Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Define creator #315

Open
csarven opened this issue Sep 23, 2021 · 6 comments
Open

Define creator #315

csarven opened this issue Sep 23, 2021 · 6 comments
Assignees
@csarven
Labels
topic: resource access
Milestone
~First Public Wor...

Comments

@csarven
Copy link
Member

csarven commented Sep 23, 2021
edited
Loading

The notion of "creator" of a resource has been in discussions and in being implemented for some time now e.g. solid/solid#111 (in 2016), #66 , #197 (comment) , #265 (comment) ..

"Creator" is an important piece of information, with plethora of use cases involving resource management, audit trails, notification of changes, provenance records, subject rights, privacy, authorization... that can be used by both servers and applications for different purposes.

Creators of resources have some sense of right to control the lifecycle of their own creations. It is similar to the current definition of storage "owner" in the Protocol:

An owner is a person or a social entity that is considered to have the rights and responsibilities of a data storage. An owner is identified by a URI, and implicitly has control over all data in a storage. An owner is first set at storage provisioning time and can be changed.

but in fact it is closer to the existing definition of "owner" in http://www.w3.org/ns/auth/acl#owner :

The person or other agent which owns this.
For example, the owner of a file in a filesystem.
There is a sense of right to control. Typically defaults to the agent who craeted
something but can be changed.

with the exception of not being changeable. (The current solid:owner was informed by acl:owner).

The creator (as per authenticated agent or possibly a group) of a resource needs to persist somehow/where.

Looking at #227 (search for "creator" or "authoritative resource metadata") and #177 , it is acknowledged to be a data point that should be available in the Protocol and most likely made available through a server-managed resource, i.e., server reads and writes to it, and it is read-only by agents/clients that are properly authorized. The creator goes well together with other "information such as last modification, size, resource type etc." that's server managed.

Alternatively, for RDF documents, the information can be part of the resource, and any attempt to updating it can be rejected - similar to attempts to directly updating containment statements. For example, LDP also mentions dcterms:creator as a server-managed property e.g., in https://www.w3.org/TR/ldp/#ldpr-put-replaceall . That has the advantage of following best practice on self-describing documents.

To make it uniformly available for all resources, there are two options:

  • HTTP Link header (with creator link relation type)
  • Auxiliary resource (including authoritative resource metadata)

(I'd say that the auxiliary resource is the way to go.. as that is going to solve a bunch of other issues in one go. On a related note, we may want to consider making owner information available from there as well.)
@csarven csarven added this to the ~First Public Working Draft milestone Sep 23, 2021
@csarven csarven self-assigned this Sep 23, 2021
@elf-pavlik
Copy link
Member

Alternatively, for RDF documents, the information can be part of the resource, and any attempt to updating it can be rejected - similar to attempts to directly updating containment statements. For example, LDP also mentions dcterms:creato as a server-managed property e.g., in https://www.w3.org/TR/ldp/#ldpr-put-replaceall . That has the advantage of following best practice on self-describing documents.

👎 given the direction of resource-level access control I believe this only complicates things. We have HTTP/2 available as well as content types that can represent datasets and include more than one graph. AFAIK only container currently has the quirk of mixing server-managed and client-managed triples and it brings all kinds of problems with it.

@bblfish
Copy link
Member

bblfish commented Sep 24, 2021
edited
Loading

I agree there are some pretty important use cases for having this.
One use case is an access control rule that would give Write ability to everyone who created a resource.
That is being discussed here: solid/authorization-panel#261

@dmitrizagidulin
Copy link
Member

+1 to using dcterms:creator, in the server-managed auxiliary resource.

@justinwb
Copy link
Member

+1 to using dcterms:creator, in the server-managed auxiliary resource.

+1 to the same.

@elf-pavlik
Copy link
Member

Given the conversation in solid/web-access-control-spec#97, it would be good to hear from @RubenVerborgh if access policies relying on information in server-managed auxiliary resource impact architecture discussed there. I would expect not, since server-managed auxiliary resource seems similar to ACL (WAC) / ACR (ACP), and both could be available to the authorization layer.

@bblfish bblfish mentioned this issue Sep 29, 2021
Open
@matthieubosquet matthieubosquet mentioned this issue Oct 11, 2021
Closed
@matthieubosquet
Copy link
Member

+1 to a clear separation of server managed and non server managed triples.
No strong opinion on Link headers vs auxiliary resource.
+1 to consistency of mechanism for advertising owner and creator.

@csarven csarven mentioned this issue Oct 18, 2021
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@csarven csarven

Labels
topic: resource access
Projects
None yet
Milestone
~First Public Working Draft
Development

No branches or pull requests
6 participants
@bblfish @csarven @matthieubosquet @justinwb @elf-pavlik @dmitrizagidulin