permissions


Conrad Leonard

Apr 26, 2015, 10:28:29 PM
to sta...@clarkparsia.com
I've been trying to understand the Stardog permissions model (using 3.0 - I see there is a newer release, but nothing in release notes suggests related changes from 3.0->3.0.1) and am hitting an issue with the interpretation or possibly implementation of "create" and "delete".

I have the following little shell script that sets up 4 users, with respectively read, read-create, read-delete, and read-write permissions, and then performs explicit SELECT, INSERT, DELETE queries, as well as the CLI commands stardog data add and stardog data remove:

#!/bin/bash
# Arrays and [[ ]] are bash features, so the script needs bash rather than sh.
DB=perm-test
TMPDATA=/tmp/$DB.$(date +%s).ttl
echo "@prefix ex: <http://example.org> .
ex:example rdf:type ex:Example;
        rdfs:label '''example'''^^xsd:string .
" > $TMPDATA
stardog-admin db drop -n $DB
stardog-admin db create -n $DB
stardog namespace add --prefix ex --uri http://example.org/ $DB
stardog data add $DB $TMPDATA

# combinations of permissions: read, create+read, delete+read, read+write
permsArray=( R CR DR RW )

for perms in "${permsArray[@]}"; do
        # recreate the user with password 1234, then grant one action per letter
        stardog-admin user remove  $DB-user-$perms
        stardog-admin user add $DB-user-$perms -N 1234
        if [[ $perms == *R* ]]; then
                stardog-admin user grant -a read -o db:$DB $DB-user-$perms
        fi
        if [[ $perms == *C* ]]; then
                stardog-admin user grant -a create -o db:$DB $DB-user-$perms
        fi
        if [[ $perms == *D* ]]; then
                stardog-admin user grant -a delete -o db:$DB $DB-user-$perms
        fi
        if [[ $perms == *W* ]]; then
                stardog-admin user grant -a write -o db:$DB $DB-user-$perms
        fi
done

# check it out: print the permissions each user ended up with
for perms in "${permsArray[@]}"; do stardog-admin user permission  $DB-user-$perms; done

# exercise each user with a SPARQL query, two SPARQL updates and the two data commands
for perms in "${permsArray[@]}"; do
        echo "SELECT query with '$perms' permissions:"
        stardog query -u $DB-user-$perms -p 1234 -- $DB "SELECT * WHERE {?s ?p ?o}" > /dev/null && echo "OK" || echo "No permissions"
        echo "INSERT query with '$perms' permissions:"
        stardog query -u $DB-user-$perms -p 1234 -- $DB "INSERT {?s ex:dataProp '''datatProp'''^^xsd:string} WHERE {BIND (ex:example AS ?s)}"
        echo "DELETE query with '$perms' permissions:"
        stardog query -u $DB-user-$perms -p 1234 -- $DB "DELETE {?s ?p ?o} WHERE {?s ?p ?o}"
        echo "'stardog data remove' with '$perms' permissions:"
        stardog data remove -u $DB-user-$perms -p 1234 $DB $TMPDATA
        echo "'stardog data add' with '$perms' permissions:"
        stardog data add -u $DB-user-$perms -p 1234 $DB $TMPDATA
done

rm $TMPDATA



In the case of the read-only user and the read-write user I understand the results, but not for the CR and DR users:

+---------------+---------------+-------------+--------------------+
| Resource Type | Resource Name | Permissions |       Source       |
+---------------+---------------+-------------+--------------------+
| db            | perm-test     | --R----     | [perm-test-user-R] |
+---------------+---------------+-------------+--------------------+
+---------------+---------------+-------------+---------------------+
| Resource Type | Resource Name | Permissions |       Source        |
+---------------+---------------+-------------+---------------------+
| db            | perm-test     | C-R----     | [perm-test-user-CR] |
+---------------+---------------+-------------+---------------------+
+---------------+---------------+-------------+---------------------+
| Resource Type | Resource Name | Permissions |       Source        |
+---------------+---------------+-------------+---------------------+
| db            | perm-test     | -DR----     | [perm-test-user-DR] |
+---------------+---------------+-------------+---------------------+
+---------------+---------------+-------------+---------------------+
| Resource Type | Resource Name | Permissions |       Source        |
+---------------+---------------+-------------+---------------------+
| db            | perm-test     | --RW---     | [perm-test-user-RW] |
+---------------+---------------+-------------+---------------------+
SELECT query with 'R' permissions:
OK
INSERT query with 'R' permissions:
User does not have write permissions for the index.  User identification "perm-test-user-R"; index name "perm-test"
DELETE query with 'R permissions:
User does not have write permissions for the index.  User identification "perm-test-user-R"; index name "perm-test"
'stardog data remove' with 'R' permissions:
Permission denied.
'stardog data add' with 'R' permissions:
Permission denied.
SELECT query with 'CR' permissions:
OK
INSERT query with 'CR' permissions:
User does not have write permissions for the index.  User identification "perm-test-user-CR"; index name "perm-test"
DELETE query with 'CR permissions:
User does not have write permissions for the index.  User identification "perm-test-user-CR"; index name "perm-test"
'stardog data remove' with 'CR' permissions:
Permission denied.
'stardog data add' with 'CR' permissions:
Permission denied.
SELECT query with 'DR' permissions:
OK
INSERT query with 'DR' permissions:
User does not have write permissions for the index.  User identification "perm-test-user-DR"; index name "perm-test"
DELETE query with 'DR permissions:
User does not have write permissions for the index.  User identification "perm-test-user-DR"; index name "perm-test"
'stardog data remove' with 'DR' permissions:
Permission denied.
'stardog data add' with 'DR' permissions:
Permission denied.
SELECT query with 'RW' permissions:
OK
INSERT query with 'RW' permissions:
Update query processed successfully in 00:00:00.101.
DELETE query with 'RW permissions:
Update query processed successfully in 00:00:00.081.
'stardog data remove' with 'RW' permissions:
Removing data from file: /tmp/perm-test..1430101302.ttl
Removed 0 triples in 00:00:00.084
'stardog data add' with 'RW' permissions:
Adding data from file: /tmp/perm-test..1430101302.ttl
Added 2 triples in 00:00:00.090


So the user with create permissions is not being allowed to insert data either via SPARQL or the command-line, and the user with delete permissions is not being allowed to delete data via either mechanism.

What is happening here?

Michael Grove

Apr 27, 2015, 6:58:36 AM
to stardog
The create & delete permissions do not correspond to SPARQL update operations.  Only read and write affect what users are authorized to do to a database.  Create and delete are more used for controlling whether or not a user could, for example, create a database, or delete a user account.

Cheers,

Mike
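As an added illustration of the distinction Mike describes (constructed for this thread, not Stardog's own authorization code): a small model in which read and write gate queries, updates and data commands on a database, while create gates only the creation of the resource itself. The "<type>:<name>" resource format, the "*" wildcard and the assumption that database creation is checked against a create grant on a db: resource are this model's assumptions, not documented Stardog behaviour.

```python
# Constructed model of the permission semantics described in this thread;
# it is not Stardog's authorization code. Resource-name matching (including
# the "*" wildcard) and the resource checked for "db create" are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    action: str    # read | write | create | delete
    resource: str  # "<type>:<name>", e.g. "db:perm-test"


# Which action each operation actually needs: SPARQL update and the data
# add/remove commands all need "write"; "create" only governs creating the
# resource itself. No data operation ever consults create or delete.
REQUIRED_ACTION = {
    "SELECT": "read",
    "INSERT": "write",
    "DELETE": "write",
    "data add": "write",
    "data remove": "write",
    "db create": "create",  # assumed: create on the db resource being created
}


def _resource_matches(granted: str, wanted: str) -> bool:
    gtype, gname = granted.split(":", 1)
    wtype, wname = wanted.split(":", 1)
    return gtype == wtype and gname in ("*", wname)


def is_allowed(perms, operation: str, db: str) -> bool:
    """True if any granted permission satisfies the operation on db."""
    needed = REQUIRED_ACTION[operation]
    return any(p.action == needed and _resource_matches(p.resource, f"db:{db}")
               for p in perms)


def grants(letters: str, db: str):
    """Build the grant set the thread's script creates for a user like 'CR'."""
    name_of = {"R": "read", "C": "create", "D": "delete", "W": "write"}
    return {Permission(name_of[c], f"db:{db}") for c in letters}


def access_matrix(db: str = "perm-test"):
    """Replay the thread's four users against every operation."""
    return {u: {op: is_allowed(grants(u, db), op, db) for op in REQUIRED_ACTION}
            for u in ("R", "CR", "DR", "RW")}
```

Replaying the script's four users reproduces the thread's output: only the RW user passes INSERT, DELETE, data add and data remove, and the CR user's create grant buys nothing for data operations.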

Conrad Leonard

Apr 27, 2015, 11:05:10 AM
to sta...@clarkparsia.com
Thanks, that clears it up. 

If I might suggest a small clarification in the docs - in the section http://docs.stardog.com/#_permissions there's nothing to suggest that the 'resources' referred to in the read/write permissions descriptions are fundamentally different from the 'resources' referred to in the create/delete permissions descriptions. Without any explicit documentation to the contrary, and coming from SQL-land, in particular web frameworks with the usual CRUD methods, it was easy for me to (wrongly, obviously) assume that create, for instance, corresponded to SPARQL INSERT, delete to DELETE, and write to shorthand for INSERT+DELETE.

cheers,
C

Kendall Clark

Apr 27, 2015, 11:29:52 AM
to stardog
Thanks, Conrad, for the excellent feedback as always.

I will try to clarify this issue in the docs. Yr interpretation was perfectly reasonable and there isn't anything in the docs to guide it otherwise.

Cheers,
Kendall

Conrad Leonard

Apr 29, 2015, 10:39:12 PM
to sta...@clarkparsia.com
Thanks Kendall;
To follow up by way of a feature request, we think adding granular INSERT & DELETE permissions on graph data would be a great thing. We have many scenarios in which users/roles should be able to add data but not delete it. Not many I can think of for delete-only, but with granular insert, delete perms then update role is of course just composition of insert & delete. I'm using SPARQL endpoint terminology but same goes for API user.

cheers,
C

Michael Grove

Apr 30, 2015, 6:16:16 AM
to stardog
On Wed, Apr 29, 2015 at 10:39 PM, Conrad Leonard <conrad....@hotmail.com> wrote:
Thanks Kendall;
To follow up by way of a feature request, we think adding granular INSERT & DELETE permissions on graph data would be a great thing. We have many scenarios in which users/roles should be able to add data but not delete it. Not many I can think of for delete-only, but with granular insert, delete perms then update role is of course just composition of insert & delete. I'm using SPARQL endpoint terminology but same goes for API user.

Stardog 3.1 will include named graph security, so you'll be able to specify read and write permissions down to the graph level.

Cheers,

Mike