Which permissions are required for deleting a resource? #197
Comments
|
History in solid/web-access-control-spec#48. Summary:
We need to decide whether we want Linux compatibility or not. |
|
If LDP's behaviour is applied to R and C: Write permissions on R as well as C is required in order to remove the containment triple from C. This requirement can be derived from LDP's |
|
What if we end up with |
|
I'd like to clarify https://github.com/solid/solid-spec/issues/195#issuecomment-559619352 because of a subtle point related to this issue. With the given that containment triples are server-managed, while Write is required on R, Write is not explicitly required on C for the purpose of removing the containment triple. There is an implicit write operation on C based on LDP's interaction model (when R is removed from containment triples) but that burden is not placed on the requesting agent, hence their access to C can be seen as out of scope. However, as LDPR's lifecycle is dependent and controlled by the LDPC in which it has a binding relationship with, it can be expected that any changes to that binding should require permission to alter C. What's argued is more of a design decision based on connecting some basic assumptions. AFAICT, requiring Write on C and R in order to delete R is compatible with *nix behaviour. |
If [Aside:
] Having In any case, |
|
Yeah, I think the attractiveness of As for |
|
Edit: As of this writing, the text in spec says ( as per PR #188 ) based on #197 (comment) (which was one possible approach) :
The counter argument below indicates why it'd be preferable to not require Write on the container of the contained resource. It would prevent over permissioning and easier policy management. By not requiring Write on container to delete a contained resource, agents are not granted more access than what they need. Granting an agent with Write on container allows them to modify the container description, potentially modify or delete all contained resources, as well as delete the container. Use case being that a user needs to create resources in a container where they can then work on the created resource ie. read, update, delete. They don't need to have knowledge or access to anything else in that container, including the container itself. To put it generally, it is possible for a container and contained resources to have different authorization policies. Example code snippets: ### container's ACL:
<#container-policy>
acl:accessTo <./> ;
acl:agentClass foaf:Agent ;
acl:mode acl:Append ;
<#contained-resources-by-default-read-policy>
acl:default <./> ;
acl:agent <http://example.org/the-oracle#i> ;
acl:mode acl:Read .
<#contained-resources-by-default-control-policy>
acl:default <./> ;
acl:agentGroup <http://example.org/the-architect-and-friends#i> ;
acl:mode acl:Control .### a contained resource's ACL:
<#contained-resource-policy>
acl:accessTo <./contained-resource> ;
acl:agent <http://example.org/agent-smith#i> ;
acl:mode acl:Read, acl:Write .Then, Agent Smith should only need Write to delete a contained resource. |
|
+1 from me |
|
Yeah, I guess both options make sense, but your argument for changing this are convincing. If you have write on R then you can already set it to zero bytes anyway, which is almost the same as deleting it. It's a bit weird that you end up affecting the container's contents without having explicit permission to change it, but that's probably unavoidable. Since it reduces the required permissions, it will not break many clients. But this is a semver-major change, so I'll change the behaviour in NSS 6. I hadn't added any tests for this in https://github.com/solid/web-access-control-tests yet, so I'll immediately create the tests to test the new behaviour. |
|
+1 on not requiring |
|
Also a very strong +1 to not requiring
Agree with @csarven and echo these points 1000% 👆 |
|
+1. because write would not be needed on anything else in the container, restricting write only to the resource meant to be deleted makes sense to me. |
|
Great! Updated based on most recent consensus: 4fd701f |
|
Here is a counter argument to keep the need for Write access to the container also. We have at the moment an invariant property of the system is that if I remove Write access to something it won't change. I like that. It's logical. For example, if I am reading a file which has no write (or append) access then I can cache it on a much more serious basis. If I don't give anyone write access to a folder, I can assume, like for a file, that it won't change. If you then delete one of its contents, then that breaks - I thought I had a valid copy of the list, and I don't. One of the directions we have talked about was getting into immutable resources. An immutable resource is one where is is not only unwritable now but will never be writable in the future. That's a fairly short step. With immutable resources, we can refer to them by their hash. They can be Merkle trees, you can stick them in IPFS and do lots of other things. You can send them to the Internet Archive as a final version of this resource. Lots of things get optimizable when something can't change. You don't need to lock access to it at all. Being able to tie these good things to the ACL only having Read access is something we would lose. |
|
I see I am too late with this comment |
|
So if I want to keep my say /usr/local/ folder to always just have the fixed three /usr/local/ lib /usr/local/src and /usr/local/bin then I have to bock write access to it and each of the container folders ? The suggested change means that I can't preserve my folder structure without both remove Write access for /usr/local/ AND ALSO /usr/local/ * which defeats the point as you can't use the child folders. |
|
"""Granting an agent with Write on container allows them to modify the container description, potentially modify or delete all contained resources, as well as delete the container.""" -- Not "as well as delete the container" as for that they need W on its parent to. |
|
If you allow files to be deleted from a folder without write access to that folder then surely you have to allow them to be added too? |
While agents with Control can make that assumption, agents with Read-only should not. Essentially only storage controller/"owner" can rightfully assume some resources to be immutable in context of immutable authorization policies. Wouldn't the promise of immutable resources by URI owners be better advertised declaratively with eg. HTTP Link rel=type http://www.w3.org/2006/gen/ont#FixedResource , or negotiated using the Memento protocol ( http://mementoweb.org/ns#Memento ) ?
