
Examples for Rein Policy Framework

Installation

  1. Download cwm from the public W3C CVS repository
  2. Install cwm
  3. The Rein reasoning engine and filter can be run off the web

Example

We have developed a simple example of photo sharing between members of a girl scout troop to show how Rein can be used. The troop ontology describes troops, photos, meetings, and jamborees. Using this ontology, information about a certain troop, troop42 (RDF, N3), is defined. The policy of troop42 uses terms from the troop ontology as well as the policy language. The troop policy is:

  1. Photos taken at meetings of the troop can be shared with any current member of the troop.
  2. Photos taken at a jamboree can be shared with anyone in the troop or with anyone who attended the jamboree.
  3. Photos of the girls winning awards can be shared with anyone currently in the troop, or who was ever a member. These award photos can also be shared with the public if, and only if, the girl's parents allow it.

Currently only the first 2 parts of the policy have been implemented. The policy also includes the authentication of the requester. The troop42 page defines members by their FOAF pages. The passwords that users submit are checked against the hexdigest field in their FOAF files.

There are four pictures defined in troop42 (RDF, N3), each of which has its own policy.
  1. http://demo.policyawareweb.org/images/group.jpg
  2. http://demo.policyawareweb.org/images/camping.jpg
  3. http://demo.policyawareweb.org/images/award.jpg
  4. http://demo.policyawareweb.org/images/alice-award.jpg

To execute this example, request files are required. Along with the properties of the client and of the resource being requested, each request file also states which policy or policies are associated with the resource. When a client first makes a request for an image, the server returns a 401 error and provides the URLs of the policies that the client must satisfy. The client includes these URLs in his/her request to the Rein engine to get a proof for why he/she should have access to the resource.

Requests are usually run as

    cwm <input> <request> --n3 http://dig.csail.mit.edu/2005/09/rein/engine.n3 --think --filter="http://dig.csail.mit.edu/2005/09/rein/filter.n3" <output>

We have developed several request files to test different portions of the policy. After being processed by the Rein engine, if the request has the property rein:ans set to rein:Valid and the requester has rein:access to the resource, then the request is valid under the policy.
  1. Judy makes a request for a certain picture, group.jpg. The request includes Judy's secret key which is used for authenticating her. Judy attended the meeting at which the picture was taken, so she is permitted to view the picture. This request is valid under the policy of the resource.

    This example can be run as

    cwm --rdf http://dig.csail.mit.edu/2005/09/rein/examples/judy-req.rdf --n3 http://dig.csail.mit.edu/2005/09/rein/engine.n3 --think --filter="http://dig.csail.mit.edu/2005/09/rein/filter.n3"

    If cwm was installed correctly, the following is the output

    #Processed by Id: cwm.py,v 1.176 2005/08/10 17:03:22 syosi Exp 
            #    using base file:/....
            
    #  Notation3 generation by
    #       notation3.py,v 1.183 2005/08/22 21:12:53 timbl Exp
    
    #   Base was: file:/...
         @prefix : <http://dig.csail.mit.edu/2005/09/rein/network#> .
         @prefix http: <http://dig.csail.mit.edu/2005/09/rein/examples/http-access#> .
        
        <http://dig.csail.mit.edu/2005/09/rein/examples/judy-req.rdf#req>     :ans :Valid;
             :requester  [
                 http:can-get <http://www.policyawareweb.org/group-photo.jpg> ] .
        
    #ENDS
    
    
  2. Bob makes a request for a picture, award.jpg, taken at a Jamboree. The policy states that anyone who is a member can access pictures taken at a Jamboree. Bob is a member, so the request is valid under the policy of award.jpg.

    cwm --rdf http://dig.csail.mit.edu/2005/09/rein/examples/bob-req.rdf --n3 http://dig.csail.mit.edu/2005/09/rein/engine.n3 --think --filter="http://dig.csail.mit.edu/2005/09/rein/filter.n3" --rdf

    The output of Bob's request is

    <rdf:RDF xmlns="http://dig.csail.mit.edu/2005/09/rein/network#"
        xmlns:http="http://dig.csail.mit.edu/2005/09/rein/examples/http-access#"
        xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
        xmlns:rein="http://dig.csail.mit.edu/2005/09/rein/network#">
    
        <rdf:Description rdf:about="http://dig.csail.mit.edu/2005/09/rein/examples/bob-req#req">
            <ans rdf:resource="http://dig.csail.mit.edu/2005/09/rein/network#Valid"/>
            <requester rdf:parseType="Resource">
                <http:can-get rdf:resource="http://demo.policyawareweb.org/images/award.jpg"/>
            </requester>
        </rdf:Description>
    </rdf:RDF>
    
  3. Carol makes a request for camping.jpg, a picture taken at a meeting. However, she did not attend the meeting, so the request is not valid under the policy.

    cwm --rdf http://dig.csail.mit.edu/2005/09/rein/examples/carol-req.rdf --n3 http://dig.csail.mit.edu/2005/09/rein/engine.n3 --think --filter="http://dig.csail.mit.edu/2005/09/rein/filter.n3"

    The output of Carol's request is
    #Processed by Id: cwm.py,v 1.176 2005/08/10 17:03:22 syosi Exp 
            #    using base file:/...
            
    #  Notation3 generation by
    #       notation3.py,v 1.183 2005/08/22 21:12:53 timbl Exp
    
    #   Base was: file:/...
         @prefix : <http://dig.csail.mit.edu/2005/09/rein/network#> .
        
        <http://dig.csail.mit.edu/2005/09/rein/examples/carol-req.rdf#req>     :ans :Invalid .
        
    #ENDS
    
  4. Judy makes another request for an image, award.jpg, which is controlled by another policy. This policy uses a policy language, rei3, that has a meta policy for conflict resolution. The policy is described over concepts defined in the troop ontology and is similar to troop42-policy. However, it also includes a rule that forbids anyone who has attended a meeting from seeing any pictures taken at a jamboree. This policy is mainly developed to test the meta policy. Judy is both permitted and prohibited from accessing the image. However, as the policy's default is that positive modality overrides, Judy is permitted to access the picture.

    This example can be run as

    cwm --rdf http://dig.csail.mit.edu/2005/09/rein/examples/rei/judy-req.rdf --n3 http://dig.csail.mit.edu/2005/09/rein/engine.n3 --think --filter="http://dig.csail.mit.edu/2005/09/rein/filter.n3"

    The output of Judy's request is
    #Processed by Id: cwm.py,v 1.176 2005/08/10 17:03:22 syosi Exp
            #    using base file:/...
    
    #  Notation3 generation by
    #       notation3.py,v 1.183 2005/08/22 21:12:53 timbl Exp
    
    #   Base was: file:/...
         @prefix : <http://dig.csail.mit.edu/2005/09/rein/network#> .
    
         @prefix lang: <http://dig.csail.mit.edu/2005/09/rein/examples/rei/rei3#> .
    
        <http://dig.csail.mit.edu/2005/09/rein/examples/judy-req.rdf#req>     :ans :Valid;
             :requester  [
                 lang:permitted <http://www.policyawareweb.org/award.jpg> ] .
    
    #ENDS
    
  5. Dan makes a request for a picture of Alice getting an award, alice-award.jpg. This is described in troop42 (RDF, N3). The policy associated with this image allows only members to view the picture, or the public if approved by the member's parent. Alice's FOAF page points to her parents' FOAF page. Alice's mom has granted public access on her FOAF page to a class of pictures to which this picture belongs, so Dan is permitted to view this picture even though he is not a member of the troop.

    Assumption: A picture is accessible by the public if any one parent of any girl scout in an award picture allows public access.

    This example can be run as

    cwm --rdf http://dig.csail.mit.edu/2005/09/rein/examples/dan-req.rdf --n3 http://dig.csail.mit.edu/2005/09/rein/engine.n3 --think --filter="http://dig.csail.mit.edu/2005/09/rein/filter.n3"

    The output of Dan's request is
    #Processed by Id: cwm.py,v 1.176 2005/08/10 17:03:22 syosi Exp 
            #    using base file:/....
            
    #  Notation3 generation by
    #       notation3.py,v 1.183 2005/08/22 21:12:53 timbl Exp
    
    #   Base was: file:/Users/lkagal1/Research/rein/2005/09/rein/examples/
         @prefix :  .
         @prefix http:  .
        
             :ans :Valid;
             :requester  [
                 http:can-get  ] .
        
    #ENDS
    

    It is also possible for a parent to use N3 rules (example) to describe her preferences.
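
A server that acts on the filtered output has to apply the validity rule stated before the list: the answer must be :Valid and the requester must hold an access property on the resource that was actually requested. The following is an added example, not part of the Rein distribution; the function names, the small regex reader (which handles only the output shape shown in the examples above) and the caller-supplied set of accepted access properties are assumptions.

```python
import re

REIN = "http://dig.csail.mit.edu/2005/09/rein/network#"
HTTP_ACCESS = "http://dig.csail.mit.edu/2005/09/rein/examples/http-access#"
TERM = r"(<[^>]*>|[\w-]*:[\w-]+)"   # a full IRI or a prefixed name

def _expand(term, prefixes):
    """Turn <iri> or prefix:local into a full IRI; undeclared prefix gives None."""
    if term.startswith("<"):
        return term[1:-1]
    prefix, _, local = term.partition(":")
    return prefixes[prefix] + local if prefix in prefixes else None

def access_granted(n3_text, request_iri, resource_iri, access_props):
    """Fail closed: True only when this request is :Valid and the requester
    block holds an accepted access property on exactly resource_iri."""
    lines = [l for l in n3_text.splitlines() if not l.strip().startswith("#")]
    body = "\n".join(lines)
    prefixes = dict(re.findall(r"@prefix\s+([\w-]*):\s*<([^>]*)>\s*\.", body))
    body = re.sub(r"@prefix[^\n]*", "", body)
    head = re.search(TERM + r"\s+" + TERM + r"\s+" + TERM + r"\s*[;.]", body)
    if not head:
        return False
    subj, pred, obj = (_expand(t, prefixes) for t in head.groups())
    if (subj, pred, obj) != (request_iri, REIN + "ans", REIN + "Valid"):
        return False
    block = re.search(TERM + r"\s*\[(.*?)\]", body, re.S)
    if not block or _expand(block.group(1), prefixes) != REIN + "requester":
        return False
    return any(_expand(p, prefixes) in access_props
               and _expand(r, prefixes) == resource_iri
               for p, r in re.findall(TERM + r"\s+" + TERM, block.group(2)))

# Outputs of Judy's and Carol's requests, trimmed from the examples above.
JUDY_OUT = """#Processed by Id: cwm.py
@prefix : <http://dig.csail.mit.edu/2005/09/rein/network#> .
@prefix http: <http://dig.csail.mit.edu/2005/09/rein/examples/http-access#> .
<http://dig.csail.mit.edu/2005/09/rein/examples/judy-req.rdf#req>     :ans :Valid;
     :requester  [
         http:can-get <http://www.policyawareweb.org/group-photo.jpg> ] .
#ENDS
"""
CAROL_OUT = """@prefix : <http://dig.csail.mit.edu/2005/09/rein/network#> .
<http://dig.csail.mit.edu/2005/09/rein/examples/carol-req.rdf#req>     :ans :Invalid .
"""
```

The check denies when the answer is :Valid but names a different request or a different resource, so a result produced for one picture cannot be reused for another.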

References

Rei - An owl-based policy language for Distributed Environments
N3 - Notation3 - Design Issues article
N3 Rules - Experience with N3 rules
Cwm - A general purpose reasoner for the Semantic Web

maintained by Lalana Kagal
$Revision: 2.14 $
$Date: 2006/01/13 18:40:15 $