Pod Resources#
ESS provides/hosts Solid Pods. Pods are data storage locations.
Resource Types#
ESS Pods supports storing different types of resources.
Resource Description Framework (RDF) Resource#
A Resource Description Framework (RDF) resource is a file whose contents consists of statements (also known as triples) that describe some “subject” by its relationships:
<subject> <predicate> <object>
The predicate describes the relationship between the subject and the object.
For more information, see RDF Data Model.
Container#
A Container is an RDF resource that can contain other Containers as well as RDF and non-RDF resources. It is analogous to a folder in a file system.
Important
Container URLs always end with a slash /
.
Non-RDF Resource#
A non-RDF Resource is any non-RDF binary or text file, such as .pdf
, .jpeg
, etc.
CRUD Operations#
ESS supports the Solid Protocol specification. As such, retrieving, creating, deleting and editing Solid Resources within a Pod is directly supported via the standard HTTP interfaces.
Access Control#
This section summarizes the relationship between Create/Read/Update/Delete (CRUD) operations and the required access modes.
To create a resource, the user requires either an Append
or
Write
access.
Note
The creation operation creates the resource (be it container, RDF resource, non-RDF resource) and updates the content of the parent container with the new resource’s metadata.
Resource |
Description |
---|---|
Either For example, to create
|
|
Either For example, to create
|
|
Either For example, to create
|
For read operations [1], the user requires Read
access.
Resource |
Description |
---|---|
Reading a container (which stores metadata about the
resources contained within the container) allows a client
to discover what resources are contained inside the
container and their resource type (i.e., analogous to an
|
|
For example, if a resource has as its URL
|
|
For example, if a non-RDF resource has as its URL
|
For update operations, the user requires Append
or Write
access, depending on the specific update operation.
Resource |
Description |
---|---|
Resource |
Description |
To add resources to the Container, see the To delete resources from the Container, see the |
|
|
|
For example, if the non-RDF resource has as its URL
|
For delete operations, the user requires Write
access.
Resource |
Description |
---|---|
For example, to delete
Tip To delete a container, the container must be empty. |
|
To delete an RDF resource , For example, to delete
|
|
To delete a non-RDF resource, For example, to delete
|
Other Considerations#
Resource Deletion#
For resource deletions, ESS uses soft deletes. That is, ESS marks the resource as deleted but does not perform an actual delete from the data store. The use of soft deletes can:
Help maintain throughput when compared to database delete operations that may be potentially costly due to locking.
Facilitate disaster recovery.
Be part of a data-retention strategy.
Note
Overwriting a resource (file) with a new resource (file) also results in a soft delete of the old version of the resource.
Overwriting a resource with a new resource is separate from an operation that just modifies the contents of a resource. Instead, modification of the contents (even though the modification may completely replace the contents) results in orphan data.
Starting in 2.1, ESS provides the ability to schedule hard deletes for the soft deleted resources
Modification of Resource Content#
When data in a file is modified or deleted, the old data remains but is no longer referenced by metadata. That is, the replaced/deleted data is orphaned.
Starting in 2.1, ESS provides the ability to schedule hard deletes for the orphan data.
Note
The modification/deletion of the data is separate from overwriting a file with a new file. Overwriting a file does not result in orphan data. Instead, overwriting a file with a new file results in a soft delete of the old version of the file.
Initial Access Policies#
When a Pod is created, like any other Pod resource, an Access Control Resource is also created for the Pod Root. The ACR is initialized with default ACP policies.
The initial policies give the Pod Owner read and write access to the Pod. These policies also specify a client matcher as well if the Authorization service’s configuration for the initial client allow list is set:
INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST
or if that is unset,
Disambiguation
Both Authorization Service and
Pod Storage Service have a
INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST
setting.
Only the Authorization Service setting affects which clients are allowed. The Pod Storage Service is for Discovery purposes only.
A Pod’s Initial Policies are set when the Pod is provisioned. As such, updates to the operator-controlled allow lists do not affect existing Pods.
Note
Starting in 2.1, ESS uses the values in its Authorization service’s
INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST
(at
the time of Pod creation) to create the client matcher for the
initial ACP policies. If the setting is unset, ESS uses the values
in its Authorization service’s INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST
(at
the time of Pod creation).
Using the value of the Pod owner’s WebID and an initial client allow list, ESS creates the initial policies of the form:
If allOf(AgentMatcher and ClientMatcher) evaluates to true, Then allow (Read and Write).
Specifically, ESS creates:
- Policy 1 for the Pod Root:
If the agent matches the Pod owner’s WebID, and if the client application’s Client ID has a match in the initial client allow list, allow Read and Write access.
- Policy 2 for the Pod Root’s Initial Member Policies:
If the agent matches the Pod owner’s WebID, and if the client application’s Client ID has a match in the initial client allow list, allow Read and Write access.
For more information on a Container’s Member Policies, see Member Policies.
Note
Starting in 2.1, ESS uses the values in Authorization service’s
INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST
(at
the time of Pod creation) to create the client matcher for the
initial policies. If the setting is unset, ESS uses the values
in its Authorization service’s INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST
(at
the time of Pod creation).
If the initial client allow list is empty (when creating the policy), ESS uses the value of the Pod owner’s WebID to create initial policies of the form:
If allOf(AgentMatcher) evaluates to true, Then allow (Read and Write).
Specifically, ESS creates:
- Policy 1 for the Pod Root:
If the agent matches the Pod owner’s WebID, allow Read and Write access.
- Policy 2 for the Pod Root’s Initial Member Policies:
If the agent matches the Pod owner’s WebID, allow Read and Write access.
For more information on a Container’s Member Policies, see Member Policies.
Note
After a Pod’s initial policies have been created, changes to
INRUPT_AUTHORIZATION_DEFAULT_ACR_CLIENT_ID_ALLOW_LIST
(or INRUPT_AUTHORIZATION_CLIENT_ID_ALLOW_LIST
) do not impact the Pod’s
policies.