feat: use ODRL policy for authorisation configuration #41
Merged
Merged the changes from #83 in this branch. In terms of behaviour nothing should really change, except that it is no longer possible to write data to the |
tdn (Contributor) approved these changes on Apr 13, 2026 and left a comment:
Looks good as far as I can tell, and didn't notice anything weird when running it locally.
Bring the ODRL policy up to date with the authorization policy as defined in lisp. To verify whether the ODRL policy and lisp policy are indeed equivalent, the former can be converted to lisp as follows:
1. Clear any contents from the `http://mu.semte.ch/graphs/odrl-policy` graph.
2. Regenerate `./config/odrl-parser/config.nt` using the `ttl-to-ntriples` project script.
3. Load the contents of the ntriples config into the triplestore using the `odrl-parser` service: `docker compose exec odrl-parser curl http://localhost/load-policy`
4. Generate the lisp config from the imported policy: `docker compose exec odrl-parser curl http://localhost/generate-config`; the resulting file is written to `./config/odrl-parser/decideAuthorizationPolicy.lisp`.
5. Compare `./config/authorization/decide.lisp` and the file generated in the previous step. Note, the order of elements differs so one cannot simply do a line-by-line comparison. Furthermore, the generated file will define more prefixes as it includes all prefixes known by the service.
- Move the ttl file with the ODRL policy to sparql-parser's configuration folder such that the service can read it from there.
- Remove the environment variable used to switch between the regular lisp config and the generated lisp config from sparql-parser's configuration.
Now that sparql-parser can use ODRL policies directly this service is no longer needed.
With the `sparql-parser` service now supporting reading ttl configurations directly the manual conversion is no longer needed.
Replace the public read+write permission to the human-validation graph by a scoped permission for the `annotation-review-service`. This way only this service can write `ext:ReviewAnnotation` resources to that graph. Furthermore, additional scoped permissions are added such that the service can read data from the appropriate graphs.
During development it can be useful to easily switch between the Lisp and ODRL config. The added commented lines allow doing this by simply uncommenting them if you want the Lisp config.
Replace the public read+write grant to the human-validation graph by a scoped grant for the `annotation-review-service`. This way only this service can write `ext:ReviewAnnotation` resources to that graph. Furthermore, additional scoped grants are added such that the service can read data from the appropriate graphs.
Use an ODRL authorisation policy as configuration for sparql-parser. With support for ODRL configuration being added to sparql-parser we no longer need the odrl-parser-service to translate an ODRL policy to sparql-parser's lisp ACL.
- Update the `database` service configuration to use ODRL as implemented in sparql-parser using builds from a feature-branch.
- Remove the `odrl-parser` service and its configuration.
## How to test
### Running the app with ODRL configuration
- Pull the latest `database` service: `docker compose pull database`
- Restart the `database` service using `docker compose up -d database`, or start the app's stack as usual if not yet running.
- The `database` service logs should now contain the following lines indicating it read its configuration from the ttl file.
### Understanding and modifying the ODRL policy
As part of this feature sparql-parser's README has been extended with a how-to guide for ODRL policies. Feedback can be provided as part of PR #12 for sparql-parser.
### Check policy equivalence
To double-check that the ODRL policy and the original lisp configuration are equivalent: the policy update commit contains both the original lisp config `config/authorization/decide.lisp` and the one generated from the ttl file `config/odrl-parser/decideAuthorizationPolicy.lisp`. You can check out this commit and compare the files, but take the following into consideration:
- The `decideAuthorizationPolicy` config defines more (unnecessary) prefixes, as the `odrl-parser-service` simply adds all prefixes it knows to the output it generates.
Note, the commit message of the mentioned commit also contains instructions on how to (re)generate the `decideAuthorizationPolicy.lisp` file yourself. If you checked out that commit you should be able to follow them as is. Otherwise, you will have to re-add the `odrl-parser-service` and ttl-to-ntriples conversion script to your local stack as these are removed by a subsequent commit.
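The order-insensitive, prefix-ignoring comparison that both the policy update commit message (step 5) and the "Check policy equivalence" section ask for, as an added example that is not code from this PR or from the sparql-parser project: it parses two Lisp ACL files into top-level forms, drops the package/prefix declarations, and reports which forms exist in only one of the files. The ignored heads `in-package` and `define-prefixes` and the two sample configs are assumptions in the style of such a config, not the repository's real files.

```python
import re
from collections import Counter

# Top-level forms to ignore (assumed heads of the package/prefix declarations).
IGNORED_FORMS = {"in-package", "define-prefixes"}
# One token per match: string literal, ; comment, parenthesis, or bare atom.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|;[^\n]*|[()]|[^\s()]+')

def parse(text):
    """Parse Lisp source into nested Python lists; atoms stay as strings."""
    stack, cur = [], []
    for tok in TOKEN.findall(text):
        if tok.startswith(";"):
            continue                      # comments carry no policy
        if tok == "(":
            stack.append(cur)
            cur = []
        elif tok == ")":
            done, cur = cur, stack.pop()
            cur.append(done)
        else:
            cur.append(tok)
    if stack:
        raise ValueError("unbalanced parentheses")
    return cur

def canon(form):
    """Canonical text of a form: symbols case-folded, string literals verbatim."""
    if isinstance(form, list):
        return "(" + " ".join(canon(f) for f in form) + ")"
    return form if form.startswith('"') else form.lower()

def normalise(text, ignore=IGNORED_FORMS):
    """Multiset of canonical top-level forms, minus the ignored declarations."""
    return Counter(canon(f) for f in parse(text)
                   if not (isinstance(f, list) and f
                           and isinstance(f[0], str) and f[0].lower() in ignore))

def compare(a, b):
    """Return (only_in_a, only_in_b); the configs are equivalent iff both are empty."""
    na, nb = normalise(a), normalise(b)
    return sorted((na - nb).elements()), sorted((nb - na).elements())

ORIGINAL = """(in-package :acl)  ; constructed sample in sparql-parser ACL style
(define-prefixes :ext "http://mu.semte.ch/vocabularies/ext/")
(supply-allowed-group "public")
(grant (read) :to-graph public :for-allowed-group "public")"""
GENERATED = """(in-package :acl)  ; constructed: same forms, different order, extra prefix
(define-prefixes :ext "http://mu.semte.ch/vocabularies/ext/" :foaf "http://xmlns.com/foaf/0.1/")
(grant (read) :to-graph public :for-allowed-group "public")
(supply-allowed-group "public")"""
```

To check the real files, read `config/authorization/decide.lisp` and `config/odrl-parser/decideAuthorizationPolicy.lisp` and pass their contents to `compare`; any non-empty side is a grant present in only one of the two policies.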
## TODO
Before merging and deploying, also do the following:
## Related tickets