Access Control for HTTP Operations on Linked Data

1. Access Control for HTTPOperations on Linked Data !Luca Costabello Serena Villata Oscar Rodriguez Rocha Fabien Gandon

2. Outline!●  Introduction"●  Shi3ld Authorization Procedure"●  Shi3ld for HTTP: Scenarios"●  Response Time Evaluation"●  Future Work"

3. Outline!●  Introduction!●  Shi3ld Authorization Procedure!●  Shi3ld for HTTP: Scenarios"●  Response Time Evaluation"●  Future Work"

4. Accessing Linked Data!●  HTTP URIs dereferencing"●  SPARQL queries"●  RDFa, search engines APIs"

5. Accessing Linked Data!●  HTTP URIs dereferencing!●  SPARQL queries"●  RDFa, search engines APIs"GET /data/resource HTTP/1.1!Host: example.org!...!

6. Our Problem!6 How to design an authorizationframework for HTTP interaction withLinked Data? "GET /data/resource HTTP/1.1!Host: example.org!Authorization: ...!

7. Access Control for Triple Stores!7HTTP Interac:on A<ribute-‐Based AC Model Policies in RDF/SPARQL Resource-‐level Granularity Context Awareness Shi3ld-‐SPARQL [2012] WAC [2007] Proteus [2006] Abel et al. [2007] Finin et al. [2008] Flouris et al. [2010] PPO [2011]

8. 8 SELECT … !WHERE {…}!Our Proposal: !Adapting Shi3ld-SPARQL to HTTP!

9. 9 GET /data/resource HTTP/1.1!Host: example.org!Authorization: ...!Our Proposal: !Adapting Shi3ld-SPARQL to HTTP!

10. Outline!●  Background"●  Shi3ld Authorization Procedure"●  Adapting Shi3ld-SPARQL to HTTP!●  Response Time Evaluation"●  Future Work"

11. Shi3ld Access Policy!11 AccessConditionSet AccessPolicyhasContextAccessPrivilegehasAccessPrivilegeappliesToUserDeviceEnvironmentContextenvironmentdeviceuserhasAccessConditionSetAccessConditionhasAccessConditionTwo “Styles” for Access Conditions"●  SPARQL-based"●  SPARQL-less"

12. Sample Access Policy (SPARQL-based)!12 :policy1 a s4ac:AccessPolicy; !s4ac:appliesTo :resource; !s4ac:hasAccessPrivilege s4ac:Read;!s4ac:hasAccessConditionSet :acs1.!!:acs1 a s4ac:AccessConditionSet; !s4ac:hasAccessCondition :ac1.!!:ac1 a s4ac:AccessCondition;!! s4ac:hasQueryAsk !!"""ASK !! !{?ctx a prissma:Context; !! ! ! prissma:environment ?env;!! ! prissma:user <http://example.org/john.rdf#me>. !! !?env prissma:currentPOI ?poi. !! !?poi prissma:based_near ?p.!! !?p geo:lat ?lat;geo:lon ?lon.!! !FILTER(((?lat-45.8483) > 0 && (?lat-45.8483) < 0.5!! !|| (?lat-45.8483) < 0 && (?lat-45.8483) > -0.5)!! !&& ((?lon-7.3263) > 0 && (?lon-7.3263) < 0.5 !! !|| (?lon-7.3263) < 0 && (?lon-7.3263) > -0.5 ))}""".!Protected resourceAccess Condition to be verified:«User must be John and request mustcome from a specific location»

13. Sample Access Policy (SPARQL-less)!13 :policy1 a s4ac:AccessPolicy; !s4ac:appliesTo :resource; !s4ac:hasAccessPrivilege s4ac:Read;!s4ac:hasAccessConditionSet :acs1.!!:acs1 a s4ac:AccessConditionSet; !s4ac:hasAccessCondition :ac1.!!:ac1 a s4ac:AccessCondition;!! s4ac:hasContext :ctx1.!!:ctx1 a prissma:Context;!!prissma:user <http://example.org/john.rdf#me>;!!prissma:environment :env1.!!:env1 a prissma:Environment;!prissma:nearbyEntity <http://alice.org#me>.!Protected resourceAccess Condition to be verified:«User must be John and Alice must be nearby»

14. 14 Authorization Procedure ! 1. Adding Client Attributes to HTTP operation"2. Access Conditions Execution!3. HTTP Response Construction!

