Problem with Named Graph Security over Java API


Rubén Navarro Piris

Mar 7, 2016, 5:03:16 AM
to Stardog
Hi!

I'm trying to set up a new database user with limited named graph access using the Java API, but it is not working. Although I set read & write access to 2 graphs, whenever an update query is executed towards those graphs, an error occurs.

I created a database named 'stardog' with the 'security.named.graphs=true' parameter in the 'stardog.properties' as requested in the documentation and I'm using stardog 4.0.3.

Here is the sample code & exception:


    ConnectionConfiguration config = ConnectionConfiguration
        .to("stardog")
        .credentials("admin", "admin")
        .server("snarl://localhost:5820");
    AdminConnection adminConnection = config.connect().admin();
    UserManager userManager = Preconditions.checkNotNull(adminConnection.getUserManager());
    PermissionManager permissionManager = Preconditions.checkNotNull(adminConnection.getPermissionManager());

    String username = "username";
    String pwd = "userpass";

    // - create
    userManager.addUser(username, false, pwd.toCharArray());
    permissionManager.addUserPerm(Permissions.create(username, ActionType.READ, CoreResourceType.DATABASE, "stardog"));
    permissionManager.addUserPerm(Permissions.create(username, ActionType.WRITE, CoreResourceType.DATABASE, "stardog"));

    List<String> graphs = Lists.newArrayList("http://example.org/graphOne", "http://example.org/graphTwo");

    // - set READ access
    permissionManager.addUserPerm(Permissions.create(username, ActionType.READ, CoreResourceType.NAMED_GRAPH, graphs));
    //      for (String graph : graphs) {
    //        permissionManager.addUserPerm(Permissions.create(username, ActionType.READ, CoreResourceType.NAMED_GRAPH, graph));
    //      }

    // - set WRITE access
    permissionManager.addUserPerm(Permissions.create(username, ActionType.WRITE, CoreResourceType.NAMED_GRAPH, graphs));
    //      for (String graph : graphs) {
    //        permissionManager.addUserPerm(Permissions.create(username, ActionType.WRITE, CoreResourceType.NAMED_GRAPH, graph));
    //      }

    // execute update
    try (Connection connection = config.credentials(username, pwd).connect()) {
      String update = "INSERT DATA { " +
          "GRAPH <http://example.org/graphOne> {<urn:a> <urn:b> <urn:c>} " +
          "GRAPH <http://example.org/graphTwo> {<urn:x> <urn:y> <urn:z>}" +
          "}";
      connection.update(update).execute(); // the exception takes place at this point
    }

    // execute select
    try (Connection connection = config.credentials(username, pwd).connect()) {
      String query = "SELECT * FROM <http://example.org/graphOne> FROM <http://example.org/graphTwo> {?s ?p ?o}";
      TupleQueryResult result = connection.select(query).execute();
      while (result.hasNext()) {
        System.out.println(result.next());
      }
    }


com.complexible.stardog.StardogException: User does not have access to one or more named graphs
        at com.complexible.stardog.protocols.client.SPECClientUtil.toStardogException(SPECClientUtil.java:86)
        at com.complexible.stardog.protocols.client.SPECClientUtil.toStardogException(SPECClientUtil.java:34)
        at com.complexible.stardog.api.impl.SPECUpdateQuery.execute(SPECUpdateQuery.java:43)
        at com.complexible.stardog.api.impl.SPECUpdateQuery.execute(SPECUpdateQuery.java:26)
        at ***** (StardogAccessControlTest.java:67)

        Caused by:
        com.complexible.common.protocols.client.ClientException: User does not have access to one or more named graphs
            at com.complexible.common.protocols.client.rpc.DefaultRPCClient.get(DefaultRPCClient.java:285)
            at com.complexible.common.protocols.client.rpc.DefaultRPCClient.execute(DefaultRPCClient.java:261)
            at com.complexible.stardog.protocols.snarl.client.AbstractSNARLClient.update(AbstractSNARLClient.java:171)
            at com.complexible.stardog.protocols.snarl.client.AbstractSNARLClient.update(AbstractSNARLClient.java:62)
            at com.complexible.stardog.api.impl.SPECUpdateQuery.execute(SPECUpdateQuery.java:40)
            ... 2 more

            Caused by:
            java.lang.Exception: User does not have access to one or more named graphs

Am I missing something when creating the user? Thanks in advance!

Ruben

Michael Grove

Mar 7, 2016, 6:49:40 AM
to stardog
Yes. Named graph permissions are not global; they're not working because you have not specified the database to which they apply.

This is briefly illustrated in the example [1] in the docs, but we need to add a working example to the stardog-examples repo. 

The permissions need to specify, first, the database and, second, the named graph as the object of the permission.

    permissionManager.addUserPerm(Permissions.create(username, ActionType.WRITE, CoreResourceType.NAMED_GRAPH, "theDatabase", "theNamedGraph"));

If you want permissions over multiple named graphs, you need to create one permission per graph.

Alternatively, you can use the utility class `NamedGraphPermissions` to help construct permissions.

Cheers,

Mike
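
Added example (not part of the original thread, and not Stardog's own code): the grant from the first post rewritten per the answer above, with one database-scoped permission per graph and action, plus a check that a write to a graph outside the grant is refused. The class and method names are hypothetical; the Stardog types and calls are the ones that appear in this thread.

```java
// Added example; not the poster's or Stardog's code. It uses only the Stardog client
// types and calls that appear in this thread, so it needs the same Stardog imports as
// the original test class (the thread does not show them).
import java.util.List;

public final class NamedGraphGrants {

    // Error text taken from the stack trace in the original post.
    static final String DENIED = "User does not have access to one or more named graphs";

    /** Grants READ and WRITE on each graph: one permission per (action, graph) pair. */
    static void grantReadWrite(PermissionManager permissionManager, String username,
                               String database, List<String> graphs) throws Exception {
        for (String graph : graphs) {
            for (ActionType action : new ActionType[] { ActionType.READ, ActionType.WRITE }) {
                // Named graph permissions are not global: database first, then graph.
                permissionManager.addUserPerm(Permissions.create(
                        username, action, CoreResourceType.NAMED_GRAPH, database, graph));
            }
        }
    }

    /** True if a write to the given graph is rejected by named graph security. */
    static boolean writeIsDenied(Connection userConnection, String graph) throws Exception {
        String update = "INSERT DATA { GRAPH <" + graph + "> { <urn:a> <urn:b> <urn:c> } }";
        try {
            userConnection.update(update).execute();
            return false; // accepted: the user can write to this graph
        } catch (StardogException e) {
            if (e.getMessage() != null && e.getMessage().contains(DENIED)) {
                return true;
            }
            throw e; // some other failure (connection, syntax), not an access decision
        }
    }
}
```

With named graph security enabled, after `grantReadWrite(permissionManager, "username", "stardog", graphs)` the check should return false for `http://example.org/graphOne` and true for a graph that was never granted, such as the constructed `http://example.org/graphThree`.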


 


Rubén Navarro Piris

Mar 7, 2016, 7:49:36 AM
to sta...@clarkparsia.com
Hi Mike!

Thanks, works like a charm. I'll take a look at the 'NamedGraphPermissions' class also, thanks for the hint!

Cheers!

Rubén Navarro Piris


Rubén Navarro Piris

Mar 7, 2016, 9:41:09 AM
to Stardog
Hi Mike!

I added a precondition check to ensure that the 'security.named.graphs' flag is active for the current database, but no value is returned.

    AdminConnection adminConnection = this.getConnectionConfiguration().connect().admin();
    Boolean namedGraphSecurityEnabled = adminConnection.get(databaseName, SecurityOptions.NAMED_GRAPH_SECURITY_ENABLED);


The value of namedGraphSecurityEnabled was null (instead of true or false).

Any ideas?

Best regards,

Rubén

Michael Grove

Mar 7, 2016, 9:51:15 AM
to stardog
On Mon, Mar 7, 2016 at 9:41 AM, Rubén Navarro Piris <ruben.nav...@gmail.com> wrote:
> Hi Mike!
>
> I added a precondition check to ensure that the 'security.named.graphs' flag is active for the current database, but no value is returned.
>
>     AdminConnection adminConnection = this.getConnectionConfiguration().connect().admin();
>     Boolean namedGraphSecurityEnabled = adminConnection.get(databaseName, SecurityOptions.NAMED_GRAPH_SECURITY_ENABLED);
>
> The value of namedGraphSecurityEnabled was null (instead of true or false).
>
> Any ideas?

You said that you set it globally in `stardog.properties`. If you did not set the option on the database, I would not expect it to have a value.

Cheers,

Mike

Rubén Navarro Piris

Mar 7, 2016, 10:37:22 AM
to Stardog
Fair enough. But how do I retrieve this global value? The following code returns 'false', although the flag is set in the properties file:

    adminConnection.currentStatus().get(SecurityOptions.NAMED_GRAPH_SECURITY_ENABLED)


I didn't find any documentation on this matter.

Cheers!

Ruben

Michael Grove

Mar 7, 2016, 10:42:50 AM
to stardog
On Mon, Mar 7, 2016 at 10:37 AM, Rubén Navarro Piris <ruben.nav...@gmail.com> wrote:
> Fair enough. But how do I retrieve this global value? The following code returns 'false', although the flag is set in the properties file:
>
>     adminConnection.currentStatus().get(SecurityOptions.NAMED_GRAPH_SECURITY_ENABLED)

Server status does not return configuration; it's more runtime information such as what STARDOG_HOME is, the JDK, system information, etc.

Configuration specified via `stardog.properties` is not directly accessible. We'll expose this (ticket #2862) in a later release.

Cheers,

Mike 

Rubén Navarro Piris

May 25, 2016, 11:03:24 AM
to Stardog
Hi Michael!

I tested this with the latest Stardog version (4.1) and it does not work. The release notes state that the task was done (#2862).
Any ideas?

Also, is there any PasswordOptions class (to check also the 'password.length.max' & 'password.regex' values)?

Cheers!

Ruben

Michael Grove

May 25, 2016, 11:07:36 AM
to stardog
On Wed, May 25, 2016 at 11:03 AM, Rubén Navarro Piris <ruben.nav...@gmail.com> wrote:
> Hi Michael!
>
> I tested this with the latest Stardog version (4.1) and it does not work. The release notes state that the task was done (#2862).
> Any ideas?

What are you doing that seems like this is not working?
 

> Also, is there any PasswordOptions class (to check also the 'password.length.max' & 'password.regex' values)?

No.

Cheers,

Mike

Rubén Navarro Piris

May 25, 2016, 11:14:04 AM
to Stardog
I'm trying to get the value of the property 'security.named.graphs' used to configure the store. The value is set to true in the stardog.properties file, however when executing this code:

    AdminConnection adminConnection = connectionConfiguration.connect().admin();
    boolean namedGraphSecurityEnabled = adminConnection.currentStatus().get(SecurityOptions.NAMED_GRAPH_SECURITY_ENABLED);


the result is false (not true as expected).

Michael Grove

May 31, 2016, 3:01:10 PM
to stardog
On Wed, May 25, 2016 at 11:14 AM, Rubén Navarro Piris <ruben.nav...@gmail.com> wrote:
> I'm trying to get the value of the property 'security.named.graphs' used to configure the store. The value is set to true in the stardog.properties file, however when executing this code:
>
>     AdminConnection adminConnection = connectionConfiguration.connect().admin();
>     boolean namedGraphSecurityEnabled = adminConnection.currentStatus().get(SecurityOptions.NAMED_GRAPH_SECURITY_ENABLED);
>
> the result is false (not true as expected).

Thanks for the report, the issue for this is #2961 and will be fixed in 4.1.1.

Cheers,

Mike

Rubén Navarro Piris

Jul 20, 2016, 4:37:45 AM
to Stardog
Hi Mike!

I tried this again with version 4.1.2 of both the Java API & server, but it's still not working (although the issue #2961 is marked as finished in the release notes).
Any idea why?

Cheers!

Ruben

Michael Grove

Jul 22, 2016, 3:42:50 PM
to stardog
On Wed, Jul 20, 2016 at 4:37 AM, Rubén Navarro Piris
<ruben.nav...@gmail.com> wrote:
> Hi Mike!
>
> I tried this again with version 4.1.2 of both the Java API & server, but
> it's still not working (although the issue #2961 is marked as finished in
> the release notes).
> Any idea why?

Probably because you have not set it to a value. It does not show the default.

Rubén Navarro Piris

Jul 28, 2016, 10:59:26 AM
to Stardog
The value is set in the stardog.properties configuration file as 'security.named.graphs = true'
Any further ideas?

Michael Grove

Jul 28, 2016, 11:39:29 AM
to stardog
On Thu, Jul 28, 2016 at 10:59 AM, Rubén Navarro Piris
<ruben.nav...@gmail.com> wrote:
> The value is set in the stardog.properties configuration file as
> 'security.named.graphs = true'

Can you create a self-contained example that demonstrates the
behavior? I wrote a Junit test case that I think replicates your
situation and it's working as expected.

Cheers,

Mike