Data Model for LAPPS Licensing

NOTE: This is a rapidly evolving topic and this documentation is most likely already out of date...

This page serves as a “worksheet” to sketch out the data structures and algorithms that will be used to implement the LAPPS licensing model.

Definitions
JSON Structures
Algorithms and Workflows
- Logging In

Definitions

AAS
An Authentication and Authorization Service. Any service that can authenticate a user and determine if they are authorized to access a particular protected resource. The AAS must also return any access constraints that apply to the protected resource.

JSON Structures

License

Contains the name of a license, a URI to the full text of the license, and a short description of the license.

{
	"name":"Kitten",
	"uri":"http://www.example.com/TheKittenLicense.html",
	"description":"You must be nice to kittens."
}

toc

Request for Access

To access a protected resource the client will first get an authorization token from the DataSource AAS that must be presented with future requests.

{
	"userid":"Alice",
	"resource":"switchboard",
	"redirect": "http://grid.anc.org:8080/PipelinePlanner/login"
}

The redirect field indicates the URL that the user should be redirected to after the authorization process has completed, either successfully or unsuccessfully.

NOTE: The exact workflow used during the authentication and authorization process is still an open work item.

toc

Access Denied

If the user can not be authenticated the data source should return a simple access denied message. For security reasons the reason for the denial should be as vague as possible:

Access Denied. The user’s credentials could not be verified by the data source. For example the user is not known to the data source or the user could not provide the correct password.
Unauthorized. The user’s credentials could be verified, but the user does not have permission to access the requested resource.

{
	"error":"Unauthorized"
}

NOTE: During development and testing data sources may wish to return more detailed information regarding authorization failures. However, in production the response to a request for access should be a simple yes or no.

toc

Resource Authorization

Upon authenticating a user a DataSource AAS will return, amongst other things:

an access token
a timestamp (GMT relative to the Unix epoch)
a list of licenses users must agree to

{
	"userid":"Alice",
	"access_token":"9acc8ca4-2506-4d3c-b7ea-3d2a100814f9",
	"timestamp":1415992228527,
	"lifetime":86400000,
	"resource":"switchboard",
	"restrictions": [
		{
			"name":"Kitten",
			"uri":"http://www.example.com/TheKittenLicense.html",
			"description","You must be nice to kittens."
		},
		{
			"name":"CC Attribution",
			"uri":"http://creativecommons.org/licenses/by/4.0/legalcode",
			"description":"Attribution must be given to the original author or authors."
		}
	]
}

Algorithms and Workflows

Logging In

DataSources will provided a “login” page.
Clients wishing to access a protected resource on behalf of a user will forward the user to the datasource’s AAS.
The AAS will either grant or deny access and return one of the above JSON payloads.

toc

Notes

This is left here solely as a reminder of how to use % \latex % math mode in Markdown pages.

methods to compare instances of the Permissions class.
- For example, if user % U % has permissions % U_p % and resource % R % requires permissions % R_p % to allow access, the user % U % may access the resource % R % iff % U_p\bigcap R_p = R_p %

The Language Applications Grid

An open framework for interoperable NLP web services