15. Authorization Procedure !15 GET /data/resource HTTP/1.1!Host: example.org!Authorization: Shi3ld <...>!1. Adding Client Attributes to HTTP operation"2. Access Conditions Execution"3. HTTP Response Construction"UserDeviceEnvironmentContextenvironmentdeviceuser<http://carl-johnson.org#me>:env_AC1<http://alice.org#me>p:nearbyEntityp:user p:environmentp:nearbyEntity:ctx_AC1foaf:gender"male"

16. Authorization Procedure (SPARQL-based) !16 1. Adding Client Attributes to HTTP operation"2. Access Conditions Execution!3. HTTP Response Construction"ASK {?context !a prissma:Context; !prissma:user ex:john.} ! = "false" VALUES (?context) {(:client_attributes)}!GET /data/resource HTTP/1.1!Host: example.org!Authorization: Shi3ld <...>!

17. Authorization Procedure (SPARQL-less) !17 1. Adding Client Attributes to HTTP operation"2. Access Conditions Execution!3. HTTP Response Construction"!:context a prissma:Context; !! prissma:user ex:john. !"no match" GET /data/resource HTTP/1.1!Host: example.org!Authorization: Shi3ld <...>!<http://carl-johnson.org#me>:env_AC1<http://alice.org#me>p:nearbyEntityp:user p:environmentp:nearbyEntity:ctx_AC1foaf:gender"male"

18. Authorization Procedure !18 1. Adding Client Attributes to HTTP operation"2. Access Conditions Execution"3. HTTP Response Construction!:resource!401 Unauthorized!

19. Outline!●  Introduction"●  Authorization Procedure"●  Shi3ld for HTTP: Scenarios!●  Response Time Evaluation"●  Future Work"

20. HTTP Operations on Linked Data:  Our Scenarios!20 ●  SPARQL 1.1 Graph Store Protocol (GSP)""●  W3C Linked Data Platform (LDP) 1.0"Best practices for a read-write HTTP-based Linked Dataarchitecture. ""GET /rdf-graph-store?graph=... HTTP/1.1!Host: example.com!Accept: text/turtle; charset=utf-8!CONSTRUCT { ?s ?p ?o } !WHERE { GRAPH <...> !{ ?s ?p ?o } }!

21. HTTP Operations on Linked Data:  Our Scenarios!21 ●  SPARQL 1.1 Graph Store Protocol (GSP)"!Shi3ld-GSP!"●  W3C Linked Data Platform (LDP) 1.0""Shi3ld-LDP!•  SPARQL-based!•  SPARQL-less!

23. Shi3ld- GSP!23 Shi3ld-GSPClientSPARQL 1.1GSPTripleStoreGET /data/resource HTTP/1.1Host: example.orgAuthorization: Shi3ld:base64(attributes)INSERT/DATA(attributes)SELECT(Access Policies)ASK (AC1)ASK (ACn)...GET /data/resource HTTP/1.1Host: example.org200 OKHTTP HTTP/SPARQL1. Adding ClientAttributes2. AC Execution3. HTTP Response Construc:on

25. LDP ServerINSERT/DATA(attributes)SELECT(Access Policies)ASK (AC1)ASK (ACn)...Shi3ld-LDP InternalTriple StoreInternalSPARQL EngineShi3ld FrontendClientGET /data/resource HTTP/1.1Host: example.orgAuthorization: Shi3ld:base64(attributes)200 OKFileSystem/TripleStoreHTTPgetData()Shi3ld InternalShi3ld-LDP (SPARQL-based)!25 1. Adding ClientAttributes2. AC Execution3. HTTP Response Construc:on

26. 26 Shi3ld-LDP (SPARQL-less)!FileSystem/TripleStoreSave attributesGet Access Policiesattributes.contains(AC1)attributes.contains(ACn)...Shi3ld-LDPSubgraphmatcherShi3ld FrontendClientGET /data/resource HTTP/1.1Host: example.orgAuthorization: Shi3ld:base64(attributes)LDP ServerHTTP Shi3ld Internal200 OKgetData()1. Adding ClientAttributes2. AC Execution3. HTTP Response Construc:on

27. Outline!●  Background"●  Authorization Procedure"●  Shi3ld for HTTP: Scenarios"●  Response Time Evaluation!●  Future Work"

28. Response Time Evaluation!28 ●  Response time linear w/ AC #"●  SPARQL-less: 25% faster"●  Empty RDF Store: only 14%faster"

29. Response Time Evaluation!29 ●  AC complexity does notaffect response time"●  Response time independentfrom HTTP method"

30. Outline!●  Background"●  Authorization Procedure"●  Shi3ld for HTTP: Scenarios"●  Response Time Evaluation"●  Future Work!

31. Future Work!bit.ly/shi3ld-httpLuca Costabello @lukostaz! Serena Villata @serena_villata! Oscar Rodriguez-‐Rocha @orocha! Fabien Gandon @fabien_gandon ●  Client Attributes Trustworthiness "●  Client Attributes Caching"●  Admin UI"