bblfish [m]
@bblfish:matrix.org
I wrote that up in the first issue on did:solid solid/did-method-solid#1
Justin Bingham
@justinwb
oh i’m just seeing this
did this happen?
Dmitri Zagidulin
@dmitrizagidulin
@justinwb yeah, call just happened
(buuut, you should have the CCG call on your calendar reeeegularly :) (everybody on this channel ;) )
Justin Bingham
@justinwb
didn’t know this was this topic / was happening
Sarven Capadisli
@csarven
The minutes will be up soon I imagine. It was more from the CCG's perspective. I've responded to Qs when asked. CCG wants to know next steps / potential conflicts / how to better coordinate. One of the cool ideas that Heather came up with was a hackathon/barcamp/Q&A type of session both groups can have. Nothing concrete set.. just floating the idea. And it'd be great to collaborate on implementations etc..
Justin Bingham
@justinwb
cool thanks for recap @csarven
Dmitri Zagidulin
@dmitrizagidulin
@justinwb yeah, you didn't miss much actually
Justin Bingham
@justinwb
@dmitrizagidulin right now i’ve got confidential storage weekly - this one is a regular for all ccg business then?
Dmitri Zagidulin
@dmitrizagidulin
@justinwb this is the regular call for general CCG. and yeah, despite what I said, I don't actually expect everybody to attend the ccg calls
the hackathon things sounds good :)
Sarven Capadisli
@csarven
Get your notepads ready.
Justin Bingham
@justinwb
HACK THE PLANET
Diego Araujo
@diegoaraujo
Hello guys, I'm new here, I apologize if my question has already been answered. Have you discussed the adoption of the UMA 2.0 protocol (https://docs.kantarainitiative.org/uma/wg/rec-oauth-uma-grant-2.0.html) for resource sharing?
Dmitri Zagidulin
@dmitrizagidulin
hi @diegoaraujo! we have, yes.
Diego Araujo
@diegoaraujo
Hi @dmitrizagidulin, thanks for your reply. Is there any record of this discussion? I'm new to the gitter and I couldn't find the discussion on this issue.
Dmitri Zagidulin
@dmitrizagidulin
@diegoaraujo i think it’s spread over issues on several repos, and call notes of the authorization pabel. in general, uma support is on the vague eventual roadmap. (tho not immediate one)
authorization panel, rather
Fred Gibson
@gibsonf1
We are starting to turn on PATCH "application/sparql-update" and wondering if there is any guidance on security for using the endpoint. Right now we are thinking a user should have write/control access to the pod account to be able to use it.
Kjetil Kjernsmo
@kjetilk
@gibsonf1 ah, my favorite topic :-)
I think it is very important that you don't have to assign more privileges than you'd actually need to use it. A pure INSERT query is an Append operation. If people have to assign Write, then they are likely to do that, and so, give the user more privileges than they would really need, which is bad. So, we should be careful to design the system to only require minimal privileges
@csarven has a table with this with the current thinking, but I don't remember where it is
Kjetil Kjernsmo
@kjetilk
that being said, there are a bunch of open problems around this, solid/query-panel#2 solid/specification#139
Fred Gibson
@gibsonf1
I guess each triple can be checked in the turtle that the user has write access to the subject uri or, if a new node, the user has write access to the request uri
Kjetil Kjernsmo
@kjetilk
@gibsonf1 I think it is more down to the mapping from Solid to SPARQL Quad Semantics. The request URI is in Solid generally mapped to the graph in the quad, so permissions are checked on the graph
Fred Gibson
@gibsonf1
Yes, but then if you check the subject of each quad as it's processed for write permissions, that problem seems solved.
Kjetil Kjernsmo
@kjetilk
we seem to be talking past each other. I think you actually only need to check the graph, which is simpler than to check the subject for each :-)
Martynas Jusevicius
@namedgraph_twitter
@gibsonf1 how will you make a triplestore check WAC on a triple level?
Kjetil Kjernsmo
@kjetilk
The only thing I would need to change to check the subject is to call the $plan->subject method instead of $plan->graph but to me, it is the wrong thing to do :-)
Kjetil Kjernsmo
@kjetilk
Well, BTW; that's only for reads though
but for writes, it would be similar, this was just an experiment written in an hour on a plane
Fred Gibson
@gibsonf1
Interesting, I wasn't thinking you could use PATCH "application/sparql" for reads for some reason. It would be nice if there were some repository of all latest thinking on how this should work
Fred Gibson
@gibsonf1
@namedgraph_twitter We store each triple as a state which is effectively an attribute connected to an entity - so we can have an acl for a specific triple, but for this I was just thinking of looking at the acl for the subject of the triple
It's one of the crucial problems with linked data for the enterprise - you have no idea what caused a particular triple, who created it, who changed it etc. We solved this problem by saving the triple in the form of a State "hypernode" which links an attribute "hypernode" to an entity, where the attribute can be specifically associated with many different entities, and thus there is a way to understand how entities are related by the predicate/object pair of the attribute. So you would know all things linked to color/red by clicking on that attribute and seeing the states that attribute it to a particular entity. Both state hypernodes and attribute hypernodes are a specific node, which enables attaching an acl to both.
Fred Gibson
@gibsonf1
@kjetilk If you just check the graph, you could create all sorts of triples on subjects you might not have permission to. With turtle, you can have any triples you like, so you could have permission to write to the request uri, but then create triples completely unrelated to that - that's what I was trying to prevent.
For our alpha version now, you have to have full account write/control to use it - but that obviously is pretty heavy handed.
Kjetil Kjernsmo
@kjetilk
Ah, yes, but that's a different topic than AuthZ, IMHO. That's more a question of whether you accept any triples where the subject doesn't match the request URI, and to that the answer should always be no :-)
Fred Gibson
@gibsonf1
Ahh, that would also solve the issue.
elf Pavlik
@elf-pavlik
I don't think one can put such requirement on the subject in all the statements. Even just to use properties in reverse direction results in moving the thing being described to the object position in a statement.
Fred Gibson
@gibsonf1
@elf-pavlik In the case where the system is actively checking each triple subject for permissions as it goes, it would support adding triples where the request uri is the object if the user has write permission to the subject of that triple
elf Pavlik
@elf-pavlik
If object is the one which matches request uri (possibly with additional fragment), subject could be literally anything, including IRIs outside of server's authority
Kjetil Kjernsmo
@kjetilk
right. I suppose it is a question that should be clarified
there's always shape validation and stuff
Fred Gibson
@gibsonf1
@elf-pavlik I'm thinking the request-uri is only helpful in identifying which pod to write to, and then from there you have to look at each triple in the sparql to check permissions. For new subjects, the request-uri could be used to resolve whether writing is allowed and where to locate them
Sarven Capadisli
@csarven
Fred Gibson
@gibsonf1
@csarven That's great, thanks!