a bit of this stuff, but still don't see where the ACL document gets stored and used.

As per my setup [1] the ACLs reside in a document. Of course, they can 
also reside inside a DBMS/store e.g., in a named graph.
>
> I am beginning to get the sense that I may have to write some code, other than the ACL rdf to do this.

Depends. The issue here is that ACL lookups are an additional step in 
the flow when applying WebID+TLS to actual resource access. What 
sometimes gets lost in conflation is the fact that we have:

1. identity authentication
2. resource access control.

Your identity might be verified (via authentication) but said identity 
isn't necessarily authorized to access a protected resource.

If an ACL delegation mechanism existed, you could negate writing any 
code since a trusted 3rd party service could lookup ACLs (wherever 
you've placed them) and then apply that to the authorization process.
> Surely Apache or something else will do this for me?
Possibly, but you will have to plug-in an ACL module (basically 
something that performs SPARQL ASK, for instance) or write one yourself.
> Can't I "just" put the ACL in a file (as in htpasswd) and point something at it?

Hmm... I don't use Apache that deeply, but I would expect that to be 
possible, bearing in mind the existence of WebID+TLS modules [2].

> I certainly don't want to be writing code to make one photo (or simply a static web site) available.
> Or is that the "delegated service" you are talking about?

Yes, another example of the flexibility that WebID+TLS brings to 
Read-Write Linked Data.
>
> I've got my fingers crossed here.

We'll have that implemented when we get an opening. Of course other 
WebID and RWW players can implement the same thing too :-)

Links:

[1] http://kingsley.idehen.net/DAV/home/kidehen/Public/Linked%20Data%20Documents/WebID-ACL-Demos/ -- all the files are public readable (i.e., +r)
[2] http://packages.debian.org/testing/httpd/libapache2-mod-authn-webid -- Debian WebID+TLS module for Apache
[3] https://apps.ubuntu.com/cat/applications/raring/libapache2-mod-authn-webid/ -- for Ubuntu
[4] http://dig.csail.mit.edu/2009/mod_authn_webid/ -- from CSAIL team at MIT (I've copied Joe in as he might be able to help re. extension for ACLs)
[5] http://dig.csail.mit.edu/2009/mod_authz_webid/README -- ** this might be what you need re. Apache **.


Kingsley
>
> On 9 Aug 2013, at 17:35, Kingsley Idehen <kidehen@openlinksw.com>
>   wrote:
>
>> On 8/9/13 12:22 PM, Hugh Glaser wrote:
>>> <Hugh comes back to play />
>>> Thanks Kingsley, and Melvin and Henry and Norman.
>>> So, trying to cut it down to the minimum.
>>> (Sorry, I find some/many of the pages about it really hard going.)
>>> If I have a photo on a server, http://example.org/photos/me.jpg, and a WebID at http://example.org/id/you
>>> What files do I need on the server so that http://example.org/id/you#me (and no-one else) can access http://example.org/photos/me.jpg?
>>> I think that is a sensible question (hopefully!)
>> You can need a Turtle document (other RDF document types will do too) comprised of content that describes your ACL based on <http://www.w3.org/ns/auth/acl> vocabulary terms.
>>
>> You might find <http://www.w3.org/wiki/WebAccessControl#this> wiki document useful too.
>>
>> My ACL demos leverage the fact that our ODS and Virtuoso platforms have this in-built re. Web Server functionality.
>>
>> I need to check if we built a delegated service for WebID+TLS based ACLs, if not, then (note to self re., new feature zilla) we'll make one :-)
>>
>>
>
>
>


-- 

Regards,

Kingsley Idehen
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen

Received on Friday, 9 August 2013 17:34:58 UTC
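
The separation between authentication and ACL lookup discussed in this message, as an added example that is not part of the original thread or of any module it links to. It assumes the WebID has already been verified by WebID+TLS, uses the photo and WebID URIs from the question, and represents a constructed ACL as plain triples; `is_authorized`, `decide` and the status-code mapping are hypothetical names and choices for illustration.

```python
# Added example: the ACL lookup that runs after WebID+TLS authentication.
ACL = "http://www.w3.org/ns/auth/acl#"
RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"

PHOTO = "http://example.org/photos/me.jpg"   # resource from the thread
OWNER = "http://example.org/id/you#me"       # WebID from the thread

# Constructed ACL graph as (subject, predicate, object) triples. In Turtle:
#   <#photo-read> a acl:Authorization ;
#       acl:accessTo <http://example.org/photos/me.jpg> ;
#       acl:agent    <http://example.org/id/you#me> ;
#       acl:mode     acl:Read .
ACL_GRAPH = {
    ("#photo-read", RDF_TYPE, ACL + "Authorization"),
    ("#photo-read", ACL + "accessTo", PHOTO),
    ("#photo-read", ACL + "agent", OWNER),
    ("#photo-read", ACL + "mode", ACL + "Read"),
}


def is_authorized(graph, webid, resource, mode):
    """Triple-pattern equivalent of the SPARQL query:
    ASK { ?a a acl:Authorization ; acl:accessTo <resource> ;
             acl:agent <webid> ; acl:mode <mode> . }
    """
    # Every node typed acl:Authorization is a candidate binding for ?a.
    candidates = {s for (s, p, o) in graph
                  if p == RDF_TYPE and o == ACL + "Authorization"}
    required = [(ACL + "accessTo", resource),
                (ACL + "agent", webid),
                (ACL + "mode", mode)]
    # All three patterns must hold on the SAME authorization node.
    return any(all((a, p, o) in graph for (p, o) in required)
               for a in candidates)


def decide(graph, verified_webid, resource, mode=ACL + "Read"):
    """Map the two separate steps to an HTTP status (assumed mapping).

    verified_webid is None when WebID+TLS authentication failed.
    """
    if verified_webid is None:
        return 401          # step 1 failed: identity not authenticated
    if is_authorized(graph, verified_webid, resource, mode):
        return 200          # step 2 passed: ACL grants this mode
    return 403              # authenticated, but not authorized (default deny)
```

URIs are compared as exact strings, so `http://example.org/id/you` (the profile document) does not match the agent `http://example.org/id/you#me`.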