Upcoming SlideShare
License: CC Attribution-NoDerivs License
Access Control for HTTP Operations on Linked Data
- 1. Access Control for HTTPOperations on Linked Data !Luca Costabello Serena Villata Oscar Rodriguez Rocha Fabien Gandon
- 2. Outline!● Introduction"● Shi3ld Authorization Procedure"● Shi3ld for HTTP: Scenarios"● Response Time Evaluation"● Future Work"
- 3. Outline!● Introduction!● Shi3ld Authorization Procedure!● Shi3ld for HTTP: Scenarios"● Response Time Evaluation"● Future Work"
- 4. Accessing Linked Data!● HTTP URIs dereferencing"● SPARQL queries"● RDFa, search engines APIs"
- 5. Accessing Linked Data!● HTTP URIs dereferencing!● SPARQL queries"● RDFa, search engines APIs"GET /data/resource HTTP/1.1!Host: example.org!...!
- 6. Our Problem!6 How to design an authorizationframework for HTTP interaction withLinked Data? "GET /data/resource HTTP/1.1!Host: example.org!Authorization: ...!
- 7. Access Control for Triple Stores!7HTTP Interac:on A<ribute-‐Based AC Model Policies in RDF/SPARQL Resource-‐level Granularity Context Awareness Shi3ld-‐SPARQL [2012] WAC [2007] Proteus [2006] Abel et al. [2007] Finin et al. [2008] Flouris et al. [2010] PPO [2011]
- 8. 8 SELECT … !WHERE {…}!Our Proposal: !Adapting Shi3ld-SPARQL to HTTP!
- 9. 9 GET /data/resource HTTP/1.1!Host: example.org!Authorization: ...!Our Proposal: !Adapting Shi3ld-SPARQL to HTTP!
- 10. Outline!● Background"● Shi3ld Authorization Procedure"● Adapting Shi3ld-SPARQL to HTTP!● Response Time Evaluation"● Future Work"
- 11. Shi3ld Access Policy!11 AccessConditionSet AccessPolicyhasContextAccessPrivilegehasAccessPrivilegeappliesToUserDeviceEnvironmentContextenvironmentdeviceuserhasAccessConditionSetAccessConditionhasAccessConditionTwo “Styles” for Access Conditions"● SPARQL-based"● SPARQL-less"
- 12. Sample Access Policy (SPARQL-based)!12 :policy1 a s4ac:AccessPolicy; !s4ac:appliesTo :resource; !s4ac:hasAccessPrivilege s4ac:Read;!s4ac:hasAccessConditionSet :acs1.!!:acs1 a s4ac:AccessConditionSet; !s4ac:hasAccessCondition :ac1.!!:ac1 a s4ac:AccessCondition;!! s4ac:hasQueryAsk !!"""ASK !! !{?ctx a prissma:Context; !! ! ! prissma:environment ?env;!! ! prissma:user <http://example.org/john.rdf#me>. !! !?env prissma:currentPOI ?poi. !! !?poi prissma:based_near ?p.!! !?p geo:lat ?lat;geo:lon ?lon.!! !FILTER(((?lat-45.8483) > 0 && (?lat-45.8483) < 0.5!! !|| (?lat-45.8483) < 0 && (?lat-45.8483) > -0.5)!! !&& ((?lon-7.3263) > 0 && (?lon-7.3263) < 0.5 !! !|| (?lon-7.3263) < 0 && (?lon-7.3263) > -0.5 ))}""".!Protected resourceAccess Condition to be verified:«User must be John and request mustcome from a specific location»
- 13. Sample Access Policy (SPARQL-less)!13 :policy1 a s4ac:AccessPolicy; !s4ac:appliesTo :resource; !s4ac:hasAccessPrivilege s4ac:Read;!s4ac:hasAccessConditionSet :acs1.!!:acs1 a s4ac:AccessConditionSet; !s4ac:hasAccessCondition :ac1.!!:ac1 a s4ac:AccessCondition;!! s4ac:hasContext :ctx1.!!:ctx1 a prissma:Context;!!prissma:user <http://example.org/john.rdf#me>;!!prissma:environment :env1.!!:env1 a prissma:Environment;!prissma:nearbyEntity <http://alice.org#me>.!Protected resourceAccess Condition to be verified:«User must be John and Alice must be nearby»
- 14. 14 Authorization Procedure ! 1. Adding Client Attributes to HTTP operation"2. Access Conditions Execution!3. HTTP Response Construction!
- 15. Authorization Procedure !15 GET /data/resource HTTP/1.1!Host: example.org!Authorization: Shi3ld <...>!1. Adding Client Attributes to HTTP operation"2. Access Conditions Execution"3. HTTP Response Construction"UserDeviceEnvironmentContextenvironmentdeviceuser<http://carl-johnson.org#me>:env_AC1<http://alice.org#me>p:nearbyEntityp:user p:environmentp:nearbyEntity:ctx_AC1foaf:gender"male"
- 16. Authorization Procedure (SPARQL-based) !16 1. Adding Client Attributes to HTTP operation"2. Access Conditions Execution!3. HTTP Response Construction"ASK {?context !a prissma:Context; !prissma:user ex:john.} ! = "false" VALUES (?context) {(:client_attributes)}!GET /data/resource HTTP/1.1!Host: example.org!Authorization: Shi3ld <...>!
- 17. Authorization Procedure (SPARQL-less) !17 1. Adding Client Attributes to HTTP operation"2. Access Conditions Execution!3. HTTP Response Construction"!:context a prissma:Context; !! prissma:user ex:john. !"no match" GET /data/resource HTTP/1.1!Host: example.org!Authorization: Shi3ld <...>!<http://carl-johnson.org#me>:env_AC1<http://alice.org#me>p:nearbyEntityp:user p:environmentp:nearbyEntity:ctx_AC1foaf:gender"male"
- 18. Authorization Procedure !18 1. Adding Client Attributes to HTTP operation"2. Access Conditions Execution"3. HTTP Response Construction!:resource!401 Unauthorized!
- 19. Outline!● Introduction"● Authorization Procedure"● Shi3ld for HTTP: Scenarios!● Response Time Evaluation"● Future Work"
- 20. HTTP Operations on Linked Data: Our Scenarios!20 ● SPARQL 1.1 Graph Store Protocol (GSP)""● W3C Linked Data Platform (LDP) 1.0"Best practices for a read-write HTTP-based Linked Dataarchitecture. ""GET /rdf-graph-store?graph=... HTTP/1.1!Host: example.com!Accept: text/turtle; charset=utf-8!CONSTRUCT { ?s ?p ?o } !WHERE { GRAPH <...> !{ ?s ?p ?o } }!
- 21. HTTP Operations on Linked Data: Our Scenarios!21 ● SPARQL 1.1 Graph Store Protocol (GSP)"!Shi3ld-GSP!"● W3C Linked Data Platform (LDP) 1.0""Shi3ld-LDP!• SPARQL-based!• SPARQL-less!
- 22. HTTP Operations on Linked Data: Our Scenarios!22 ● SPARQL 1.1 Graph Store Protocol (GSP)"!Shi3ld-GSP!"● W3C Linked Data Platform (LDP) 1.0""Shi3ld-LDP!• SPARQL-based!• SPARQL-less!
- 23. Shi3ld- GSP!23 Shi3ld-GSPClientSPARQL 1.1GSPTripleStoreGET /data/resource HTTP/1.1Host: example.orgAuthorization: Shi3ld:base64(attributes)INSERT/DATA(attributes)SELECT(Access Policies)ASK (AC1)ASK (ACn)...GET /data/resource HTTP/1.1Host: example.org200 OKHTTP HTTP/SPARQL1. Adding ClientAttributes2. AC Execution3. HTTP Response Construc:on
- 24. HTTP Operations on Linked Data: Our Scenarios!24 ● SPARQL 1.1 Graph Store Protocol (GSP)"!Shi3ld-GSP!"● W3C Linked Data Platform (LDP) 1.0""Shi3ld-LDP!• SPARQL-based!• SPARQL-less!
- 25. LDP ServerINSERT/DATA(attributes)SELECT(Access Policies)ASK (AC1)ASK (ACn)...Shi3ld-LDP InternalTriple StoreInternalSPARQL EngineShi3ld FrontendClientGET /data/resource HTTP/1.1Host: example.orgAuthorization: Shi3ld:base64(attributes)200 OKFileSystem/TripleStoreHTTPgetData()Shi3ld InternalShi3ld-LDP (SPARQL-based)!25 1. Adding ClientAttributes2. AC Execution3. HTTP Response Construc:on
- 26. 26 Shi3ld-LDP (SPARQL-less)!FileSystem/TripleStoreSave attributesGet Access Policiesattributes.contains(AC1)attributes.contains(ACn)...Shi3ld-LDPSubgraphmatcherShi3ld FrontendClientGET /data/resource HTTP/1.1Host: example.orgAuthorization: Shi3ld:base64(attributes)LDP ServerHTTP Shi3ld Internal200 OKgetData()1. Adding ClientAttributes2. AC Execution3. HTTP Response Construc:on
- 27. Outline!● Background"● Authorization Procedure"● Shi3ld for HTTP: Scenarios"● Response Time Evaluation!● Future Work"
- 28. Response Time Evaluation!28 ● Response time linear w/ AC #"● SPARQL-less: 25% faster"● Empty RDF Store: only 14%faster"
- 29. Response Time Evaluation!29 ● AC complexity does notaffect response time"● Response time independentfrom HTTP method"
- 30. Outline!● Background"● Authorization Procedure"● Shi3ld for HTTP: Scenarios"● Response Time Evaluation"● Future Work!
- 31. Future Work!bit.ly/shi3ld-httpLuca Costabello @lukostaz! Serena Villata @serena_villata! Oscar Rodriguez-‐Rocha @orocha! Fabien Gandon @fabien_gandon ● Client Attributes Trustworthiness "● Client Attributes Caching"● Admin UI"
Login to see the comments