New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ACL creation and linking -- be explicitly silent or specify? #176
Comments
I think it would be nice to at least specify one or more options for creating ACLs that should be supported. Otherwise, any client wishing to create resources with ACLs will have to have special knowledge of the implementation's choices in that regard. |
I like how the LDP spec deals with descriptions for LDP-NRs via I think several (most?) implementations of web acl do that. |
I would suggest it is a requirement that one ACL could be applied to many resources distributed throughout the repository, to address both the scaling concern as well as to reduce duplication of policies. Is there concern about specifying the current approach?
|
As I've said before, I think it would be good to specify one way that clients can declare what ACL should be used for newly-created resources. There was some discussion of this at the last editor's meeting, and it would look something like:
|
@acoburn I don't think we should exclude other implementation patterns, including having a server-managed ACL link like you're describing for Trellis, or the Modeshape impl's pattern of including a triple pointing to the ACL. But all things being equal, I think it would be good to specify one pattern for clients to specify their ACLs, because otherwise implementations that support that will naturally vary. |
Can I just ask a question, I was responding to this thread and I realized that the Solid Spec does not use the acl:accessControl property either. I'm having (pragmatic) concerns/thoughts. Does that mean you check all ACLs to find any all that have an acl:accessTo for the resource you are requesting? |
@acoburn that' s interesting. So the server will place the ACL in an expected location for each resource. Would that not mean that the However there is no way that the resource in tree C would know it was covered by that ACL. I guess you could parse the ACLs (on insert/update) to validate that they are only referring to the expected resources. I'm not particularly tied to Unless (and this is a viable option) I've misread the spec and so missed the substance of the discussion. |
@acoburn ok, I realize that the concerns I have are more of a server-side or implementation concern. The clients should be blissfully unaware, but I was just wondering what the general thoughts around this were. thanks. |
The SOLIDWEBAC specification and the Fedora specification are both currently silent on how or when and ACL may be created and linked to the resource(s) it is designed to control access for. The following cases all seem conforming at present:
acl:accessControl
property on a resource to indicate its ACL (this predicate is in the WAC ontology but is not mentioned in the SOLIDWEWAC spec)acl:accessTo
(has rules determining whether linking happens for one or more resources, what to do if one of these already has an ACL, etc.)IMO, we should either be explicitly silent:
or specify some restrictions.
(I believe that, given the understanding that an ACL is an LDPRS, and the
acl:Control
permission (#170), changes to an ACL can be made with PUT/PATCH as normal under LDP.)The text was updated successfully, but these errors were encountered: