The Permissions Sketch

Hey, Terry, Can I borrow your tags?¶

njr: Hi Terry

terrycojones: Hi Nick

njr: Seeing as we’re friends, could I see your, ratings please?

terrycojones: Sure. I’ve just set an exception on see for terrycojones/rating so njr can see it.

njr: Great thanks. Except, it’s odd. I can see that you have a rating on The Hitchhiker’s Guide to the Galaxy, but I can’t see its value.

terrycojones: Oh, you mean you want read permission. No problem. There I’ve set an exception for njr to be able to read terrycojones/rating too.

njr: Excellent. Yes, I can see it now. Just an 8, eh?

terrycojones: Yeah, well . . .

[A bit later]

njr: Terry, you know how we’re really good friends.

terrycojones: Sure.

njr: Well, I was wondering if it wouldn’t be useful if I couldn’t actually set ratings for you. For instance, when we were talking the other day, you were saying how maybe you didn’t even think THHGTTG deserved an 8, and you planned to take it down to a 6; only there you were working on three tickets and the net was down where you were, and basically you couldn’t be arsed?

terrycojones: Yeah, that makes sense. OK, I’ve given you `update permission on terrycojones/rating now, so you can change it.

njr: Wow, you’re really fast at that. Are you using some cool FluidDB client?

terrycojones: No, I just use curl and send the raw HTTP. The API’s so RESTful . . .

njr: [Rolls eyes]. OK, let me try that. No, not curl—changing your rating. Yeah, that worked. Cool. And I know you also wanted to give Pärt’s Tabular Rasa a 10, so I’ll just do that for you.

terrycojones: Great. Hang on, I’ll just give you permission.

njr: Eh? You’re going senile, mate: you just did. I changed your rating on Hitchhiker’s Guide to the Galaxy, remember?

terrycojones: Yes. But you only needed update permission for that. Now you want to tag a new object with terrycojones/rating. You need create permission to do that. But don’t worry, I’ve given you that too.

njr: Oh wow. These permissions are pretty-fined grained aren’t they? Yeah, I’ve done it. Except—fool!—I tagged the wrong object. I forgot the umlaut on Pärt in the about tag. I know you’re fussy about your accents, being Australian. (Mind you, Pärt might be fussy about it too.) So there I’ve put it on the right one now. Except—that’s weird, I can’t seem to untag the first one. Surely if I have update and create permission, that must allow me to remove a tag, right?

terrycojones: Of course not! Deletion is completely different! But no problem. I’ve given you delete permission on terrycojones/rating now.

njr: Right. So now I can do anything with terrycojones/rating, right? I can see it, read it, tag things with it (create), change tag values (update) and even untag things (delete). Truly, I have power over your ratings.

terrycojones: Yup. You could even make the world’s biggest Mariah Carey fan. But of course, I’d have to kill you if you did that. And you’re the only one apart from me who can set my ratings, so I’ll know.

njr: Consider it done.

But there’s more . . .¶

terrycojones: Of course, there are still things you can’t do with my ratings.

njr: There are?

terrycojones: Sure. You can’t do anything to the tag itself.

njr: You mean apart from see it, read it, apply it, change it and update it?

terrycojones: I said the tag itself.

njr: The tag . . . itself?

terrycojones: Yup.

njr: That sounds a bit abstract to me, Terry. I’m just a simple physicist. What are you talking about?

terrycojones: See, you change set my ratings, and change my ratings, but you can’t change terrycojones/rating itself. You can’t change what it means. And you can’t delete it.

njr: What it means?

terrycojones: Yes. If you look at the properties of the tag, you’ll find that the description of it is "terrycojones's ratings (Spinal Tap) scale".

njr: Spinal Tap scale?

terrycojones: Sure. Zero to eleven.

njr: Of course. Well, eleven’s nice, if a bit odd; and prime. What do you rate eleven?

terrycojones: Oh not much. The FluidDB permissions system. And Esteve.

njr: Esteve? Better not tell him. He’ll want a raise.

terrycojones: It’s OK; he’s on the exception list. He can’t read my ratings.

njr: But he writes the code!

