From 51e0a6460b703176ed871fdd7e9f1c53e5fe1788 Mon Sep 17 00:00:00 2001 From: Matthieu Bosquet Date: Tue, 27 Jul 2021 15:47:55 +0100 Subject: [PATCH 01/37] Effective ACR discovery --- proposals/evaluation/uc-0-effective-acr.md | 57 ++++++++++++++++++++++ proposals/evaluation/use-cases.md | 1 + 2 files changed, 58 insertions(+) create mode 100644 proposals/evaluation/uc-0-effective-acr.md diff --git a/proposals/evaluation/uc-0-effective-acr.md b/proposals/evaluation/uc-0-effective-acr.md new file mode 100644 index 00000000..da4aa54a --- /dev/null +++ b/proposals/evaluation/uc-0-effective-acr.md 
@@ -0,0 +1,57 @@ +# Effective Access Control Resource Discovery Use Cases + +This is part 0 of the [implementation specific use cases comparison](./use-cases.md). + +The resource mandating access over another resource is called its effective access control resource (ACR). + +## 1. Discovering a resource's effective access control + +A Solid client needs to discover effective ACR in order to understand and or edit access permissions. + +Both WAC and ACP use the same effective ACR discovery mechanism. + +### Setup + +We have the following hierarchy of resources: + +``` + + +``` + +### Universal effective ACR discovery + +An agent making a GET or HEAD HTTP request on `` will receive a `Link: ; rel="acl"` header in the response that points to the above ``. + +The Link header with relationship type `acl` indicates the access control resource of a resource. + +### ACP + +In ACP, every resource has exactly 1 effective access control resource directly associated to it and every access control resource directly mandates access over exactly one resource and itself. + +In ACP, access control statements can be spread over several resources, that is, an access control resource can reference other resources. + +In ACP, the access control system in place, that is, ACP (as opposed to for example WAC), is indicated via a Link header of `rel="type"` ``. + +### WAC + +In WAC, the effective ACR of a resource might be the ACR of a parent container of the resource. + +In WAC ACRs are called ACLs (Access Control Lists). + +WAC's [Effective ACL Resource](https://solid.github.io/web-access-control-spec/#effective-acl-resource) discovery is described in [the WAC spec](https://solid.github.io/web-access-control-spec/) as follows: + +> ### Effective ACL Resource Algorithm +> To determine the effective ACL resource of a resource, perform the following steps. Returns string (the URI of an ACL Resource). +> +> 1. Let resource be the resource. +> 2. 
Let aclResource be the ACL resource of resource. +> 3. If resource has an associated aclResource with a representation, return aclResource. +> 4. Otherwise, repeat the steps using the container resource of resource. + + + +## See also + +- [Access Control Resource discovery](https://github.com/solid/authorization-panel/issues/228) + diff --git a/proposals/evaluation/use-cases.md b/proposals/evaluation/use-cases.md index fb986087..ed89a6a6 100644 --- a/proposals/evaluation/use-cases.md +++ b/proposals/evaluation/use-cases.md @@ -14,6 +14,7 @@ Within the use cases, the following namespace prefix bindings are used: It is assumed in the example solutions to use cases for both WAC and ACP that the effective access control resource is represented. +0. [Effective Access Control Resource Discovery](./uc-0-effective-acr.md) 1. [Resource Access](./uc-1-resource-access.md) 2. [Collection Access](#) 3. [Access Inheritance Use Cases](./uc-3-inheritance.md) From 98444d9a3b471ea19c8617ae14d395157c7940e3 Mon Sep 17 00:00:00 2001 From: Matthieu Bosquet Date: Tue, 27 Jul 2021 18:17:31 +0100 Subject: [PATCH 02/37] Update proposals/evaluation/uc-0-effective-acr.md Co-authored-by: Ted Thibodeau Jr --- proposals/evaluation/uc-0-effective-acr.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/proposals/evaluation/uc-0-effective-acr.md b/proposals/evaluation/uc-0-effective-acr.md index da4aa54a..268411a6 100644 --- a/proposals/evaluation/uc-0-effective-acr.md +++ b/proposals/evaluation/uc-0-effective-acr.md 
@@ -31,7 +31,7 @@ In ACP, every resource has exactly 1 effective access control resource directly In ACP, access control statements can be spread over several resources, that is, an access control resource can reference other resources. -In ACP, the access control system in place, that is, ACP (as opposed to for example WAC), is indicated via a Link header of `rel="type"` ``. +In ACP, the access control system in place (that is, ACP, as opposed to WAC, for example) is indicated via a Link header of `rel="type"` ``. ### WAC @@ -54,4 +54,3 @@ WAC's [Effective ACL Resource](https://solid.github.io/web-access-control-spec/# ## See also - [Access Control Resource discovery](https://github.com/solid/authorization-panel/issues/228) - From f234ea81b4ada8a1f3ff0038055c4d9389789499 Mon Sep 17 00:00:00 2001 From: Matthieu Bosquet Date: Tue, 27 Jul 2021 18:17:36 +0100 Subject: [PATCH 03/37] Update proposals/evaluation/uc-0-effective-acr.md Co-authored-by: Ted Thibodeau Jr --- proposals/evaluation/uc-0-effective-acr.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/evaluation/uc-0-effective-acr.md b/proposals/evaluation/uc-0-effective-acr.md index 268411a6..062942eb 100644 --- a/proposals/evaluation/uc-0-effective-acr.md +++ b/proposals/evaluation/uc-0-effective-acr.md 
@@ -29,7 +29,7 @@ The Link header with relationship type `acl` indicates the access control resour In ACP, every resource has exactly 1 effective access control resource directly associated to it and every access control resource directly mandates access over exactly one resource and itself. -In ACP, access control statements can be spread over several resources, that is, an access control resource can reference other resources. +In ACP, access control statements can be spread over several resources; that is, an access control resource can reference other resources. In ACP, the access control system in place (that is, ACP, as opposed to WAC, for example) is indicated via a Link header of `rel="type"` ``. From b3b02c26f3fd1e08744daf793bb3bd02f609a35d Mon Sep 17 00:00:00 2001 From: Matthieu Bosquet Date: Tue, 27 Jul 2021 18:17:51 +0100 Subject: [PATCH 04/37] Update proposals/evaluation/uc-0-effective-acr.md Co-authored-by: Ted Thibodeau Jr --- proposals/evaluation/uc-0-effective-acr.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/evaluation/uc-0-effective-acr.md b/proposals/evaluation/uc-0-effective-acr.md index 062942eb..930d1555 100644 --- a/proposals/evaluation/uc-0-effective-acr.md +++ b/proposals/evaluation/uc-0-effective-acr.md @@ -27,7 +27,7 @@ The Link header with relationship type `acl` indicates the access control resour ### ACP -In ACP, every resource has exactly 1 effective access control resource directly associated to it and every access control resource directly mandates access over exactly one resource and itself. +In ACP, every resource has exactly 1 effective access control resource directly associated with it, and every access control resource directly governs access over itself and exactly one other resource. In ACP, access control statements can be spread over several resources; that is, an access control resource can reference other resources. From 5b7b0a0263de7e2603a5577f3ddfd4bb361074b1 Mon Sep 17 00:00:00 2001 
From: Matthieu Bosquet Date: Tue, 27 Jul 2021 18:17:57 +0100 Subject: [PATCH 05/37] Update proposals/evaluation/uc-0-effective-acr.md Co-authored-by: Ted Thibodeau Jr --- proposals/evaluation/uc-0-effective-acr.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/evaluation/uc-0-effective-acr.md b/proposals/evaluation/uc-0-effective-acr.md index 930d1555..29cc0d83 100644 --- a/proposals/evaluation/uc-0-effective-acr.md +++ b/proposals/evaluation/uc-0-effective-acr.md @@ -2,7 +2,7 @@ This is part 0 of the [implementation specific use cases comparison](./use-cases.md). -The resource mandating access over another resource is called its effective access control resource (ACR). +The resource governing access over another resource is called its effective access control resource (ACR). ## 1. Discovering a resource's effective access control From 9fcbb06fb485291691fda738a277681c90ed5e26 Mon Sep 17 00:00:00 2001 From: Matthieu Bosquet Date: Tue, 27 Jul 2021 18:18:04 +0100 Subject: [PATCH 06/37] Update proposals/evaluation/uc-0-effective-acr.md Co-authored-by: Ted Thibodeau Jr --- proposals/evaluation/uc-0-effective-acr.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/evaluation/uc-0-effective-acr.md b/proposals/evaluation/uc-0-effective-acr.md index 29cc0d83..12ac1eee 100644 --- a/proposals/evaluation/uc-0-effective-acr.md +++ b/proposals/evaluation/uc-0-effective-acr.md @@ -37,7 +37,7 @@ In ACP, the access control system in place (that is, ACP, as opposed to WAC, for In WAC, the effective ACR of a resource might be the ACR of a parent container of the resource. -In WAC ACRs are called ACLs (Access Control Lists). +In WAC, ACRs are called ACLs (Access Control Lists). WAC's [Effective ACL Resource](https://solid.github.io/web-access-control-spec/#effective-acl-resource) discovery is described in [the WAC spec](https://solid.github.io/web-access-control-spec/) as follows: 
From 561d052a84cd476ccb6bdff41a63cf4887828129 Mon Sep 17 00:00:00 2001 From: Matthieu Bosquet Date: Thu, 29 Jul 2021 18:10:32 +0100 Subject: [PATCH 07/37] Update proposals/evaluation/uc-0-effective-acr.md Co-authored-by: elf Pavlik --- proposals/evaluation/uc-0-effective-acr.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/evaluation/uc-0-effective-acr.md b/proposals/evaluation/uc-0-effective-acr.md index 12ac1eee..0568800a 100644 --- a/proposals/evaluation/uc-0-effective-acr.md +++ b/proposals/evaluation/uc-0-effective-acr.md @@ -31,7 +31,7 @@ In ACP, every resource has exactly 1 effective access control resource directly In ACP, access control statements can be spread over several resources; that is, an access control resource can reference other resources. -In ACP, the access control system in place (that is, ACP, as opposed to WAC, for example) is indicated via a Link header of `rel="type"` ``. +In ACP, the access control system in place (that is, ACP, as opposed to WAC, for example) is indicated via a Link header of `rel="type"` `` in HTTP response when requesting an ACR. ### WAC From 64b2efad1d8dfd8131705424ce027480117e1998 Mon Sep 17 00:00:00 2001 From: Matthieu Bosquet Date: Thu, 29 Jul 2021 19:47:03 +0100 Subject: [PATCH 08/37] Update proposals/evaluation/uc-0-effective-acr.md Co-authored-by: Ted Thibodeau Jr --- proposals/evaluation/uc-0-effective-acr.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/evaluation/uc-0-effective-acr.md b/proposals/evaluation/uc-0-effective-acr.md index 0568800a..b13ba613 100644 --- a/proposals/evaluation/uc-0-effective-acr.md +++ b/proposals/evaluation/uc-0-effective-acr.md 
@@ -31,7 +31,7 @@ In ACP, every resource has exactly 1 effective access control resource directly In ACP, access control statements can be spread over several resources; that is, an access control resource can reference other resources. -In ACP, the access control system in place (that is, ACP, as opposed to WAC, for example) is indicated via a Link header of `rel="type"` `` in HTTP response when requesting an ACR. +In ACP, the access control system in place (that is, ACP, as opposed to WAC, for example) is indicated via a Link header of `rel="type"` `` in HTTP response to a request for an ACR. ### WAC From 893dc36ff73f74e6b2eb87a03fba1910710a37c7 Mon Sep 17 00:00:00 2001 From: Henry Story Date: Wed, 11 Aug 2021 15:37:12 +0200 Subject: [PATCH 09/37] illustrate in full a WAC search for the ACL --- proposals/evaluation/uc-0-effective-acr.md | 131 +++++++++++++++++++-- 1 file changed, 120 insertions(+), 11 deletions(-) diff --git a/proposals/evaluation/uc-0-effective-acr.md b/proposals/evaluation/uc-0-effective-acr.md index b13ba613..e06251f8 100644 --- a/proposals/evaluation/uc-0-effective-acr.md +++ b/proposals/evaluation/uc-0-effective-acr.md 
@@ -2,28 +2,49 @@ This is part 0 of the [implementation specific use cases comparison](./use-cases.md). -The resource governing access over another resource is called its effective access control resource (ACR). +The "effective access control resource" (ACR) of a resource R, is the resource that contains the rules that will be used by the server to determine access to R. -## 1. Discovering a resource's effective access control -A Solid client needs to discover effective ACR in order to understand and or edit access permissions. +## 1. Discovering a resource's effective access control -Both WAC and ACP use the same effective ACR discovery mechanism. +A Solid client that wants to decide which credentials to present to access a resource or determine if it can edit the ACR, needs to discover the effective ACR of the resource in question. ### Setup We have the following hierarchy of resources: -``` - - +```turtle + + + ``` ### Universal effective ACR discovery -An agent making a GET or HEAD HTTP request on `` will receive a `Link: ; rel="acl"` header in the response that points to the above ``. +Both WAC and ACP follow an `acl` link header in the response to a resource `R` in order find the Access Control Rules. +(The name "acl" for the type of such a link [is being discussed](https://github.com/solid/authorization-panel/issues/228).) + + +We can start both our examples with the client making a `GET` request on `/foo/bar/baz/x` which returns either of the following responses: + + A. The response is successful but the client wants to then edit the access control rules +```HTTP +200 Ok +Link: ; rel="acl" +Link: <.>; rev="http://www.w3.org/ns/ldp#contains" +Content-Length: 2042 +Content-Type: ... + +... +``` + B. 
The response is unsuccessful and the client wants to find out how to authenticate to gain access: +```HTTP +401 Unauthorized +Link: ; rel="acl" +Link: <.>; rev="http://www.w3.org/ns/ldp#contains" +``` -The Link header with relationship type `acl` indicates the access control resource of a resource. +The second `Link`, with relation type `ldp:contains`, is needed for WAC. ### ACP @@ -31,7 +52,11 @@ In ACP, every resource has exactly 1 effective access control resource directly In ACP, access control statements can be spread over several resources; that is, an access control resource can reference other resources. -In ACP, the access control system in place (that is, ACP, as opposed to WAC, for example) is indicated via a Link header of `rel="type"` `` in HTTP response to a request for an ACR. +In ACP, the access control system in place (that is, ACP, as opposed to WAC, for example) is indicated via a `Link` header of `rel="type"` `` in HTTP response to a request for an ACR. + +On receiving the `404` with the `Link` header given in our example, the client can make a request on `/foo/bar/baz/x.acr` if it wants to look at the Access Control Rules. +As in ACP all resources have an associated ACR, the resource <`/foo/bar/baz/x.acr>` should return a description of the sets of agents that can have access to the resource. +This may include links to rules published elsewhere. ### WAC @@ -41,7 +66,7 @@ In WAC, ACRs are called ACLs (Access Control Lists). WAC's [Effective ACL Resource](https://solid.github.io/web-access-control-spec/#effective-acl-resource) discovery is described in [the WAC spec](https://solid.github.io/web-access-control-spec/) as follows: -> ### Effective ACL Resource Algorithm +> ##### Effective ACL Resource Algorithm > To determine the effective ACL resource of a resource, perform the following steps. Returns string (the URI of an ACL Resource). > > 1. Let resource be the resource. 
@@ -49,7 +74,91 @@ WAC's [Effective ACL Resource](https://solid.github.io/web-access-control-spec/# > 3. If resource has an associated aclResource with a representation, return aclResource. > 4. Otherwise, repeat the steps using the container resource of resource. +Just as with ACP, the client can follow the `Link: <...acr>; rel="acl"` relation to find out the rules of access. +But then we have to cases with WAC: + +1. the ACR exists and returns the rules +2. the ACR returns a `404 Not Found` + +In (1) everything follows like with ACP above. +In (2) the client then needs to start the recursive process of looking for the effective ACR. +We will detail (2) next. +1. First the client is lucky enough to be shown the reverse `ldp:contains` relation, so it can do a HEAD on that to find its `ACL`. +```HTTP +HEAD /foo/bar/baz/ HTTP/1.1 +``` +and with luck the server will respond +```HTTP +200 Ok +Link: ; rel="acl" +Link: ; rev="http://www.w3.org/ns/ldp#contains" +``` +The client can then continue with +```HTTP +GET /foo/bar/baz/.acr HTTP/1.1 +``` +to which the server will also return +```HTTP +404 Not Found +``` +as the resource does not yet exist. + +2. As a result the client will need to look up one level in the hierarchy to search for the effective ACR +```HTTP +HEAD /foo/bar/ HTTP/1.1 +``` +and with luck the server will respond +```HTTP +200 Ok +Link: ; rel="acl" +Link: ; rev="http://www.w3.org/ns/ldp#contains" +``` +The client can then continue with +```HTTP +GET /foo/bar/baz/.acr HTTP/1.1 +``` +to which the server will also return +```HTTP +404 Not Found +``` +as the resource does not yet exist. + +3. 
As a result the client will need to look up one level in the hierarchy to search for the effective ACR +```HTTP +HEAD /foo/ HTTP/1.1 +``` +and with luck the server will respond +```HTTP +200 Ok +Link: ; rel="acl" +Link: ; rev="http://www.w3.org/ns/ldp#contains" +``` +The client can then continue with +```HTTP +GET /foo/.acr HTTP/1.1 +``` +to which the server will also return +```HTTP +404 Not Found +``` +as the resource does not yet exist. + +4As a result the client will need to look up one level in the hierarchy to search for the effective ACR +```HTTP +HEAD / HTTP/1.1 +``` +and with luck the server will respond + +```HTTP +200 Ok +Link: ; rel="acl" +``` +The client can then continue with +```HTTP +GET /foo/.acr HTTP/1.1 +``` +to which the server will finally return the content. ## See also From 54114f0b10c318f286eabdd81f4dc23781b6960b Mon Sep 17 00:00:00 2001 From: Henry Story Date: Wed, 11 Aug 2021 15:43:10 +0200 Subject: [PATCH 10/37] formatting --- proposals/evaluation/uc-0-effective-acr.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/evaluation/uc-0-effective-acr.md b/proposals/evaluation/uc-0-effective-acr.md index e06251f8..136987a7 100644 --- a/proposals/evaluation/uc-0-effective-acr.md +++ b/proposals/evaluation/uc-0-effective-acr.md @@ -144,7 +144,7 @@ to which the server will also return ``` as the resource does not yet exist. -4As a result the client will need to look up one level in the hierarchy to search for the effective ACR +4. As a result the client will need to look up one level in the hierarchy to search for the effective ACR ```HTTP HEAD / HTTP/1.1 ``` From fc42c5495917fd37867fa69db9059e9297929f15 Mon Sep 17 00:00:00 2001 From: Henry Story Date: Wed, 11 Aug 2021 19:25:48 +0200 Subject: [PATCH 11/37] WAC+Trig --- proposals/evaluation/uc-0-effective-acr.md | 33 ++++++++++++++++++++++ 1 file changed, 33 insertions(+) 
diff --git a/proposals/evaluation/uc-0-effective-acr.md b/proposals/evaluation/uc-0-effective-acr.md index 136987a7..13c8adb6 100644 --- a/proposals/evaluation/uc-0-effective-acr.md +++ b/proposals/evaluation/uc-0-effective-acr.md @@ -159,7 +159,40 @@ The client can then continue with GET /foo/.acr HTTP/1.1 ``` to which the server will finally return the content. + +### WAC+NTrig + +A resource can let a client know that it supports dataset serialisation its ACR by returning the following header in either the 200 or 401: + +```HTTP +Link: ; rel="acl"; type="application/trig" +``` + +A client could then follow up with a request to `` with `Accept: application/trig`, which could respond: + +```HTTP +200 Ok +Content-Type: application/trig +Content-Length: ... + +GRAPH <> {} +GRAPH { + <#authorization> a acl:Authorization ; + acl:agentGroup ; + acl:default ; + acl:mode acl:Control . +} +``` + +This should be read as giving the triples in the `` graph, and specifying that no triples exist in the ``. +With a slight adjustment to the WAC spec, this could still count as there being nothing other than the default, which would therefore still be active. + +Note: NTrig has already been proposed in [issue 210: add :imports relation](https://github.com/solid/authorization-panel/issues/210). + + + ## See also - [Access Control Resource discovery](https://github.com/solid/authorization-panel/issues/228) + From 58f5882f65d7fd978229c7eaf5bc0813cf738cd9 Mon Sep 17 00:00:00 2001 From: Henry Story Date: Thu, 12 Aug 2021 08:25:52 +0200 Subject: [PATCH 12/37] Update proposals/evaluation/uc-0-effective-acr.md Co-authored-by: Ted Thibodeau Jr --- proposals/evaluation/uc-0-effective-acr.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/proposals/evaluation/uc-0-effective-acr.md b/proposals/evaluation/uc-0-effective-acr.md index 13c8adb6..f8c71202 100644 --- a/proposals/evaluation/uc-0-effective-acr.md +++ b/proposals/evaluation/uc-0-effective-acr.md 
@@ -55,7 +55,7 @@ In ACP, access control statements can be spread over several resources; that is, In ACP, the access control system in place (that is, ACP, as opposed to WAC, for example) is indicated via a `Link` header of `rel="type"` `` in HTTP response to a request for an ACR. On receiving the `404` with the `Link` header given in our example, the client can make a request on `/foo/bar/baz/x.acr` if it wants to look at the Access Control Rules. -As in ACP all resources have an associated ACR, the resource <`/foo/bar/baz/x.acr>` should return a description of the sets of agents that can have access to the resource. +Since all resources in ACP have an associated ACR, the resource <`/foo/bar/baz/x.acr>` should return a description of the sets of agents that can have access to the resource. This may include links to rules published elsewhere. ### WAC @@ -195,4 +195,3 @@ Note: NTrig has already been proposed in [issue 210: add :imports relation](http ## See also - [Access Control Resource discovery](https://github.com/solid/authorization-panel/issues/228) - From c976ac5dfead5dbe8959b380a0244b9ef510dbff Mon Sep 17 00:00:00 2001 From: Henry Story Date: Thu, 12 Aug 2021 08:26:09 +0200 Subject: [PATCH 13/37] Update proposals/evaluation/uc-0-effective-acr.md Co-authored-by: Ted Thibodeau Jr --- proposals/evaluation/uc-0-effective-acr.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/evaluation/uc-0-effective-acr.md b/proposals/evaluation/uc-0-effective-acr.md index f8c71202..9ac1c8a4 100644 --- a/proposals/evaluation/uc-0-effective-acr.md +++ b/proposals/evaluation/uc-0-effective-acr.md 
@@ -54,7 +54,7 @@ In ACP, access control statements can be spread over several resources; that is, In ACP, the access control system in place (that is, ACP, as opposed to WAC, for example) is indicated via a `Link` header of `rel="type"` `` in HTTP response to a request for an ACR. -On receiving the `404` with the `Link` header given in our example, the client can make a request on `/foo/bar/baz/x.acr` if it wants to look at the Access Control Rules. +On receiving the `404` with the `Link` header given in our example, the client can make a request on `/foo/bar/baz/x.acr`, if it wants to look at the Access Control Rules. Since all resources in ACP have an associated ACR, the resource <`/foo/bar/baz/x.acr>` should return a description of the sets of agents that can have access to the resource. This may include links to rules published elsewhere. From aff3e231fea6d73e90ba3e7b876a3f042834301c Mon Sep 17 00:00:00 2001 From: Henry Story Date: Thu, 12 Aug 2021 08:26:54 +0200 Subject: [PATCH 14/37] Update proposals/evaluation/uc-0-effective-acr.md Co-authored-by: Ted Thibodeau Jr --- proposals/evaluation/uc-0-effective-acr.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/evaluation/uc-0-effective-acr.md b/proposals/evaluation/uc-0-effective-acr.md index 9ac1c8a4..fc595e4a 100644 --- a/proposals/evaluation/uc-0-effective-acr.md +++ b/proposals/evaluation/uc-0-effective-acr.md 
@@ -48,7 +48,7 @@ The second `Link`, with relation type `ldp:contains`, is needed for WAC. ### ACP -In ACP, every resource has exactly 1 effective access control resource directly associated with it, and every access control resource directly governs access over itself and exactly one other resource. +In ACP, every resource has exactly one effective access control resource directly associated with it, and every access control resource directly governs access over itself and exactly one other resource. In ACP, access control statements can be spread over several resources; that is, an access control resource can reference other resources. From 458feefec1caa98e5d2bff6c98235838c07a4809 Mon Sep 17 00:00:00 2001 From: Henry Story Date: Thu, 12 Aug 2021 08:27:19 +0200 Subject: [PATCH 15/37] Update proposals/evaluation/uc-0-effective-acr.md Co-authored-by: Ted Thibodeau Jr --- proposals/evaluation/uc-0-effective-acr.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/evaluation/uc-0-effective-acr.md b/proposals/evaluation/uc-0-effective-acr.md index fc595e4a..71d1e564 100644 --- a/proposals/evaluation/uc-0-effective-acr.md +++ b/proposals/evaluation/uc-0-effective-acr.md @@ -27,7 +27,7 @@ Both WAC and ACP follow an `acl` link header in the response to a resource `R` i We can start both our examples with the client making a `GET` request on `/foo/bar/baz/x` which returns either of the following responses: - A. The response is successful but the client wants to then edit the access control rules + A. The response is successful, but the client then wants to edit the access control rules: ```HTTP 200 Ok Link: ; rel="acl" From 59b6ee03bacc40ef44cc8bef2c3cf77423a0920e Mon Sep 17 00:00:00 2001 From: Henry Story Date: Thu, 12 Aug 2021 08:27:44 +0200 Subject: [PATCH 16/37] Update proposals/evaluation/uc-0-effective-acr.md Co-authored-by: Ted Thibodeau Jr --- proposals/evaluation/uc-0-effective-acr.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/proposals/evaluation/uc-0-effective-acr.md b/proposals/evaluation/uc-0-effective-acr.md index 71d1e564..ed759117 100644 --- a/proposals/evaluation/uc-0-effective-acr.md +++ b/proposals/evaluation/uc-0-effective-acr.md @@ -21,7 +21,7 @@ We have the following hierarchy of resources: ### Universal effective ACR discovery -Both WAC and ACP follow an `acl` link header in the response to a resource `R` in order find the Access Control Rules. +Both WAC and ACP follow an `acl` link header in the response to a resource `R`, in order to find the Access Control Rules. (The name "acl" for the type of such a link [is being discussed](https://github.com/solid/authorization-panel/issues/228).) From b0af854075511b0560374bd9b08e97f1aa486db1 Mon Sep 17 00:00:00 2001 From: Henry Story Date: Thu, 12 Aug 2021 08:27:59 +0200 Subject: [PATCH 17/37] Update proposals/evaluation/uc-0-effective-acr.md Co-authored-by: Ted Thibodeau Jr --- proposals/evaluation/uc-0-effective-acr.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/evaluation/uc-0-effective-acr.md b/proposals/evaluation/uc-0-effective-acr.md index ed759117..c47bd561 100644 --- a/proposals/evaluation/uc-0-effective-acr.md +++ b/proposals/evaluation/uc-0-effective-acr.md @@ -75,7 +75,7 @@ WAC's [Effective ACL Resource](https://solid.github.io/web-access-control-spec/# > 4. Otherwise, repeat the steps using the container resource of resource. Just as with ACP, the client can follow the `Link: <...acr>; rel="acl"` relation to find out the rules of access. -But then we have to cases with WAC: +But then we have two cases with WAC: 1. the ACR exists and returns the rules 2. the ACR returns a `404 Not Found` From eb03196bcd12580d84fd4f6f20d9e41e57a3ee31 Mon Sep 17 00:00:00 2001 
From: Henry Story Date: Thu, 12 Aug 2021 08:28:15 +0200 Subject: [PATCH 18/37] Update proposals/evaluation/uc-0-effective-acr.md Co-authored-by: Ted Thibodeau Jr --- proposals/evaluation/uc-0-effective-acr.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/evaluation/uc-0-effective-acr.md b/proposals/evaluation/uc-0-effective-acr.md index c47bd561..007ae68a 100644 --- a/proposals/evaluation/uc-0-effective-acr.md +++ b/proposals/evaluation/uc-0-effective-acr.md @@ -37,7 +37,7 @@ Content-Type: ... ... ``` - B. The response is unsuccessful and the client wants to find out how to authenticate to gain access: + B. The response is unsuccessful, and the client wants to find out how to authenticate to gain access: ```HTTP 401 Unauthorized Link: ; rel="acl" From b964c53bade61d31d44e5adc3db003404fff404f Mon Sep 17 00:00:00 2001 From: Henry Story Date: Thu, 12 Aug 2021 08:28:46 +0200 Subject: [PATCH 19/37] Update proposals/evaluation/uc-0-effective-acr.md Co-authored-by: Ted Thibodeau Jr --- proposals/evaluation/uc-0-effective-acr.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/evaluation/uc-0-effective-acr.md b/proposals/evaluation/uc-0-effective-acr.md index 007ae68a..9c12f697 100644 --- a/proposals/evaluation/uc-0-effective-acr.md +++ b/proposals/evaluation/uc-0-effective-acr.md @@ -128,7 +128,7 @@ as the resource does not yet exist. ```HTTP HEAD /foo/ HTTP/1.1 ``` -and with luck the server will respond +— and with luck the server will respond — ```HTTP 200 Ok Link: ; rel="acl" From d491ea0f4399684e56bb4713b468d04079ba53ec Mon Sep 17 00:00:00 2001 From: Henry Story Date: Thu, 12 Aug 2021 08:29:10 +0200 Subject: [PATCH 20/37] Update proposals/evaluation/uc-0-effective-acr.md Co-authored-by: Ted Thibodeau Jr --- proposals/evaluation/uc-0-effective-acr.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/proposals/evaluation/uc-0-effective-acr.md b/proposals/evaluation/uc-0-effective-acr.md index 9c12f697..44de0c0c 100644 --- a/proposals/evaluation/uc-0-effective-acr.md +++ b/proposals/evaluation/uc-0-effective-acr.md @@ -94,7 +94,7 @@ and with luck the server will respond Link: ; rel="acl" Link: ; rev="http://www.w3.org/ns/ldp#contains" ``` -The client can then continue with +The client can then continue with — ```HTTP GET /foo/bar/baz/.acr HTTP/1.1 ``` From 1265368137a6e0073beb13ca450737bac8ced819 Mon Sep 17 00:00:00 2001 From: Henry Story Date: Thu, 12 Aug 2021 08:33:11 +0200 Subject: [PATCH 21/37] Apply suggestions from code review Co-authored-by: Ted Thibodeau Jr --- proposals/evaluation/uc-0-effective-acr.md | 32 +++++++++++----------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/proposals/evaluation/uc-0-effective-acr.md b/proposals/evaluation/uc-0-effective-acr.md index 44de0c0c..aacc061e 100644 --- a/proposals/evaluation/uc-0-effective-acr.md +++ b/proposals/evaluation/uc-0-effective-acr.md @@ -88,7 +88,7 @@ We will detail (2) next. ```HTTP HEAD /foo/bar/baz/ HTTP/1.1 ``` -and with luck the server will respond +— and with luck the server will respond — ```HTTP 200 Ok Link: ; rel="acl" 
@@ -102,29 +102,29 @@ to which the server will also return ```HTTP 404 Not Found ``` -as the resource does not yet exist. +— as the resource does not yet exist. -2. As a result the client will need to look up one level in the hierarchy to search for the effective ACR +2. As a result, the client will need to look up one level in the hierarchy to search for the effective ACR: ```HTTP HEAD /foo/bar/ HTTP/1.1 ``` -and with luck the server will respond +— and with luck the server will respond — ```HTTP 200 Ok Link: ; rel="acl" Link: ; rev="http://www.w3.org/ns/ldp#contains" ``` -The client can then continue with +The client can then continue with — ```HTTP GET /foo/bar/baz/.acr HTTP/1.1 ``` -to which the server will also return +— to which the server will also return — ```HTTP 404 Not Found ``` -as the resource does not yet exist. +— as the resource does not yet exist. -3. As a result the client will need to look up one level in the hierarchy to search for the effective ACR +3. As a result, the client will need to look up one level in the hierarchy to search for the effective ACR: ```HTTP HEAD /foo/ HTTP/1.1 ``` 
@@ -134,35 +134,35 @@ HEAD /foo/ HTTP/1.1 Link: ; rel="acl" Link: ; rev="http://www.w3.org/ns/ldp#contains" ``` -The client can then continue with +The client can then continue with — ```HTTP GET /foo/.acr HTTP/1.1 ``` -to which the server will also return +— to which the server will also return — ```HTTP 404 Not Found ``` -as the resource does not yet exist. +— as the resource does not yet exist. -4. As a result the client will need to look up one level in the hierarchy to search for the effective ACR +4. As a result, the client will need to look up one level in the hierarchy to search for the effective ACR: ```HTTP HEAD / HTTP/1.1 ``` -and with luck the server will respond +— and with luck the server will respond — ```HTTP 200 Ok Link: ; rel="acl" ``` -The client can then continue with +The client can then continue with — ```HTTP GET /foo/.acr HTTP/1.1 ``` -to which the server will finally return the content. +— to which the server will finally return the content. ### WAC+NTrig -A resource can let a client know that it supports dataset serialisation its ACR by returning the following header in either the 200 or 401: +A resource can let a client know that it supports dataset serialisation of its ACR by returning the following header with either a 200 or 401 HTTP result code: ```HTTP Link: ; rel="acl"; type="application/trig" From 12d5ef918f2eb03bc487c117ecf0d58d2d810dd8 Mon Sep 17 00:00:00 2001 From: Henry Story Date: Thu, 12 Aug 2021 08:33:28 +0200 Subject: [PATCH 22/37] Apply suggestions from code review Co-authored-by: Ted Thibodeau Jr --- proposals/evaluation/uc-0-effective-acr.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/proposals/evaluation/uc-0-effective-acr.md b/proposals/evaluation/uc-0-effective-acr.md index aacc061e..b93913fb 100644 --- a/proposals/evaluation/uc-0-effective-acr.md +++ b/proposals/evaluation/uc-0-effective-acr.md 
@@ -80,8 +80,8 @@ But then we have two cases with WAC: 1. the ACR exists and returns the rules 2. the ACR returns a `404 Not Found` -In (1) everything follows like with ACP above. -In (2) the client then needs to start the recursive process of looking for the effective ACR. +In (1), everything follows like with ACP above. +In (2), the client then needs to start the recursive process of looking for the effective ACR. We will detail (2) next. 1. First the client is lucky enough to be shown the reverse `ldp:contains` relation, so it can do a HEAD on that to find its `ACL`. From 542ee6227e13225b78ce8bf31a98325be46c37c4 Mon Sep 17 00:00:00 2001 From: Henry Story Date: Thu, 12 Aug 2021 12:35:53 +0200 Subject: [PATCH 23/37] WAC+:imports --- proposals/evaluation/uc-0-effective-acr.md | 47 +++++++++++++++++----- 1 file changed, 38 insertions(+), 9 deletions(-) diff --git a/proposals/evaluation/uc-0-effective-acr.md b/proposals/evaluation/uc-0-effective-acr.md index b93913fb..79701262 100644 --- a/proposals/evaluation/uc-0-effective-acr.md +++ b/proposals/evaluation/uc-0-effective-acr.md 
@@ -54,8 +54,8 @@ In ACP, access control statements can be spread over several resources; that is, In ACP, the access control system in place (that is, ACP, as opposed to WAC, for example) is indicated via a `Link` header of `rel="type"` `` in HTTP response to a request for an ACR. -On receiving the `404` with the `Link` header given in our example, the client can make a request on `/foo/bar/baz/x.acr`, if it wants to look at the Access Control Rules. -Since all resources in ACP have an associated ACR, the resource <`/foo/bar/baz/x.acr>` should return a description of the sets of agents that can have access to the resource. +On receiving the `404` with the `Link` header given in our example, the client can make a request on ``, if it wants to look at the Access Control Rules. +Since all resources in ACP have an associated ACR, the resource `` should return a description of the sets of agents that can have access to the resource. This may include links to rules published elsewhere. ### WAC 
@@ -159,16 +159,23 @@ The client can then continue with — GET /foo/.acr HTTP/1.1 ``` — to which the server will finally return the content. - -### WAC+NTrig -A resource can let a client know that it supports dataset serialisation of its ACR by returning the following header with either a 200 or 401 HTTP result code: +### WAC+ + +The WAC effective resource discovery algorithm, needed when default ACLs exist, is as shown above, an expensive process for the client to follow, requiring a large number of failed requests. +We have two ways to fix this: + * WAC+NTrig, allows the server to return datasets and so return the result in one request + * WAC+:imports, shows how one can, as with ACP, have every resource come with its own ACR, but still have allow defaults to work. + +#### WAC+NTrig + +A resource can let a client know that it supports dataset serialisation of its ACR by returning the following header with either a 200 or 401 HTTP result code as proposed in [issue 247](https://github.com/solid/authorization-panel/issues/247): ```HTTP Link: ; rel="acl"; type="application/trig" ``` -A client could then follow up with a request to `` with `Accept: application/trig`, which could respond: +A client could then follow up with a request to `` with `Accept: application/trig` header. The server could respond with, for example: ```HTTP 200 Ok 
@@ -184,13 +191,35 @@ GRAPH { } ``` -This should be read as giving the triples in the `` graph, and specifying that no triples exist in the ``. -With a slight adjustment to the WAC spec, this could still count as there being nothing other than the default, which would therefore still be active. +This should be read as + * specifying that no triples exist in`` + * giving the triples in the `` graph + +With a slight adjustment to the WAC spec, this could still count as there being nothing other than the default, which would therefore still be active as default for the given resource. + +#### WAC+:imports + +Another way to allow default reasoning is to use `:imports` as proposed in [issue 210: add :imports relation](https://github.com/solid/authorization-panel/issues/210). + +[Reactive Solid](https://github.com/co-operating-systems/Reactive-SoLiD) has every resource come with an ACR with content. But the server has ACRs for newly created resources explictly `:import` the parent, so that `` returns + +```Turtle +<> :imports <.acr> . +``` +and `` returns + +``` +<> :imports <../.acr> . +``` -Note: NTrig has already been proposed in [issue 210: add :imports relation](https://github.com/solid/authorization-panel/issues/210). +And so on, up to the root ``. +Clients with control access to a resource, can change the ACR to point straight to the root one. +#### WAC+TriG+:imports +Both of those answers can be combined of course. +This was proposed in the May 11th comment to [issue 210: add :imports relation](https://github.com/solid/authorization-panel/issues/210#issuecomment-838747077). ## See also From ed0436375cc47ca5bf598dbb046c06660197893f Mon Sep 17 00:00:00 2001 From: Henry Story Date: Thu, 12 Aug 2021 14:46:47 +0200 Subject: [PATCH 24/37] wac + acl=control --- proposals/evaluation/uc-0-effective-acr.md | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) 
diff --git a/proposals/evaluation/uc-0-effective-acr.md b/proposals/evaluation/uc-0-effective-acr.md index 79701262..5d17f9fb 100644 --- a/proposals/evaluation/uc-0-effective-acr.md +++ b/proposals/evaluation/uc-0-effective-acr.md @@ -163,9 +163,10 @@ GET /foo/.acr HTTP/1.1 ### WAC+ The WAC effective resource discovery algorithm, needed when default ACLs exist, is as shown above, an expensive process for the client to follow, requiring a large number of failed requests. -We have two ways to fix this: +We have three ways to fix this: * WAC+NTrig, allows the server to return datasets and so return the result in one request * WAC+:imports, shows how one can, as with ACP, have every resource come with its own ACR, but still have allow defaults to work. + * WAC+rel=control allows the server to publish two `Link` relations: one to the ACR and the other to the effective ACR. #### WAC+NTrig @@ -216,10 +217,21 @@ And so on, up to the root ``. Clients with control access to a resource, can change the ACR to point straight to the root one. -#### WAC+TriG+:imports +#### WAC + TriG + :imports Both of those answers can be combined of course. This was proposed in the May 11th comment to [issue 210: add :imports relation](https://github.com/solid/authorization-panel/issues/210#issuecomment-838747077). + +#### WAC + acl=control + +This is perhaps the simplest solution. By specifying another link relation type, to non created ACR resource we can help the client find its way very quickly to the effective resource, without loosing the ability to edit the most specific one. +This is explained in [issue 248](https://github.com/solid/authorization-panel/issues/248). + +```HTTP +Link: ; rel="acl" +Link: ; rel="acl" +``` + ## See also From 4610f801a78455350fc4b2dc269f4d81698c6335 Mon Sep 17 00:00:00 2001 
From: Henry Story Date: Thu, 12 Aug 2021 15:16:42 +0200 Subject: [PATCH 25/37] fix important typo in rel=control example --- proposals/evaluation/uc-0-effective-acr.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/evaluation/uc-0-effective-acr.md b/proposals/evaluation/uc-0-effective-acr.md index 5d17f9fb..b285f539 100644 --- a/proposals/evaluation/uc-0-effective-acr.md +++ b/proposals/evaluation/uc-0-effective-acr.md @@ -229,7 +229,7 @@ This is explained in [issue 248](https://github.com/solid/authorization-panel/is ```HTTP Link: ; rel="acl" -Link: ; rel="acl" +Link: ; rel="control" ``` From 42e999dcfd9a5ebeac9bb53e23d0fb0925435a73 Mon Sep 17 00:00:00 2001 From: Henry Story Date: Thu, 12 Aug 2021 15:21:23 +0200 Subject: [PATCH 26/37] minor fixes --- proposals/evaluation/uc-0-effective-acr.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/proposals/evaluation/uc-0-effective-acr.md b/proposals/evaluation/uc-0-effective-acr.md index b285f539..48f8eb83 100644 --- a/proposals/evaluation/uc-0-effective-acr.md +++ b/proposals/evaluation/uc-0-effective-acr.md @@ -44,7 +44,7 @@ Link: ; rel="acl" Link: <.>; rev="http://www.w3.org/ns/ldp#contains" ``` -The second `Link`, with relation type `ldp:contains`, is needed for WAC. +The second `Link`, with relation type `ldp:contains`, is helpful to help WAC clients determine the effective acl. ### ACP 
@@ -164,7 +164,7 @@ GET /foo/.acr HTTP/1.1 The WAC effective resource discovery algorithm, needed when default ACLs exist, is as shown above, an expensive process for the client to follow, requiring a large number of failed requests. We have three ways to fix this: - * WAC+NTrig, allows the server to return datasets and so return the result in one request + * WAC+Trig, allows the server to return datasets and so return the result in one request * WAC+:imports, shows how one can, as with ACP, have every resource come with its own ACR, but still have allow defaults to work. * WAC+rel=control allows the server to publish two `Link` relations: one to the ACR and the other to the effective ACR. From e2b4f81570255818a682dd6701d4481dddb5cc07 Mon Sep 17 00:00:00 2001 From: Henry Story Date: Thu, 12 Aug 2021 15:25:53 +0200 Subject: [PATCH 27/37] Update proposals/evaluation/uc-0-effective-acr.md Co-authored-by: Ted Thibodeau Jr --- proposals/evaluation/uc-0-effective-acr.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/evaluation/uc-0-effective-acr.md b/proposals/evaluation/uc-0-effective-acr.md index 48f8eb83..8a7ac6cb 100644 --- a/proposals/evaluation/uc-0-effective-acr.md +++ b/proposals/evaluation/uc-0-effective-acr.md @@ -98,7 +98,7 @@ The client can then continue with — ```HTTP GET /foo/bar/baz/.acr HTTP/1.1 ``` -to which the server will also return +— to which the server will also return — ```HTTP 404 Not Found ``` From 6799dd9c25e102068ba6ddd7ef8c7d1d5bba19d5 Mon Sep 17 00:00:00 2001 From: Henry Story Date: Thu, 12 Aug 2021 15:26:27 +0200 Subject: [PATCH 28/37] Update proposals/evaluation/uc-0-effective-acr.md Co-authored-by: Ted Thibodeau Jr --- proposals/evaluation/uc-0-effective-acr.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/evaluation/uc-0-effective-acr.md b/proposals/evaluation/uc-0-effective-acr.md index 8a7ac6cb..af48e57c 100644 --- a/proposals/evaluation/uc-0-effective-acr.md 
+++ b/proposals/evaluation/uc-0-effective-acr.md @@ -44,7 +44,7 @@ Link: ; rel="acl" Link: <.>; rev="http://www.w3.org/ns/ldp#contains" ``` -The second `Link`, with relation type `ldp:contains`, is helpful to help WAC clients determine the effective acl. +The second `Link`, with relation type `ldp:contains`, helps WAC clients determine the effective ACL. ### ACP From 0ebddb3fe4e1da207f60a0d8194507610a0fd8b6 Mon Sep 17 00:00:00 2001 From: Henry Story Date: Thu, 12 Aug 2021 15:27:48 +0200 Subject: [PATCH 29/37] Update proposals/evaluation/uc-0-effective-acr.md Co-authored-by: Ted Thibodeau Jr --- proposals/evaluation/uc-0-effective-acr.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/proposals/evaluation/uc-0-effective-acr.md b/proposals/evaluation/uc-0-effective-acr.md index af48e57c..dabc8201 100644 --- a/proposals/evaluation/uc-0-effective-acr.md +++ b/proposals/evaluation/uc-0-effective-acr.md @@ -164,9 +164,9 @@ GET /foo/.acr HTTP/1.1 The WAC effective resource discovery algorithm, needed when default ACLs exist, is as shown above, an expensive process for the client to follow, requiring a large number of failed requests. We have three ways to fix this: - * WAC+Trig, allows the server to return datasets and so return the result in one request - * WAC+:imports, shows how one can, as with ACP, have every resource come with its own ACR, but still have allow defaults to work. - * WAC+rel=control allows the server to publish two `Link` relations: one to the ACR and the other to the effective ACR. + * WAC+Trig — allows the server to return datasets, and so return the result in one request + * WAC+:imports — shows how one can, as with ACP, have every resource come with its own ACR, but still allow defaults to work + * WAC+rel=control — allows the server to publish two `Link` relations: one to the ACR, and the other to the effective ACR. #### WAC+NTrig From 7bd0597b3083e6d8f224b0bb2b98b70d72007319 Mon Sep 17 00:00:00 2001 
From: Henry Story Date: Thu, 12 Aug 2021 15:28:07 +0200 Subject: [PATCH 30/37] Update proposals/evaluation/uc-0-effective-acr.md Co-authored-by: Ted Thibodeau Jr --- proposals/evaluation/uc-0-effective-acr.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/evaluation/uc-0-effective-acr.md b/proposals/evaluation/uc-0-effective-acr.md index dabc8201..98f9598a 100644 --- a/proposals/evaluation/uc-0-effective-acr.md +++ b/proposals/evaluation/uc-0-effective-acr.md @@ -162,7 +162,7 @@ GET /foo/.acr HTTP/1.1 ### WAC+ -The WAC effective resource discovery algorithm, needed when default ACLs exist, is as shown above, an expensive process for the client to follow, requiring a large number of failed requests. +The WAC effective resource discovery algorithm, needed when default ACLs exist, is, as shown above, an expensive process for the client to follow, requiring a large number of failed requests. We have three ways to fix this: * WAC+Trig — allows the server to return datasets, and so return the result in one request * WAC+:imports — shows how one can, as with ACP, have every resource come with its own ACR, but still allow defaults to work From d3d5c7f7ab3d46d055e3cce36913efd3adccf44c Mon Sep 17 00:00:00 2001 From: Henry Story Date: Thu, 12 Aug 2021 15:28:32 +0200 Subject: [PATCH 31/37] Update proposals/evaluation/uc-0-effective-acr.md Co-authored-by: Ted Thibodeau Jr --- proposals/evaluation/uc-0-effective-acr.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/evaluation/uc-0-effective-acr.md b/proposals/evaluation/uc-0-effective-acr.md index 98f9598a..351548cb 100644 --- a/proposals/evaluation/uc-0-effective-acr.md +++ b/proposals/evaluation/uc-0-effective-acr.md 
@@ -170,7 +170,7 @@ We have three ways to fix this: #### WAC+NTrig -A resource can let a client know that it supports dataset serialisation of its ACR by returning the following header with either a 200 or 401 HTTP result code as proposed in [issue 247](https://github.com/solid/authorization-panel/issues/247): +A resource can let a client know that it supports dataset serialisation of its ACR by returning the following header with either a `200` or `401` HTTP result code as proposed in [issue 247](https://github.com/solid/authorization-panel/issues/247): ```HTTP Link: ; rel="acl"; type="application/trig" From 05bd3fc44aa1fd8d468f122b343b1557ec361c1d Mon Sep 17 00:00:00 2001 From: Henry Story Date: Thu, 12 Aug 2021 15:30:44 +0200 Subject: [PATCH 32/37] Update proposals/evaluation/uc-0-effective-acr.md Co-authored-by: Ted Thibodeau Jr --- proposals/evaluation/uc-0-effective-acr.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/evaluation/uc-0-effective-acr.md b/proposals/evaluation/uc-0-effective-acr.md index 351548cb..292b3429 100644 --- a/proposals/evaluation/uc-0-effective-acr.md +++ b/proposals/evaluation/uc-0-effective-acr.md @@ -202,7 +202,7 @@ With a slight adjustment to the WAC spec, this could still count as there being Another way to allow default reasoning is to use `:imports` as proposed in [issue 210: add :imports relation](https://github.com/solid/authorization-panel/issues/210). -[Reactive Solid](https://github.com/co-operating-systems/Reactive-SoLiD) has every resource come with an ACR with content. But the server has ACRs for newly created resources explictly `:import` the parent, so that `` returns +[Reactive Solid](https://github.com/co-operating-systems/Reactive-SoLiD) has every resource come with an ACR with content. But the server has ACRs for newly created resources explictly `:import` the parent, so that `` returns — ```Turtle <> :imports <.acr> . 
From 8050dbadb665a512dbf300525c0ea725c4d72843 Mon Sep 17 00:00:00 2001 From: Henry Story Date: Thu, 12 Aug 2021 15:31:05 +0200 Subject: [PATCH 33/37] Update proposals/evaluation/uc-0-effective-acr.md Co-authored-by: Ted Thibodeau Jr --- proposals/evaluation/uc-0-effective-acr.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/evaluation/uc-0-effective-acr.md b/proposals/evaluation/uc-0-effective-acr.md index 292b3429..f035d23a 100644 --- a/proposals/evaluation/uc-0-effective-acr.md +++ b/proposals/evaluation/uc-0-effective-acr.md @@ -207,7 +207,7 @@ Another way to allow default reasoning is to use `:imports` as proposed in [issu ```Turtle <> :imports <.acr> . ``` -and `` returns +— and `` returns — ``` <> :imports <../.acr> . From d744e618984bee2b871bceb3e9396b162d60e9de Mon Sep 17 00:00:00 2001 From: Henry Story Date: Thu, 12 Aug 2021 15:31:16 +0200 Subject: [PATCH 34/37] Update proposals/evaluation/uc-0-effective-acr.md Co-authored-by: Ted Thibodeau Jr --- proposals/evaluation/uc-0-effective-acr.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/evaluation/uc-0-effective-acr.md b/proposals/evaluation/uc-0-effective-acr.md index f035d23a..949f4779 100644 --- a/proposals/evaluation/uc-0-effective-acr.md +++ b/proposals/evaluation/uc-0-effective-acr.md @@ -215,7 +215,7 @@ Another way to allow default reasoning is to use `:imports` as proposed in [issu And so on, up to the root ``. -Clients with control access to a resource, can change the ACR to point straight to the root one. +Clients with control access to a resource can change the ACR to point straight to the root ACR. #### WAC + TriG + :imports From 6f97adf3754a3724723789db286331ffa907a445 Mon Sep 17 00:00:00 2001 
From: Henry Story Date: Thu, 12 Aug 2021 15:35:32 +0200 Subject: [PATCH 35/37] Update proposals/evaluation/uc-0-effective-acr.md Co-authored-by: Ted Thibodeau Jr --- proposals/evaluation/uc-0-effective-acr.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/proposals/evaluation/uc-0-effective-acr.md b/proposals/evaluation/uc-0-effective-acr.md index 949f4779..b48e31bd 100644 --- a/proposals/evaluation/uc-0-effective-acr.md +++ b/proposals/evaluation/uc-0-effective-acr.md @@ -224,7 +224,7 @@ This was proposed in the May 11th comment to [issue 210: add :imports relation]( #### WAC + acl=control -This is perhaps the simplest solution. By specifying another link relation type, to non created ACR resource we can help the client find its way very quickly to the effective resource, without loosing the ability to edit the most specific one. +This is perhaps the simplest solution. By specifying another link relation type to non-created ACR resource, we can help the client find its way very quickly to the effective resource, without losing the ability to edit the most specific one. This is explained in [issue 248](https://github.com/solid/authorization-panel/issues/248). ```HTTP From 94d0547afaf2eb2439306db3028d8900d7eda6f4 Mon Sep 17 00:00:00 2001 From: Henry Story Date: Thu, 12 Aug 2021 23:37:07 +0200 Subject: [PATCH 36/37] Formula for nbr of req to find WAC effective ACR --- proposals/evaluation/uc-0-effective-acr.md | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/proposals/evaluation/uc-0-effective-acr.md b/proposals/evaluation/uc-0-effective-acr.md index b48e31bd..191f17ee 100644 --- a/proposals/evaluation/uc-0-effective-acr.md +++ b/proposals/evaluation/uc-0-effective-acr.md 
@@ -74,7 +74,7 @@ WAC's [Effective ACL Resource](https://solid.github.io/web-access-control-spec/# > 3. If resource has an associated aclResource with a representation, return aclResource. > 4. Otherwise, repeat the steps using the container resource of resource. -Just as with ACP, the client can follow the `Link: <...acr>; rel="acl"` relation to find out the rules of access. +Just as with ACP, the client can follow the `Link: <...acr>; rel="acl"` relation to find the rules of access. But then we have two cases with WAC: 1. the ACR exists and returns the rules @@ -160,6 +160,16 @@ GET /foo/.acr HTTP/1.1 ``` — to which the server will finally return the content. +The number of requests needed to find the default can be calculated by the forumla: +``` +reqN = 2 * slashes + extraFile +``` +where - +* `slashes` is the number of slashes between the original resource and the effective ACR, +* `extraFile` is 0 if the resource is an ldp:Container and 1 if it is a plain resource. + +So in our example above we have `reqN = 2 * 4 + 1 = 9`. + ### WAC+ The WAC effective resource discovery algorithm, needed when default ACLs exist, is, as shown above, an expensive process for the client to follow, requiring a large number of failed requests. From 627ace9579bb05a462371273d13c23c5cc834c24 Mon Sep 17 00:00:00 2001 From: Henry Story Date: Fri, 13 Aug 2021 06:35:01 +0200 Subject: [PATCH 37/37] Apply suggestions from code review Co-authored-by: Ted Thibodeau Jr --- proposals/evaluation/uc-0-effective-acr.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/proposals/evaluation/uc-0-effective-acr.md b/proposals/evaluation/uc-0-effective-acr.md index 191f17ee..854e3f19 100644 --- a/proposals/evaluation/uc-0-effective-acr.md +++ b/proposals/evaluation/uc-0-effective-acr.md 
@@ -160,13 +160,13 @@ GET /foo/.acr HTTP/1.1 ``` — to which the server will finally return the content. -The number of requests needed to find the default can be calculated by the forumla: +The number of requests needed to find the default can be calculated by the formula — ``` reqN = 2 * slashes + extraFile ``` -where - -* `slashes` is the number of slashes between the original resource and the effective ACR, -* `extraFile` is 0 if the resource is an ldp:Container and 1 if it is a plain resource. +— where — +* `slashes` is the number of slashes between the original resource and the effective ACR +* `extraFile` is `0` if the resource is an `ldp:Container` and `1` if it is a plain resource So in our example above we have `reqN = 2 * 4 + 1 = 9`.
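Review bot: in PATCH 21/37, hunk `@@ -102,29 +102,29 @@`, step 2 moves up to `HEAD /foo/bar/` but then continues with `GET /foo/bar/baz/.acr`, the ACR that step 1 already received `404 Not Found` for, so the walkthrough never probes the ACR of `/foo/bar/`. The request after the `HEAD` should target the `rel="acl"` link returned by that container (by the pattern of the other steps, `/foo/bar/.acr`). The patch already rewrites the neighbouring lines, so this is the place to correct the path; a client author following the example literally would repeat a known-missing lookup and skip one level of the hierarchy.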
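Review bot: in PATCH 21/37, hunk `@@ -134,35 +134,35 @@`, step 4 sends `HEAD / HTTP/1.1` and then `GET /foo/.acr`, which step 3 in the same hunk already shows returning `404 Not Found`, yet the text says the server "will finally return the content". The final request should be for the root container's ACR, so that the example ends on the resource that really is the effective ACR. While these lines are being touched, the status lines in the examples would read better as `200 OK`.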
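Review bot: in PATCH 23/37, hunk `@@ -184,13 +191,35 @@`, the added reading of the TriG response ("specifying that no triples exist in" the resource's own ACR graph) rests on "a slight adjustment to the WAC spec" that is never spelled out, and for an authorization document that distinction decides access: under the quoted Effective ACL Resource algorithm, an ACR that has a representation but grants nothing and an ACR that does not exist lead to different effective ACRs. Please state the adjustment explicitly, that is, how a client tells "empty graph, fall back to the default" from "ACR present, grants nothing". In the same hunk, the `:imports` section should say how an import chain is bounded (a cycle, or a target that cannot be dereferenced), given the added sentence that clients with control access can repoint the ACR. The second example fence is also missing its `Turtle` tag and "explictly" is misspelled.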
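Review bot: in PATCH 24/37, hunk `@@ -216,10 +217,21 @@`, the new heading reads `WAC + acl=control` while the bullet added by the same patch and the corrected header in PATCH 25/37 use `rel=control`, and the paragraph never says which of the two relations carries the effective ACR and which carries the resource's own, not yet created, ACR. Suggest renaming the heading to `WAC + rel=control` and adding one sentence that fixes the mapping. This matters beyond style: the section's stated goal is to keep "the ability to edit the most specific one", and a client that confuses the two links would edit the inherited ACR, which governs every resource that defaults to it.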
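Review bot: in PATCH 26/37, hunk `@@ -164,7 +164,7 @@`, the bullet is renamed from `WAC+NTrig` to `WAC+Trig`, but the section heading `#### WAC+NTrig` is left unchanged (it still appears as context in PATCH 29/37 and PATCH 31/37), and a third spelling, `TriG`, is used in the `WAC + TriG + :imports` heading. Pick one spelling for all three places, preferably `TriG` to match the `application/trig` media type used in the `Link` example, so the list entries can be matched to their sections.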
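Review bot: in PATCH 36/37, hunk `@@ -160,6 +160,16 @@`, the formula `reqN = 2 * slashes + extraFile` is presented as the cost of discovery, but `slashes` is defined as the number of slashes "between the original resource and the effective ACR" while the worked value `4` appears to be the slash count of the resource path `/foo/bar/baz/x` itself, and it is not stated whether the initial request that returns the `Link` header is included in the total. Please define the term against the example and say what is counted. The text should also note that this is the best case: each step of the walkthrough relies on the server, "with luck", returning the `rev="http://www.w3.org/ns/ldp#contains"` link, and the formula says nothing about a server that omits it.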