
Access Control for HTTP Operations on Linked Data


Shi3ld is an access control module for enforcing authorization on triple stores. Shi3ld protects SPARQL queries and HTTP operations on Linked Data and relies on attribute-based access policies.

http://wimmics.inria.fr/projects/shi3ld-ldp/

Shi3ld comes in two flavours: Shi3ld-SPARQL, designed for SPARQL endpoints, and Shi3ld-HTTP, designed for HTTP operations on triples.

Shi3ld-HTTP offers authorization for read/write HTTP operations on Linked Data. It supports the SPARQL 1.1 Graph Store Protocol and the Linked Data Platform specifications.



Access Control for HTTP Operations on Linked Data

  1. Access Control for HTTP Operations on Linked Data
     Luca Costabello, Serena Villata, Oscar Rodriguez Rocha, Fabien Gandon
  2. Outline
     ● Introduction
     ● Shi3ld Authorization Procedure
     ● Shi3ld for HTTP: Scenarios
     ● Response Time Evaluation
     ● Future Work
  3. Outline (section: Introduction)
  4. Accessing Linked Data
     ● HTTP URIs dereferencing
     ● SPARQL queries
     ● RDFa, search engine APIs
  5. Accessing Linked Data (HTTP URI dereferencing)
         GET /data/resource HTTP/1.1
         Host: example.org
         ...
  6. Our Problem
     How to design an authorization framework for HTTP interaction with Linked Data?
         GET /data/resource HTTP/1.1
         Host: example.org
         Authorization: ...
  7. Access Control for Triple Stores
     Comparison criteria: HTTP Interaction, Attribute-Based AC Model, Policies in RDF/SPARQL, Resource-level Granularity, Context Awareness
     Systems compared: Shi3ld-SPARQL [2012], WAC [2007], Proteus [2006], Abel et al. [2007], Finin et al. [2008], Flouris et al. [2010], PPO [2011]
  8. Our Proposal: Adapting Shi3ld-SPARQL to HTTP
     Shi3ld-SPARQL protects queries of the form
         SELECT ...
         WHERE { ... }
  9. Our Proposal: Adapting Shi3ld-SPARQL to HTTP
     The HTTP flavour must protect operations of the form
         GET /data/resource HTTP/1.1
         Host: example.org
         Authorization: ...
  10. Outline (section: Shi3ld Authorization Procedure)
     ● Background
     ● Shi3ld Authorization Procedure
     ● Adapting Shi3ld-SPARQL to HTTP
     ● Response Time Evaluation
     ● Future Work
  11. Shi3ld Access Policy
     Policy model: an AccessPolicy appliesTo a resource, hasAccessPrivilege an AccessPrivilege, and hasAccessConditionSet an AccessConditionSet; the set hasAccessCondition one or more AccessConditions; an AccessCondition hasContext a Context, which links a user, a device (UserDevice) and an environment (Environment).
     Two "styles" for Access Conditions:
     ● SPARQL-based
     ● SPARQL-less
  12. Sample Access Policy (SPARQL-based)
         :policy1 a s4ac:AccessPolicy;
             s4ac:appliesTo :resource;
             s4ac:hasAccessPrivilege s4ac:Read;
             s4ac:hasAccessConditionSet :acs1.

         :acs1 a s4ac:AccessConditionSet;
             s4ac:hasAccessCondition :ac1.

         :ac1 a s4ac:AccessCondition;
             s4ac:hasQueryAsk
             """ASK
                {?ctx a prissma:Context;
                      prissma:environment ?env;
                      prissma:user <http://example.org/john.rdf#me>.
                 ?env prissma:currentPOI ?poi.
                 ?poi prissma:based_near ?p.
                 ?p geo:lat ?lat; geo:lon ?lon.
                 FILTER(((?lat-45.8483) > 0 && (?lat-45.8483) < 0.5
                      || (?lat-45.8483) < 0 && (?lat-45.8483) > -0.5)
                      && ((?lon-7.3263) > 0 && (?lon-7.3263) < 0.5
                      || (?lon-7.3263) < 0 && (?lon-7.3263) > -0.5 ))}""".
     :resource is the protected resource. Access Condition to be verified: "User must be John and the request must come from a specific location".
  13. Sample Access Policy (SPARQL-less)
         :policy1 a s4ac:AccessPolicy;
             s4ac:appliesTo :resource;
             s4ac:hasAccessPrivilege s4ac:Read;
             s4ac:hasAccessConditionSet :acs1.

         :acs1 a s4ac:AccessConditionSet;
             s4ac:hasAccessCondition :ac1.

         :ac1 a s4ac:AccessCondition;
             s4ac:hasContext :ctx1.

         :ctx1 a prissma:Context;
             prissma:user <http://example.org/john.rdf#me>;
             prissma:environment :env1.

         :env1 a prissma:Environment;
             prissma:nearbyEntity <http://alice.org#me>.
     :resource is the protected resource. Access Condition to be verified: "User must be John and Alice must be nearby".
  14. Authorization Procedure
     1. Adding Client Attributes to HTTP operation
     2. Access Conditions Execution
     3. HTTP Response Construction
  15. Authorization Procedure, step 1: Adding Client Attributes to HTTP operation
         GET /data/resource HTTP/1.1
         Host: example.org
         Authorization: Shi3ld <...>
     The client attributes carried in the Authorization header form a context graph (prefix p: stands for prissma:), for example:
         :ctx_AC1 p:user <http://carl-johnson.org#me>;
                  p:environment :env_AC1.
         :env_AC1 p:nearbyEntity <http://alice.org#me>.
         <http://carl-johnson.org#me> foaf:gender "male".
  16. Authorization Procedure (SPARQL-based), step 2: Access Conditions Execution
     The client attributes graph is bound to the access condition's ASK query through VALUES:
         ASK { ?context a prissma:Context;
                        prissma:user ex:john. }
         VALUES (?context) { (:client_attributes) }
     Result for the request above: "false"
  17. Authorization Procedure (SPARQL-less), step 2: Access Conditions Execution
     The access condition's context is matched as a subgraph against the client attributes:
         :context a prissma:Context;
                  prissma:user ex:john.
     Result for the request above: "no match"
  18. Authorization Procedure, step 3: HTTP Response Construction
     Access to :resource is denied: 401 Unauthorized
  19. Outline (section: Shi3ld for HTTP: Scenarios)
  20. HTTP Operations on Linked Data: Our Scenarios
     ● SPARQL 1.1 Graph Store Protocol (GSP), e.g.
         GET /rdf-graph-store?graph=... HTTP/1.1
         Host: example.com
         Accept: text/turtle; charset=utf-8
       which the store answers by evaluating
         CONSTRUCT { ?s ?p ?o }
         WHERE { GRAPH <...>
                 { ?s ?p ?o } }
     ● W3C Linked Data Platform (LDP) 1.0: best practices for a read-write HTTP-based Linked Data architecture.
  21. HTTP Operations on Linked Data: Our Scenarios
     ● SPARQL 1.1 Graph Store Protocol (GSP): Shi3ld-GSP
     ● W3C Linked Data Platform (LDP) 1.0: Shi3ld-LDP
       • SPARQL-based
       • SPARQL-less
  22. HTTP Operations on Linked Data: Our Scenarios (same as slide 21; introduces Shi3ld-GSP)
  23. Shi3ld-GSP
     Client → Shi3ld-GSP (HTTP):
         GET /data/resource HTTP/1.1
         Host: example.org
         Authorization: Shi3ld:base64(attributes)
     Shi3ld-GSP → SPARQL 1.1 GSP Triple Store (HTTP/SPARQL):
       1. Adding Client Attributes: INSERT DATA (attributes)
       2. AC Execution: SELECT (Access Policies), then ASK (AC1) ... ASK (ACn)
       3. HTTP Response Construction: forward GET /data/resource HTTP/1.1 (Host: example.org) to the store and return 200 OK to the client
  24. HTTP Operations on Linked Data: Our Scenarios (same as slide 21; introduces Shi3ld-LDP)
  25. Shi3ld-LDP (SPARQL-based)
     Client → Shi3ld Frontend (HTTP):
         GET /data/resource HTTP/1.1
         Host: example.org
         Authorization: Shi3ld:base64(attributes)
     Shi3ld Frontend → Shi3ld Internal (Internal Triple Store + Internal SPARQL Engine):
       1. Adding Client Attributes: INSERT DATA (attributes)
       2. AC Execution: SELECT (Access Policies), then ASK (AC1) ... ASK (ACn)
       3. HTTP Response Construction: the LDP Server calls getData() on the File System / Triple Store and the client receives 200 OK
  26. Shi3ld-LDP (SPARQL-less)
     Client → Shi3ld Frontend (HTTP):
         GET /data/resource HTTP/1.1
         Host: example.org
         Authorization: Shi3ld:base64(attributes)
     Shi3ld Frontend → Shi3ld Internal (Subgraph matcher):
       1. Adding Client Attributes: save attributes
       2. AC Execution: get Access Policies, then attributes.contains(AC1) ... attributes.contains(ACn)
       3. HTTP Response Construction: the LDP Server calls getData() on the File System / Triple Store and the client receives 200 OK
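The three-step procedure of slides 14-18, with step 2 in its SPARQL-less form (the attributes.contains(AC) subgraph matcher of slide 26), as an added example that is not Shi3ld's own code. It assumes the client attributes are serialised as JSON triples inside the Authorization header and that an access condition set is conjunctive; both are assumptions of this example, not statements from the slides.

```python
import base64
import json
# Access condition from the SPARQL-less policy on slide 13, written as triples;
# terms starting with "?" are variables bound during subgraph matching.
ACCESS_CONDITION = [
    ("?ctx", "rdf:type", "prissma:Context"),
    ("?ctx", "prissma:user", "<http://example.org/john.rdf#me>"),
    ("?ctx", "prissma:environment", "?env"),
    ("?env", "prissma:nearbyEntity", "<http://alice.org#me>")]
# Constructed client attributes: John near Alice, and Carl (slide 15) near Alice.
JOHN = [("_:c", "rdf:type", "prissma:Context"),
        ("_:c", "prissma:user", "<http://example.org/john.rdf#me>"),
        ("_:c", "prissma:environment", "_:e"),
        ("_:e", "prissma:nearbyEntity", "<http://alice.org#me>")]
CARL = [("_:c", "rdf:type", "prissma:Context"),
        ("_:c", "prissma:user", "<http://carl-johnson.org#me>"),
        ("_:c", "prissma:environment", "_:e"),
        ("_:e", "prissma:nearbyEntity", "<http://alice.org#me>")]

def _unify(term, value, binding):
    """Bind a "?var" (consistently across the whole condition) or compare a constant."""
    if not term.startswith("?"):
        return term == value
    return binding.setdefault(term, value) == value

def match(condition, attrs, binding=None):
    """Step 2, SPARQL-less: attributes.contains(AC) as subgraph matching."""
    if not condition:
        return True
    s, p, o = condition[0]
    for cs, cp, co in attrs:
        b = dict(binding or {})  # fresh copy per candidate triple
        if cp == p and _unify(s, cs, b) and _unify(o, co, b) \
                and match(condition[1:], attrs, b):
            return True
    return False

def encode_attributes(triples):
    """Client side: attributes go base64-encoded in 'Authorization: Shi3ld <...>'
    (JSON serialisation is this example's assumption, not Shi3ld's wire format)."""
    return "Shi3ld " + base64.b64encode(json.dumps(triples).encode()).decode()

def authorize(header, conditions):
    """Steps 1 and 3: decode the attributes, evaluate every access condition
    (set treated as conjunctive, an assumption) and choose the status code."""
    scheme, _, payload = header.partition(" ")
    if scheme != "Shi3ld":
        return 401
    attrs = [tuple(t) for t in json.loads(base64.b64decode(payload))]
    return 200 if all(match(c, attrs) for c in conditions) else 401
```

A request carrying John's attributes is answered 200 OK, while Carl's (a different prissma:user) and a request without a Shi3ld header fall through to 401 Unauthorized, mirroring slide 18.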
  27. Outline (section: Response Time Evaluation)
  28. Response Time Evaluation
     ● Response time grows linearly with the number of access conditions
     ● SPARQL-less: 25% faster
     ● Empty RDF store: only 14% faster
  29. Response Time Evaluation
     ● AC complexity does not affect response time
     ● Response time is independent of the HTTP method
  30. Outline (section: Future Work)
  31. Future Work
     ● Client Attributes Trustworthiness
     ● Client Attributes Caching
     ● Admin UI
     bit.ly/shi3ld-http
     Luca Costabello @lukostaz, Serena Villata @serena_villata, Oscar Rodriguez-Rocha @orocha, Fabien Gandon @fabien_gandon