terrycojones: Yeah, but you should see his principles. He’s uncorruptable.

njr: Alright, alright.

terrycojones: Anyway, the point is, you can’t change that.

njr: The incorruptable genius of Esteve?

terrycojones: Well, that too. But I meant the meaning of my ratings.

njr: Even though I have have every conceivable write permission on the tag?

terrycojones: Yeah, but not on the tag itself.

njr: (If you say itself in that meaningful tone one more time . . .)

terrycojones: Yeah, well, anyway, there’s a separate permission for updating the tag itself.

njr: [Expletives deleted.] Of course there is. And what’s that called?

terrycojones: update.

njr: No, see, you already gave me update permission, wise guy

terrycojones: On the tag. Not the tag itself.

njr: Oh, update on the tag itself. I see. And what about delete? You said I couldn’t delete the tag. But I’ve already removed that Part tag from the object without the umlaut.

terrycojones: Ah yes; but you haven’t deleted the tag itself

njr: [Further colourful expletives deleted] Right. So I can delete every terrycojones/rating you’ve ever put on anything, and indeed, any terrycojones/rating anyone else has ever put on anything for you. But I can’t delete the essence of terrycojones/rating, the meta-data about terrycojones/rating, the terrycojones/rating itself.

terrycojones: That’s right. (And it’s not meta-data; it’s data. All data is equal in FluidDB.)

njr: Whatever. So it that it? Is that really it?

terrycojones: Yup.

njr: So let me see if I have this straight. There are permissions for seeing, creating, reading, updating and deleting tags. And then there are some special administrative permissions for updating and deleting the tag itself.

terrycojones: That’s right.

njr: And that’s absolutely it? If you gave me those, I really would own you. I’d have complete control of terrycojones/rating.

terrycojones: Ah, well, it’s funny you should say that.

njr: There’s more isn’t there?

terrycojones: Well, there’s control.

njr: There’s control.

terrycojones: Yes, there’s control.

njr: Meaning . . .?

terrycojones: Well, who do you think’s been giving you all these permissions to tell the world about my secret infatuation with Mariah Carey?

njr: Ah, yes, Of course. There’s control of tags. Kind of like ownership of files. But surely, you own all the ``terrycojones tags, don’t you?

terrycojones: Sure I do. But I could given them to you if I wanted to. Or I could even let us share them: so we both controlled them.

njr: And that’s called control?

terrycojones: Right.

njr: And that works the same way? With an open/closed policy and an exception list?

terrycojones: Sure does.

njr: Wow. So you could you set it to be closed and not have any exceptions?

terrycojones: Yup.

njr: And then no one would be able to change it?

terrycojones: Not even God.

njr: Really? Is God subject to the FluidDB permissions system.

terrycojones: Well, not yet. She doesn’t have an account. But if she ever gets on, it’s the same rules for her as you, and me, and FluidDB. No exceptions.

njr: Wow, so you if you closed off all the permissions on your ratings and then took away control, your ratings would be like digital tatoos. No one could ever change them.

terrycojones: That’s right. I’m going to rate my mum 10 and then do that.

njr: Aaahhh . . .

Some months later¶

terrycojones: Hi Nick

njr: Hi Terry

terrycojones: You know how we’re great friends and all that shit?

njr: Sure

terrycojones: And how I trusted you with my ratings, and you mostly didn’t abuse except for that whole rating-Mariah-Carey-11 business.

njr: You love her really.

terrycojones: Whatever. The thing is, I thought it would be good if you have me permission on your njr/guardian-1000 namespace, so I can add some stuff and fix all the unicode you screwed up.

njr: Ah, unicode, yes. OK, what do I need to do.

terrycojones: Well, you could just give me control of it; then I could do anything.

njr: Control of njr/guardian-1000? So I guess control on a namespace is like control on a tag?

terrycojones: On a tag itself, right.

njr: Well, you know, Terry, I trust you and everything, but . . .

terrycojones: Yeah, OK. I don’t really need control. But create permission would be useful.

njr: OK, done. Is that it?

terrycojones: Well, actually, update would be useful too. Since you screwed its description.

