The HTTP protocol is a network resource access protocol that leaves user authentication and access validation entirely up to the server. There is no guarantee that authentication realms are related to directory or even consistent over time. The World Wide Web Consortium site takes advantage of this flexibility with a dynamic, file-level access control system. This document describes the ACL storage and query mechanisms used by W3C, as well as the availability and use of this data on the semantic web.
This document is a description of the W3C ACL system, but does not consitute an endorsement or recommendation of any sort. The document will likely be subject to editorial and structural changes, though reasonable effort will be made to preserve anchor tags within the document.
The exact revision of document may be identified by the CVS version $Revision: 1.30 $
.
ACLs are designed to express access rules in a logical, unambiguous, machine-accessible format. A client with ACL data should be able to prove access privileges.
An access system may be divided into:
A resonable semantic web algae query for determining an identity's access privileges would be, for a given resource:
(namespace '(a http://localhost/SqlDB# myDb local:/) attach '(\"W3C::Rdf::SqlDB\" (\"properties:/usr/local/perl/modules/Conf/chacl.prop\" \"name:myDb::W3Cacls\")) ask '(myDb::W3Cacls (a::accessTo ?acl http://www.w3.org/Member/Overview.html) (a::access ?acl a::GET) (a::memberOf ?groups \"eric\") (a::accessor ?acl ?groups) ) collect '(?groups ?acl) )
This schema needs to be mapped onto the optimized SQL database schema. This schema has been optimized for query speed and non-redundant data. Following is a list of the tables involved and the statements asserted by the data in those tables:
id | uri | acl |
---|---|---|
97538 | http://www.w3.org/Member/Overview.html | 6 |
Access to http://www.w3.org/Member/Overview.html is governed by acl 6 . |
||
63577 | http://www.w3.org/Member/dummy.html | 6 |
Access to http://www.w3.org/Member/dummy.html is governed by acl 6 . |
acl | id | access |
---|---|---|
6 | 100 | GET |
Acl 6 grants GET privileges to group 100 (W3C members). |
||
6 | 102 | GET |
Acl 6 grants GET privileges to group 102 (W3C team). |
||
6 | 102 | PUT |
Acl 6 grants PUT privileges to group 102 (W3C team). |
sub | super | sponsor | stops |
---|---|---|---|
2112 | 106 | 106 | 0 |
identity 2112 (eric) is a member of group 106 (w3t_passwords). | |||
106 | 102 | 102 | 0 |
identity 106 (w3t_passwords) is a member of group 102 (w3cteamgroup). | |||
102 | 105 | 102 | 0 |
identity 102 (w3cteamgroup) is a member of group 105 (w3cmembergroup). | |||
105 | 100 | NULL | 0 |
identity 105 (w3cmembergroup) is a member of group 100 (W3C members). | |||
2112 | 109 | NULL | 1 |
identity 2112 (eric) is no longer a member of group 109 (W3C webteam). |
id | groupId | g |
---|---|---|
2112 | 106 | 1 |
2112 | 102 | 2 |
2112 | 105 | 3 |
2112 | 100 | 4 |
identity 2112 (eric) is a fourth generation member of group 100 (W3C members). | ||
2112 | 2112 | 0 |
identity 2112 (eric) is a member of himself. This allows the join to work on principals that were granted access directly (not via a group). |
The above query can not compile directly to SQL as it assumes a transitive closure of memberOf group. However, the idInclusions
table maintains the transitive closure of hierarchy
. A set of rewrite rules describe the query transformation to one that translates directly to the tables in the optimized SQL database. These rewrite rules get generated from inspection of the database schema and extra information that moves the query from hierarchy
to idInclusions
:
?acl
identifier is tied to a join between uris
and acls
.?acl
identifier is reused.This query is interpreted by an agent that has knowledge of the structure of the SQL ACLs tables. The transformation produces a query like: )
(namespace '(a http://localhost/SqlDB# myDb local:/) attach '(\"W3C::Rdf::SqlDB\" (\"properties:/usr/local/perl/modules/Conf/chacl.prop\" \"name:myDb::W3Cacls\")) ask '(myDb::W3Cacls (t::uris.uri ?_uri0 http://www.w3.org/Member/Overview.html) (t::uris.acl ?_uri0 ?acl) (t::access ?acl t::GET) (t::ids.value ?_id0 \"eric\") (t::idInclusions.id ?groups ?_id0) (t::acls.id ?acl ?_acl0) (t::idInclusions.groupId ?groups ?_acl0) ) collect '(?groups ?acl) )
Here is the resulting SQL call:
SELECT groups.id,groups.groupId,rule.acl,rule.id,rule.access FROM uris as _uri0,acls as rule,ids as _id0,idInclusions as groups WHERE _uri0.uri='http://www.w3.org/Member/Overview.html' AND rule.acl=_uri0.acl AND rule.access="GET" AND _id0.value="eric" AND groups.id=_id0.id AND groups.groupId=rule.id;
and the results:
+------+---------+-----+-----+--------+ | id | groupId | acl | id | access | +------+---------+-----+-----+--------+ | 2112 | 100 | 6 | 100 | 3122 | | 2112 | 102 | 6 | 102 | 3955 | +------+---------+-----+-----+--------+ 2 rows in set (0.00 sec)
The returned fields correspond to the unique fields of the rule (acls) and groups (idInclusions) tables. These unique fields are used to compose a URI for records in these tables.
(http://localhost/ACLsDB/acls.acl=6&id=100&access=3122 http://localhost/ACLsDB/idInclusions.id=2112&groupId=100) (http://localhost/ACLsDB/acls.acl=6&id=102&access=3955 http://localhost/ACLsDB/idInclusions.id=2112&groupId=102)
The 0.00 sec
shows that the translation to the optimized database is very effective; the query takes less than 1/100th of a second. This shows that the algae query may be used to authorize access queries without a performance penalty.
Access control rules are one of many sets of attributes one would like to express about a resource. RNodes is a collection of many of the attributes. The diversity of these attributes make RDF a logical choice for representing RNode data.
W3C has been using a subset of this schema for 2 years. The access script provides an HTML and an RDF interface to the W3C ACL database. The supporting apache module performs a query on the ACL database before honoring a request. This database is not a generic triple store, but instead a SQL database optimized for querying combinations of combinations of ACL rules and group hierarchy.
The HTML interface is a mondane form for granting one of a set of standard ACLs or specific types of access to specific groups and users. This form uses an RDF serialization of the ACLs data to maintain state between transactions. User actions are POSTed with the RDF. The backend script parses the submitted RDF, checks the user's authority to make such assertions, handles and user actions, and optionally commits the state to the database.
The XML/RDF interface is distinguished from the HTML interface by the mime-type text/xml. This is a simpler interface, passing only the current state to the client, and accepting proposed state changes back. This allows the interface to be offloaded to a client that won't have to rely on multiple transactions as does the traditional browser interface.
Access control lists represent complex social protocols. Traditional unix systems are limited to a single level of group hierarchy. More ambitious network interfaces, for instance, Novel, model more fine grained control over access methods and
chacl,racl,head,get,put,delete
should evolve to a series of repeated properties.