- From: bergi <bergi@axolotlfarm.org>
- Date: Fri, 07 Sep 2012 00:32:29 +0200
- To: Niclas Hoyer <niclas@verbugt.de>
- CC: public-rww@w3.org, Danny Ayers <danny.ayers@gmail.com>, Kingsley Idehen <kidehen@openlinksw.com>
> I know that managing SPARQL queries with tools is nearly impossible (at
> least if we are trying to do it in a user friendly way like "allow
> access to all my friends" or "allow access to all my family members").

We must be careful. A Graph Rule Language [1] should be used for the definition of "all my friends" and "all my family members". At the end we will have a big and monolithic ontology, if we try to integrate topics like these.

> I think I did not understand the protocol for triple based access
> control with UAC correctly. How is access evaluated for a user?

The TAC documentation [2] is currently much better. UAC is based on the TAC concept, so the example [3] would be nearly the same in UAC.

> Is it possible to offer a "shielded" SPARQL endpoint with the graph
> based access control and UAC? I'm thinking of extending remoteStorage
> enabled servers by a SPARQL endpoint, so that in addition to resource
> based storage one could also store RDF data and query the linked data
> with SPARQL.

I have implemented or planned to implement some modules for ResourceMe to cover the triple scenario. That's the current status:

- RemoteStorage via SPARQL: There is a working demo, but the ResourceMe framework integration is missing.
- UAC Triplestore Wrapper: Works. My local version of my profile [4] already uses UAC.
- SPARQL endpoint: Basic SPARQL SELECTs are working. But it's implemented 100% in PHP, so the performance isn't the best.

I will try to release it soon on GitHub.

There are different opinions about the right position for the access control. Danny Ayers also likes the idea of a SPARQL endpoint wrapper. I expect too much performance loss. I already had a look at the Jena code. The DatasetGraphWrapper class looks like a good base to code an AccessControlDatasetGraphWrapper class. What's your opinion? With Plate, you already have experience adding access control to Jena.

@Kingsley Does Virtuoso offer an API to code access control beside SPARQL ASK?

> The s4ac ontology used by shi3ld is not limited to graph based access
> control, the s4ac:appliesTo property [1] refers to the protected
> resource, thus this could be a resource in my remoteStorage or a graph
> in my SPARQL endpoint.

Thanks for the hint. I haven't noticed that before.

> Anyway, thank you for your explanation. I think I just did not wrap my
> head around UAC yet.
>
> Access is only granted based on foaf:agent's, isn't it? What I am
> missing here are some other dimensions like "access is granted only from
> 8:00 to 16:00 on working days" or "access is granted only for people 500
> metres around my local position".

Assigning roles based on time ranges is on the todo list. "people 500 meters around my local position" is again something that should be covered by a dynamic group based on a Graph Rule Language.

> Basically I just want to build a remoteStorage+SPARQL implementation
> that could serve as a new way of storing your digital life combined with
> a flexible (but user friendly) access control management.

That's also the intention of ResourceMe [5]. It's coded in PHP, because that's the language nearly any web space supports. But also it's very modular. So it can connect to any SPARQL endpoint and the UAC wrapper can be used for access control or, if the SPARQL endpoint already supports access control, use the SPARQL endpoint without the wrapper. For the second scenario I expect a performance boost. One more reason to integrate UAC also into Jena and/or Virtuoso.

[1] http://www.w3.org/community/rww/wiki/Scope#Graph_Rule_Language
[2] http://ns.bergnet.org/tac/0.1/triple-access-control.html
[3] http://ns.bergnet.org/tac/0.1/triple-access-control.html#sec-example
[4] https://www.bergnet.org/people/bergi/card#me
[5] http://resourceme.bergnet.org/

Received on Thursday, 6 September 2012 22:32:59 UTC