njr: So update permission on a namespace is like the administrative update permission on a tag?

terrycojones: On the tag itself. Right. It lets you change the data about the namespace. Like the description.

njr: OK, I’ve done that too. Anything else.

terrycojones: Well you have an open policy on list, so I can see what’s there. But there seems to be some junk. I mean you have a sub-namespace njr/guardian-1000/best-FluidDB-UUIDs. I don’t think the Guardian has published its list of all-time best FluidDB-UUIDs yet. And even if it did, I think you’d want a tag not a namespace for that. So I think we could lose it. You know how I love deleting things.

njr: So delete it!

terrycojones: I will. But you need to give me delete permission on the namespace for that

njr: Right, so that would be another administrative permission on the namespace. Like delete on the abstract tag itself.

terrycojones: You’re finally getting this.

njr: Slowly, slowly, the egg walks, (as they say in Addis Ababa).

terrycojones: You ever been to Addis Ababa?

njr: No. But I know a woman who rates it an 11.

terrycojones: OK. It’s in the njr/guardian-1000/cities now too.

njr: It is?

terrycojones: It is!

njr: OK, Ciao, Terry. I’ll let you get back to your Mariah Carey records.

terrycojones: [Expletives I’ve never even heard before deleted.]

Permissions Worth Getting Excited About

Permissions. Doesn’t the very subject set your heart racing?

No?

Well, me neither; normally. But, rather to my surprise, my thesis today is that one of the most revolutionary and remarkable features of FluidDB is its permissions system, and that this, more than anything else, explains why it has a shot at blowing apart web applications and social data.

I accept it’s an unlikely claim. But let’s see if I can make a case.

WTF?¶

If you ever hear Terry talk about FluidDB, or read his stuff, the guy speaks in riddles. One minute he sounds like Richard Stallman, banging on about freedom and how when he rules the world no one will have to ask permission to write data, no one will own objects, everything will be shared and social and anarchic and messy and we’ll all be able to do exactly what we want. He even calls FluidDB the database with the heart of a wiki, whatever that’s supposed to mean. And the very next next minute, he’s talking about how at the heart of FluidDB lies a really strong permissions system that allows us to control exactly what goes in FluidDB.

The guy’s clearly schizophrenic, if not paranoid delusional. Right?

In Defence of Terry¶

FluidDB is a remarkably simple conception. At its heart, it’s just a collection of initially empty containers to which we can attach tags. In best computer-science tradition, we call the containers objects and they really are 100% shared.

If you can find an object, you can tag it . . . and so can anyone else.

As you can see, the objects all have rather long, individual identifiers—actually 128-bit numbers sometimes known as UUIDs [1]. Some objects also have a second identifier, known as the about tag. About tags are unique and never change, so there can only be one object in FluidDB whose about tag is set to the (exact) string oxygen, though there can be any number with no about tag.

So objects are not owned, but shared, and once created, are never destroyed [2].

So one half of the claim is good: objects are shared, and anyone can tag them with whatever they like. Where do all the permissions and control come in?

Tags and Values¶

When we say that anyone can write to any objects in the system, that’s true. Anyone can stick any tag they like onto any object they can find [3]. The tag has a name, such rating or colour or Ulysses and may have a value—such as 7, or interesting or a picture of some leaves. Like this:

The only restriction your tag names all start with your FluidDB username. For example, my FluidDB username is njr, so my tag names start with njr/. So I can have njr/rating, njr/colour njr/Ulysses, or anything else I like. And you, Josephine, can have tags called josephine/rating, josephine/colour (or even josephine/color, if you’re that way inclined) and so on.

Placing tags on the same object in FluidDB is, of course, a way of relating them, but that isn’t the focus of this article.

Permissions¶

So finally, we come to the bit.

By default, I can only create and set tags starting njr, but can read any tags, while Josephine, naturally enough, can only create and set tags starting josephine. Unlike objects, tags are owned.

But there is a permissions system that means that I, as the owner of the owner of tags starting njr, can control exactly what Josephine can do with my tags and vice versa.

