
Joint work with - PowerPoint Presentation

Uploaded On 2016-07-11


Emilien Antoine, Gerome Miklau, Julia Stoyanovich and Vera Zaychik Moffitt. ICDE 2012, May 30, 2012. Introducing Access Control in Webdamlog. Serge Abiteboul, INRIA Saclay. ID: 399271



Presentation Transcript

Slide1

Joint work with Emilien Antoine, Gerome Miklau, Julia Stoyanovich and Vera Zaychik Moffitt

ICDE 2012

May 30, 2012

Introducing Access Control in Webdamlog

Serge Abiteboul

INRIA Saclay & ENS Cachan

Slide2

The Web as a distributed knowledge base
Webdamlog: a rule-based language for the Web
Access control in Webdamlog
The Webdamlog system
Conclusion

Slide3

A typical Web user's data
What kinds of data? All kinds
  data: photos, music, movies, reports, email
  metadata: photo taken by Alice in Paris on ...
  ontologies: Alice's ontology and mapping with other ontologies
  localization: Alice's pictures are on Picasa, back-ups are at INRIA
  security: Facebook credentials (Alice, 123456)
  annotations: Alice likes Elvis' website
  beliefs: Alice believes Elvis is alive
  external knowledge: Bob keeps copies of Alice's pictures
  time, provenance, ...
Social data

Slide4

A typical Web user's data
What kinds of data? All kinds
Where is the data? Everywhere
  laptop, desktop, smartphone, tablet, car computer
  mail, address book, agenda
  Facebook, LinkedIn, Picasa, YouTube, Twitter
  svn, Google docs
  also access to data / information of family, friends, companies, associations

Slide5

A typical Web user's data
What kinds of data? All kinds
Where is the data? Everywhere
What kind of organization? Heterogeneous
  terminology: different ontologies
  systems: personal machines, social networks
  distribution: different localization
  security: different protocols
  quality: incomplete / inconsistent information

Slide6

Example of processing
Alice and Bob are getting engaged. Their friends want to offer them an album of photos where they are together.
To make such a photo album:
  Find friends of Alice & Bob (say with Facebook)
  for each friend, find where she keeps her photos (say, Picasa)
  find the means to access her photos, possibly via friends
  find the photos that feature Bob and Alice together, e.g., using tags or face recognition software
  possibly ask someone to verify the results
Some reasoning is needed to execute these tasks automatically!

Slide7

A typical Web user
  Overwhelmed by the mass of information
  Cannot find the information needed
  Is not aware of important events
  Cannot manage/control how others access and use his/her own data

Slide8

YOU need help!
How can systems help?
We need to move from a Web of text to a Web of knowledge
  In the spirit of semantic Web
To better support user needs,
  Systems need to analyze what is happening and construct knowledge
  Systems should exchange knowledge
  Systems should reason and infer knowledge

Slide9

Thesis
All this forms a distributed knowledge base with processing based on automated reasoning

Slide10

Our topic
Distributed reasoning
Exchanging facts and rules
Webdamlog
Access control
with access control

Slide11

The Web as a distributed knowledge base
Webdamlog: a rule-based language for the Web
Access control in Webdamlog
The Webdamlog system
Conclusion

Slide12

Webdamlog: a datalog-style language
Datalog
  A prehistoric language by Web time...
  + nice and compact syntax
  + well-studied with many extensions
  + recursion essential: network cycles
Webdamlog
  Not as simple/beautiful & procedural
  Needed for real Web applications!
Webdamlog is not datalog

Slide13

Webdamlog: an extension of datalog
Datalog program
    fof(x,y) :- friend(x,y)
    fof(x,y) :- friend(x,z), fof(z,y)
Extensional facts (stored in the database)
    friend("peter","paul")  friend("paul","mary")  friend("mary","sue")
Intensional facts (derived)
    fof("peter","paul")  fof("peter","mary")  fof("peter","sue")
    fof("paul","mary")  fof("paul","sue")  fof("mary","sue")

Slide14

Webdamlog: an extension of datalog
Extends datalog
  negation, updates, distribution, delegation, time
For a world that is
  distributed: autonomous and asynchronous peers
  dynamic: knowledge evolves; peers come and go
Influenced by
  Active XML (INRIA) - for distribution & intensional data
  Dedalus (UC Berkeley) - for time & implementation

Slide15

Facts
Facts are of the form m@p(a1, ..., an), where
  m is a relation name & p is a peer name
  a1, ..., an are data values (n is the arity of m@p)
  the set of data values includes the relations and peer names
Examples
    friend@my-iphone("peter", "paul")    extensional
    fof@my-iphone("adam", "paul")        intensional

Slide16

Examples of facts
  data & metadata: pictures@alice-iphone(1771.jpg, "Paris", 11/11/2011)
  ontology: isA@yago.com("Elvis", theKing)
  annotations: tags@delicious.com("wikipedia.org", encyclopedia)
  localization: where@alice(pictures, picasa/alice)
  access rights: right@picasa(pictures, friends, read)
  security: secret@picasa/alice; public@picasa/alice

Slide17

Rules
Rules are of the form
    $R@$P($U) :- (not) $R1@$P1($U1), ..., (not) $Rn@$Pn($Un)
where
  $R, $Ri are relation terms
  $P, $Pi are peer terms
  $U, $Ui are tuples of terms
Safety condition
  $R and $P must appear positively bound in the body
  each variable in a negative literal must appear positively bound in the body
A term is a variable or a constant
Examples coming up, stay tuned

Slide18

State transition
Choose some peer p randomly – asynchronously
Compute the transition of p
  the database updates at p
  the messages sent to other peers
  the delegations of rules to other peers
Keep going forever
    (I0, Γ0, ∅) ➝ (I1, Γ1, Γ1*) ➝ ... ➝ (In, Γn, Γn*) ➝ ...
Fair sequence: each peer is selected infinitely often

Slide19

The semantics of rules
Classification based on locality and nature of head predicates (intensional or extensional)
Local rule at my-laptop: all predicates in the body of the rules are from my-laptop
  Local with local intensional head: classic datalog
  Local with local extensional head: database update
  Local with non-local extensional head: messaging between peers
  Local with non-local intensional head: view delegation
Non-local: general delegation

Slide20

Local rules with local intensional head
Example: Rule at peer my-laptop
friend is extensional, fof is intensional
    fof@my-iphone($x,$y) :- friend@my-iphone($x,$y)
    fof@my-iphone($x,$y) :- friend@my-iphone($x,$z), fof@my-iphone($z,$y)
fof is the transitive closure of friend
Datalog = Webdamlog with only local rules and local intensional head

Slide21

Local rules with local extensional head
A new fact is inserted into the local database
    believe@my-iphone("Alice", $loc) :- tell@my-iphone($p, "Alice", $loc), friend@my-iphone($p)

Slide22

Local rules with non-local extensional head
A new fact is sent to an external peer via a message
    $message@$peer($name, "Happy birthday!") :- today@my-iphone($date), birthday@my-iphone($name, $message, $peer, $date)
Extensional facts:
    today@my-iphone(March 6)
    birthday@my-iphone("Manon", "sendmail", gmail.com, March 6)
    sendmail@gmail.com("Manon", "Happy birthday")

Slide23

Local rules with non-local intensional head
View delegation!
    boyMeetsGirl@gossip-site($girl, $boy) :- girls@my-iphone($girl, $loc), boys@my-iphone($boy, $loc)
Semantics of boyMeetsGirl@gossip-site is a join of relations girls and boys from my-iphone
Formally, my-iphone delegates a rule boyMeetsGirl@gossip-site(g,b) for each g, b, l with girls@my-iphone(g,l), boys@my-iphone(b,l)

Slide24

Non-local rules: general delegation
(at my-iphone):
    boyMeetsGirl@gossip-site($girl, $boy) :- girls@my-iphone($girl, $loc), boys@alice-iphone($boy, $loc)
Suppose that girls@my-iphone("Alice", "Julia's birthday") holds.
Then my-iphone installs the following rule at alice-iphone
(at alice-iphone):
    boyMeetsGirl@gossip-site("Alice", $boy) :- boys@alice-iphone($boy, "Julia's birthday")
When girls@my-iphone("Alice", "Julia's birthday") no longer holds, my-iphone uninstalls the rule

Slide25

Non-local rules: general delegation
(at my-iphone):
    boyMeetsGirl@gossip-site($girl, $boy) :- girls@my-iphone($girl, $loc), boys@alice-iphone($boy, $loc)
An alternative, more database-ish, way of looking at this:
at my-iphone:
    seed@alice-iphone($girl, $loc) :- girls@my-iphone($girl, $loc)
at alice-iphone:
    boyMeetsGirl@gossip-site($girl, $boy) :- seed@alice-iphone($girl, $loc), boys@alice-iphone($boy, $loc)
[Slide annotations: view, delegation, delegation]

Slide26

Complexity of delegation: illustration
    fof(x,y) :- friend(x,y)
    (at p) fof@p(x,y) :- peers@p($q), friend@$q(x,y)
If peers@p contains 100 000 tuples peers@p(q1), ..., peers@p(q100 000)
This rule will install 100 000 rules!
    for i=1 to 100 000
    (at qi) fof@p(x,y) :- friend@qi(x,y)
Data complexity transformed into program complexity

Slide27

Summary of results [PODS 2011]
Formal definition of the semantics of Webdamlog
Results on expressivity
  the model with delegation is more general, unless all peers and programs are known in advance
Convergence is very hard to achieve
  positive Webdamlog
  strongly stratified programs with negation

Slide28
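The general delegation step from the slides "Non-local rules: general delegation" and "Complexity of delegation", as an added Python example that is not part of the presentation or of the Webdamlog code base. The tuple encoding of atoms as (relation, peer, args) and the names subst, match, delegate and fanout are assumptions made for this sketch.

```python
def subst(atom, env):
    """Apply variable bindings to relation name, peer name and arguments."""
    rel, peer, args = atom
    return (env.get(rel, rel), env.get(peer, peer), tuple(env.get(a, a) for a in args))

def match(atom, fact, env):
    """Unify a body atom with a stored fact; return extended bindings or None."""
    if len(atom[2]) != len(fact[2]):
        return None
    env = dict(env)
    for pat, val in zip(atom[:2] + atom[2], fact[:2] + fact[2]):
        if pat.startswith("$"):                 # variable: bind it or check the binding
            if env.setdefault(pat, val) != val:
                return None
        elif pat != val:
            return None
    return env

def delegate(rule, here, facts, env=None, i=0):
    """Evaluate the body left to right at `here`; ship the rest at the first remote atom."""
    head, body = rule
    env = env or {}
    if i == len(body):
        return []                               # fully local: nothing to install remotely
    atom = subst(body[i], env)
    if atom[1] != here:                         # residual rule, bindings already applied
        rest = [subst(a, env) for a in body[i:]]
        return [(atom[1], (subst(head, env), rest))]
    out = []
    for fact in facts:
        bound = match(atom, fact, env)
        if bound is not None:
            out += delegate(rule, here, facts, bound, i + 1)
    return out

# Rule and fact taken from the "general delegation" slide.
RULE = (("boyMeetsGirl", "gossip-site", ("$girl", "$boy")),
        [("girls", "my-iphone", ("$girl", "$loc")),
         ("boys", "alice-iphone", ("$boy", "$loc"))])
FACTS = [("girls", "my-iphone", ("Alice", "Julia's birthday"))]

def fanout(n):
    """Complexity slide: one rule over peers@p with n constructed peers q1..qn."""
    rule = (("fof", "p", ("$x", "$y")),
            [("peers", "p", ("$q",)), ("friend", "$q", ("$x", "$y"))])
    return delegate(rule, "p", [("peers", "p", ("q%d" % k,)) for k in range(1, n + 1)])

if __name__ == "__main__":
    print(delegate(RULE, "my-iphone", FACTS))
```

Re-running delegate after the girls fact is removed returns an empty list, which corresponds to my-iphone uninstalling the rule.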

The Web as a distributed knowledge base
Webdamlog: a rule-based language for the Web
Access control in Webdamlog
The Webdamlog system
Conclusion

Slide29

Requirements
Data access
  Users would like to control who can read and modify their information
Data dissemination
  Users would like to control how their data are transferred from one participant to another, and how they are combined, with the owner of each piece of data keeping some control over it
Application control
  Users would like to control which applications can run on their behalf, and what information these applications can access.

Slide30

The general picture
The privileges we consider: read, write, grant
For read:
  Coarse grained access control: at the relation level
  Fine grain access control: at the tuple level

Slide31

Insertion in extensional relations
Definition of intensional relations
Requires write privilege on the target relation
    [at Alice] alicePhotos@Bob($f) :- person@Alice($p, "Friend"), personInPhoto@Alice($pid, $p), photo@Alice($pid,−, $f)
    [at Alice] allPhotos@Alice($f) :- alicePhotos@Alice($f)
    [at Bob] allPhotos@Alice($f) :- bobPhotos@Bob($f)

Slide32

Who can read a fact? – default
Extensional relations: if you have read privilege to the relation
Intensional relations: if you have read privilege to the relation & if you can read all the tuples that have been used to create this fact – provenance of the fact

Slide33

Digression: provenance
Provenance of a tuple
  How it was constructed: conjunction
  Alternatives: disjunction

Slide34

Digression: provenance graph
[Figure: provenance graph with nodes gossip@p(Jane, John), rule3, girls@p(Jane, Julia's birthday), boys@p(John, Julia's birthday), rule1 and boyMeetsGirl@p(Jane, John), joined by × and + operators]
(Also used for maintenance in case of update)

Slide35

Coarse grain access control
    [at Alice] alicePhotos@Bob($f) :- person@Alice($p, "Friend"), personInPhoto@Alice($pid, $p), photo@Alice($pid,−, $f)
alicePhotos@Bob is extensional
Whoever has read access to alicePhotos@Bob sees all the relation

Slide36

Fine grain access control
    [at Alice] allPhotos@Alice($f) :- alicePhotos@Alice($f)
    [at Bob] allPhotos@Alice($f) :- bobPhotos@Bob($f)
allPhotos@Alice is intensional
Sue, who has read privilege to allPhotos@Alice and alicePhotos only, can see only the photos of Alice in allPhotos
Lili, who has read privilege to the three relations, sees everything

Slide37

Overwriting the default for intensional data
Let us change the rule to:
    [at Alice] allPhotos@$x($f) :- alicePhotos@Alice($f), friends@Alice($x)
Issue: you can read the photos only if you also have read privilege to friends@Alice

Slide38

Overwriting the default for intensional data
    [at Alice] allPhotos@$x($f) :- alicePhotos@Alice($f), [hide friends@Alice($x)]
Hide: block the provenance from friends@Alice
Similar mechanism for extensional data – expose

Slide39

Issues with non local rules
    [at Bob] message@Sue("I hate you") :- date@Alice(d)
             aliceSecret@Bob(x) :- date@Alice(d), secret@Alice(x)
Ignoring access rights, by delegation, this results in running
    [at Alice] message@Sue("I hate you") :- date@Alice(d)
               aliceSecret@Bob(x) :- date@Alice(d), secret@Alice(x)

Slide40

Default solution: sandbox
We run the rule at Alice in a sandbox
  We use the access rights of Bob
  So the second rule does not succeed in sending secrets
The message specifies that this is done at Bob's request
  So requires authentication/signatures
Alternative: delegation without sandbox. Possible if the peer that asks for the delegation is given the privilege to install rules at the other peer – here, if Alice gives Bob the right to install a rule in her environment

Slide41

Access control implementation
A program with access control is compiled locally into a Webdamlog program without access control, which is then executed
Access control data is managed like any other data
  Relation acl (defines relation access)
  Relation kind (ext or int)
Based on provenance implemented as a distributed graph
On-going work on optimization

Slide42
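The default read rule and the hide annotation from the slides "Who can read a fact?", "Fine grain access control" and "Overwriting the default for intensional data", as an added Python example that is not part of the presentation or of the Webdamlog system. The photo names, the ACL contents and the function names are constructed; treating a fact as readable when at least one alternative derivation is fully readable, and modelling hide as leaving the atom out of the provenance, are this sketch's reading of the slides.

```python
# Constructed sample data (not from the slides): extensional relations.
EXT = {
    "alicePhotos@Alice": {("a1.jpg",), ("a2.jpg",)},
    "bobPhotos@Bob": {("b1.jpg",), ("a2.jpg",)},
    "friends@Alice": {("Sue",), ("Lili",)},
}
# Relation-level read privileges, playing the role of the acl relation.
ACL = {
    "Sue": {"allPhotos@Alice", "alicePhotos@Alice", "allPhotos@Sue"},
    "Lili": {"allPhotos@Alice", "alicePhotos@Alice", "bobPhotos@Bob"},
}

def derive(hide_friends):
    """Evaluate the slides' rules by hand and record provenance:
    fact -> alternative derivations (disjunction), each a list of
    source facts that must all be readable (conjunction)."""
    prov = {}
    def add(fact, sources):
        prov.setdefault(fact, []).append(sources)
    for (f,) in EXT["alicePhotos@Alice"]:   # allPhotos@Alice($f) :- alicePhotos@Alice($f)
        add(("allPhotos@Alice", f), [("alicePhotos@Alice", f)])
    for (f,) in EXT["bobPhotos@Bob"]:       # allPhotos@Alice($f) :- bobPhotos@Bob($f)
        add(("allPhotos@Alice", f), [("bobPhotos@Bob", f)])
    for (f,) in EXT["alicePhotos@Alice"]:   # allPhotos@$x($f) :- alicePhotos@Alice($f), friends@Alice($x)
        for (x,) in EXT["friends@Alice"]:
            sources = [("alicePhotos@Alice", f)]
            if not hide_friends:            # [hide ...] keeps this atom out of the provenance
                sources.append(("friends@Alice", x))
            add(("allPhotos@" + x, f), sources)
    return prov

def can_read(user, fact, prov):
    """Default rule: relation privilege, plus a fully readable derivation if intensional."""
    if fact[0] not in ACL.get(user, ()):
        return False
    if fact[0] in EXT:                      # kind = ext: relation privilege is enough
        return True
    return any(all(can_read(user, s, prov) for s in d) for d in prov.get(fact, []))

def visible(user, relation, prov):
    """Tuples of an intensional relation that the user is allowed to see."""
    return sorted(f[1] for f in prov if f[0] == relation and can_read(user, f, prov))
```

With this data, Sue sees only the photos derivable from alicePhotos@Alice, and her own allPhotos@Sue view stays empty until the friends@Alice atom is hidden.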

The Web as a distributed knowledge base
Webdamlog: a rule-based language for the Web
Access control in Webdamlog
The Webdamlog system

Slide43

The Webdamlog engine
Based on Bud
  developed at UC Berkeley
Manages knowledge
  Stores facts and rules
  exchanges knowledge with other engines
  performs reasoning

Slide44

The engine: beyond Bud
Compilation of (Bud's language)
Main Webdamlog features not supported by Bud
  Variable relation and peer names
  Delegations with dynamic changes of the program
Webdamlog+AC ⇒ Webdamlog ⇒ Bloom

Slide45

The Webdamlog peer
Support communication with other peers and with users
Support common security protocols
Support wrappers to external systems such as Facebook
Provides Web interfaces

Slide46

Provenance graphs
Records the history of derivation
Provenance semiring semantics [Green et al. 07]
Used for performance optimization
Used for fine grain access control
Other possible uses such as explanation of results

Slide47

The Web as a distributed knowledge base
Webdamlog: a rule-based language for the Web
Access control in Webdamlog
The Webdamlog system
Conclusion

Slide48

Thesis
Let us turn the Web into a distributed knowledge base with billions of users supported by billions of systems
  analyzing information
  extracting knowledge
  exchanging knowledge
  inferring knowledge

Slide49

Webdamlog
Language
  A language for distributed data management [PODS 2011]
  Datalog with distribution, updates, messaging
  Main novelty: delegation
Implementation
  WebdamExchange peer in Java [demo ICDE 2011]
  Webdamlog engine based on Bud [demo Sigmod 2013]
Access control: on-going work with Miklau-Stoyanovich
Probabilistic Webdamlog: on-going work with Deutch-Vianu

Slide50

Cambridge University Press, 2012
http://webdam.inria.fr/Jorge
Thank you!