S-OGSA (Semantic-OGSA) is a reference architecture that extends OGSA with semantics. It defines semantic bindings between grid entities and knowledge entities. S-OGSA services include ontology, reasoning and semantic binding services. Example scenarios described include satellite image analysis, insurance claims processing, and role-based access control for authorizing insurance policies.
Paper presentation @ CGW ‘06 workshop, 2006
1. CGW ‘06 Krakow, October 16th 2006. Semantic Binding Specifications in S-OGSA. Oscar Corcho, Pinar Alper, Ioannis Kotsiopoulos, Paolo Missier, Sean Bechhofer, Carole Goble. www.ontogrid.eu
4. S-OGSA Scenario. Authorisation [diagram]. Components shown: WS-DAIOnt, XACML_AuthZService (PDP), CarFraudService (PEP), Pellet Reasoner, Atlas, PIP Proxy, PDP Proxy, VO Ontology (OWL), Class Hierarchy (RDFS), RDF, Role Op Mapping. Step labels (the diagram numbers the steps 1 to 8): XACML AuthZ Request; getInsurancePolicy; Obtain Semantic Bindings of John Doe; Obtain all classes that are subclass of ROLE; Classify John Doe wrt VO ont; Lookup whether the ROLE that is inferred permits or not; XACML AuthZ Response; Result or Exception. Example assertion shown: "John Doe has had 2 distinct accidents". Example DN shown: /C=GB/O=PERMIS/CN=User0
20. S-OGSA Model and Capabilities. The complete picture [diagram]. Labels in the diagram: Grid Entity, Grid Resource, Grid Service, Knowledge Entity, Knowledge Resource, Knowledge Service, Semantic Binding, Semantic Provisioning Service, Semantic Binding Provisioning Service, Semantic aware Grid Service, Ontology Service, Reasoning Service, Annotation Service, Metadata Service, Ontology, Rule set, WebMDS, SAML file, DFDL file, JSDL file, OGSA-DAI, CAS. Relation labels: Is-a, uses, consume, produce, with cardinalities 0..m and 1..m. Region labels: Grid, Semantic Grid, Knowledge.
21. S-OGSA Scenario. Satellite Image Quality Analysis [diagram]. Components shown: WebDAV, WS-DAIOnt, SatelliteDomain Ontology, Grid-KP, XML Summary File, WebDAV client (e.g. MS Windows Explorer), HTTP PUT, Atlas Metadata Service, QUARC-SG client JSP, UTC2Seconds Soaplab, RDF. Step labels: Convert time to canonical representation; Annotate file; Obtain ontology; Type metadata; Store; Query; Input criteria; Copy satellite XML summary file. The diagram shows two numbered flows: the metadata generation process and the metadata querying process.
22. S-OGSA Scenario. Insurance settlement [diagram]. Components shown: WS-DAIOnt, Negotiation Service (Manager), Job Negotiation client, Atlas, RDF, InsuranceCo DB, Motor Vehicles, Car Parts, Job + Contractor List, Car Repair DB, Legacy databases, Repair CO. 1, Repair CO. 2 and Repair CO. 3 (each a Nego. Srvc. Contractor). Step and message labels (the diagram numbers the steps 1 to 5): Do Negotiation; Retrieve public Job desc.; Job; Cfp; calculatePrice; propose; Offer; Refuse; accept; Reject.
26. S-OGSA Scenario. Authorisation [diagram: the authorisation scenario shown earlier, with a legend classifying its components]. Legend: Ignorant of semantics; Semantic aware and capable of processing semantics; Semantic provisioning services; Semantic aware but incapable of processing semantics.
Editor's Notes
Metadata that relates Grid and Knowledge Entities:
• A bunch of RDF statements
• A set of XML documents
• A set of descriptions in natural language
• ...

Model

Not the only way, but a Semantic Web way. It could just be a sub-classing approach. This is a Semantic Web based approach with annotations and bindings; an alternative would be a subtyping scheme.

STICKY METADATA: when you don't own the data (annotation), or when you do (embedding).

In OGSA (and consequently in S-OGSA) any nameable entity is defined as a Grid Entity. Based on this, users/subjects within a VO are also Grid Entities, generally identified by the Distinguished Names (DN) in certificates issued to them (see the DN CN=John Doe, OU=IMG, O=UoM, C=UK for John Doe within the digital certificate in the figure).

Early Semantic Grid approaches to modelling VOs and their sharing rules have been through the use of various SW technologies, viz. ontologies and rules [40, 43]. These VO Ontologies are examples of the Knowledge Entity concept of S-OGSA. VOs are transient confederations formed to solve particular problems; therefore, in addition to generic aspects, which could be used to characterize nearly every VO (e.g. Institutions, Persons, Resources), a VO ontology is also expected to model problem/application specific aspects such as domain specific resource types (e.g., scientific data sets). A small extract of a generic VO ontology is given in the figure.

Furthermore, VO Ontologies are functional not only in representing the entities in the environment but also the VO formation and operation policies.

• Policies for VO establishment are used to designate who can be a member under what conditions. These conditions are represented through definitions of roles within the VO. An example could be as follows: a VO member is a user that is affiliated with an organization that is itself a member of the VO.
• Resource Sharing policies are expressed through the concepts of Roles, Actions and Resources and the simple authorization pattern: Role is authorized to perform Action on Resource. We should note that there might be different technology specific methods (such as rules, axioms, defined classes, etc.) for modelling these policies, which are later exploited for making access control decisions at the time of resource utilization. An example of a resource sharing policy could be: Role X can perform a read operation on a resource (e.g. a job submitted to a Job Execution Manager) if (a) the VO member in that role is the job owner or (b) the member is the job owner’s manager. The choice of a declarative approach to specify the sharing policies through roles and their associations to Action and Resource types brings flexibility.

The Knowledge entities in the Semantic Grid provide the essential conceptualizations, which can be used to structure metadata assertions about Grid entities. Within S-OGSA this structured metadata is represented by the Semantic Binding entity. Figure 6 depicts an example of a Semantic Binding as a group of assertions about the Grid Entity John Doe. In this example metadata assertions are structured with respect to the schema in the VO Ontology, though they could also be related to a set of rules or even textual descriptions.

The semantic bindings could come into existence and evolve both during the formation and operation of the VO. For example, the Semantic Binding on John Doe’s institutional affiliation could be generated at formation time, whereas the Semantic Binding expressing John Doe being the owner of a submitted job could be generated when the Grid entity representing the job comes into existence.

Footnote 6: Some of the existing policy representation languages are: XACML [47], SAML [48], WS-Policy [49], WSPL [45], KAoS [43], Rei [46], PeerTrust [50], and WS-Trust [51]. Different languages are aimed at different aspects of the policy specification and at different functions.

Footnote 7: See, for instance, http://www.cl.cam.ac.uk/users/mywyb2/publications/ehrpolicy.pdf
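The notes above give a membership rule, a resource sharing rule and a lookup from inferred role to permitted action. The sketch below is an added example, not code from the presentation or the OntoGrid project: it plays the decision point's part over a constructed set of bindings, with plain Python rules standing in for the ontology reasoner. The predicate names, role names, the `cancel` action, `vo:demo`, `job:42` and the two extra DNs are assumptions.

```python
from typing import NamedTuple

class Triple(NamedTuple):
    s: str  # subject (a Grid Entity or organisation)
    p: str  # predicate (hypothetical VO ontology term)
    o: str  # object

JOHN = "CN=John Doe, OU=IMG, O=UoM, C=UK"  # DN quoted in the notes
MARY = "CN=Mary Roe, OU=IMG, O=UoM, C=UK"  # constructed
EVE = "CN=Eve Poe, O=Elsewhere, C=UK"      # constructed, organisation outside the VO

# Constructed semantic bindings: assertions about Grid Entities.
BINDINGS = frozenset({
    Triple(JOHN, "affiliatedWith", "UoM"),
    Triple(MARY, "affiliatedWith", "UoM"),
    Triple(EVE, "affiliatedWith", "Elsewhere"),
    Triple("UoM", "memberOf", "vo:demo"),
    Triple("job:42", "ownedBy", JOHN),
    Triple(MARY, "manages", JOHN),
    Triple(EVE, "manages", JOHN),  # asserted, but Eve is not a VO member
})

def objects(kb, s, p):
    """All o such that (s, p, o) is asserted."""
    return {t.o for t in kb if t.s == s and t.p == p}

def infer_roles(kb, subject, resource, vo):
    """Classification step; plain rules stand in for an ontology reasoner."""
    orgs = objects(kb, subject, "affiliatedWith")
    if not any(vo in objects(kb, org, "memberOf") for org in orgs):
        return set()  # not a VO member: no role can be inferred
    roles = {"VOMember"}
    owners = objects(kb, resource, "ownedBy")
    if subject in owners:
        roles.add("JobOwner")
    if owners & objects(kb, subject, "manages"):
        roles.add("JobOwnerManager")
    return roles

# Role -> actions lookup (hypothetical role and action names).
ROLE_OPS = {"JobOwner": {"read", "cancel"}, "JobOwnerManager": {"read"}}

def decide(kb, subject, action, resource, vo="vo:demo"):
    """PDP decision: Permit only if an inferred role maps to the action."""
    roles = infer_roles(kb, subject, resource, vo)
    permitted = any(action in ROLE_OPS.get(role, ()) for role in roles)
    return "Permit" if permitted else "Deny"

if __name__ == "__main__":
    for who in (JOHN, MARY, EVE):
        print(who, decide(BINDINGS, who, "read", "job:42"))
```

Because the decision is derived entirely from the bindings, whoever can write to the metadata store can change who is permitted, so write access to it needs the same protection as the policy itself.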
S-OGSA Capabilities. S-OGSA is a mixed economy of these semantically enabled and disabled services. We add to the set of capabilities that Grid middleware should provide to include the Semantic Provisioning Services and Semantically Aware Grid Services (Figure 4).

Semantic Provisioning Services dynamically provision an application with semantic grid entities in the same way a data grid provisions an application with data. The services support the creation, storage, update, removal and access of different forms of Knowledge Entities and Semantic Bindings. Ontology services store and provide access to the conceptual models representing knowledge; reasoning services support computational reasoning with those conceptual models; metadata services store and provide access to semantic bindings; and the annotation services generate metadata from different types of information sources, like databases, services and provenance data. These four build on past work of members of the consortium: a knowledge parser

----------------------------------

According to our design principle of diversity, S-OGSA is a mixed economy of semantically enabled and disabled services. To achieve this goal, we extend the set of capabilities that Grid middleware should provide to include Semantic Provisioning Services and Semantically Aware Grid Services. This extension is shown in Figure 1 with pink boxes (for semantic provisioning services) and dotted pink squares in the OGSA capability services (for semantically aware Grid services).

Semantic Provisioning Services are those responsible for the provisioning and management of explicit semantics and its association with Grid entities. Semantically Aware Grid Services are those enhanced Grid services that deliver OGSA enumerated capabilities but differ from others by having an affiliation with, or operating using, explicit semantics. Next we describe both types of services in more detail.
3.2.1 Semantic Provisioning Services

Semantic Provisioning services are the services that give support to the provision of semantics, by allowing the creation, storage, update, removal and access of different forms of knowledge and metadata (i.e. Knowledge Entities and Semantic Bindings of the S-OGSA model). The semantics provisioned by these new categories of services apply to knowledge and metadata both in the Grid (i.e. related to the operation of Grid middleware) and on the Grid (i.e. related to the Application domain). Semantic provisioning services are further classified into two major categories (see Figure 4), namely Knowledge Provisioning Services and Semantic Binding Provisioning Services, reflecting the S-OGSA model.

Semantically Aware Grid Services

Certain classes of middleware services in the Grid could exploit knowledge technologies to deliver their functionality. In Figure 4 we have identified these enhanced Grid services as Semantically Aware Grid Services (SAGS). Semantic Awareness here means being able to consume semantic bindings and being able to take actions based on knowledge and metadata. Examples of such actions are:
• Metadata aware authorization of a given identity by a VO Manager service;
• Execution of a search request over entries in a semantic resource catalogue;
• Incorporation of a new concept into an ontology hosted by an ontology service;
• Reduction of an annotated scientific data set to a smaller subset by a scientist.

SAGS allow for sharing of community-wide knowledge and may outsource knowledge related activities. The explicit expression of knowledge in formalisms with well-defined interpretation mechanisms allows for representation of a common understanding of the environment among components both in and on the Grid. Sharing this knowledge brings flexibility to components and increases interoperability. Furthermore, the reasoning tasks can be outsourced to other specialised components (e.g. inference engines, rule engines).
Please note there are no references to technologies here… As part of our S-OGSA activity, however, we can define an RDF and Description Logic profile for S-OGSA. Ignorant…
Please note there are no references to technologies here… As part of our S-OGSA activity, however, we can define an RDF and Description Logic profile for S-OGSA. Aware but incapable.
Please note there are no references to technologies here… As part of our S-OGSA activity, however, we can define an RDF and Description Logic profile for S-OGSA. Aware and capable.