So if I want to, I can hide my ratings from Josephine, but let her see my colours. Or I can hide them from everyone except Josephine and Terry.

Slightly more unusually, I can also choose to allow some, or even all other users to write some of my tags if I like. For example, I might decide that I trust Terry enough to allow him to set some of my tags.

This ability to control who can do what extends not only to users, but to applications as well. So suppose someone writes an application called Read-Planner that allows people to tag any book they run across on the web (or anywhere, in fact) with a to-read tag. If I want to use this application, I don’t have to give it my password or open up access to all the rights that I have: I can simply give Read-Planner the ability to create to-read tags for me. And if at some point I become unhappy with it, of course I can revoke that permission. I don’t even need something like OAuth: I can just do it.

Even better, I can also choose to allow other applications whatever form of access to my to-read tags I want—maybe read only, or maybe some of them have write access too. It’s up to me.

And this is why we think FluidDB has the potential to be so revolutionary: it is truly social, while leaving each user firmly in control of his or her data.

New Rules for Web Applications¶

At the moment, any of us who use web applications tend to spend a lot of time and effort populating application databases to make them useful to us. But when we do so, we tend to lose control of our data. They go into a private database schema, and what access we have to that depends entirely on what the application allows us to do. Sometimes there are reasonable ways to get the data back out (some kind of an XML dump perhaps), sometimes not. But always the application is in control. And linking data across applications is, in general, somewhere between hard and impossible.

FluidDB can change all that by leaving the user in control of his or her data, granting the application only such permissions as necessary or desired, and ensuring that the user retains flexability and control.

Now obviously, this only works if applications agree to work with data in this way, and equally obviously, a lot of them are going to be extremely reluctant to do so. After all, in the well-worn phrase, information is power. So it’s more than possible that far from embracing the openness and intrinsic cross-application, cross-user interoperability championed and facilitated by FluidDB, many applications will seek to hold onto the data. We fully expect this.

But we also expect that there will be some applications, perhaps new ones, perhaps small ones initially, that will embrace the idea. And over time, a movement can grow, perceptions can change, and maybe in ten years time the idea of an application owning and controlling your data will seems as antiquated as the notion that you shouldn’t be allowed to see your own medical records.

A Tiny Bit of Detail¶

I’ll close by talking in slightly more detail about the way the permissions system in FluidDB operates. Further articles will go into the gory details.

Briefly, you can set permissions for each group of tags sharing a name. [4] So for example, if I use a rating tag, I can control exactly who can read, change and create this njr/ratings tag. And I can control each of those aspects independently. [5]

Similarly, if I choose to use names that contain slashes, like maybe njr/book/rating and njr/book/own I can choose control who can do what at the level of a stem like njr/rating if I choose. So I could allow some book applications, or a bookish friends, to manipulate my book tags, maybe even creating new ones for me, but not my other tags (especially not my njr/private ones!)

Conclusion¶

Unlikely as it sounds, one of the key innovations in FluidDB is its combining a completely shared set of information containers (the objects) with the ability for users to tightly control, at a granular level, precisely who can read, write and create the tags used to store information on those objects. This applies not only to users, but also to applications, giving a simple way for users to grant applications broad or narrow access to read or manipulate some or all of their data while, ultimately retaining complete control of it.

In FluidDB, you never need to ask permission to write to an object, but you always need permission to use someone else’s tags.

It’s a powerful combination.

---

[1]	So-called Universal Unique Identifiers.

[2]

In fact, we sometimes like to say that objects for every possible about tag already exist, in rather the same way that Plato believed that all numbers and other mathematical objects existed in perpetuity in what we now call his platonic universe. It’s simply that we only bother to allocate storage for objects with any particular about tag when someone actually wants to use it.

[3]	If it doesn’t have an about tag, an object might be very hard to find, essentially requiring you to guess a 128-bit number. But it doesn’t really matter, as we’ll see.

[4]	We sometimes call the set of tags having, or potentially having a particular name (like njr/rating) as an abstract tag. We can think of the (concrete) tags that we actually attach to FluidDB objects as concrete instantiation of a canonical, abstract, platonic, master tag of the same name.

