The URI Shortener Service "curi" can make optional use of VAL for login and ACL support.
If VAL is installed the URI Shortener Service will show a login link along with information about the currently authenticated user. By default ACLs are disabled which means that anyone can create and read compressed URIs.
http://www.openlinksw.com/ontology/acl#DefaultRealm and default hostname "HOST" the graph IRI would be http://HOST/acl/graph/rules/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm and the groups will be stored in named graph http://HOST/acl/graph/groups/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm.
Be aware that these graphs can be customized for better readability.
VAL controls ACL application through ACL scopes which can be enabled and disabled per application realm. Thus, in order to enable curi ACLs in the default realm the following can be done:
sparql
prefix oplacl: <http://www.openlinksw.com/ontology/acl#>
with <urn:virtuoso:val:config>
delete {
  oplacl:DefaultRealm oplacl:hasDisabledAclScope <urn:virtuoso:val:scopes:curi> .
}
insert {
  oplacl:DefaultRealm oplacl:hasEnabledAclScope <urn:virtuoso:val:scopes:curi> .
};
Curi allows control of both the creation and the reading of compressed URIs via ACLs.
The resource URI is the URL of the Curi page itself, typically something like http://host.com/c.
The ACL scope is, as seen above, urn:virtuoso:val:scopes:curi.
Be aware that the ACL graphs can be customized for better readability.
sparql
prefix oplacl: <http://www.openlinksw.com/ontology/acl#>
prefix acl: <http://www.w3.org/ns/auth/acl#>
prefix foaf: <http://xmlns.com/foaf/0.1/>
with <http://HOST/acl/graph/rules/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm>
insert {
  <#rule> a acl:Authorization ;
    oplacl:hasAccessMode oplacl:Read ;
    acl:accessTo <http://HOST/c> ;
    acl:agentClass foaf:Agent ;
    oplacl:hasScope <urn:virtuoso:val:scopes:curi> ;
    oplacl:hasRealm oplacl:DefaultRealm .
};
Typically this rule should be created using the ACL API (internal API or RESTful API).
(When manually creating ACL rules without the help of the API, the realm needs to be specified via oplacl:hasRealm and the rule needs to be added to the corresponding graph. In the case of the default application realm this would be http://HOST/acl/graph/rules/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm.)
sparql
prefix oplacl: <http://www.openlinksw.com/ontology/acl#>
prefix foaf: <http://xmlns.com/foaf/0.1/>
with <http://HOST/acl/graph/groups/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm>
insert {
  <#group> a oplacl:ConditionalGroup ;
    foaf:name "Valid Identifiers" ;
    oplacl:hasCondition [
      a oplacl:GroupCondition, oplacl:GenericCondition ;
      oplacl:hasCriteria oplacl:NetID ;
      oplacl:hasComparator oplacl:IsNotNull ;
      oplacl:hasValue 1
    ] .
};
(When manually creating groups without the help of the API, the group needs to be added to the corresponding graph. In the case of the default application realm this would be http://HOST/acl/graph/groups/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm.)
This group can then be used in an ACL rule as follows:
sparql
prefix oplacl: <http://www.openlinksw.com/ontology/acl#>
prefix acl: <http://www.w3.org/ns/auth/acl#>
prefix foaf: <http://xmlns.com/foaf/0.1/>
with <http://HOST/acl/graph/rules/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm>
insert {
  <#rule> a acl:Authorization ;
    oplacl:hasAccessMode oplacl:Write ;
    acl:accessTo <http://HOST/c> ;
    acl:agent <#group> ;
    oplacl:hasScope <urn:virtuoso:val:scopes:curi> ;
    oplacl:hasRealm oplacl:DefaultRealm .
};
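The graph naming and rule shape described above can be turned into an audit step. The following is an added example, not part of the VAL or curi code: the helper names `acl_graph_iri` and `curi_audit_query` are hypothetical, the default graph naming is assumed (it does not apply if the ACL graphs were customized), and the generated statement is assumed to be run in isql by a user allowed to read the ACL graphs.

```python
"""Added example: build VAL ACL graph IRIs and an audit query for the curi scope."""
import re
from urllib.parse import quote

DEFAULT_REALM = "http://www.openlinksw.com/ontology/acl#DefaultRealm"
CURI_SCOPE = "urn:virtuoso:val:scopes:curi"
# Characters that would break out of an <IRI> in SPARQL text.
_UNSAFE = re.compile(r'[\s<>"{}|\\^`]')


def acl_graph_iri(host, kind, realm=DEFAULT_REALM):
    """Return the default-named ACL graph for a realm; kind is 'rules' or 'groups'."""
    if kind not in ("rules", "groups"):
        raise ValueError("kind must be 'rules' or 'groups'")
    if not host or _UNSAFE.search(host) or "/" in host:
        raise ValueError("host must be a bare hostname[:port]")
    if _UNSAFE.search(realm):
        raise ValueError("realm IRI contains characters not allowed in an IRI")
    # The realm IRI is percent-encoded in full (':', '/' and '#' included).
    return "http://%s/acl/graph/%s/%s" % (host, kind, quote(realm, safe=""))


def curi_audit_query(host, realm=DEFAULT_REALM):
    """Render an isql statement listing every curi-scope rule in the realm."""
    return "\n".join([
        "sparql",
        "prefix oplacl: <http://www.openlinksw.com/ontology/acl#>",
        "prefix acl: <http://www.w3.org/ns/auth/acl#>",
        "select ?rule ?mode ?resource ?agent ?agentClass",
        "from <%s>" % acl_graph_iri(host, "rules", realm),
        "where {",
        "  ?rule a acl:Authorization ;",
        "        oplacl:hasScope <%s> ;" % CURI_SCOPE,
        "        oplacl:hasAccessMode ?mode ;",
        "        acl:accessTo ?resource .",
        "  optional { ?rule acl:agent ?agent }",
        "  optional { ?rule acl:agentClass ?agentClass }",
        "};",
    ])


if __name__ == "__main__":
    print(curi_audit_query("HOST"))
```

A rule that shows oplacl:Write together with acl:agentClass foaf:Agent in the result lets anyone create compressed URIs, so that row is the one to look for after enabling the scope.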
Like all applications using VAL's authentication pages, curi can make use of VAL's request-for-access feature, which makes it easy to send a message to the owner of the resource asking for permission to use it.
All VAL needs to know is who owns the resource. This is easily done by using the VAL API. If, for example, "dba" should be the owner of the curi service, then the following call will save that fact:
VAL.DBA.set_resource_ownership (
  scope=>'urn:virtuoso:val:scopes:curi',
  resource=>'http://HOST/c',
  serviceId=>VAL.DBA.user_personal_uri ('dba')
);
This call will add a triple like the following into a private graph which is then added to a graph group containing all ownership graphs for the given scope:
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
<http://HOST/dataspace/person/dba#this> foaf:made <urn:virtuoso:access:curi> .