feature: support configuring authorisation policies in ODRL #9
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Define simplified models for ODRL and SHACL using classes. These models only cover the parts of the respective specifications that we need to express authorisation policies in ODRL(+SHACL). These models facilitate an internal representation of an ODRL policy that can serve as an intermediary between the raw input (e.g. ODRL policy in ttl file) and the ACL used internally by this service.
- Parse the contents of a n-triples files using `cl-ntriples`
- Convert each relevant resource to its corresponding ODRL/SHACL object. The
`make-rule-set` function is used as the entrypoint for this conversion.
- Triples in the input that are not relevant for model instances are simply
ignored.
- Add `./odrl/config.{nt,ttl}` as example for testing purposes.
An ODRL Set is loaded as ACL by iterating over its contained rules: 1. Each Party (Asset) Collection referenced in a rule is converted into a corresponding allowed-group (graph-specification). Consequently, collections that are not used in any rule are ignored. 2. The set of rules in the policy are "reduced" by merging rules that have the same assignee and target. Any merged rule has as actions the union of its original rules. Note, this step is necessary because ODRL only allows 1 action per rule, whereas grants can specify multiple actions. 3. Convert the reduced rules into grants.
- Split the actual assertions to a separate function so they can be reused in multiple scenarios. - Added specific functions to run the assertion tests with either ACL or ODRL config to allow testing these flows independently. - Let `run-assertion-tests` execute the scenario twice, first with an ACL config and second with the same config in ODRL. - Removed previous example configs in favour of config used in test scenarios
- Ensure any n-triples configuration is copied from the mounted config volume. - Conditionally load policy from n-triples file if `odrl-config::*use-odrl-config-p*` is set to a non-nil value. - The original lisp config confi is still evaluated as before to allow using to configure the service by setting parameters/variables. But loading an ODRL config first clears the ACL variables to remove any policy elements that would be defined in the lisp config.
mirdono
changed the title
3 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add initial functionality to support specifying authorisation policies using ODRL (with some SHACL), as an option next to the existing lisp ACL.
Approach
Specifying authorisation policies using ODRL and SHACL
The following table contains an overview of how the different elements in sparql-parser's ACL are expressed using ODRL and SHACL. A more detailed description can be found on gitbook.
An ODRL Party collection can be linked to a query (and parameters) in which case it would correspond to an
access-by-query, otherwise it corresponds toalways-accessible. It is currently not supported to influence this mapping using constraints.In this context an ODRL Asset collection describes a set of triples in a graph. Therefore, we opted to use SHACL shapes instead of ODRL constraints to capture
type-specifications, as the former is specifically intended to express that kind of information. ODRL constraints on the other hand are not suitable here.A SHACL node shape (ODRL Asset) specifies a resource type as
sh:targetClassand can contain property shapes to further refine for specific predicates. For example, a type-specification such as(typeOne -> predOne <- predTwo)could correspond to the following node shape:
someShape a odrl:Asset , sh:NodeShape ; odrl:partOf someCollection ; sh:targetClass typeOne ; sh:property [ sh:path predOne ] , [ sh:path [ sh:inversePath predTwo ] ] .ODRL model implementation
The ODRL/SHACL model explained above is implemented as a set of classes in odrl.lisp and shacl.lisp. This allows to internally instantiate ODRL policies read from a configuration file as well as convert ODRL model instances to the ACL sparql-parser uses. Having this intermediate representation should allow that the functionality to convert it to the internal ACL can evolve independently from the functionality parsing the input configuration file. For example, supporting another file format only requires to implement functionality to instantiate an ODRL model from its contents.
The model implementations only cover the parts of the ODRL and SHACL specifications that are necessary to express authorisation policies. For example, no support for ODRL offers or constraints is implemented. Furthermore,
the implemented ODRL model deviates from the specification in two ways. First, in our implementation rules can have multiple actions. This allows to "merge" rules that should be converted to a single grant simplifying the actual conversion. Second, asset collections reference their contained assets, whereas in the ODRL specification it is assets that link to the collections they are part of via the
odrl:partOfpredicate. This inversion allows to pass over all elements in a policy in a top-down fashion, instead of having to keep track of all available assets separately.Conversion to ACL
Converting an ODRL model instance to the internal ACL is implemented using generic functions,
odrl-to-aclandshacl-to-acl, and their method implementations. In summary this conversion starts from an ODRLrule-setand passes over each contained element to convert them to their corresponding ACL element.Note, as the conversion starts from the rules in a policy, only party (asset) collections that are used in at least 1 rule are converted. This is different from configurations in lisp, where each specified
accessandgraphis evaluated irrelevant of whether there is agrantusing it.Input file parsing
As input an n-triples file is expected, this file is read and parsed by the functionality in parse-ntriples. The
load-policy-filefunction reads input file and parses the content using cl-ntriples. The result is a list of lists, with each inner list representing a triple. Themake-rule-setfunction converts the triples to their corresponding ODRL or SHACL objects.Open issues
ODRL policies do not yet support all features available through the lisp ACL:
(list 'acl:_)is always used as value for:scopesargument for theacl:grant*function, similar to what theacl:grantmacro does when no scope is specified.acl:supply-allowed-groupmacro. Consequently, the type ofacl:accessthat will be created for each party collection is determined by the presence or absence of a query. It is thus not possible to specify aNEVERconstraint, or force the creation of anacl:always-accessibleinstance despite the presence of a query.acl::graph-specificationwithgenerate-delta-pandgenerate-sparql-pset tot.Notes
Related tickets