Access Control for HTTP Operations on Linked Data
Luca Costabello, Serena Villata, Oscar Rodriguez Rocha, Fabien Gandon

Jan 15, 2015

Shi3ld is an access control module for enforcing authorization on triple stores. Shi3ld protects SPARQL queries and HTTP operations on Linked Data and relies on attribute-based access policies.

http://wimmics.inria.fr/projects/shi3ld-ldp/

Shi3ld comes in two flavours: Shi3ld-SPARQL, designed for SPARQL endpoints, and Shi3ld-HTTP, designed for HTTP operations on triples.

Shi3ld for HTTP offers authorization for read/write HTTP operations on Linked Data. It supports the SPARQL 1.1 Graph Store Protocol and the Linked Data Platform specifications.
Transcript
Page 1: Access Control for HTTP Operations on Linked Data

Access Control for HTTP Operations on Linked Data

Luca Costabello, Serena Villata, Oscar Rodriguez Rocha, Fabien Gandon

Page 2: Access Control for HTTP Operations on Linked Data

Outline

● Introduction
● Shi3ld Authorization Procedure
● Shi3ld for HTTP: Scenarios
● Response Time Evaluation
● Future Work

Page 4: Access Control for HTTP Operations on Linked Data

Accessing Linked Data

● HTTP URIs dereferencing
● SPARQL queries
● RDFa, search engines APIs

Page 5: Access Control for HTTP Operations on Linked Data

Accessing Linked Data

● HTTP URIs dereferencing
● SPARQL queries
● RDFa, search engines APIs

GET /data/resource HTTP/1.1
Host: example.org
...

Page 6: Access Control for HTTP Operations on Linked Data

Our Problem

How to design an authorization framework for HTTP interaction with Linked Data?

GET /data/resource HTTP/1.1
Host: example.org
Authorization: ...

Page 7: Access Control for HTTP Operations on Linked Data

Access Control for Triple Stores

Comparison criteria (feature matrix):
● HTTP Interaction
● Attribute-Based AC Model
● Policies in RDF/SPARQL
● Resource-level Granularity
● Context Awareness

Systems compared:
● Shi3ld-SPARQL [2012]
● WAC [2007]
● Proteus [2006]
● Abel et al. [2007]
● Finin et al. [2008]
● Flouris et al. [2010]
● PPO [2011]

Page 8: Access Control for HTTP Operations on Linked Data

Our Proposal: Adapting Shi3ld-SPARQL to HTTP

SELECT …
WHERE {…}

Page 9: Access Control for HTTP Operations on Linked Data

Our Proposal: Adapting Shi3ld-SPARQL to HTTP

GET /data/resource HTTP/1.1
Host: example.org
Authorization: ...

Page 10: Access Control for HTTP Operations on Linked Data

Outline

● Background
● Shi3ld Authorization Procedure
● Adapting Shi3ld-SPARQL to HTTP
● Response Time Evaluation
● Future Work

Page 11: Access Control for HTTP Operations on Linked Data

Shi3ld Access Policy

Policy model (diagram): an AccessPolicy appliesTo a resource, hasAccessPrivilege an AccessPrivilege, and hasAccessConditionSet an AccessConditionSet; the set hasAccessCondition one or more AccessConditions; an AccessCondition hasContext a Context, which describes the user, device and environment (User, Device, Environment).

Two “Styles” for Access Conditions
● SPARQL-based
● SPARQL-less

Page 12: Access Control for HTTP Operations on Linked Data

Sample Access Policy (SPARQL-based)

:policy1 a s4ac:AccessPolicy;
    s4ac:appliesTo :resource;
    s4ac:hasAccessPrivilege s4ac:Read;
    s4ac:hasAccessConditionSet :acs1.

:acs1 a s4ac:AccessConditionSet;
    s4ac:hasAccessCondition :ac1.

:ac1 a s4ac:AccessCondition;
    s4ac:hasQueryAsk
    """ASK
    {?ctx a prissma:Context;
          prissma:environment ?env;
          prissma:user <http://example.org/john.rdf#me>.
     ?env prissma:currentPOI ?poi.
     ?poi prissma:based_near ?p.
     ?p geo:lat ?lat; geo:lon ?lon.
     FILTER(((?lat-45.8483) > 0 && (?lat-45.8483) < 0.5
             || (?lat-45.8483) < 0 && (?lat-45.8483) > -0.5)
            && ((?lon-7.3263) > 0 && (?lon-7.3263) < 0.5
             || (?lon-7.3263) < 0 && (?lon-7.3263) > -0.5 ))}""".

Protected resource: :resource

Access Condition to be verified: «User must be John and request must come from a specific location»

Page 13: Access Control for HTTP Operations on Linked Data

Sample Access Policy (SPARQL-less)

:policy1 a s4ac:AccessPolicy;
    s4ac:appliesTo :resource;
    s4ac:hasAccessPrivilege s4ac:Read;
    s4ac:hasAccessConditionSet :acs1.

:acs1 a s4ac:AccessConditionSet;
    s4ac:hasAccessCondition :ac1.

:ac1 a s4ac:AccessCondition;
    s4ac:hasContext :ctx1.

:ctx1 a prissma:Context;
    prissma:user <http://example.org/john.rdf#me>;
    prissma:environment :env1.

:env1 a prissma:Environment;
    prissma:nearbyEntity <http://alice.org#me>.

Protected resource: :resource

Access Condition to be verified: «User must be John and Alice must be nearby»

Page 14: Access Control for HTTP Operations on Linked Data

Authorization Procedure

1. Adding Client Attributes to HTTP operation
2. Access Conditions Execution
3. HTTP Response Construction

Page 15: Access Control for HTTP Operations on Linked Data

Authorization Procedure

1. Adding Client Attributes to HTTP operation
2. Access Conditions Execution
3. HTTP Response Construction

GET /data/resource HTTP/1.1
Host: example.org
Authorization: Shi3ld <...>

Client attributes carried in the header (diagram; a Context with user, device and environment): :ctx_AC1 has p:user <http://carl-johnson.org#me> and p:environment :env_AC1; :env_AC1 has p:nearbyEntity <http://alice.org#me>; <http://carl-johnson.org#me> has foaf:gender "male".

Page 16: Access Control for HTTP Operations on Linked Data

Authorization Procedure (SPARQL-based)

1. Adding Client Attributes to HTTP operation
2. Access Conditions Execution
3. HTTP Response Construction

GET /data/resource HTTP/1.1
Host: example.org
Authorization: Shi3ld <...>

ASK {?context a prissma:Context;
              prissma:user ex:john.}
VALUES (?context) {(:client_attributes)}
= "false"

Page 17: Access Control for HTTP Operations on Linked Data

Authorization Procedure (SPARQL-less)

1. Adding Client Attributes to HTTP operation
2. Access Conditions Execution
3. HTTP Response Construction

GET /data/resource HTTP/1.1
Host: example.org
Authorization: Shi3ld <...>

Access condition pattern:
:context a prissma:Context;
         prissma:user ex:john.

Client attributes (diagram, as on the previous slide): :ctx_AC1 has p:user <http://carl-johnson.org#me> and p:environment :env_AC1; :env_AC1 has p:nearbyEntity <http://alice.org#me>; <http://carl-johnson.org#me> has foaf:gender "male".

Result: "no match"

Page 18: Access Control for HTTP Operations on Linked Data

Authorization Procedure

1. Adding Client Attributes to HTTP operation
2. Access Conditions Execution
3. HTTP Response Construction

:resource

401 Unauthorized
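The SPARQL-less variant of the three-step procedure above, as an added Python example (not Shi3ld's own code): the client attributes are decoded from the `Authorization: Shi3ld <base64(attributes)>` header, each access condition's context pattern is checked by sub-graph matching against them (the `attributes.contains(AC)` step of the Shi3ld-LDP SPARQL-less design), and the outcome becomes 200 or 401 as on the slides. Assumptions: a constructed one-statement-per-line triple format stands in for real Turtle, the policy's local nodes :ctx1/:env1 are treated as variables, and all access conditions in a set must hold.

```python
import base64

def parse_triples(text):
    """One 's p o .' per line (constructed mini-format); 'a' abbreviates rdf:type."""
    rows = [ln.rstrip(" .").split(None, 2) for ln in text.strip().splitlines()]
    return [(s, "rdf:type" if p == "a" else p, o) for s, p, o in rows]

def _unify(term, value, binding):
    """Terms starting with '?' are variables, bound once per match attempt."""
    if term.startswith("?"):
        return binding.setdefault(term, value) == value
    return term == value

def subgraph_match(pattern, data, binding=None):
    """Backtracking search: each pattern triple must map onto a data triple under one binding."""
    binding = binding or {}
    if not pattern:
        return True
    for triple in data:
        trial = dict(binding)
        if all(_unify(t, v, trial) for t, v in zip(pattern[0], triple)):
            if subgraph_match(pattern[1:], data, trial):
                return True
    return False

def client_attributes(headers):
    """Step 1: decode 'Authorization: Shi3ld <base64(attributes)>' (slide 15)."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    return parse_triples(base64.b64decode(blob).decode()) if scheme == "Shi3ld" else []

def authorize(headers, access_conditions):
    """Steps 2 and 3: all conditions must match (assumed conjunctive), otherwise 401."""
    attrs = client_attributes(headers)
    return 200 if attrs and all(subgraph_match(ac, attrs) for ac in access_conditions) else 401

def request_for(attributes_text):
    """Constructed GET headers carrying the client attributes in base64."""
    blob = base64.b64encode(attributes_text.encode()).decode()
    return {"Host": "example.org", "Authorization": "Shi3ld " + blob}

# Slide 13's SPARQL-less condition (user is John, Alice nearby); ?ctx/?env stand for :ctx1/:env1.
AC1 = parse_triples("""?ctx a prissma:Context .
?ctx prissma:user <http://example.org/john.rdf#me> .
?ctx prissma:environment ?env .
?env prissma:nearbyEntity <http://alice.org#me> .""")
# Constructed client attributes modelled on slide 15 (Carl Johnson, Alice nearby): no match.
CARL = """:ctx_AC1 a prissma:Context .
:ctx_AC1 prissma:user <http://carl-johnson.org#me> .
:ctx_AC1 prissma:environment :env_AC1 .
:env_AC1 prissma:nearbyEntity <http://alice.org#me> ."""
```

Swapping Carl's IRI for John's in CARL makes the same condition match and `authorize` return 200; a request without the header, or with Alice replaced by someone else, stays at 401.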

Page 19: Access Control for HTTP Operations on Linked Data

Outline

● Introduction
● Authorization Procedure
● Shi3ld for HTTP: Scenarios
● Response Time Evaluation
● Future Work

Page 20: Access Control for HTTP Operations on Linked Data

HTTP Operations on Linked Data: Our Scenarios

● SPARQL 1.1 Graph Store Protocol (GSP)
● W3C Linked Data Platform (LDP) 1.0: best practices for a read-write HTTP-based Linked Data architecture.

GET /rdf-graph-store?graph=... HTTP/1.1
Host: example.com
Accept: text/turtle; charset=utf-8

CONSTRUCT { ?s ?p ?o }
WHERE { GRAPH <...> { ?s ?p ?o } }

Page 21: Access Control for HTTP Operations on Linked Data

HTTP Operations on Linked Data: Our Scenarios

● SPARQL 1.1 Graph Store Protocol (GSP) → Shi3ld-GSP
● W3C Linked Data Platform (LDP) 1.0 → Shi3ld-LDP
  • SPARQL-based
  • SPARQL-less

Page 23: Access Control for HTTP Operations on Linked Data

Shi3ld-GSP

Sequence diagram: Client ⇄ Shi3ld-GSP ⇄ SPARQL 1.1 GSP / Triple Store (HTTP between the client and Shi3ld-GSP; HTTP/SPARQL between Shi3ld-GSP and the store).

Client → Shi3ld-GSP:
    GET /data/resource HTTP/1.1
    Host: example.org
    Authorization: Shi3ld:base64(attributes)

1. Adding Client Attributes: INSERT DATA (attributes)
2. AC Execution: SELECT (Access Policies), then ASK (AC1) ... ASK (ACn)
3. HTTP Response Construction: the request is forwarded to the GSP endpoint
    GET /data/resource HTTP/1.1
    Host: example.org
   and the result (200 OK) is returned to the client

Page 25: Access Control for HTTP Operations on Linked Data

Shi3ld-LDP (SPARQL-based)

Component diagram: Client ⇄ (HTTP) LDP Server, which contains the Shi3ld Frontend, the Shi3ld-LDP Internal SPARQL Engine and Internal Triple Store (Shi3ld Internal), and the File System / Triple Store holding the data.

Client → Shi3ld Frontend:
    GET /data/resource HTTP/1.1
    Host: example.org
    Authorization: Shi3ld:base64(attributes)

1. Adding Client Attributes: INSERT DATA (attributes) into the internal triple store
2. AC Execution: SELECT (Access Policies), then ASK (AC1) ... ASK (ACn) on the internal SPARQL engine
3. HTTP Response Construction: getData() from the File System / Triple Store, 200 OK to the client

Page 26: Access Control for HTTP Operations on Linked Data

Shi3ld-LDP (SPARQL-less)

Component diagram: Client ⇄ (HTTP) LDP Server, which contains the Shi3ld Frontend, the Shi3ld-LDP Subgraph matcher (Shi3ld Internal), and the File System / Triple Store holding the data.

Client → Shi3ld Frontend:
    GET /data/resource HTTP/1.1
    Host: example.org
    Authorization: Shi3ld:base64(attributes)

1. Adding Client Attributes: Save attributes
2. AC Execution: Get Access Policies, then attributes.contains(AC1) ... attributes.contains(ACn) in the subgraph matcher
3. HTTP Response Construction: getData() from the File System / Triple Store, 200 OK to the client

Page 27: Access Control for HTTP Operations on Linked Data

Outline

● Background
● Authorization Procedure
● Shi3ld for HTTP: Scenarios
● Response Time Evaluation
● Future Work

Page 28: Access Control for HTTP Operations on Linked Data

Response Time Evaluation

● Response time grows linearly with the number of access conditions
● SPARQL-less: 25% faster
● Empty RDF store: only 14% faster

Page 29: Access Control for HTTP Operations on Linked Data

Response Time Evaluation

● AC complexity does not affect response time
● Response time is independent of the HTTP method

Page 30: Access Control for HTTP Operations on Linked Data

Outline

● Background
● Authorization Procedure
● Shi3ld for HTTP: Scenarios
● Response Time Evaluation
● Future Work

Page 31: Access Control for HTTP Operations on Linked Data

Future Work

● Client Attributes Trustworthiness
● Client Attributes Caching
● Admin UI

bit.ly/shi3ld-http

Luca Costabello @lukostaz
Serena Villata @serena_villata
Oscar Rodriguez-Rocha @orocha
Fabien Gandon @fabien_gandon