Taking Control of Access to Resources Stored in Google Drive, Dropbox, Microsoft OneDrive, Box, and Amazon S3

Using OpenLink Virtuoso, Dynamic Extended Type (DET) WebDAV Folders, Linked Data, & WebID

Ted Thibodeau Jr
Jan 3, 2018 · 8 min read

The decentralized ideals of the Internet and the Web have been increasingly undermined and diluted by a generation of tools and services that are centralized at their core. This centralization arose in response to various challenges, including primarily —

  • Web-scale verifiable identity
  • the proliferation of the Web 2.0-oriented Software-as-a-Service (SaaS) deployment model for Web Services

Additional negative effects of the Web 2.0 architecture have included —

  • non-existent identity
  • flawed privacy models
  • broken security
  • siloed data access
  • semi-structured data representation based on attribute = value pairs, instead of structured data representation based on entity → attribute → value triples (also known as 3-tuples)
  • an ever-increasing number of APIs

Usage Scenario

Still, each presents problems and adds inertia to my workflow:

  • Google Drive doesn’t handle MIME types properly.
  • Dropbox is a little better with MIME types, but doesn’t let me share folders unless I pay for it by granting them access to my social network.
  • OneDrive only works with recent versions of Mac OS X (Yosemite [10.10.x] and later), though it has broader version support for Windows.
  • Worst of all, none of these storage services implements a decentralized identity verification protocol that’s controlled by users rather than service providers; i.e., domain ownership is mandatory for any kind of identity verification heuristic.

Problem

Solution

The DET feature was initially implemented to produce XML from SQL data (SQL-to-XML transformation). Today it is used to transform many formats into many others, such as SQL to RDF-Turtle, RDF-Turtle to JSON-LD, or RDF-Turtle to CSV. This dynamism is not strictly programmatic; it can also be applied to HTTP content negotiation ("conneg"), whether that negotiation is basic (e.g., Accept: text/html) or weighted by relative quality values (q-values), as in Accept: text/html;q=0.9, text/plain;q=0.8.
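The server-side half of that negotiation, as an added example (this is not Virtuoso's own conneg code): parse the Accept header into media ranges with q-values, let the most specific matching range decide each candidate's quality, and pick the highest-quality serialization the resource actually has. The AVAILABLE list and the Accept strings are constructed; a None result is where a server would answer 406 Not Acceptable.

```python
"""HTTP content negotiation over an Accept header with q-values, choosing
among the serializations one DET-backed resource could be served as.
Added example, not Virtuoso's code; AVAILABLE and the sample headers are
constructed."""
from typing import List, Optional, Tuple

# Representations assumed to exist for the resource, in server-preference
# order (constructed list).
AVAILABLE: List[str] = ["text/html", "text/turtle", "application/ld+json", "text/csv"]


def parse_accept(header: str) -> List[Tuple[str, float, int]]:
    """Return (media_range, q, specificity) for each range in the header.
    Specificity: 2 = exact type, 1 = type/*, 0 = */*. A malformed or
    out-of-range q is clamped so a bad client value cannot push a type
    above q=1 or below 0."""
    ranges = []
    for item in header.split(","):
        parts = [p.strip() for p in item.split(";") if p.strip()]
        if not parts:
            continue
        media = parts[0].lower()
        q = 1.0  # RFC 7231 default when no q parameter is given
        for param in parts[1:]:
            name, _, value = param.partition("=")
            if name.strip().lower() == "q":
                try:
                    q = min(1.0, max(0.0, float(value.strip())))
                except ValueError:
                    q = 0.0  # unparseable q: treat the range as not acceptable
        spec = 0 if media == "*/*" else 1 if media.endswith("/*") else 2
        ranges.append((media, q, spec))
    return ranges


def _matches(media_range: str, media_type: str) -> bool:
    if media_range == "*/*":
        return True
    if media_range.endswith("/*"):
        return media_range.split("/")[0] == media_type.split("/")[0]
    return media_range == media_type


def quality_of(media_type: str, ranges: List[Tuple[str, float, int]]) -> float:
    """The q of the MOST SPECIFIC matching range governs, so
    'text/*;q=0.5, text/turtle;q=0' yields 0 for text/turtle."""
    best_spec, q_val = -1, 0.0
    for media_range, q, spec in ranges:
        if _matches(media_range, media_type) and spec > best_spec:
            best_spec, q_val = spec, q
    return q_val


def negotiate(accept: Optional[str], available: List[str] = AVAILABLE) -> Optional[str]:
    """Pick the representation to serve; None means 406 Not Acceptable.
    No Accept header means the server's first preference. Ties on q fall
    back to the order of `available`."""
    if not accept or not accept.strip():
        return available[0]
    ranges = parse_accept(accept)
    chosen, best_q = None, 0.0
    for media_type in available:
        q = quality_of(media_type, ranges)
        if q > best_q:
            chosen, best_q = media_type, q
    return chosen


if __name__ == "__main__":
    for hdr in ("text/html;q=0.9, text/plain;q=0.8",
                "text/turtle, */*;q=0.1",
                "image/png"):
        print(f"{hdr!r:45} -> {negotiate(hdr)}")
```

Note that `text/plain` in the post's own example header is not in the constructed AVAILABLE list, so the html representation wins there; with `image/png` alone nothing matches and the caller should return 406 rather than silently serving the default.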

One powerful use of DETs is to address and/or expose filesystem resources (typically, documents and directories) as if they were Virtuoso resources.

If considered as elements of the network computer paradigm, the storage services discussed earlier are little more than external drives, similar to a USB thumb-drive or CD/DVD, connected through very long cables.

Given these insights, this post will demonstrate how our ODS-Briefcase application may be used to mount any or all of those storage services (as you might with any removable volume or disk) into a Personal Data Space (also known as a Personal Data Pod or Personal Data Locker).

Once ODS-Briefcase has connected to a Storage Mount Point (treated as a folder within ODS-Briefcase) from each service, I can use WebID-based ACLs (Access Control Lists) to control who has access to the content saved there, when accessed through my personal data space. At their most basic, these ACLs can be applied to an entire folder (Mount Point), and sometimes that is enough. Sometimes, I may want to apply a different ACL to each of their sub-folders or even to each and every document therein — and Virtuoso lets me do so, regardless of the permissions model of the back-end storage service!

As my use of these storage services increases, I may wish to further refine control over the access I’ve granted. With ODS-Briefcase and Virtuoso, I can use commonly understood Role-Based Access Control (RBAC, i.e., Users and Roles/Groups), or the much more sophisticated and far less commonly available Attribute-Based Access Control (ABAC), to evaluate on the fly whether any given visitor has appropriate access permissions for whatever resource they’ve requested.
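The two paragraphs above describe ACLs attached at mount-point, sub-folder and document level, with RBAC and ABAC grants. The following added example (not ODS-Briefcase's ACL engine) models that: ACLs keyed by WebDAV path, RBAC grants for individual WebIDs and groups, an ABAC grant expressed as a predicate over attributes taken from a verified profile, and default deny. The paths, WebIDs, groups and attributes are constructed, and the rule that the nearest ACL on the path governs (rather than merging ACLs up the tree) is an assumption of this example, not something the post states.

```python
"""WebID-based ACL evaluation over a WebDAV folder tree with RBAC and ABAC
grants. Added example, not ODS-Briefcase's own engine; paths, WebIDs,
groups and attributes are constructed, and 'nearest ACL governs' is an
assumed inheritance rule."""
import posixpath
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class Visitor:
    webid: Optional[str]                                   # None = not verified
    attrs: Dict[str, str] = field(default_factory=dict)    # claims read from the
                                                           # verified profile, never
                                                           # from the request itself


@dataclass
class Rule:
    modes: Set[str]                                        # e.g. {"read"} or {"read", "write"}
    agents: Set[str] = field(default_factory=set)          # RBAC: individual WebIDs
    groups: Set[str] = field(default_factory=set)          # RBAC: group names
    any_verified: bool = False                             # anyone with a verified WebID
    predicate: Optional[Callable[[Visitor], bool]] = None  # ABAC condition on attrs


# Constructed group membership.
GROUPS: Dict[str, Set[str]] = {
    "editors": {"https://example.com/alice#me", "https://example.com/bob#me"},
}

# Constructed ACLs, keyed by normalized path (no trailing slash). A document
# ACL sits below its folder's ACL and overrides it for that document only.
ACLS: Dict[str, List[Rule]] = {
    "/DAV/home/ted/GoogleDrive": [Rule({"read"}, any_verified=True)],
    "/DAV/home/ted/GoogleDrive/drafts": [
        Rule({"read", "write"}, groups={"editors"}),
        Rule({"read"}, predicate=lambda v: v.attrs.get("org") == "OpenLink"),
    ],
    "/DAV/home/ted/GoogleDrive/drafts/secret.txt": [
        Rule({"read", "write"}, agents={"https://example.com/alice#me"}),
    ],
}


def governing_acl(path: str) -> Optional[List[Rule]]:
    """Normalize the path (collapsing any '..') and walk up to the nearest
    ancestor that carries an ACL. None means no ACL applies at all."""
    candidate = posixpath.normpath(path)
    while True:
        if candidate in ACLS:
            return ACLS[candidate]
        if candidate in ("/", ".", ""):
            return None
        candidate = posixpath.dirname(candidate)


def rule_grants(rule: Rule, visitor: Visitor, mode: str) -> bool:
    if mode not in rule.modes or visitor.webid is None:
        return False  # every grant here presumes a verified WebID
    if rule.any_verified or visitor.webid in rule.agents:
        return True
    if any(visitor.webid in GROUPS.get(g, set()) for g in rule.groups):
        return True
    return rule.predicate is not None and rule.predicate(visitor)


def is_allowed(path: str, visitor: Visitor, mode: str = "read") -> bool:
    """Default deny: no governing ACL, or no rule that grants, means False."""
    acl = governing_acl(path)
    return acl is not None and any(rule_grants(r, visitor, mode) for r in acl)


# Constructed sample visitors.
ANON = Visitor(None)
CAROL = Visitor("https://example.com/carol#me")
CAROL_OL = Visitor("https://example.com/carol#me", {"org": "OpenLink"})
BOB = Visitor("https://example.com/bob#me")
ALICE = Visitor("https://example.com/alice#me")

if __name__ == "__main__":
    for who, name in ((ANON, "anon"), (CAROL, "carol"), (CAROL_OL, "carol@OpenLink"), (BOB, "bob"), (ALICE, "alice")):
        for p in ("/DAV/home/ted/GoogleDrive/readme.txt",
                  "/DAV/home/ted/GoogleDrive/drafts/notes.txt",
                  "/DAV/home/ted/GoogleDrive/drafts/secret.txt"):
            print(f"{name:15} read={is_allowed(p, who)!s:5} write={is_allowed(p, who, 'write')!s:5} {p}")
```

The normalization step matters in practice: an ACL lookup on a raw request path such as `drafts/../readme.txt` would otherwise miss the folder ACL that actually governs the resolved resource.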


WebID ACL Demonstration

Mounting Remote Services to DET Folders

Mounting Google Drive to a DET Folder


Mounting Dropbox to a DET Folder


Mounting OneDrive to a DET Folder


Mounting Box to a DET Folder


Mounting Amazon S3 to a DET Folder


Setting up ACLs on the DET Folders


For purposes of demonstration, I have applied a very simple ACL to each folder mounted above, which grants READ access to any visitor who verifies their WebID.
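"Any visitor who verifies their WebID" rests on the WebID+TLS check: the client presents a certificate whose Subject Alternative Name carries a WebID URI, and the server dereferences that URI and confirms the profile document publishes the same RSA public key (modulus and exponent) that the certificate carries. The following is an added example of that check, not Virtuoso's implementation. The certificate values are passed in as already-extracted integers, the profile documents are constructed and embedded instead of fetched over HTTPS, and the Turtle is read with a narrow regular expression that only handles the shape shown; a real verifier would parse it with an RDF library.

```python
"""WebID+TLS identity verification: bind a certificate's RSA key to the
WebID named in its SAN by looking the key up in the WebID's profile.
Added example, not Virtuoso's code; the profile documents and key values
are constructed, and the profile lookup is an offline stand-in for an
HTTPS GET of the profile document."""
import re
from typing import List, Optional, Tuple
from urllib.parse import urldefrag, urlparse

# Constructed profile documents, keyed by document URL (the WebID minus
# its fragment). Stand-in for what dereferencing would return.
PROFILE_DOCS = {
    "https://example.com/alice": """
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix xsd:  <http://www.w3.org/2001/XMLSchema#> .

<https://example.com/alice#me>
    cert:key [
        a cert:RSAPublicKey ;
        cert:modulus "00c0ffee1234"^^xsd:hexBinary ;
        cert:exponent "65537"^^xsd:integer
    ] .
""",
    "https://example.com/bob": """
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix xsd:  <http://www.w3.org/2001/XMLSchema#> .

<https://example.com/bob#me>
    cert:key [
        a cert:RSAPublicKey ;
        cert:modulus "00deadbeef"^^xsd:hexBinary ;
        cert:exponent "65537"^^xsd:integer
    ] .
""",
}


def fetch_profile(doc_url: str) -> Optional[str]:
    """Offline stand-in for an HTTPS GET of the profile document."""
    return PROFILE_DOCS.get(doc_url)


def profile_keys(profile: str, webid: str) -> List[Tuple[int, int]]:
    """Return (modulus, exponent) pairs the profile declares for `webid`.
    Narrow regex over the constructed Turtle shape above."""
    subject = re.search(r"<" + re.escape(webid) + r">(.*?)\s\.\s*$",
                        profile, re.S | re.M)
    if subject is None:
        return []  # the document says nothing about this WebID
    block = subject.group(1)
    moduli = re.findall(r'cert:modulus\s+"([0-9A-Fa-f\s]+)"', block)
    exponents = re.findall(r'cert:exponent\s+"?(\d+)"?', block)
    return [(int(re.sub(r"\s", "", m), 16), int(e))
            for m, e in zip(moduli, exponents)]


def verify_webid_tls(san_uris: List[str], cert_modulus: int, cert_exponent: int) -> Optional[str]:
    """Return the first SAN URI whose profile publishes the certificate's
    RSA public key, or None. The certificate may be self-signed, so its
    issuer proves nothing; only this key binding makes the claim trustworthy."""
    for webid in san_uris:
        if urlparse(webid).scheme not in ("https", "http"):
            continue  # mailto:, urn:, etc. are not dereferenceable WebIDs
        doc_url, _fragment = urldefrag(webid)
        profile = fetch_profile(doc_url)
        if profile is None:
            continue  # unreachable or missing profile: claim unverified
        for modulus, exponent in profile_keys(profile, webid):
            if modulus == cert_modulus and exponent == cert_exponent:
                return webid
    return None


if __name__ == "__main__":
    # Constructed certificate values: a client presenting alice's key.
    print(verify_webid_tls(["https://example.com/alice#me"], 0xC0FFEE1234, 65537))
    # Same key, but the certificate claims bob's WebID: not bound, so rejected.
    print(verify_webid_tls(["https://example.com/bob#me"], 0xC0FFEE1234, 65537))
```

The second call is the case the ACL relies on: anyone can mint a certificate naming someone else's WebID, but they cannot make that person's profile document publish their key, so the READ grant for "verified WebIDs" only reaches holders of a key the profile owner chose to list.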

Setting up ACLs on Google Drive DET Folder


Setting up ACLs on Dropbox DET Folder


Setting up ACLs on OneDrive DET Folder


Setting up ACLs on Box DET Folder


Setting up ACLs on Amazon S3 DET Folder


Testing Access to Third-Party Storage through DET Mountpoints

ODS-Briefcase File and Folders UI

You have live access to all of these documents through my ODS-Briefcase instance via any of the following links:

If you can’t yet access the resources listed above, and you are interested in completing this experiment/demonstration, simply perform two steps:

Step 1. Get Yourself a WebID

Step 2. Visit one of the mounted DET folders

Conclusion

Key Examples include:

  • HTTP with Content Negotiation enabled
  • WebDAV — for Read-Write Operations
  • Linked Data Protocol (LDP) — for Read-Write operations
  • WebID-Profile Document Storage — this enables full exploitation of the WebID+TLS and WebID+TLS+Delegation protocols for identity claims verification
  • Linked Open Data Deployment — leveraging relative URIs, you can deploy 5-Star Linked Data over virtually any storage service
  • Modern Read-Write Web tools (e.g., Dokieli) can use these services for annotation storage that doubles as linked data deployment

Fundamentally, courtesy of the open-standards-based virtualization layer provided by ODS-Briefcase, these centralized storage services are now integrated into a more decentralized ecosystem that provides modern functionality by loosely coupling disparate data sources and protocols.

OpenLink Virtuoso Weblog

News & Articles related to OpenLink Virtuoso & Related Technologies

Ted Thibodeau Jr

Written by

Technical Evangelist for OpenLink Software. Mac Geek. Human Middleware. Shamanic Witch. Shapeshifter. Singer. Drummer. Dancer. Dreamer.