Emilien Antoine Gerome Miklau Julia Stoyanovich and Vera Zaychik Moffitt ICDE 2012 Mai 30 2012 Introducing Access Control in Webdamlog Serge Abiteboul INRIA Saclay ID: 399271
Download Presentation The PPT/PDF document "Joint work with" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Joint work with Emilien Antoine, Gerome Miklau, Julia Stoyanovich and Vera Zaychik Moffitt
ICDE 2012
Mai 30, 2012
Introducing Access Control in
Webdamlog
Serge Abiteboul
INRIA Saclay
& ENS CachanSlide2
2The Web as a distributed knowledge baseWebdamlog: a rule-based language for the WebAccess control in WebdamlogThe Webdamlog systemConclusionSlide3
3A typical Web user’s dataWhat kinds of data?data: photos, music, movies, reports, emailmetadata: photo taken by Alice in Paris on ...ontologies: Alice’s ontology and mapping with other ontologieslocalization: Alice’s pictures are on Picasa, back-ups are at INRIAsecurity: Facebook credentials (Alice, 123456)annotations: Alice likes Elvis’ websitebeliefs: Alice believes Elvis is aliveexternal knowledge: Bob keeps copies of Alice’s picturestime, provenance, ...all kinds
Social
dataSlide4
4A typical Web user’s dataWhat kinds of data?Where is the data?laptop, desktop, smartphone, tablet, car computermail, address book, agendaFacebook, LinkedIn, Picasa, YouTube, Tweetersvn, Google docsalso access to data / information of family, friends, companies associationsall kindseverywhereSlide5
5A typical Web user’s dataWhat kinds of data?Where is the data? all kinds everywhereWhat kind of organization? terminology: different ontologiessystems: personal machines, social networks
distribution: different localizationsecurity: different protocols
quality: incomplete / inconsistent information
heterogeneousSlide6
6Example of processingAlice and Bob are getting engaged. Their friends want to offer them an album of photos where they are togetherTo make such a photo albumFind friends of Alice & Bob (say with Facebook)for each friend, find where she keeps her photos (say, Picassa)find the means to access her photos possibly via friendsfind the photos that feature Bob and Alice together, e.g., using tags or face recognition softwarepossibly ask someone to verify the resultsSome reasoning is needed to execute these tasks
automatically!Slide7
A typical Web userOverwhelmed by the mass of informationCannot find the information neededIs not aware of important eventsCannot manage/control how others access and use his/her own data7Slide8
YOU need help!How can systems help?We need to move from a Web of text to a Web of knowledgeIn the spirit of semantic WebTo better support user needs, Systems need to analyze what is happening and construct knowledgeSystems should exchange knowledgeSystems should reason and infer knowledge
8Slide9
ThesisAll this forms a distributed knowledge base with processing based on automated reasoning9Slide10
10Our topicDistributed reasoning Exchanging facts and rules WebdamlogAccess control with access controlSlide11
11The Web as a distributed knowledge baseWebdamlog: a rule-based language for the WebAccess control in WebdamlogThe Webdamlog systemConclusionSlide12
12Webdamlog: a datalog-style languageDatalog A prehistoric language by Web time...+ nice and compact syntax+ well-studied with many extensions+ recursion essential: network cyclesWebdamlogNot as simple/beautiful & proceduralNeeded for real Web applications!Webdamlog is not datalogSlide13
Webdamlog: an extension of datalogDatalog program fof(x,y) :- friend(x,y) fof(x,y) :- friend(x,z), fof(z,y)Extensional facts (stored in the database) friend(“peter”,”paul”) friend(“paul”, “mary”) friend(“mary”,”sue”) Intentional facts (derived) fof(“peter”,”paul”) fof
(“peter”,”mary”) fof(“peter”, “sue”) fof(“paul
”, “mary”) fof(“paul”, “sue”) fof(“mary”,”sue”)
13Slide14
14Webdamlog: an extension of datalogExtends datalognegation, updates, distribution, delegation, timeFor a world that isdistributed: autonomous and asynchronous peersdynamic: knowledge evolves; peers come and goInfluenced byActive XML (INRIA) - for distribution & intentional dataDedalus (UC Berkeley) - for time & implementationSlide15
15FactsFacts are of the form m@p(a1, ..., an), wherem is a relation name & p is a peer namea1, ..., an are data values (n is the arity of m@p)the set of data values includes the relations and peer namesExamplesfriend@my-iphone(“peter”, “
paul”) extensionalfof@my-iphone(
“adam”, “paul”) intentionalSlide16
16Examples of factsdata & metadata: pictures@alice-iphone(1771.jpg, “Paris”, 11/11/2011)ontology: isA@yago.com("Elvis”, theKing)annotations: tags@delicious.com(“wikipedia.org”, encyclopedia)localization: where@alice(pictures, picasa/alice)access rights: right@picasa(pictures, friends, read)security: secret@picasa/alice; public@picasa/aliceSlide17
17RulesRules are of the form $R@$P($U) :- (not) $R1@$P1($U1), ..., (not) $Rn@$Pn($Un)where$R, $Ri are relation terms$P, $Pi are peer terms $U, $Ui are tuples of
termsSafety condition$R and $P must appear positively bound in the body
each variable in a negative literal must appear positively bound in the body
A
term is a variable or a constant
Examples coming up, stay tunedSlide18
18State transitionChoose some peer p randomly – asynchronouslyCompute the transition of pthe database updates at pthe messages sent to other peersthe delegations of rules to other peersKeep going forever(I0, Γ0, ∅) ➝ (I1
, Γ1, Γ1*
) ➝... ➝ (In, Γn
, Γn
*) ➝...
