Re: LDP with Access Control, or future LDPS(ecure)? from Ashok Malhotra on 2012-11-14 (public-ldp-wg@w3.org from November 2012)

From: Ashok Malhotra <ashok.malhotra@oracle.com>
Date: Wed, 14 Nov 2012 06:06:27 -0800
To: public-ldp-wg@w3.org
Message-ID: <50A3A563.3080403@oracle.com>

Henry:
The access control rules have to be processed by the underlying storage engine
and tend to be rather simple.  For example the SQL statement to grant access has the form

GRANT privilege ON object TO entity

The underlying store may not have the capability to process RDF statements like your example.

All the best, Ashok

On 11/14/2012 5:41 AM, Henry Story wrote:
> On 14 Nov 2012, at 14:18, Ashok Malhotra<ashok.malhotra@oracle.com>  wrote:
>
>> Hi Andy:
>> There are a bunch of cases like this.  For example, take personnel records.
>> These are typically restricted to HR folks but you can always see your own records.
>> Need to think some more about where to draw the line between access control
>> and LDP functionality
> Why is this problematic? Can you not just use the following rule to do what
> you want?
>
> @prefix wac:<http://www.w3.org/ns/auth/acl#>  .
>
> [] wac:accessToClass [ wac:regex "https://oracle.com/u/.*" ];
>     wac:mode wac:Read, wac:Write, wac:Control;
>     wac:agentClass<https://oracle.com/g/team/admin#it>  .
>
> [] wac:accessToClass [ wac:regex "https://oracle.com/u/123123/.*" ];
>     wac:mode wac:Read;
>     wac:agent<https://oracle.com/u/123123#i>  .
>
> the wac:regex relation does not exist. One should probably use powder, but I wanted
> to implement something really simple to test this out. It just took a couple of
> days to write and test:
>
>   https://github.com/read-write-web/rww-play/blob/master/app/test/WebACLTestSuite.scala#L147
>
> How to specify regular expressions in WAC would be nice, and would be a topic for
> discussion for the Access Control Teleconf
>
>   http://lists.w3.org/Archives/Public/public-ldp-wg/2012Nov/0156.html
>
> It would be useful to work out what the problem is so I can add it to ACTION-28
>
>> All the best, Ashok
>>
>> On 11/14/2012 3:04 AM, Andy Seaborne wrote:
>>>
>>> On 12/11/12 20:48, Henry Story wrote:
>>>> Luckily Access Control is orthogonal to LDP
>>> I hope that's true but I don't see why it must be so.
>>>
>>> The LDP spec covers operations on resources and containers and does not mention access control.
>>>
>>> Use case: I create bugReportSecurity57 about a security issue.  I want it restricted because the information contained allows an attacker to exploit the security hole.  Bug reports are normally publicly readable.
>>>
>>> What is the operation flow to create a secure bug report if normally bug reports are publicly readable?  (if they are not by default publicly readable, what operation on them makes them so?)
>>>
>>> Or concretely: what triples are PUT where?
>>>
>>>     Andy
>>>
>>>
> Social Web Architect
> http://bblfish.net/
>

Received on Wednesday, 14 November 2012 14:07:01 UTC