Controller shouldn't assume a container to be immutable if at the same it is possible to give Write access to a contained resource. Information about the container can change as a side-effect of changing its member, and so we should be careful about how this is interpreted. For example, while the the containment listing may not change after modifying a contained resource, container's description may be updated to indicate last modified date/time of a contained resource or even the container itself. [*nix filesystem does it]
Yes, must remove Write in this case. Consider the case where a contained resource has its own ACL and you have Write on that resource. The algorithm doesn't need to check your permissions on the container in order for you to modify the resource. So then requiring Write on container in order to delete a resource is something different. If the delete operation is significantly different than the modify operation, then having Write on a resource doesn't necessarily mean you are allowed to delete. Something like
True. [I've mistakenly introduced that when I edited the comment.]
No. Append or Write is required on container to create a new resource in that container to begin with. The issue is about changing the frame of how delete operations work in context of ACL and inheritance. From that perspective, I don't object to requiring both Write on container and contained resource in order to delete the contained resource. To be clear, Write on a resource only entails access privilege to modify it. Only by also having Write on the container of a resource can delete work. Limiting delete by requiring more privilege is a double edged sword. Great to set higher privileges for destructive operations but it is not particularly a simple design or intuitive - especially when one should only be able to delete a particular contained resource. |
I disagree. It's not a bug, it's a feature. With append-only access we are creating not a read-write space but we are allowing the semantics of sending messages. Sending a message is a an event which is at core is not retractable. (You can have all kinds of variety of system which allow actually allow different forms of complete or limited retraction, but basically sending a message adds it to the ever-growing log of things sent, and is not revocable.) In message-based systems, you can send a new message revoking the effect of the first message, but you can't un-send a message. This is valuable. |
|
When I give something only read access, I expect it not to change. |
|
Core invariants of the system like that make it simpler. They make it better foundation to build other systems on top of. Developers will get used to using them, and hopefully will find the systems easier to learn and easier to remember. |
To be fair, that is not what your use case says. The only mention of delete is that she not be allowed to delete those three containers (/usr/local/lib, /usr/local/src, /usr/local/bin). With the added clarification that she should be able to delete things, it changes the approach. The follow-up question being - which things?. Only things that she creates, or anything in those three containers? |
I agree that when you have append on a document - you should have confidence that it can only grow. When giving an agent append access to a container, there is also value in scenarios where agents can only add new resources to the container, but have the ability to manage the resources they added (example case - https://solid.github.io/authorization-panel/authorization-ucr/#collection-readappendwrite) Note that I absolutely agree it is valuable to append to a container so it can only grow per your example @timbl - I'm just pointing out there's a case where it is useful to configure permissions so it can grow, but allow for subsequent management (including deletion) of added resources by their creators |
Sorry @csarven I missed that point in the thread earlier. This does add another dimension to it, but if there was not a specific acl set on the resource, I imagine that inherited write permissions from the container would apply and satisfy that requirement? |
Only the policies including |
|
From hierarchical containment and access controls, I believe it follows that agents with I suggest to clarify this in the spec. |
|
There are use cases to allow creators of resources to have some sense of right to control the lifecycle of their own creations. In the case with multiple agents having I'd like to connect this with #66 , #153 (and issues therein). The commonality is that agents that assign a URI to a resource also control it - who controls can change over time. This also includes the storage - root container (like Hence, reconfirming the need to record the creator/owner with respect to access controls. Related: |
|
+1 to revert, i.e. going back to requiring Write on both C and R. |
|
For the record,
That would be a spec change because that's not how Solid work currently.
Also not currently the case, but of course it's something we could introduce in a future spec change. |
|
I summarize this discussion as the result of the following questions:
In any case we can add use cases such as Tim's above to the WAC use case document. (note: The link in the use case does not work for me) |
|
So then moving forward with the change: to delete a contained resource, Write required on both the container and the contained resource. Consistent with the rest of the design. Related changes to be moved separately (with no dependency on what's discussed in this issue):
Right that the proposed change would prescribe behaviour that wasn't previously but it will eliminate implementation variation. At the moment, one implementation may allow loss of control of a subpath while another wouldn't. Are there any implementations with the intention where an agent controlling a path would be prevented from ever controlling a subpath because the subpath is being controlled by another agent? Losing control seems counter intuitive and problematic to me.
There are also use cases where servers may not want to record the creator and clients may not want their identity associated (or tracked) with the created resource. For the latter, the client needs to make that request explicit and the server may accept. |
It may appear to be equivalent in some situations however they are significantly different:
Having Write on a resource is not destructive without also having Write on its container. |
|
As long as the controllers/owners ( As Control access on a resource would only allow read/write access to its ACL, even agents having Control access on |
|
Thanks for this issue and discussion. Closing this issue as consensus is deemed to be captured in WAC Editor's Draft: https://solid.github.io/web-access-control-spec/ . See #authorization-evaluation , #reading-writing-resources , #loss-of-control-mitigation , #access-mode-extensions . Please use https://github.com/solid/web-access-control-spec for future discussion. |
No description provided.
The text was updated successfully, but these errors were encountered: