- From: bergi <bergi@axolotlfarm.org>
- Date: Wed, 15 Aug 2012 21:42:52 +0200
- To: Read-Write-Web <public-rww@w3.org>
More and more people on the mailing list are talking about access control. I'm already working on the ACL topic of the rww scope [1]. Even if it's not yet feature complete, I wanted to show you my current version. This work is based on the TripleAccessControl Ontology [2]. Please have a look at the TAC Ontology documentation if you haven't done this before. The main focus was my use case with a single/default graph, but named graphs should also be covered in the final version. If you already have a concept, please share your ideas. I will try to integrate them. In the end we hopefully have an ontology that works for most of us. This is important because I would like to use the uac:Role class also for the Request for Access topic [3].

Simple Example

Here is a simple example for my FOAF profile with nested roles for my WebID keys and Pingback. The blank nodes _:group_anonymous and _:group_anybody are used by the ResourceMe login modules for anonymous users and any logged in user.

    # role for WebID keys:
    _:RoleReadWebid a uac:Role;
      uac:accessToTriple [
        a uac:TripleAuthorization;
        uac:mode uac:Read;
        uac:filter [
          a uac:SimpleFilter;
          uac:predicate cert:key;
        ];
        uac:children [
          uac:accessToTriple [
            a uac:TripleAuthorization;
            uac:mode uac:Read;
            uac:filter [
              a uac:SimpleFilter;
              uac:predicate rdf:type;
              uac:object cert:RSAPublicKey;
            ], [
              a uac:SimpleFilter;
              uac:predicate cert:modulus;
            ], [
              a uac:SimpleFilter;
              uac:predicate cert:exponent;
            ]]]].

    # role for Pingback:
    _:RoleReadPingback a uac:Role;
      uac:accessToTriple [
        a uac:TripleAuthorization;
        uac:mode uac:Read;
        uac:filter [
          a uac:SimpleFilter;
          uac:predicate pingback:to;
        ]].

    # role for FOAF profile:
    _:RoleReadProfile a uac:Role;
      uac:hasRole _:RoleReadWebid, _:RoleReadPingback;
      uac:accessToTriple [
        a uac:TripleAuthorization;
        uac:mode uac:Read;
        uac:filter [
          a uac:SimpleFilter;
          uac:predicate rdf:type;
          uac:object foaf:Person;
        ], [
          a uac:SimpleFilter;
          uac:predicate foaf:name;
        ], [
          a uac:SimpleFilter;
          uac:predicate foaf:firstName;
        ], [
          a uac:SimpleFilter;
          uac:predicate foaf:lastName;
        ], [
          a uac:SimpleFilter;
          uac:predicate foaf:nick;
        ], [
          a uac:SimpleFilter;
          uac:predicate foaf:img;
        ], [
          a uac:SimpleFilter;
          uac:predicate foaf:homepage;
        ], [
          a uac:SimpleFilter;
          uac:predicate pingback:to;
        ]].

    # assign the roles to agents and subject
    _:AuthzAllProfile a uac:Authorization;
      uac:agent _:group_anonymous;
      uac:agent _:group_anybody;
      uac:subject <https://www.bergnet.org/people/bergi/card#me>;
      uac:hasRole _:RoleReadProfile.

Write Blog Comment

In some cases a filter value should be filled dynamically. For this use case the uac:VariableFilter can be used. In this example the uac:VariableFilter is used to avoid user spoofing in blog comments. The agent variable is automatically filled with the authenticated user URL.

    _:RoleWriteBlogComment a uac:Role;
      uac:accessToTriple [
        a uac:TripleAuthorization;
        uac:mode uac:Read;
        uac:filter [
          a uac:SimpleFilter;
          uac:predicate s:blogPosts;
        ];
        uac:children [
          uac:accessToTriple [
            a uac:TripleAuthorization;
            uac:mode uac:Write;
            uac:filter [
              a uac:SimpleFilter;
              uac:predicate s:comment;
            ];
            uac:children [
              uac:accessToTriple [
                a uac:TripleAuthorization;
                uac:mode uac:Write;
                uac:filter [
                  a uac:SimpleFilter;
                  uac:predicate rdf:type;
                  uac:object s:UserComments;
                ], [
                  a uac:SimpleFilter;
                  uac:predicate s:commentTime;
                ], [
                  a uac:SimpleFilter;
                  uac:predicate s:commentText;
                ];
              ], [
                a uac:TripleAuthorization;
                uac:mode uac:Write;
                uac:filter [
                  a uac:VariableFilter;
                  uac:predicate [ uac:value s:creator; ];
                  uac:object [ uac:variable "agent"; ];
                ];
                uac:required "true";
              ]]]]].

    _:AuthzAnybodyBlog a uac:Authorization;
      uac:agent _:group_anybody;
      uac:subject <https://www.bergnet.org/people/bergi/blog/#blog>;
      uac:hasRole _:RoleWriteBlogComment.

Image Gallery

This example shows how to reuse RDF data defined for a gallery. Based on the s:contentURL property, access to the linked pictures is granted.

    _:RoleReadGallery a uac:Role;
      uac:accessToTriple [
        a uac:TripleAuthorization;
        uac:mode uac:Read;
        uac:filter [
          a uac:SimpleFilter;
          uac:predicate rdf:type;
          uac:object s:ImageGallery;
        ];
      ], [
        a uac:TripleAuthorization;
        uac:mode uac:Read;
        uac:filter [
          a uac:SimpleFilter;
          uac:predicate s:significantLink;
        ];
        uac:children [
          uac:accessToTriple [
            a uac:TripleAuthorization;
            uac:mode uac:Read;
            uac:filter [
              a uac:SimpleFilter;
              uac:predicate rdf:type;
              uac:object s:ImageObject;
            ], [
              a uac:SimpleFilter;
              uac:predicate s:author;
            ], [
              a uac:SimpleFilter;
              uac:predicate s:dateCreated;
            ], [
              a uac:SimpleFilter;
              uac:predicate s:text;
            ];
          ], [
            a uac:TripleAuthorization;
            uac:mode uac:Read;
            uac:filter [
              a uac:SimpleFilter;
              uac:predicate s:contentURL;
            ];
            uac:children [
              uac:accessToResource [
                a uac:ResourceAuthorization;
                uac:mode uac:Read;
              ]]]]].

    _:AuthzFriendsReadGallery a uac:Authorization;
      uac:agent <https://www.bergnet.org/people/bergi/card#friends>;
      uac:subject <https://www.bergnet.org/people/bergi/gallery/2012-06-14/>,
        <https://www.bergnet.org/people/bergi/gallery/2012-07-07/>;
      uac:hasRole _:RoleReadGallery.

Why No Deny?

There is no uac:denyAccessToTriple property because it would just cause trouble. Think about a foaf:Group provided by a server which is temporarily not reachable. If you deny access for this group, you have a problem. A concept of deny just will not work with distributed data.

Protecting Only Resources

There are different opinions about the concept of filtering the content of a resource. This concept should also work without triple filtering. I was already thinking about merging the uac:accessToTriple and uac:accessToResource properties into a uac:access property. Besides the uac:TripleAuthorization and uac:ResourceAuthorization classes, a uac:TripleSet class could be defined, just to collect triples for a uac:ResourceAuthorization child.

Prefixes

Here are the prefix definitions, if you want to view the examples in your favorite Turtle editor:

    @prefix bio: <http://purl.org/vocab/bio/0.1/> .
    @prefix cert: <http://www.w3.org/ns/auth/cert#> .
    @prefix dct: <http://purl.org/dc/terms/> .
    @prefix foaf: <http://xmlns.com/foaf/0.1/> .
    @prefix like: <http://ontologi.es/like#> .
    @prefix pingback: <http://purl.org/net/pingback/> .
    @prefix s: <http://schema.org/> .
    @prefix time: <http://www.w3.org/2006/time#> .
    @prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
    @prefix uac: <http://ns.bergnet.org/uac/0.1/universal-access-control#> .

[1] http://www.w3.org/community/rww/wiki/Scope#ACL
[2] http://ns.bergnet.org/tac/0.1/triple-access-control
[3] http://www.w3.org/community/rww/wiki/Scope#Request_for_Access
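The following is an added example, not part of bergi's message or of the TAC/UAC ontology implementation. It is a toy evaluator for the nested uac:TripleAuthorization / uac:SimpleFilter / uac:VariableFilter structure from the "Simple Example" and "Write Blog Comment" sections above, written to make the filtering rules concrete. The evaluation semantics are assumptions inferred from the examples: a filter matches triples whose subject is the current node, uac:children are evaluated on the object of each matched triple, a Read authorization matches existing triples while a Write authorization matches the triples being written, and the "agent" variable is bound to the authenticated WebID. The profile data, the WebIDs alice/bob and the blog triples are constructed sample input.

```python
# Added example (not bergi's code or the UAC ontology): toy evaluator for
# nested TripleAuthorization trees. Semantics are assumptions, see lead-in.
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

Triple = Tuple[str, str, str]
READ, WRITE = "uac:Read", "uac:Write"


@dataclass(frozen=True)
class SimpleFilter:                 # uac:SimpleFilter
    predicate: str
    obj: Optional[str] = None       # None: any object is accepted

    def matches(self, t: Triple, agent: str) -> bool:
        return t[1] == self.predicate and (self.obj is None or t[2] == self.obj)


@dataclass(frozen=True)
class VariableFilter:               # uac:VariableFilter, object bound at runtime
    predicate: str
    variable: str                   # only "agent" is bound in this toy

    def matches(self, t: Triple, agent: str) -> bool:
        return t[1] == self.predicate and t[2] == {"agent": agent}[self.variable]


@dataclass
class TripleAuthorization:          # uac:TripleAuthorization
    mode: str
    filters: list
    children: list = field(default_factory=list)   # nested authorizations
    required: bool = False          # uac:required: a matching triple must exist


def evaluate(existing: List[Triple], new: List[Triple], auths: list, node: str,
             mode: str, agent: str) -> Tuple[Set[Triple], bool]:
    """Walk the authorization tree from `node`. Read authorizations are matched
    against `existing`, Write authorizations against `new`. Returns the triples
    granted in `mode` and whether every reached uac:required level was satisfied."""
    granted: Set[Triple] = set()
    ok = True
    for auth in auths:
        pool = existing if auth.mode == READ else new
        hits = [t for t in pool
                if t[0] == node and any(f.matches(t, agent) for f in auth.filters)]
        if auth.required and not hits:
            ok = False
        if auth.mode == mode:
            granted.update(hits)
        for t in hits:              # descend into the object of each matched triple
            sub, sub_ok = evaluate(existing, new, auth.children, t[2], mode, agent)
            granted |= sub
            ok = ok and sub_ok
    return granted, ok


def readable(existing: List[Triple], auths: list, subject: str, agent: str) -> Set[Triple]:
    return evaluate(existing, [], auths, subject, READ, agent)[0]


def write_permitted(existing: List[Triple], new: List[Triple], auths: list,
                    subject: str, agent: str) -> bool:
    """Every written triple must be granted and every required level satisfied."""
    granted, ok = evaluate(existing, new, auths, subject, WRITE, agent)
    return ok and set(new) <= granted


# --- constructed sample data mirroring the e-mail's roles ---------------------
ME = "https://www.bergnet.org/people/bergi/card#me"
ROLE_READ_WEBID = [TripleAuthorization(READ, [SimpleFilter("cert:key")], children=[
    TripleAuthorization(READ, [SimpleFilter("rdf:type", "cert:RSAPublicKey"),
                              SimpleFilter("cert:modulus"), SimpleFilter("cert:exponent")])])]
# uac:hasRole _:RoleReadWebid is modelled as concatenating the authorizations
ROLE_READ_PROFILE = ROLE_READ_WEBID + [TripleAuthorization(READ, [
    SimpleFilter("rdf:type", "foaf:Person"), SimpleFilter("foaf:name"), SimpleFilter("foaf:nick")])]
PROFILE = [  # constructed profile graph; mbox and dct:created match no filter
    (ME, "rdf:type", "foaf:Person"), (ME, "foaf:name", "bergi"),
    (ME, "foaf:mbox", "mailto:bergi@example.org"), (ME, "cert:key", "_:key1"),
    ("_:key1", "rdf:type", "cert:RSAPublicKey"), ("_:key1", "cert:modulus", "c0ffee"),
    ("_:key1", "cert:exponent", "65537"), ("_:key1", "dct:created", "2012-08-15"),
]

BLOG = "https://www.bergnet.org/people/bergi/blog/#blog"
ALICE, BOB = "https://alice.example/card#me", "https://bob.example/card#me"
ROLE_WRITE_BLOG_COMMENT = [TripleAuthorization(READ, [SimpleFilter("s:blogPosts")], children=[
    TripleAuthorization(WRITE, [SimpleFilter("s:comment")], children=[
        TripleAuthorization(WRITE, [SimpleFilter("rdf:type", "s:UserComments"),
                                   SimpleFilter("s:commentTime"), SimpleFilter("s:commentText")]),
        TripleAuthorization(WRITE, [VariableFilter("s:creator", "agent")], required=True)])])]
EXISTING_BLOG = [(BLOG, "s:blogPosts", "_:post1"),
                 ("_:post1", "s:comment", "_:c0"), ("_:c0", "s:creator", BOB)]


def comment_by(creator: Optional[str]) -> List[Triple]:
    """Constructed write request: a new comment on _:post1, optionally with a creator."""
    triples = [("_:post1", "s:comment", "_:c1"), ("_:c1", "rdf:type", "s:UserComments"),
               ("_:c1", "s:commentText", "nice photos")]
    return triples + ([("_:c1", "s:creator", creator)] if creator else [])


if __name__ == "__main__":
    for t in sorted(readable(PROFILE, ROLE_READ_PROFILE, ME, "anyone")):
        print("readable:", t)
    print("own comment:", write_permitted(EXISTING_BLOG, comment_by(ALICE), ROLE_WRITE_BLOG_COMMENT, BLOG, ALICE))
    print("spoofed creator:", write_permitted(EXISTING_BLOG, comment_by(BOB), ROLE_WRITE_BLOG_COMMENT, BLOG, ALICE))
```

Two points this makes visible: the pre-existing comment by bob is untouched by the required creator check because Write levels are only reached through triples in the write request, and a request that tries to add a triple outside the tree (for example a new s:blogPosts triple at the blog node) is refused because no Write authorization grants it.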
Received on Wednesday, 15 August 2012 19:43:19 UTC