[5]	There are actually more than three aspects I can control, but this the essence of it.

FDB 1.21

I just pushed fdb.py 1.21 to GitHub (http://github.com/njr0/fdb.py).

The command line utilities and the API now work consistently with subnamespaces using the funcitonality introduced in 1.19.

So

fdb tag -a DADGAD /njr/rather/deep/space/rating=9

will now work, creating namespaces for as many of rather, deep, space and rating as required.

FDB 1.20: Namespace Functions Added to API

I’ve added some new functions to the python API to FluidDB in the fdb.py library. This has been pushed to GitHub (http://github.com/njr0/fdb.py).

At the moment, the functionality is somewhat embryonic, but useful. Basically there are new functions to:

• Create a namespace, e.g.

  id = db.create_namespace ('/njr/bas/bar/foo',  'three levels deep',
                            verbose=True)
  

  This is recursive, and will create bas under /njr and bar under bas if required.

• Delete a namespace:

  status = db.delete_namespace ('bas/bar/foo')
  

  This is not recursive, though arguments for recurse and force have been added to the function signature. (They are casually ignored at present.)

• Fetch the description of a namespace, e.g.

  print db.describe_namespace ('bas/bar/foo')
  

These follow FDB’s usual convention that if paths start with a ‘/’ they are taken to be absolute, and if not they are taken to be relative to the user’s top-level namespace. So for me (njr), /njr/foo/bar is the same as foo/bar.

Points to note:

• There are no unit tests for this functionality yet (lazy, lazy, bad njr!)
• There is, however, a set of examples in nstest.py that illustrate and, to some extent, test the functionality (I know, I know, why not just make them tests. I will, I will.)
• There are no new commands in the CLI to leverage this APi functionality. (As you might imagine, I don’t intend that to be a permanent state of affairs.)
• Not only are there no new commands, but the existing commands have not been extended to take advantage of the new functionality properly, So, for example, fdb tag still can’t use the new namespace created. Ridiculous? Yes.

The following code shows the API:

import fdb
import simplejson as json

db = fdb.FluidDB ()
user = db.credentials.username

db.create_namespace ('subs', 'Subnamespace of njr', verbose=True)
print
db.delete_namespace ('/%s/subs' % user, verbose=True)
print

db.create_namespace ('bas/bar/foo',  'three levels deep', verbose=True)
print

print db.describe_namespace ('/%s/bas/bar/foo' % user), '\n'
print db.describe_namespace ('/%s/bas/bar' % user), '\n'
print db.describe_namespace ('/%s/bas' % user), '\n\n'

db.delete_namespace ('/%s/bas/bar/foo' % user, verbose=True)
db.delete_namespace ('bas/bar', verbose=True)
db.delete_namespace ('/%s/bas' % user, verbose=True)
print

assert db.describe_namespace ('bas/bar/foo') == 404
assert db.describe_namespace ('bas/bar') == 404
assert db.describe_namespace ('bas') == 404

print 'All namespaces verified to have been deleted.'

It produces the following output (starting from a clean sheet, anyway).

Created namespace /njr/subs with ID 1671aa1f-9cdb-44a0-b55e-ed4ca78553cd

Removed namespace /njr/subs

Created namespace /njr/bas with ID 2ce1aa8e-d069-4d3b-960c-40685c47868f
Created namespace /njr/bas/bar with ID 4328b9ec-d96a-40e4-9a30-6906d360d9a8
Created namespace /njr/bas/bar/foo with ID d83240e7-2863-4cac-95d2-42d61b2050d4

         description: three levels deep
                  id: d83240e7-2863-4cac-95d2-42d61b2050d4
      namespaceNames: []
            tagNames: []

         description: None
                  id: 4328b9ec-d96a-40e4-9a30-6906d360d9a8
      namespaceNames: ['foo']
            tagNames: []

         description: None
                  id: 2ce1aa8e-d069-4d3b-960c-40685c47868f
      namespaceNames: ['bar']
            tagNames: []


Removed namespace /njr/bas/bar/foo
Removed namespace /njr/bas/bar
Removed namespace /njr/bas

All namespaces verified to have been deleted.