Linked Data providers currently expose content publicly, knowing that it is not protected. This may discourage the publication of further datasets, at the expense of the growth of the Web of Data itself.

In the literature, authentication and authorization mechanisms either introduce undesired complexity, such as ad-hoc policy languages, or rely on basic access control lists, resulting in limited policy expressiveness.

  • Authorization for r/w HTTP Methods on RDF resources
  • RDF Resource-oriented
  • Policy Language in RDF/SPARQL or RDF only
  • Attribute-based
  • "Context-aware" Policies

Access Policies must be defined as a preliminary step in order to protect RDF resources. Each Access Policy is associated with a privilege level and includes a set of Access Conditions, i.e. attribute constraints that must be satisfied, conjunctively or disjunctively, to access the protected resources.

Shi3ld access policies rely on two complementary lightweight vocabularies: S4AC, which covers the core access control concepts, and PRISSMA, which models client attributes (the client context).

What follows is a sample access policy protecting :resource1. It allows read access to :resource1 only if the user is located within a given geographic area.

# Prefixes s4ac:, prissma: and geo: (WGS84 lat/lon) are assumed to be declared above.
:policy1 a s4ac:AccessPolicy;
    s4ac:appliesTo :resource1;
    s4ac:hasAccessPrivilege s4ac:Read;
    s4ac:hasAccessConditionSet :acs1.

:acs1 a s4ac:AccessConditionSet;
    s4ac:hasAccessCondition :ac1.

# The condition is a SPARQL ASK query evaluated against the client context:
# it succeeds only if the client's current POI lies within 0.5 degrees of
# (45.8483, 7.3263) on both axes.
:ac1 a s4ac:AccessCondition;
    s4ac:hasQueryAsk
    """ASK
       {?ctx a prissma:Context;
             prissma:environment ?env;
             prissma:user ?usr.
        ?env prissma:currentPOI ?poi.
        ?poi prissma:based_near ?p.
        ?p geo:lat ?lat; geo:lon ?lon.
        FILTER(((?lat-45.8483) >= 0 && (?lat-45.8483) < 0.5
            || (?lat-45.8483) < 0 && (?lat-45.8483) > -0.5)
            && ((?lon-7.3263) >= 0 && (?lon-7.3263) < 0.5
            || (?lon-7.3263) < 0 && (?lon-7.3263) > -0.5))}""".

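The enforcement step that the policy above implies, as an added example that is not Shi3ld's own code: HTTP methods are mapped to privilege levels, a policy is selected by target resource and privilege, and its condition set is evaluated conjunctively or disjunctively against the client context. The context is a plain dict standing in for the PRISSMA context graph, and each condition is a Python predicate standing in for the SPARQL ASK query (the `near` predicate reproduces the FILTER of :ac1); the method-to-privilege mapping and the `Write` label are assumptions, since the page names only s4ac:Read.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

# Added, simplified model of Shi3ld-style enforcement (not the project's code).
Context = Dict[str, Any]            # stands in for the PRISSMA context graph
Condition = Callable[[Context], bool]  # stands in for an s4ac:hasQueryAsk query

# Assumed mapping of HTTP methods to privilege levels; the page only names
# s4ac:Read, so "Write" is a stand-in label for the write-side privileges.
METHOD_PRIVILEGE = {"GET": "Read", "HEAD": "Read",
                    "PUT": "Write", "POST": "Write", "DELETE": "Write"}


@dataclass
class AccessPolicy:
    """s4ac:AccessPolicy: target resource, privilege and an access condition set."""
    applies_to: str
    privilege: str
    conditions: List[Condition]
    conjunctive: bool = True  # conjunctive vs disjunctive s4ac:AccessConditionSet

    def satisfied_by(self, ctx: Context) -> bool:
        if not self.conditions:
            return False  # fail closed: an empty condition set grants nothing
        results = [c(ctx) for c in self.conditions]
        return all(results) if self.conjunctive else any(results)


def near(lat0: float, lon0: float, delta: float = 0.5) -> Condition:
    """Condition equivalent to the FILTER of :ac1: the client's current POI lies
    within `delta` degrees of (lat0, lon0) on both axes."""
    def cond(ctx: Context) -> bool:
        poi = ctx.get("poi")
        if poi is None:
            return False  # no location in the context: the ASK would not match
        return abs(poi["lat"] - lat0) < delta and abs(poi["lon"] - lon0) < delta
    return cond


def authorize(policies: List[AccessPolicy], method: str,
              resource: str, ctx: Context) -> bool:
    """Allow the request iff some policy targets this resource with the privilege
    the HTTP method needs and that policy's condition set holds for the context."""
    needed = METHOD_PRIVILEGE.get(method)
    if needed is None:
        return False  # unknown method: deny
    return any(p.applies_to == resource and p.privilege == needed
               and p.satisfied_by(ctx) for p in policies)


# The page's :policy1 in this model: read access to :resource1 only from a
# client whose current POI is near (45.8483, 7.3263).
POLICIES = [AccessPolicy(":resource1", "Read", [near(45.8483, 7.3263)])]
```

A resource with no matching policy is denied here, which is an assumption of this model rather than something the page states.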
Contacts

Luca Costabello, Serena Villata, Oscar Rodriguez-Rocha, Fabien Gandon