Access Control for HTTP Operations on Linked Data
DESCRIPTION
Shi3ld is an access control module for enforcing authorization on triple stores. Shi3ld protects SPARQL queries and HTTP operations on Linked Data and relies on attribute-based access policies. http://wimmics.inria.fr/projects/shi3ld-ldp/

Shi3ld comes in two flavours: Shi3ld-SPARQL, designed for SPARQL endpoints, and Shi3ld-HTTP, designed for HTTP operations on triples. Shi3ld for HTTP offers authorization for read/write HTTP operations on Linked Data. It supports the SPARQL 1.1 Graph Store Protocol and the Linked Data Platform specifications.
TRANSCRIPT
Access Control for HTTP Operations on Linked Data
Luca Costabello, Serena Villata, Oscar Rodriguez Rocha, Fabien Gandon
Outline
● Introduction
● Shi3ld Authorization Procedure
● Shi3ld for HTTP: Scenarios
● Response Time Evaluation
● Future Work
Accessing Linked Data
● HTTP URIs dereferencing
● SPARQL queries
● RDFa, search engine APIs

Example (HTTP URI dereferencing):
GET /data/resource HTTP/1.1
Host: example.org
...
Our Problem
How to design an authorization framework for HTTP interaction with Linked Data?

GET /data/resource HTTP/1.1
Host: example.org
Authorization: ...
Access Control for Triple Stores
Comparison criteria (table columns): HTTP Interaction; Attribute-Based AC Model; Policies in RDF/SPARQL; Resource-level Granularity; Context Awareness.
Approaches compared (table rows): Shi3ld-SPARQL [2012], WAC [2007], Proteus [2006], Abel et al. [2007], Finin et al. [2008], Flouris et al. [2010], PPO [2011].
Our Proposal: Adapting Shi3ld-SPARQL to HTTP
Shi3ld-SPARQL protects:
SELECT … WHERE {…}

Shi3ld-HTTP protects:
GET /data/resource HTTP/1.1
Host: example.org
Authorization: ...
Shi3ld Access Policy
(Diagram of the policy model:)
AccessPolicy -appliesTo-> resource
AccessPolicy -hasAccessPrivilege-> AccessPrivilege
AccessPolicy -hasAccessConditionSet-> AccessConditionSet
AccessConditionSet -hasAccessCondition-> AccessCondition
AccessCondition -hasContext-> Context
Context -user-> User; Context -device-> Device; Context -environment-> Environment

Two "Styles" for Access Conditions:
● SPARQL-based
● SPARQL-less
Sample Access Policy (SPARQL-based)
:policy1 a s4ac:AccessPolicy;
    s4ac:appliesTo :resource;
    s4ac:hasAccessPrivilege s4ac:Read;
    s4ac:hasAccessConditionSet :acs1.

:acs1 a s4ac:AccessConditionSet;
    s4ac:hasAccessCondition :ac1.

:ac1 a s4ac:AccessCondition;
    s4ac:hasQueryAsk
    """ASK
    {?ctx a prissma:Context;
          prissma:environment ?env;
          prissma:user <http://example.org/john.rdf#me>.
     ?env prissma:currentPOI ?poi.
     ?poi prissma:based_near ?p.
     ?p geo:lat ?lat; geo:lon ?lon.
     FILTER(((?lat-45.8483) > 0 && (?lat-45.8483) < 0.5
             || (?lat-45.8483) < 0 && (?lat-45.8483) > -0.5)
            && ((?lon-7.3263) > 0 && (?lon-7.3263) < 0.5
             || (?lon-7.3263) < 0 && (?lon-7.3263) > -0.5))}""".

Protected resource: :resource
Access Condition to be verified: «User must be John and request must come from a specific location»
Sample Access Policy (SPARQL-less)
:policy1 a s4ac:AccessPolicy;
    s4ac:appliesTo :resource;
    s4ac:hasAccessPrivilege s4ac:Read;
    s4ac:hasAccessConditionSet :acs1.

:acs1 a s4ac:AccessConditionSet;
    s4ac:hasAccessCondition :ac1.

:ac1 a s4ac:AccessCondition;
    s4ac:hasContext :ctx1.

:ctx1 a prissma:Context;
    prissma:user <http://example.org/john.rdf#me>;
    prissma:environment :env1.

:env1 a prissma:Environment;
    prissma:nearbyEntity <http://alice.org#me>.

Protected resource: :resource
Access Condition to be verified: «User must be John and Alice must be nearby»
Authorization Procedure
1. Adding Client Attributes to HTTP operation
2. Access Conditions Execution
3. HTTP Response Construction
Authorization Procedure: 1. Adding Client Attributes to HTTP operation
GET /data/resource HTTP/1.1
Host: example.org
Authorization: Shi3ld <...>

Client attributes graph carried by the Authorization header (from the slide diagram):
:ctx_AC1 p:user <http://carl-johnson.org#me>;
         p:environment :env_AC1.
:env_AC1 p:nearbyEntity <http://alice.org#me>.
<http://carl-johnson.org#me> foaf:gender "male".
Authorization Procedure (SPARQL-based): 2. Access Conditions Execution
GET /data/resource HTTP/1.1
Host: example.org
Authorization: Shi3ld <...>

The access condition's ASK query is evaluated with ?context bound to the client attributes:
ASK {?context a prissma:Context;
              prissma:user ex:john.}
VALUES (?context) {(:client_attributes)}
Result: "false"
Authorization Procedure (SPARQL-less): 2. Access Conditions Execution
GET /data/resource HTTP/1.1
Host: example.org
Authorization: Shi3ld <...>

The access condition's context graph is matched against the client attributes graph (the :ctx_AC1 graph shown above, user carl-johnson with Alice nearby):
:context a prissma:Context;
         prissma:user ex:john.
Result: "no match"
Authorization Procedure: 3. HTTP Response Construction
Requested resource: :resource
Response: 401 Unauthorized
HTTP Operations on Linked Data: Our Scenarios
● SPARQL 1.1 Graph Store Protocol (GSP): Shi3ld-GSP
  Example GSP request and the equivalent SPARQL query:
  GET /rdf-graph-store?graph=... HTTP/1.1
  Host: example.com
  Accept: text/turtle; charset=utf-8

  CONSTRUCT { ?s ?p ?o }
  WHERE { GRAPH <...> { ?s ?p ?o } }
● W3C Linked Data Platform (LDP) 1.0: Shi3ld-LDP
  Best practices for a read-write HTTP-based Linked Data architecture.
  • SPARQL-based
  • SPARQL-less
Shi3ld-GSP
(Sequence diagram: Client <-HTTP-> Shi3ld-GSP <-HTTP/SPARQL-> SPARQL 1.1 GSP / Triple Store)
Client -> Shi3ld-GSP:
GET /data/resource HTTP/1.1
Host: example.org
Authorization: Shi3ld:base64(attributes)
1. Adding Client Attributes: Shi3ld-GSP -> Triple Store: INSERT DATA (attributes)
2. AC Execution: Shi3ld-GSP -> Triple Store: SELECT (Access Policies), then ASK (AC1) ... ASK (ACn)
3. HTTP Response Construction: Shi3ld-GSP -> SPARQL 1.1 GSP: GET /data/resource HTTP/1.1, Host: example.org (without the Authorization header); Shi3ld-GSP -> Client: 200 OK
Shi3ld-LDP (SPARQL-based)
(Sequence diagram: Client <-HTTP-> Shi3ld Frontend; inside the LDP Server, Shi3ld-LDP uses an Internal SPARQL Engine and an Internal Triple Store, and reads resources from the File System / Triple Store)
Client -> Shi3ld Frontend:
GET /data/resource HTTP/1.1
Host: example.org
Authorization: Shi3ld:base64(attributes)
1. Adding Client Attributes (Shi3ld internal): INSERT DATA (attributes)
2. AC Execution (Shi3ld internal, Internal SPARQL Engine): SELECT (Access Policies), then ASK (AC1) ... ASK (ACn)
3. HTTP Response Construction: Shi3ld Frontend -> File System / Triple Store: getData(); Shi3ld Frontend -> Client: 200 OK
Shi3ld-LDP (SPARQL-less)
(Sequence diagram: Client <-HTTP-> Shi3ld Frontend; inside the LDP Server, Shi3ld-LDP uses a Subgraph matcher instead of a SPARQL engine, and reads resources from the File System / Triple Store)
Client -> Shi3ld Frontend:
GET /data/resource HTTP/1.1
Host: example.org
Authorization: Shi3ld:base64(attributes)
1. Adding Client Attributes (Shi3ld internal): Save attributes
2. AC Execution (Shi3ld internal, Subgraph matcher): Get Access Policies, then attributes.contains(AC1) ... attributes.contains(ACn)
3. HTTP Response Construction: Shi3ld Frontend -> File System / Triple Store: getData(); Shi3ld Frontend -> Client: 200 OK
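Added example (not part of the slides or of the Shi3ld code base): a minimal version of the SPARQL-less authorization path, i.e. the three steps above with a subgraph matcher run against the sample policy "User must be John and Alice must be nearby" and the client attributes graph from the procedure slides. The base64 Authorization payload, the one-triple-per-line serialisation, the treatment of policy-local nodes as variables, the all-conditions-must-hold rule and the client's prissma:Environment type triple are assumptions made here.

```python
import base64
# Constructed client context (the graph from the "Adding Client Attributes" slide
# plus an assumed prissma:Environment type), in an assumed one-triple-per-line form.
CLIENT_ATTRIBUTES = """\
:ctx_AC1 a prissma:Context .
:ctx_AC1 prissma:user <http://carl-johnson.org#me> .
:ctx_AC1 prissma:environment :env_AC1 .
:env_AC1 a prissma:Environment .
:env_AC1 prissma:nearbyEntity <http://alice.org#me> .
<http://carl-johnson.org#me> foaf:gender "male" .
"""
# The SPARQL-less access condition context: "User must be John and Alice must be nearby".
POLICY_AC1 = """\
:ctx1 a prissma:Context .
:ctx1 prissma:user <http://example.org/john.rdf#me> .
:ctx1 prissma:environment :env1 .
:env1 a prissma:Environment .
:env1 prissma:nearbyEntity <http://alice.org#me> .
"""

def shi3ld_header(attributes_text):
    """Step 1, client side: build the 'Authorization: Shi3ld base64(attributes)' value."""
    return "Shi3ld " + base64.b64encode(attributes_text.encode()).decode()

def parse_triples(text):
    """Parse 'subject predicate object .' lines into a set of (s, p, o) tuples."""
    return {tuple(l.strip().rstrip(" .").split(None, 2))
            for l in text.splitlines() if l.strip()}

def subgraph_match(pattern, data, binding=None):
    """Backtracking check that every pattern triple occurs in data; policy-local nodes (prefix ':') are variables bound consistently."""
    if not pattern:
        return True
    head, rest = pattern[0], pattern[1:]
    for triple in data:
        b = dict(binding or {})  # fresh copy per candidate so backtracking is clean
        if all(b.setdefault(pt, dt) == dt if pt.startswith(":") else pt == dt
               for pt, dt in zip(head, triple)) and subgraph_match(rest, data, b):
            return True
    return False

def authorize(auth_header, conditions):
    """Steps 1-3, server side: decode the attributes, check every access condition (all must hold, assumed) and pick the status."""
    scheme, _, payload = auth_header.partition(" ")
    if scheme != "Shi3ld" or not payload:
        return 401
    attrs = parse_triples(base64.b64decode(payload).decode())
    return 200 if all(subgraph_match(sorted(parse_triples(ac)), attrs)
                      for ac in conditions) else 401
```

With the constructed carl-johnson context the policy yields "no match" and a 401, exactly the outcome the procedure slides walk through; substituting John's URI in the user triple turns it into a 200.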
Response Time Evaluation
● Response time grows linearly with the number of access conditions
● SPARQL-less: 25% faster
● Empty RDF store: only 14% faster
● AC complexity does not affect response time
● Response time is independent of the HTTP method
Future Work
● Client Attributes Trustworthiness
● Client Attributes Caching
● Admin UI

bit.ly/shi3ld-http
Luca Costabello @lukostaz
Serena Villata @serena_villata
Oscar Rodriguez-Rocha @orocha
Fabien Gandon @fabien_gandon