Universal
Access Control
(UAC)

generic access control for triplestores

& LDApp

JavaScript Linked Data stack

Thomas Bergwinkl / @bergi_bergos

About Me

  • Read Write Web Community Group Member
  • WebID W3C Incubator Group Invited Expert
  • Open source developer (e.g. PHP semantic web framework, C wavelet based video codec, JavaScript DSLR raw developer)

LDApp Release Team


Adrian Gschwend, netlabs.org

Linked Data & Open Source Enthusiast


Pascal Mainini, mainini.ch

Linked Data Engineer

Resource Description Framework (RDF) / Linked Data

Graph based data model for the Web

Node

  • Named Node

    • IRI (International Resource Identifier)
    • URI + non-ASCII characters
  • Blank Node

    • local identifiers
  • Literal

    • basic values
    • associated with a datatype (Named Node)
    • optionally associated with a language tag

Triple

Subject

Named Node or Blank Node


Predicate

Named Node


Object

Named Node, Blank Node or Literal


Graph

  • set of triples
  • IRI identifier

Turtle serialisation

Named Node

wrapped in <>


Blank Node

prefixed with _:


Literal

wrapped in "" or multi-line """"""


Turtle serialisation

Datatype

appended to the literal, separated by ^^


Language

appended to the literal, separated by @
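As an added example (my code, not from the slides or from LDApp), here is a serializer and parser for the three term kinds in N-Triples syntax, the prefix-free subset of Turtle that the rules above describe. The term objects follow the RDF-Interfaces shape (`interfaceName`, `nominalValue`, `datatype`, `language`); that shape and the helper names are assumptions of this example.

```javascript
// Added example (not code from the slides or from LDApp): serialising and parsing
// RDF terms in N-Triples syntax. Term objects use the RDF-Interfaces shape
// (interfaceName, nominalValue, datatype, language); that shape is an assumption here.

const XSD_STRING = 'http://www.w3.org/2001/XMLSchema#string';
const RDF_LANGSTRING = 'http://www.w3.org/1999/02/22-rdf-syntax-ns#langString';

function namedNode(iri) { return { interfaceName: 'NamedNode', nominalValue: iri }; }
function blankNode(id) { return { interfaceName: 'BlankNode', nominalValue: id }; }
function literal(value, { language, datatype } = {}) {
  // a language-tagged literal is always rdf:langString; a plain literal defaults to xsd:string
  const dt = language ? RDF_LANGSTRING : (datatype || XSD_STRING);
  const term = { interfaceName: 'Literal', nominalValue: value, datatype: namedNode(dt) };
  if (language) term.language = language;
  return term;
}

// Escape the characters that must not appear raw inside a "..." literal
function escapeLiteral(value) {
  return value
    .replace(/\\/g, '\\\\')
    .replace(/"/g, '\\"')
    .replace(/\n/g, '\\n')
    .replace(/\r/g, '\\r')
    .replace(/\t/g, '\\t');
}

function unescapeLiteral(value) {
  return value.replace(/\\(.)/g, (_, c) => ({ n: '\n', r: '\r', t: '\t' })[c] || c);
}

function serializeTerm(term) {
  switch (term.interfaceName) {
    case 'NamedNode':
      return '<' + term.nominalValue + '>';            // named nodes are wrapped in <>
    case 'BlankNode':
      return '_:' + term.nominalValue;                 // blank nodes are prefixed with _:
    case 'Literal': {
      const body = '"' + escapeLiteral(term.nominalValue) + '"';
      if (term.language) return body + '@' + term.language;     // language tag after @
      if (term.datatype.nominalValue !== XSD_STRING) {
        return body + '^^' + serializeTerm(term.datatype);       // datatype after ^^
      }
      return body;                                     // xsd:string stays implicit
    }
    default:
      throw new Error('unknown term kind: ' + term.interfaceName);
  }
}

function serializeTriple(t) {
  return [t.subject, t.predicate, t.object].map(serializeTerm).join(' ') + ' .';
}

// One term in N-Triples syntax: IRI, blank node, or literal with optional @lang / ^^<datatype>
const TERM_RE = /^(?:<([^<>"\s]*)>|_:(\S+)|"((?:[^"\\]|\\.)*)"(?:@([A-Za-z]+(?:-[A-Za-z0-9]+)*)|\^\^<([^<>"\s]*)>)?)$/;

function parseTerm(text) {
  const m = TERM_RE.exec(text.trim());
  if (!m) throw new Error('not an N-Triples term: ' + text);
  if (m[1] !== undefined) return namedNode(m[1]);
  if (m[2] !== undefined) return blankNode(m[2]);
  return literal(unescapeLiteral(m[3]), { language: m[4], datatype: m[5] });
}

// Usage on a constructed triple
console.log(serializeTriple({
  subject: namedNode('http://example.org/blog'),
  predicate: namedNode('http://schema.org/name'),
  object: literal('Linked Data blog', { language: 'en' }),
}));
```

The escaping step is the part worth keeping in mind when data comes from users: a literal containing `"` or a newline is written back out as `\"` and `\n`, so it cannot terminate the string early or start a new triple when the output is parsed again.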


Why Linked Data?

  • self-documenting / self-describing data structures
  • language-independent: W3C Wiki - Semantic Web Tools
  • use the decentralized structure of the Web for your data
  • artificial intelligence

    • build the next Watson with less natural language processing
    • Freebase -> Google Knowledge Graph
  • notes by Tim Berners-Lee: Design Issues

Universal
Access Control
(UAC)

generic access control for triplestores

Blog - Simple Top-Down Example

Role Tree

UAC Role

_:roleReadBlog a uac:Role;
  uac:access [ a uac:TripleAuthorization;
    uac:mode uac:Read;
    uac:filter [ a uac:SimpleFilter;
      uac:predicate rdf:type;
      uac:object s:Blog;
    ], [ a uac:SimpleFilter;
      uac:predicate s:name;
      uac:predicate s:description;
    ];
  ], [ a uac:TripleAuthorization;
    uac:mode uac:Read;
    uac:filter [ a uac:SimpleFilter;
      uac:predicate s:blogPost;
    ];
    uac:children [
      uac:access [ a uac:TripleAuthorization;
        uac:mode uac:Read;
        uac:filter [ a uac:SimpleFilter;
          uac:predicate rdf:type;
          uac:object s:BlogPosting;
        ], [ a uac:SimpleFilter;
          uac:predicate s:datePublished;
          uac:predicate s:author;
          uac:predicate s:headline;
          uac:predicate s:articleBody;
        ];
      ];
    ];
  ].

Tagged Blog Post - Required Triples

Role Tree - Required Triples

UAC Role

    ...
      uac:access [ a uac:TripleAuthorization;
        uac:mode uac:Read;
        uac:filter [ a uac:SimpleFilter;
          uac:predicate rdf:type;
          uac:object s:BlogPosting;
        ], [ a uac:SimpleFilter;
          uac:predicate s:datePublished;
          uac:predicate s:author;
          uac:predicate s:headline;
          uac:predicate s:articleBody;
        ];
      ], [ a uac:TripleAuthorization;
        uac:required "true";
        uac:filter [ a uac:SimpleFilter;
          uac:predicate s:keyword;
          uac:object :public;
        ];
      ];
    ...

Blog Post Image - Linked Resource

UAC Role

    ...
      uac:access [ a uac:TripleAuthorization;
        uac:mode uac:Read;
        uac:filter [ a uac:SimpleFilter;
          uac:predicate rdf:type;
          uac:object s:BlogPosting;
        ], [ a uac:SimpleFilter;
          uac:predicate s:datePublished;
          uac:predicate s:author;
          uac:predicate s:headline;
          uac:predicate s:articleBody;
        ];
      ], [ a uac:TripleAuthorization;
        uac:mode uac:Read;
        uac:filter [ a uac:SimpleFilter;
          uac:predicate s:image;
        ];
        uac:children [
          uac:access [ a uac:ResourceAuthorization;
            uac:mode uac:Read;
          ...

Blog Post Comment - Write Access

Role Tree - Write Access

UAC Role

_:roleWriteBlogComment a uac:Role;
  uac:access [ a uac:TripleAuthorization;
    uac:filter [ a uac:SimpleFilter; uac:predicate s:blogPost; ];
    uac:children [
      uac:access [ a uac:TripleAuthorization;
        uac:mode uac:Write;
        uac:filter [ a uac:SimpleFilter; uac:predicate s:comment; ];
        uac:children [
          uac:access [ a uac:TripleAuthorization;
            uac:mode uac:Write;
            uac:filter [ a uac:SimpleFilter;
              uac:predicate rdf:type;
              uac:object s:UserComments;
            ], [ a uac:SimpleFilter;
              uac:predicate s:commentTime;
              uac:predicate s:commentText;
            ];
          ], [ a uac:TripleAuthorization;
            uac:mode uac:Write;
            uac:filter [ a uac:SimpleFilter; uac:predicate s:creator; ];
#           uac:filter [ a uac:VariableFilter;
#             uac:predicate [ uac:value s:creator; ];
#             uac:object [ uac:variable "agent"; ];
#           ];
#           uac:required "true";
          ...

Assigning a UAC Role

_:authReadBlog a uac:Authorization;
  uac:agent <https://www.bergnet.org/people/bergi/card#me>;
  uac:hasRole
    _:roleReadBlog,
    _:roleWriteBlogComment.
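As an added example (my code, not from the slides or from LDApp), here is an evaluator for the role trees on the preceding slides: the read role tree, the required-triple gate, the write role for comments, and the agent-to-role assignment. The evaluation rules are my reading of the slides rather than a specification: a `SimpleFilter` matches a triple whose predicate is one of the filter's predicates and, if the filter names an object, whose object equals it; an authorization applies its children to the objects of the triples it matched; an authorization without a mode only opens a path to its children; a `required` authorization must match at least one triple of the resource or the whole resource is withheld. Terms are written as strings in the prefixed form the slides use, and the sample graph is constructed.

```javascript
// Added example (not code from the slides or from LDApp): evaluating a UAC-style
// role tree over triples. The matching rules below are my interpretation of the slides.

const T = (s, p, o) => ({ s, p, o });
const key = t => `${t.s} ${t.p} ${t.o}`;

// _:roleReadBlog from the slides, including the required s:keyword :public gate on posts
const roleReadBlog = [
  { mode: 'Read', filter: [{ predicate: ['rdf:type'], object: 's:Blog' },
                           { predicate: ['s:name', 's:description'] }] },
  { mode: 'Read', filter: [{ predicate: ['s:blogPost'] }],
    children: [
      { mode: 'Read', filter: [{ predicate: ['rdf:type'], object: 's:BlogPosting' },
                               { predicate: ['s:datePublished', 's:author', 's:headline', 's:articleBody'] }] },
      { required: true, filter: [{ predicate: ['s:keyword'], object: ':public' }] },
    ] },
];

// _:roleWriteBlogComment from the slides (the commented-out VariableFilter is left out)
const roleWriteBlogComment = [
  { filter: [{ predicate: ['s:blogPost'] }],                 // no mode: path only
    children: [
      { mode: 'Write', filter: [{ predicate: ['s:comment'] }],
        children: [
          { mode: 'Write', filter: [{ predicate: ['rdf:type'], object: 's:UserComments' },
                                    { predicate: ['s:commentTime', 's:commentText'] }] },
          { mode: 'Write', filter: [{ predicate: ['s:creator'] }] },
        ] },
    ] },
];

function matches(filters, triple) {
  return filters.some(f => f.predicate.includes(triple.p) &&
                           (f.object === undefined || f.object === triple.o));
}

// Triples of `graph` granted for `mode` when the authorizations are applied at `subject`
function authorize(graph, authorizations, subject, mode, path = []) {
  if (path.includes(subject)) return [];                  // cycle guard along one path
  const own = graph.filter(t => t.s === subject);
  if (authorizations.some(a => a.required && !own.some(t => matches(a.filter, t)))) {
    return [];                                            // required triple missing: withhold all
  }
  const granted = new Map();
  for (const a of authorizations) {
    const hit = own.filter(t => matches(a.filter, t));
    if (a.mode === mode) hit.forEach(t => granted.set(key(t), t));
    for (const t of a.children ? hit : []) {
      authorize(graph, a.children, t.o, mode, [...path, subject]).forEach(c => granted.set(key(c), c));
    }
  }
  return [...granted.values()];
}

// Union of what every role assigned to the agent grants (the uac:hasRole slide)
function authorizeAgent(graph, assignment, agent, subject, mode) {
  const granted = new Map();
  for (const role of assignment[agent] || []) {
    authorize(graph, role, subject, mode).forEach(t => granted.set(key(t), t));
  }
  return [...granted.values()];
}

// A write is allowed only if every inserted triple is granted with mode Write,
// evaluated over the graph as it would look after the insert
function writeAllowed(graph, assignment, agent, subject, insert) {
  const ok = new Set(authorizeAgent(graph.concat(insert), assignment, agent, subject, 'Write').map(key));
  return insert.every(t => ok.has(key(t)));
}

// Constructed sample data: a blog with one public and one unpublished post
const graph = [
  T(':blog', 'rdf:type', 's:Blog'),
  T(':blog', 's:name', '"Linked Data blog"'),
  T(':blog', 's:adminNote', '"not covered by any filter"'),
  T(':blog', 's:blogPost', ':post1'),
  T(':blog', 's:blogPost', ':post2'),
  T(':post1', 'rdf:type', 's:BlogPosting'),
  T(':post1', 's:headline', '"Public post"'),
  T(':post1', 's:keyword', ':public'),
  T(':post2', 'rdf:type', 's:BlogPosting'),
  T(':post2', 's:headline', '"Unpublished draft"'),
];
const AGENT = '<https://www.bergnet.org/people/bergi/card#me>';
const assignment = { [AGENT]: [roleReadBlog, roleWriteBlogComment] };

const newComment = [
  T(':post1', 's:comment', '_:c1'),
  T('_:c1', 'rdf:type', 's:UserComments'),
  T('_:c1', 's:commentText', '"Nice post"'),
  T('_:c1', 's:creator', AGENT),
];
console.log(authorizeAgent(graph, assignment, AGENT, ':blog', 'Read').map(key));
console.log(writeAllowed(graph, assignment, AGENT, ':blog', newComment));                          // true
console.log(writeAllowed(graph, assignment, AGENT, ':blog', [T(':post1', 's:headline', '"x"')])); // false
```

Two properties of the evaluation are the ones to check in a real implementation: everything not matched by a filter is withheld (the `s:adminNote` triple and the whole unpublished post never appear in the read result), and a write is judged over the graph after the insert, so a comment is only accepted when every triple it adds sits under a Write authorization reached from the blog root.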

LDApp

JavaScript Linked Data stack

server side

client side

RDF-Ext

  • extension to RDF-Interfaces
  • Store interface
  • asynchronous parser & serializer interface
  • Promise wrappers
  • Store implementations

    • SPARQL
    • LDP
    • InMemory
    • Event
    • Sync (TODO)
  • parser & serializer implementations

    • Turtle
    • NTriples
    • JSON-LD

RDF-JSONify

REST-like interface to access a Store using JSON-LD


Promise API

always asynchronous, which may cause needless DOM updates


combined return/callback API

directly returns a value if cached, otherwise the callback is used
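As an added example (my code, not RDF-JSONify's own implementation) of the combined return/callback pattern just described: a cache in front of a store whose `graph(iri, callback)` call is asynchronous, in the style of the RDF-Ext Store interface. The store stub and the cache's function names are assumptions of this example.

```javascript
// Added example (not RDF-JSONify's code): the combined return/callback pattern.
// `store.graph(iri, callback)` is assumed to be an asynchronous store call.

function cachedGraphs(store) {
  const cache = new Map();
  const pending = new Map();   // in-flight requests, so one fetch serves every waiting callback

  // Returns the graph directly if it is cached; otherwise returns undefined and
  // hands the graph to `callback` once the store delivers it.
  function graph(iri, callback) {
    if (cache.has(iri)) return cache.get(iri);
    if (pending.has(iri)) {
      pending.get(iri).push(callback);
      return undefined;
    }
    pending.set(iri, [callback]);
    store.graph(iri, result => {
      cache.set(iri, result);
      const waiting = pending.get(iri);
      pending.delete(iri);
      waiting.forEach(cb => cb(result));
    });
    return undefined;
  }

  function invalidate(iri) { cache.delete(iri); }   // drop a stale entry after a write
  return { graph, invalidate, size: () => cache.size };
}

// Constructed store stub: answers asynchronously and counts how often it was asked
function fakeStore(delayMs) {
  const data = { 'http://example.org/blog': ['<http://example.org/blog> a s:Blog .'] };
  let calls = 0;
  return {
    calls: () => calls,
    graph(iri, callback) {
      calls += 1;
      setTimeout(() => callback(data[iri] || []), delayMs);
    },
  };
}

// Usage: the first call is answered through the callback, the second one directly
const store = fakeStore(10);
const graphs = cachedGraphs(store);
const first = graphs.graph('http://example.org/blog', g => {
  console.log('callback:', g, 'store calls:', store.calls());        // 1
  console.log('direct:', graphs.graph('http://example.org/blog'));  // same graph, no second store call
});
console.log('first return value:', first);                           // undefined
```

The caller therefore has to handle both paths: use the return value when it is defined and skip the DOM update otherwise, which is exactly what avoids the needless re-render a purely promise-based API would trigger.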

Questions?

Thank You!