Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Create wac-acp-diff-story.md #178

Merged
merged 16 commits into from
Apr 7, 2021
Merged

Create wac-acp-diff-story.md #178

merged 16 commits into from
Apr 7, 2021

Conversation

ericprud
Copy link

A little store to bootstream WAC users to understand ACP

A little store to bootstream WAC users to understand ACP
Copy link
Contributor

@bblfish bblfish left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is describing WAC with Shex not over constraining WAC? Will not any WAC extension that is consistent with the semantics not break any of the rules presented here?
Shex it seems to me is good at describing the current very constrained situation, but not one where description logics are deployed.


<AclShape> {
# who
( acl:agentClass @<GroupShape> OR [foaf:Agent] ;
Copy link
Contributor

@bblfish bblfish Feb 24, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

According to Shex Value sets this statement says that ACL Shapes are constraining the acl:agentClass range to be a Group with member or the singleton foaf:Agent.
But that is overly restrictive interpretation of WAC:

  1. In Issue 176 I point to the fact that WAC has a subclass of foaf:Agent that is acl:AuthenticatedAgent. This shows that WAC always intended to allow subclasses of foaf:Agent to be allowed in the range of acl:agentClass
  2. Given that one can use subclasses of foaf:Agent as the range of acl:AgentClass one can also build descriptions of agents in many more ways, as show again in issue Limitations: Only Trust Certain issuers of Identity #176. This may not fit current deployments of WAC but those don't fit current deployments of ACP either.
    There is nothing therefore stopping WAC to grow to allow these extensions.

The danger of using Shex here is that its argument works by over constraining WAC and then showing it cannot be extended in the way it clearly can.

Copy link
Contributor

@bblfish bblfish Mar 4, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is overly restrictive. The acl ontology has

 acl:agentClass     a rdf:Property;
         :comment "A class of persons or social entities to being given the right";
         :domain acl:Authorization;
         :label "agent class";
         :range :Class .

which states that the range of agent can be any Class, eg the class of people over 18, or over 21, or married people, etc. The ShEX states that the only class can only be foaf:Agent.


# to what resource
( acl:accessTo IRI
| acl:accessToClass [foaf:Document] OR @<AclRegexShape>
Copy link
Contributor

@bblfish bblfish Feb 24, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not sure enough about the Shex shape language. But it seems to be saying that acl:accessToClass is either the class foaf:Document or a RegexShape. But that is not right

  1. foaf:Document is a class but that is the least likely class one would use in an access control rule: It would be stating that some set of agents is allowed access to all documents. What is interesting is to place subclasses in that position.
  2. I used regexes in rww-play, but I don't think the current WAC does this. (I may be mistaken). Still a regex can be used as a way among others define a set resources. Other ways are by describing sets of resources related to a date, to authorship, etc... So if you cut out the subclassing possibilities of RDF then you will come to conclusions about the limitations of WAC that are related to the constraint language used, not to wac as an RDF vocabulary.

@bblfish
Copy link
Contributor

bblfish commented Feb 26, 2021

I have written up issue #184 showing how one can extend WAC with one relation, to get the same results as ACP gets above (without using regexes).

I think that would be even a clearer way to explain the difference between WAC and ACP, or the contribution of ACP to WAC, however one wants to look at this.

# ACP Compared to Web Access Control

Audience: those familiar with WAC or those who learn from comparisons

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Indicate that this is for the purpose of discussion/exercise -- as other things are moving in parallel - and not to be taken as authoritative definitions of the mechanisms.

Comment on lines 3 to 6
This document is intended to reflect the following authoritative-ish definitions:
- [W3C wiki](http://www.w3.org/wiki/WebAccessControl)
- [solid/specification](http://github.com/solid/specification)
- [sold/web-access-control](http://github.com/solid/solid-spec)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
This document is intended to reflect the following authoritative-ish definitions:
- [W3C wiki](http://www.w3.org/wiki/WebAccessControl)
- [solid/specification](http://github.com/solid/specification)
- [sold/web-access-control](http://github.com/solid/solid-spec)
This document is intended to reflect the following authoritative-ish definitions/clarifications e.g.:
- [W3C wiki](http://www.w3.org/wiki/WebAccessControl)
- [solid/specification](http://github.com/solid/specification)
- [solid/solid-spec](http://github.com/solid/solid-spec)
- [solid/web-access-control-spec](http://github.com/solid/web-access-control-spec)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This document is intended to reflect the following authoritative-ish definitions/clarifications e.g.:

the following fights with e.g. (readable as, for example)

I suggest either --
This document is intended to reflect the following authoritative-ish definitions/clarifications:
-- or --
This document is intended to reflect a number of authoritative-ish definitions/clarifications, including the following:

Copy link
Contributor

@bblfish bblfish left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The over restrictive nature of the ShEx is provably false by consulting the ontology.


<AclShape> {
# who
( acl:agentClass @<GroupShape> OR [foaf:Agent] ;
Copy link
Contributor

@bblfish bblfish Mar 4, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is overly restrictive. The acl ontology has

 acl:agentClass     a rdf:Property;
         :comment "A class of persons or social entities to being given the right";
         :domain acl:Authorization;
         :label "agent class";
         :range :Class .

which states that the range of agent can be any Class, eg the class of people over 18, or over 21, or married people, etc. The ShEX states that the only class can only be foaf:Agent.

)+ ;

# can do what
acl:mode [acl:Read acl:Write acl:Append acl:Control] + ;
Copy link
Member

@csarven csarven Mar 4, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The value set for acl:mode is overly restrictive as per ACL Ontology:

    acl:mode     a rdf:Property;
         :comment "A mode of access such as read or write.";
         :domain acl:Authorization;
         :label "access mode";
         :range :Class .

The rule may reflect deployments however ACL permits any class eg. :Create, :Delete.

Copy link
Contributor

@bblfish bblfish Mar 4, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

note: the acl Ontology would be a lot clearer if it restricted the range of acl:mode to the subclasses of acl:Access. See issue #187

@bblfish
Copy link
Contributor

bblfish commented Mar 5, 2021

I like this story, as it helps understand what the differences are with how WAC is currently deployed. But if these documents are not just going to be one way conversations, but a way to help grow our common understanding, it should refer to #184 which shows how WAC could do the same. From there we can move on to the next feature of ACP, to see what it brings to the table.

@bblfish
Copy link
Contributor

bblfish commented Mar 5, 2021

Note: the non-normative ShEx for WAC would actually work with the :authorization proposal in Issue #184 if one applies it to the ACR graph plus authorization linked graphs and the acl:accessControl relation after applying the required simple reasoning, which would add the required acl:accessTo relations.

@ericprud
Copy link
Author

Per the data interop meeting today, i migrated this to a new file and added a couple properties to WAC's ShEx

@elf-pavlik elf-pavlik merged commit 66691b8 into solid:main Apr 7, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants