Re: LDP with Access Control, or future LDPS(ecure)? from Henry Story on 2012-11-14 (public-ldp-wg@w3.org from November 2012)

From: Henry Story <henry.story@bblfish.net>
Date: Wed, 14 Nov 2012 17:38:57 +0100
To: Andy Seaborne <andy.seaborne@epimorphics.com>
Cc: public-ldp-wg@w3.org
Message-Id: <E77390FB-8DD3-45C6-87F4-87F6D590BC8C@bblfish.net>
On 14 Nov 2012, at 17:17, Andy Seaborne <andy.seaborne@epimorphics.com> wrote:

> 
> 
> On 14/11/12 13:41, Henry Story wrote:
>> 
>> On 14 Nov 2012, at 14:18, Ashok Malhotra <ashok.malhotra@oracle.com> wrote:
>> 
>>> Hi Andy:
>>> There are a bunch of cases like this.  For example, take personnel records.
>>> These are typically restricted to HR folks but you can always see your own records.
>>> Need to think some more about where to draw the line between access control
>>> and LDP functionality
> 
> Yes.  We can make this too complicated and ambitious for v1.
> 
>> Why is this problematic? Can you not just use the following rule to do what
>> you want?
>> 
>> @prefix wac: <http://www.w3.org/ns/auth/acl#> .
>> 
>> [] wac:accessToClass [ wac:regex "https://oracle.com/u/.*" ];
>>    wac:mode wac:Read, wac:Write, wac:Control;
>>    wac:agentClass <https://oracle.com/g/team/admin#it> .
>> 
>> [] wac:accessToClass [ wac:regex "https://oracle.com/u/123123/.*" ];
>>    wac:mode wac:Read;
>>    wac:agent <https://oracle.com/u/123123#i> .
> 
> To make it interesting:
> 
> Support all bugs are "/bugs/NNNN" and it is the data that decalres it to be a security issue.
> 
> ## Somewhere ...
> :SecurityProblem rdfs:subClassOf :Bug .
> 
> 
> PUT/POST--
> </bug/155> a :SecurityProblem ;
>   ....
> --
> 
> i.e. access control depends on the data, not only the access name.


If you do it this way, then you have just moved the access control decision making to the
application server side, which it is perfectly reasonable to do. The server app can decide 
for each resource what the access control restrictions for that resource is ( given other
information at its disposal such as bug severity) I don't think one can work  out in advance 
which relations should have what effects on data security policies.

All a client needs to know is for a given resource how to find the ACL for that resource
http://www.w3.org/2012/ldp/wiki/AccessControl#Finding_out_access_control_policies_for_a_resource

The way it is done on data.fm is that every resource has a header pointing to the acl for that
resource.


> 
> This may result in a different URI allocated so later access control works by regex,
> but at least its on creation.

the regex does require indeed a way to override it. A regex in an ACL with a URI is just
a statement. What makes the association between a resource and an ACL should be a link 
in the header of a resource. This allows one to override a general regex.

> 
> And what happens if you PUT to a LDPR that changes it's designation?

don't understand that question, sorry.

> 
> 	Andy
> 
>> 
>> the wac:regex relation does not exist. One should probably use powder, but I wanted
>> to implement something really simple to test this out. It just took a couple of
>> days to write and test:
>> 
>>  https://github.com/read-write-web/rww-play/blob/master/app/test/WebACLTestSuite.scala#L147
>> 
>> How to specify regular expressions in WAC would be nice, and would be a topic for
>> discussion for the Access Control Teleconf
>> 
>>  http://lists.w3.org/Archives/Public/public-ldp-wg/2012Nov/0156.html
>> 
>> It would be useful to work out what the problem is so I can add it to ACTION-28
> 
> Access control may depend on data (from create/change time).
> 
> 	Andy
> 
>> 
>>> All the best, Ashok
>>> 
>>> On 11/14/2012 3:04 AM, Andy Seaborne wrote:
>>>> 
>>>> 
>>>> On 12/11/12 20:48, Henry Story wrote:
>>>>> Luckily Access Control is orthogonal to LDP
>>>> 
>>>> I hope that's true but I don't see why it must be so.
>>>> 
>>>> The LDP spec covers operations on resources and containers and does not mention access control.
>>>> 
>>>> Use case: I create bugReportSecurity57 about a security issue.  I want it restricted because the information contained allows an attacker to exploit the security hole.  Bug reports are normally publicly readable.
>>>> 
>>>> What is the operation flow to create a secure bug report if normally bug reports are publicly readable?  (if they are not by default publicly readable, what operation on them makes them so?)
>>>> 
>>>> Or concretely: what triples are PUT where?
>>>> 
>>>>    Andy
>>>> 
>>>> 
>>> 
>> 
>> Social Web Architect
>> http://bblfish.net/
>> 
> 

Social Web Architect
http://bblfish.net/
Attachments

application/pkcs7-signature attachment: smime.p7s
Received on Wednesday, 14 November 2012 16:39:33 UTC