Universal
Access Control
(UAC)

generic access control for triplestores

& LDApp

JavaScript Linked Data stack

Thomas Bergwinkl / @bergi_bergos

About Me

• Read Write Web Community Group Member
• WebID W3C Incubator Group Invited Expert
• Open source developer (e.g. PHP semantic web framework, C wavlet based video codec, JavaScript DSLR raw developer)

LDApp Release Team

Pascal Mainini, mainini.ch

Linked Data Engineer

Resource Description Framework (RDF) / Linked Data

Graph based data model for the Web

Node

• Named Node

  • IRI (International Resource Identifier)
  • URI + non-ASCII characters

• Blank Node

  • local identifiers

• Literal

  • basic values
  • associated with a datatype (Named Node)
  • optionally associated with a language tag

Triple

Subject

Named Node or Blank Node

Predicate

Named Node

Object

Named Node, Blank Node or Literal

Graph

• set of triples
• IRI identifier

Turtle serialisation

Named Node

wrapped in <>

Blank Node

prefixed with _:

Literal

wrapped in "" or multi-line """"""

Turtle serialisation

Datatype

appended to the literal, separated by ^^

Language

appended to the literal, separated by @

Why Linked Data?

• self-documenting / self-describing data structures
• language-independent: W3C Wiki - Semantic Web Tools
• use the decentralized structure of the Web for your data

• artificial intelligence

  • build the next Watson with less natural language processing
  • Freebase -> Google Knowledge Graph
• notes by Tim Berners-Lee: Design Issues

Universal
Access Control
(UAC)

generic access control for triplestores

Blog - Simple Top-Down Example

Role Tree

UAC Role

_:roleReadBlog a uac:Role;
  uac:access [ a uac:TripleAuthorization;
    uac:mode uac:Read;
    uac:filter [ a uac:SimpleFilter;
      uac:predicate rdf:type;
      uac:object s:Blog;
    ], [ a uac:SimpleFilter;
      uac:predicate s:name;
      uac:predicate s:description;
    ];
  ], [ a uac:TripleAuthorization;
    uac:mode uac:Read;
    uac:filter [ a uac:SimpleFilter;
      uac:predicate s:blogPost;
    ];
    uac:children [
      uac:access [ a uac:TripleAuthorization;
        uac:mode uac:Read;
        uac:filter [ a uac:SimpleFilter;
          uac:predicate rdf:type;
          uac:object s:BlogPosting;
        ], [ a uac:SimpleFilter;
          uac:predicate s:datePublished;
          uac:predicate s:author;
          uac:predicate s:headline;
          uac:predicate s:articleBody;
        ];
      ];
    ];
  ].

Tagged Blog Post - Required Triples

Role Tree - Required Triples

UAC Role

    ...
      uac:access [ a uac:TripleAuthorization;
        uac:mode uac:Read;
        uac:filter [ a uac:SimpleFilter;
          uac:predicate rdf:type;
          uac:object s:BlogPosting;
        ], [ a uac:SimpleFilter;
          uac:predicate s:datePublished;
          uac:predicate s:author;
          uac:predicate s:headline;
          uac:predicate s:articleBody;
        ];
      ], [ a uac:TripleAuthorization;
        uac:required "true";
        uac:filter [ a uac:SimpleFilter;
		  uac:predicate s:keyword;
		  uac:object :public;
		];
      ];
    ...

Blog Post Image - Linked Resource

UAC Role

    ...
      uac:access [ a uac:TripleAuthorization;
        uac:mode uac:Read;
        uac:filter [ a uac:SimpleFilter;
          uac:predicate rdf:type;
          uac:object s:BlogPosting;
        ], [ a uac:SimpleFilter;
          uac:predicate s:datePublished;
          uac:predicate s:author;
          uac:predicate s:headline;
          uac:predicate s:articleBody;
        ];
      ], [ a uac:TripleAuthorization;
        uac:mode uac:Read;
        uac:filter [ a uac:SimpleFilter;
          uac:predicate s:image;
        ];
        uac:children [
          uac:access [ a uac:ResourceAuthorization;
            uac:mode uac:Read;
          ...

Blog Post Comment - Write Access

Role Tree - Write Access

UAC Role

_:roleWriteBlogComment a uac:Role;
  uac:access [ a uac:TripleAuthorization;
  uac:filter [ a uac:SimpleFilter; uac:predicate s:blogPost; ];
  uac:children [
    uac:access [ a uac:TripleAuthorization;
      uac:mode uac:Write;
        uac:filter [ a uac:SimpleFilter; uac:predicate s:comment; ];
        uac:children [
          uac:access [ a uac:TripleAuthorization;
            uac:mode uac:Write;
            uac:filter [ a uac:SimpleFilter;
              uac:predicate rdf:type;
              uac:object s:UserComments;
            ], [ a uac:SimpleFilter;
              uac:predicate s:commentTime;
              uac:predicate s:commentText;
            ];
          ], [ a uac:TripleAuthorization;
            uac:mode uac:Write;
            uac:filter [ a uac:SimpleFilter; uac:predicate s:creator; ];
#           uac:filter [ a uac:VariableFilter;
#             uac:predicate [ uac:value s:creator; ];
#             uac:object [ uac:variable "agent"; ];
#           ];
#           uac:required "true";
          ...

Assigning a UAC Role

_:authReadBlog a uac:Authorization;
  uac:agent <https://www.bergnet.org/people/bergi/card#me>;
  uac:hasRole
    _:roleReadBlog,
    _:roleWriteBlogComment.

LDApp

JavaScript Linked Data stack

• based on standards wherever possible

  • RDF-Interfaces
  • WebID
  • JSON-LD
  • LDP
  • SPARQL

• created missing standards

  • RDF-Ext
  • Universal Access Control

server side

client side

RDF-Ext

• extension to RDF-Interfaces
• Store interface
• asynchron parser & serializer interface
• Promise wrappers

• Store implementations

  • SPARQL
  • LDP
  • InMemory
  • Event
  • Sync (TODO)

• parser & serializer implementations

  • Turtle
  • NTriples
  • JSON-LD

RDF-JSONify

REST-like interface to access a Store using JSON-LD

Promise API

always asynchron, which may cause needless DOM updates

combined return/callback API

directly returns a value if cached, otherwise the callback is used

Questions?

Thank You!