F
air
sequence: each peer is selected infinitely oftenSlide19
The semantics of rulesClassification based on locality and nature of head predicates (intentional or extensional)Local rule at my-laptop: all predicates in the body of the rules are from my-laptopLocal with local intentional head classic datalogLocal with local extensional head database updateLocal with non-local extensional head messaging between peersLocal with non-local intentional head view delegationNon-local general delegation19Slide20
20Local rules with local intentional headExample: Rule at peer my-laptopfriend is extensional, fof is intentionalfof@my-iphone($x, $y) :- friend@my-iphone($x,$y)fof@my-iphone($x,$y) :- friend@my-iphone($x,$z), fof@my-iphone
($z,$y)fof
is the transitive closure of friend
Datalog
= Webdamlog
with only local rules and local intentional headSlide21
21Local rules with local extensional headA new fact is inserted into the local databasebelieve@my-iphone(“Alice”, $loc) :- tell@my-iphone($p,”Alice”, $loc),friend@my-iphone($p)Slide22
22Local rules with non-local extensional headA new fact is sent to an external peer via a message$message@$peer($name, “Happy birthday!”) :- today@my-iphone($date),birthday@my-iphone($name, $message, $peer, $date)Extensional facts:today@my-iphone
(March 6)
birthday@my-iphone("Manon”
, “
sendmail”,
“
gmail.com
”
,
March 6
)
sendmail
@
gmail.com
(
"
Manon
”
,
“
Happy birthday”)Slide23
23Local rules with non-local intentional headView delegation!boyMeetsGirl@gossip-site($girl, $boy) :- girls@my-iphone($girl, $loc),boys@my-iphone($boy, $loc)Semantics of boyMeetGirl@gossip-site
is a join of relations girls and
boys from my-iphoneFormally, my-iphone
delegates a rule boyMeetGirl
@gossip-site(
g,b
) for each g, b, l,
girls
@my-iphone
(
g,l
),
boys
@my-iphone
(
b,l
)Slide24
24Non-local rules: general delegation(at my-iphone): boyMeetsGirl@gossip-site($girl, $boy) :- girls@my-iphone($girl, $loc), boys@alice-iphone($boy, $loc)Suppose that girls@my-iphone(“Alice”, “Julia's birthday”) holds.
Then my-iphone installs the following rule at alice-iphone
(at alice-iphone): boyMeetsGirl@gossip-site(“Alice”, $boy) :- boys
@alice-iphone($boy, “Julia's birthday”)
When girls@my-iphone(“Alice”, “Julia's birthday”) no longer holds,
my
-
iphone
uninstalls the ruleSlide25
25Non-local rules: general delegation(at my-iphone): boyMeetsGirl@gossip-site($girl, $boy) :- girls@my-iphone($girl, $loc), boys@alice-iphone($boy, $loc)An alternative, more database-ish, way of looking at this:at my-iphone :
seed@alice-iphone($girl, $loc):-
girls@my-iphone($girl, $loc)at alice-iphone :
boyMeetsGirl@gossip-site($girl, $boy) :-
seed@alice-iphone
($girl,
$loc),
boys@
alice-
iphone
($boy,
$loc)
view
delegation
delegationSlide26
26Complexity of delegation: illustrationfof(x,y) :- friend(x,y)(at p) fof@p(x,y) :- peers@p($q), friend@$q(x,y)If peers@p contains 100 000 tuples peers@p(q1), ...., peers@p(q100
000)This rule will install 100 000 rules!for i=1 to 100
000 (at qi) fof@p(x,y) :- friend@qi(
x,y)Data
complexity transformed into program
complexitySlide27
27Summary of results [PODS 2011]Formal definition of the semantics of WebdamlogResults on expressivitythe model with delegation is more general, unless all peers and programs are known in advanceConvergence is very hard to achievepositive Webdamlogstrongly stratified programs with negationSlide28
28The Web as a distributed knowledge baseWebdamlog: a rule-based language for the WebAccess control in WebdamlogThe Webdamlog systemConclusionSlide29
RequirementsData access Users would like to control who can read and modify their informationData dissemination Users would like to control how their data are transferred from one participant to another, and how they are combined, with the owner of each piece of data keeping some control over itApplication control Users would like to control which applications can run on their behalf, and what information these applications can access.29Slide30
The general pictureThe privileges we consider: read, write, grantFor read:Coarse grained access control: at the relation levelFine grain access control: at the tuple level 30Slide31
Insertion in extentional relationsDefinition of intensional relationsRequires write privilege on the target relation [at Alice] alicePhotos@Bob($f) :- person@Alice($p, “Friend”), personInPhoto@Alice($pid, $p), photo@Alice($pid,−, $f)[at Alice] allPhotos@Alice($f) : alicePhotos@Alice($f)[at Bob] allPhotos@Alice($f) :- bobPhotos@Bob($f)31Slide32
