Access Control for HTTP Operations on Linked Data


Shi3ld is an access control module for enforcing authorization on triple stores. Shi3ld protects SPARQL queries and HTTP operations on Linked Data and relies on attribute-based access policies.

http://wimmics.inria.fr/projects/shi3ld-ldp/

Shi3ld comes in two flavours: Shi3ld-SPARQL, designed for SPARQL endpoints, and Shi3ld-HTTP, designed for HTTP operations on triples.

Shi3ld-HTTP offers authorization for read/write HTTP operations on Linked Data. It supports the SPARQL 1.1 Graph Store Protocol and the W3C Linked Data Platform specifications.


Access Control for HTTP Operations on Linked Data

  1. Access Control for HTTP Operations on Linked Data
     Luca Costabello, Serena Villata, Oscar Rodriguez Rocha, Fabien Gandon
  2. Outline
     ● Introduction
     ● Shi3ld Authorization Procedure
     ● Shi3ld for HTTP: Scenarios
     ● Response Time Evaluation
     ● Future Work
  3. Outline (repeated, with the current section highlighted)
  4. Accessing Linked Data
     ● HTTP URIs dereferencing
     ● SPARQL queries
     ● RDFa, search engine APIs
  5. Accessing Linked Data (HTTP URI dereferencing highlighted), with the example request:
     GET /data/resource HTTP/1.1
     Host: example.org
     ...
  6. Our Problem
     How to design an authorization framework for HTTP interaction with Linked Data?
     GET /data/resource HTTP/1.1
     Host: example.org
     Authorization: ...
  7. Access Control for Triple Stores
     Comparison matrix of related work against five criteria: HTTP Interaction, Attribute-Based AC Model, Policies in RDF/SPARQL, Resource-level Granularity, Context Awareness.
     Systems compared: Shi3ld-SPARQL [2012], WAC [2007], Proteus [2006], Abel et al. [2007], Finin et al. [2008], Flouris et al. [2010], PPO [2011]. (The tick marks of the matrix are not recoverable from the transcript.)
  8. Our Proposal: Adapting Shi3ld-SPARQL to HTTP
     Shi3ld-SPARQL protects queries of the form: SELECT … WHERE { … }
  9. Our Proposal: Adapting Shi3ld-SPARQL to HTTP
     The same protection applied to an HTTP operation:
     GET /data/resource HTTP/1.1
     Host: example.org
     Authorization: ...
  10. Outline
     ● Background
     ● Shi3ld Authorization Procedure
     ● Adapting Shi3ld-SPARQL to HTTP
     ● Response Time Evaluation
     ● Future Work
  11. Shi3ld Access Policy
     Policy model (class diagram): an AccessPolicy appliesTo a resource, hasAccessPrivilege an AccessPrivilege, and hasAccessConditionSet an AccessConditionSet; the set hasAccessCondition one or more AccessConditions; an AccessCondition hasContext a Context; a Context has a user (User), a device (Device) and an environment (Environment).
     Two "styles" for Access Conditions:
     ● SPARQL-based
     ● SPARQL-less
  12. Sample Access Policy (SPARQL-based)
     :policy1 a s4ac:AccessPolicy ;
         s4ac:appliesTo :resource ;
         s4ac:hasAccessPrivilege s4ac:Read ;
         s4ac:hasAccessConditionSet :acs1 .

     :acs1 a s4ac:AccessConditionSet ;
         s4ac:hasAccessCondition :ac1 .

     :ac1 a s4ac:AccessCondition ;
         s4ac:hasQueryAsk """ASK {
             ?ctx a prissma:Context ;
                  prissma:environment ?env ;
                  prissma:user <http://example.org/john.rdf#me> .
             ?env prissma:currentPOI ?poi .
             ?poi prissma:based_near ?p .
             ?p geo:lat ?lat ; geo:lon ?lon .
             FILTER(((?lat-45.8483) > 0 && (?lat-45.8483) < 0.5
                     || (?lat-45.8483) < 0 && (?lat-45.8483) > -0.5)
                    && ((?lon-7.3263) > 0 && (?lon-7.3263) < 0.5
                     || (?lon-7.3263) < 0 && (?lon-7.3263) > -0.5))
         }""" .
     Protected resource: :resource. Access Condition to be verified: «User must be John and request must come from a specific location».
  13. Sample Access Policy (SPARQL-less)
     :policy1 a s4ac:AccessPolicy ;
         s4ac:appliesTo :resource ;
         s4ac:hasAccessPrivilege s4ac:Read ;
         s4ac:hasAccessConditionSet :acs1 .

     :acs1 a s4ac:AccessConditionSet ;
         s4ac:hasAccessCondition :ac1 .

     :ac1 a s4ac:AccessCondition ;
         s4ac:hasContext :ctx1 .

     :ctx1 a prissma:Context ;
         prissma:user <http://example.org/john.rdf#me> ;
         prissma:environment :env1 .

     :env1 a prissma:Environment ;
         prissma:nearbyEntity <http://alice.org#me> .
     Protected resource: :resource. Access Condition to be verified: «User must be John and Alice must be nearby».
  14. Authorization Procedure
     1. Adding Client Attributes to HTTP operation
     2. Access Conditions Execution
     3. HTTP Response Construction
  15. Authorization Procedure, step 1: Adding Client Attributes to HTTP operation
     The client sends its attributes (a prissma:Context with user, device and environment) in the Authorization header:
     GET /data/resource HTTP/1.1
     Host: example.org
     Authorization: Shi3ld <...>
     Client attributes graph in the example:
     :ctx_AC1 p:user <http://carl-johnson.org#me> ;
         p:environment :env_AC1 .
     :env_AC1 p:nearbyEntity <http://alice.org#me> .
     <http://carl-johnson.org#me> foaf:gender "male" .
  16. Authorization Procedure (SPARQL-based), step 2: Access Conditions Execution
     The client attributes are bound to the access condition's ASK query with a VALUES clause:
     ASK { ?context a prissma:Context ;
                    prissma:user ex:john . }
     VALUES (?context) { (:client_attributes) }
     Result for the Carl Johnson attributes: "false".
  17. Authorization Procedure (SPARQL-less), step 2: Access Conditions Execution
     The access condition context is matched as a subgraph of the client attributes graph:
     :context a prissma:Context ;
         prissma:user ex:john .
     Result against the Carl Johnson attributes (user <http://carl-johnson.org#me>, environment :env_AC1 with p:nearbyEntity <http://alice.org#me>, foaf:gender "male"): "no match".
  18. Authorization Procedure, step 3: HTTP Response Construction
     No access condition is satisfied for :resource, so the response is 401 Unauthorized.
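To make the SPARQL-less policy of slide 13 and the three-step procedure of slides 14-18 concrete, here is an added example (written for this page, not Shi3ld's own code) that decodes the Shi3ld Authorization header, matches each access condition context as a subgraph of the client attributes, and maps the outcome to an HTTP status. It assumes a toy one-triple-per-line notation instead of Turtle, a single access condition per policy, and that any satisfied condition grants access; the attribute and condition graphs are constructed from the slides' examples.

```python
import base64

# Constructed client attributes (slide 15: Carl Johnson, Alice nearby); toy one-triple-per-line notation.
CLIENT_ATTRIBUTES = """\
:ctx_AC1 p:user <http://carl-johnson.org#me> .
:ctx_AC1 p:environment :env_AC1 .
:env_AC1 p:nearbyEntity <http://alice.org#me> .
<http://carl-johnson.org#me> foaf:gender "male" .
"""

# Constructed SPARQL-less access condition (slide 13 style); terms starting with '?' are variables.
ACCESS_CONDITIONS = {"john_and_alice_nearby": """\
?ctx p:user <http://example.org/john.rdf#me> .
?ctx p:environment ?env .
?env p:nearbyEntity <http://alice.org#me> .
"""}

def parse_triples(text):
    """Parse the toy notation into a tuple of (subject, predicate, object) string triples."""
    return tuple(tuple(line.rstrip(" .").split(" ", 2)) for line in text.strip().splitlines())

def subgraph_match(pattern, data, binding=None):
    """Step 2, SPARQL-less: backtracking check that every pattern triple matches a data
    triple under one consistent variable binding; returns the binding or None."""
    binding = dict(binding or {})
    if not pattern:
        return binding
    for triple in data:
        b = dict(binding)
        if all((b.setdefault(t, v) == v) if t.startswith("?") else t == v
               for t, v in zip(pattern[0], triple)):
            found = subgraph_match(pattern[1:], data, b)
            if found is not None:
                return found
    return None

def shi3ld_header(attributes_text):
    """Build the 'Shi3ld base64(attributes)' Authorization value shown on slides 23-26."""
    return "Shi3ld " + base64.b64encode(attributes_text.encode()).decode()

def authorize(authorization_header, access_conditions=ACCESS_CONDITIONS):
    """Steps 1 and 3: decode the client attributes, evaluate every access condition and
    map the outcome to an HTTP status (assumption: any satisfied condition grants access)."""
    scheme, _, payload = authorization_header.partition(" ")
    if scheme != "Shi3ld" or not payload:
        return 401, {}
    attributes = parse_triples(base64.b64decode(payload).decode())
    results = {name: subgraph_match(parse_triples(cond), attributes) is not None
               for name, cond in access_conditions.items()}
    return (200 if any(results.values()) else 401), results
```

With the Carl Johnson attributes the condition does not match and the result is 401, as on slide 18; substituting John's URI as the user yields 200.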
  19. Outline (repeated; current section: Shi3ld for HTTP: Scenarios)
  20. HTTP Operations on Linked Data: Our Scenarios
     ● SPARQL 1.1 Graph Store Protocol (GSP). Example request:
       GET /rdf-graph-store?graph=... HTTP/1.1
       Host: example.com
       Accept: text/turtle; charset=utf-8
       which corresponds to the query CONSTRUCT { ?s ?p ?o } WHERE { GRAPH <...> { ?s ?p ?o } }
     ● W3C Linked Data Platform (LDP) 1.0: best practices for a read-write HTTP-based Linked Data architecture.
  21. HTTP Operations on Linked Data: Our Scenarios
     ● SPARQL 1.1 Graph Store Protocol (GSP) → Shi3ld-GSP
     ● W3C Linked Data Platform (LDP) 1.0 → Shi3ld-LDP
       • SPARQL-based
       • SPARQL-less
  22. HTTP Operations on Linked Data: Our Scenarios (repeated; Shi3ld-GSP highlighted)
  23. Shi3ld-GSP (sequence diagram)
     Client → Shi3ld-GSP (HTTP):
       GET /data/resource HTTP/1.1
       Host: example.org
       Authorization: Shi3ld base64(attributes)
     Shi3ld-GSP → SPARQL 1.1 GSP / Triple Store (HTTP/SPARQL):
       1. Adding Client Attributes: INSERT DATA (attributes)
       2. AC Execution: SELECT (Access Policies), then ASK (AC1) ... ASK (ACn)
       3. HTTP Response Construction: GET /data/resource HTTP/1.1 (Host: example.org) forwarded to the store, and 200 OK returned to the client
  24. HTTP Operations on Linked Data: Our Scenarios (repeated; Shi3ld-LDP highlighted)
  25. Shi3ld-LDP (SPARQL-based) (sequence diagram)
     Client → Shi3ld Frontend (HTTP):
       GET /data/resource HTTP/1.1
       Host: example.org
       Authorization: Shi3ld base64(attributes)
     Shi3ld Internal (Internal Triple Store and Internal SPARQL Engine):
       1. Adding Client Attributes: INSERT DATA (attributes)
       2. AC Execution: SELECT (Access Policies), then ASK (AC1) ... ASK (ACn)
       3. HTTP Response Construction: LDP Server getData() from the File System / Triple Store, then 200 OK to the client
  26. Shi3ld-LDP (SPARQL-less) (sequence diagram)
     Client → Shi3ld Frontend (HTTP):
       GET /data/resource HTTP/1.1
       Host: example.org
       Authorization: Shi3ld base64(attributes)
     Shi3ld Internal (Subgraph matcher):
       1. Adding Client Attributes: save attributes
       2. AC Execution: get Access Policies, then attributes.contains(AC1) ... attributes.contains(ACn)
       3. HTTP Response Construction: LDP Server getData() from the File System / Triple Store, then 200 OK to the client
  27. Outline (repeated; current section: Response Time Evaluation)
  28. Response Time Evaluation
     ● Response time is linear in the number of access conditions
     ● SPARQL-less: 25% faster
     ● Empty RDF store: only 14% faster
  29. Response Time Evaluation
     ● AC complexity does not affect response time
     ● Response time is independent of the HTTP method
  30. Outline (repeated; current section: Future Work)
  31. Future Work
     ● Client Attributes Trustworthiness
     ● Client Attributes Caching
     ● Admin UI
     bit.ly/shi3ld-http
     Luca Costabello @lukostaz, Serena Villata @serena_villata, Oscar Rodriguez-Rocha @orocha, Fabien Gandon @fabien_gandon