General Information
A place to record thoughts on the interaction of resource versions and WAC authorization in the context of the Fedora API alignment sprint.
JIRA issue:
- If we are preserving ACLs as part of a version rather than using the original resource's, then for resources without an assigned or inherited ACLs Fedora would need to record the Default ACL at the time of the snapshot somehow. 5.3 Inheritance and Default ACLs
- Similarly, an inherited ACL would also need to be recorded for the snapshot.
Memento and Security
Memento has very little to say about security, mainly just that it is up to the server in terms of how access to previous versions work (most likely we want it to behave the same way it behaved at the point of the snapshot, but that is something that needs to be decided), and what memento headers to expose during authentication:
https://tools.ietf.org/html/rfc7089#section-7
Delta Documentation
For versioning: Versioning Delta/Specification Notes
For authorization: TBD
Design
Finding the ACL on a LDPRm (memento):
There are three separate entities at play in this scenario.
- LDPRv - the original resource. Potentially has it's own ACL or has one via inheritance.
- LDPCv - is a full LDPR in and of itself and should have it's own ACL because it's a means of discovery for finding information about mementos.
- LDPRm - is a full LDPR as well, but the existing ACL that it references should maybe not be it's ACL anymore, so that an admin can further change azn to the mementos w/o affecting the original LDPR.
To find the ACL that relates to a LDPRm, follow this algorithm:
- First look at the LDPCv for the LDPRm to see if it has an access control triple for memento items associated with it ('memento:accessControl'). If so, stop there and honor that ACL as it will apply to all mementos it contains.
- Otherwise follow the pattern specified by the SOLID WebAC specification for finding an ACL for a LDPRv:
- Use the document's (LDPR) own ACL resource if it exists (in which case, stop here).
- Otherwise, look for authorizations to inherit from the ACL of the document's container. If those are found, stop here.
- Failing that, check the container'sparent container to see if that has its own ACL file, and see if there are any permissions to inherit.
- Failing that, move up the container hierarchy until you find a container with an existing ACL file, which has some permissions to inherit.
- The root container of a user's account MUST have an ACL resource specified. (If all else fails, the search stops there.)
Given this, the following is then true:
- LDPCv's can have an ACL applied to them. If not, then the LDPRv's ACL applies to all the mementos in the LDPCv.
- LDPRv and it's mementos can have different ACLs.
@prefix ldp: <http://www.w3.org/ns/ldp#> .
@prefix memento: <http://example.com/memento#> .
</path/to/timemap/resource/xyz> a memento:TimeMap, ldp:Container ;
memento:hasOriginalResource </path/to/orig/resource/xyz> ;
memento:hasTimeGate </path/to/orig/resource/xyz> ;
memento:hasAccessControl </path/to/acls> ;
memento:first </path/to/orig/resource/xyz/datetimestamp1> ;
memento:last </path/to/orig/resource/xyz/datetimestamp27> ;
ldp:contains </path/to/orig/resource/xyz/datetimestamp1>, </path/to/orig/resource/xyz/datetimestamp4>,
</path/to/orig/resource/xyz/datetimestamp2>, </path/to/orig/resource/xyz/datetimestamp27> .
@prefix memento: <http://example.com/memento#> .
</path/to/resource/xyz/memento/12345> a memento:Memento , ldp:RDFSource ;
memento:datetime "20010320133610" ;
memento:hasTimegate </path/to/orig/resource/xyz> ; #original resource == timegate
memento:hasOriginalResource </path/to/orig/resource/xyz> ;
memento:next </path/to/orig/resource/datetimestamp12346> ;
memento:prev </path/to/orig/resource/datetimestamp12344> ;
... triples from original resource at the time of the versioning are here as well.
Use Cases
Versioning/Authorization Use-Cases
Issues / Concerns:
URIs in LDPRm, and the "multiple parent" problem
It seems to be difficult to determine the identity of the "parent" of a resource via ldp:contains with versioning.
- LDPR contains LDPR (without versioning). This one is simple. A ldp:contains A/B. A/B has exactly one parent: A.
- LDPRv contains LDPRv. This one is also pretty simple. A ldp:contains A/B, A/B has exactly one parent: A.
- LDPRm contains LDPRv. This one is a little less straightforward. There could be multiple resources that assert they contain B: What does a client need to know the identity of the resource that contains B?
- A_m1 (an LDPRm for A): <A_m1> <ldp:contains> <B>
- A_m2 (a different LDPRm for A): <A_m2> <ldp:contaiins> <B>
- A (an LDPRv): <A> <ldp:contains> <B>
- LDPRm contains LDPRm. This one causes problems due to the fact that an LDPRm MUST be contained by an LDPCv as well. For memento B_m1 of resource B What does a client need to know in order to determine which one is B_m1's parent via containment?:
- A_m1 (an LDPRm for A): <A_m1> <ldp:contains> <B_m1>
- A_m2 (a different LDPRm for A): <A_m2> <ldp:contaiins> <B_m1>
- B_cv (The LDPCv for B): <B_cv> <ldp:contains> <B_m1>
Snapshot Versioning (problem ?)
The current fedora implementation creates (and links to) new LDPRs when a non-empty LDPRv is versioned. These resources are neither an LDPRv, nor LDPRm
For example, consider a container A and A/B where A ldp:contains B.
Creating a version v1 of <A> creates a resource <A/fcr:versions/v1>. This is essentially an LDPRm, and contains triple <A/fcr:versions/v1> ldp:contains <A/fcr:versions/v1/B>.
Issues are:
- <A/fcr:versions/v1/B> is a new LDPR, bit its relationship to versioning is not defined in any spec. It is not an LDPRv, nor an LDPRm. It does not the have equivalent of an LDPCv associated with it.
- There is no explicit or implicit relationship between <A/fcr:versions/v1/B> and <B>
All of this may be fine, but it lies outside of any specification. Essentially, "when you create a new version of a resource, that resource versions now points new and different things that it didn't previously point to, and have nothing to do with versioning"