Who can read a fact ? – default Extensional relations: if you have read privilege to the relationIntensional relations: if you have read privilege to the relation &if you can read all the tuples that have been used to create this fact – provenance of the fact32Slide33
Digression: provenanceProvenance of a tupleHow it was constructed: conjunctionAlternatives: disjunction33Slide34
34Digression: provenance graphgossip@p(Jane, John)rule3
×
girls@
p
(
Jane,
Julia’s birthday)
boys@
p
(
John,
Julia's birthday)
rule
1
×
×
boyMeetsGirl@p(Jane, John)
×
+
(Also
used for maintenance
in case of
update)Slide35
Coarse grain access control[at Alice] alicePhotos@Bob($f) :- person@Alice($p, “Friend”), personInPhoto@Alice($pid, $p), photo@Alice($pid,−, $f)alicePhotos@Bob is extensionalWhoever has read access to alicePhotos@Bob sees all the relation35Slide36
Fine grain access control[at Alice] allPhotos@Alice($f) : alicePhotos@Alice($f)[at Bob] allPhotos@Alice($f) :- bobPhotos@Bob($f)allPhotos@Alice is intensionalSue who has read privilege to allPhotos@Alice and alicePhotos only, can see only the photos of Alice in allPhotosLili who has read privilege to the three relations, sees everything36Slide37
Overwriting the default for intensional dataLet us change the rule to:[at Alice] allPhotos@$x($f) :- alicePhotos@Alice($f), friends@Alice($x)Issue: you can read the photos only if you also have read privilege to friends@Alice 37Slide38
Overwriting the default for intensional data[at Alice] allPhotos@$x($f) :- alicePhotos@Alice($f), [hide friends@Alice($x)]Hide: block the provenance from friends@AliceSimilar mechanism for extensional data – expose 38Slide39
Issues with non local rules[at Bob] message@Sue(“I hate you”) :- date@Alice(d)aliceSecret@Bob(x) :- date@Alice(d), secret@Alice(x)Ignoring access rights, by delegation, this results in running[at Alice] message@Sue(“I hate you”) :- date@Alice(d) aliceSecret@Bob(x) :- date@Alice(d), secret@Alice(x)39Slide40
Default solution: sand boxWe run the rule at Alice in a SandboxWe use the access rights of BobSo the second rule does not succeed in sending secretsThe message specifies that this is done at Bob’s requestSo requires authentication/signaturesAlternative: delegation without sandbox. Possible if the peer that asks for the delegation is given the privilege to install rules at the other peer – Here if Alice gives Bob the right to install a rule in her environment40Slide41
Access control implementation A program with access control is compiled locally in a Webdamlog program without that is executedAccess control data is managed like any other data Relation acl (defines relation access) Relation kind (ext or int)Based on provenance implemented as a distributed graphOn-going work on optimization 41Slide42
42The Web as a distributed knowledge baseWebdamlog: a rule-based language for the WebAccess control in WebdamlogThe Webdamlog systemSlide43
43The Webdamlog engineBased on Buddeveloped at UC BerkeleyManages knowledgeStores facts and rulesexchanges knowledge with other enginesperforms reasoningSlide44
44The engine: beyond BudCompilation of (Bud’s language)Main Webdamlog features not supported by BudVariable relation and peer namesDelegations with dynamic changes of the programWebdamlog+AC ⇒ Webdamlog ⇒ Bloom Slide45
45The Webdamlog peerSupport communication with other peers and with usersSupport common security protocolsSupport wrappers to external systems such as FacebookProvides Web interfaces Slide46
46Provenance graphs Records the history of derivationProvenance semiring semantics [Green et al. 07]Used for performance optimization Used for fine grain access controlOther possible uses such as explanation of resultsSlide47
47The Web as a distributed knowledge baseWebdamlog: a rule-based language for the WebAccess control in WebdamlogThe Webdamlog systemConclusionSlide48
ThesisLet us turn the Web into a distributed knowledge base with billions of users supported by billions of systems analyzing information extracting knowledge exchanging knowledge inferring knowledge48Slide49
WebdamlogLanguageA language for distributed data management [PODS 2011]Datalog with distribution, updates, messaging Main novelty: delegationImplementation WebdamExchange peer in Java [demo ICDE 2011]Webdamlog engine based on Bud [demo Sigmod 2013]Access control: on-going work with Miklau-StoyanovichProbabilistic Webdamlog: on-going work with Deutch-Vianu49Slide50
Cambridge University Press, 2012http://webdam.inria.fr/JorgeGrazie !