Named graph permissions granted to roles don't appear to propagate to users with the role
2 views
Skip to first unread message
Conrad Leonard
Jul 23, 2015, 2:44:15 AM7/23/15
to Stardog
Create a role and a user with the role:
Create a database with 2 simple named graphs, and security.named.graphs=true:
Now grant the role read permission on the database and one of the named graphs in it:
So I would expect that ngUser should have read permissions on test\http://example.org/a, inherited from the role ngRole, but selecting for results in that graph gives nothing:
If one directly grants the user the same permission as was granted the role:
Then results are returned as expected:
[conradL@qimr13054 ~]$ stardog-admin role add ngRoleSuccessfully added role ngRole.[conradL@qimr13054 ~]$ stardog-admin user add ngUser -N 1234Successfully created user ngUser.[conradL@qimr13054 ~]$ stardog-admin user addrole -R ngRole -- ngUserRole ngRole has been successfully assigned to user ngUser.[conradL@qimr13054 namedGraphTesting]$ stardog-admin role list -v+--------+-----------+| Role | Users |+--------+-----------+| ngRole | ngUser || reader | anonymous |+--------+-----------+Create a database with 2 simple named graphs, and security.named.graphs=true:
[conradL@qimr13054 ~]$ cat foo.trig @prefix ex: <http://example.org/> .
ex:a { ex:b ex:c ex:d}[conradL@qimr13054 ~]$ cat bar.trig @prefix ex: <http://example.org/> .
ex:e { ex:f ex:g ex:h}[conradL@qimr13054 ~]$ stardog-admin db create -n test -o security.named.graphs=true -- foo.trig bar.trigBulk loading data to new database test.Loaded 2 triples to test from 2 file(s) in 00:00:00.397 @ 0.0K triples/sec.Successfully created database 'test'.
[conradL@qimr13054 namedGraphTesting]$ stardog query test "SELECT * WHERE { GRAPH ?g {?s ?p ?o} }"+-------+-------+-------+-------+| g | s | p | o |+-------+-------+-------+-------+| ex:a | ex:b | ex:c | ex:d || ex:e | ex:f | ex:g | ex:h |+-------+-------+-------+-------+Now grant the role read permission on the database and one of the named graphs in it:
[conradL@qimr13054 ~]$ stardog-admin role grant -a read -o db:test ngRoleSuccessfully granted the permission.
[conradL@qimr13054 ~]$ stardog-admin role grant -a read -o named-graph:test\\http://example.org/a ngRoleSuccessfully granted the permission.
[conradL@qimr13054 ~]$ stardog-admin user permission -v ngUser+---------------+---------------------------+-------------+----------+| Resource Type | Resource Name | Permissions | Source |+---------------+---------------------------+-------------+----------+| db | test | --R---- | ngRole || named-graph | test\http://example.org/a | --R---- | ngRole || user | ngUser | --R---- | [ngUser] |+---------------+---------------------------+-------------+----------+So I would expect that ngUser should have read permissions on test\http://example.org/a, inherited from the role ngRole, but selecting for results in that graph gives nothing:
[conradL@qimr13054 ~]$ stardog query -u ngUser -p 1234 test "SELECT * FROM <http://example.org/a> WHERE {?s ?p ?o}"+-------+-------+-------+| s | p | o |+-------+-------+-------++-------+-------+-------+If one directly grants the user the same permission as was granted the role:
[conradL@qimr13054 ~]$ stardog-admin user grant -a read -o named-graph:test\\http://example.org/a ngUserSuccessfully granted the permission.
[conradL@qimr13054 ~]$ stardog-admin user permission -v ngUser+---------------+---------------------------+-------------+-----------------+| Resource Type | Resource Name | Permissions | Source |+---------------+---------------------------+-------------+-----------------+| db | test | --R---- | ngRole || named-graph | test\http://example.org/a | --R---- | [ngUser],ngRole || user | ngUser | --R---- | [ngUser] |+---------------+---------------------------+-------------+-----------------+Then results are returned as expected:
[conradL@qimr13054 ~]$ stardog query -u ngUser -p 1234 test "SELECT * FROM <http://example.org/a> WHERE {?s ?p ?o}"+-------+-------+-------+| s | p | o |+-------+-------+-------+| ex:b | ex:c | ex:d |+-------+-------+-------+
Michael Grove
Jul 23, 2015, 8:40:43 AM7/23/15
to stardog
Yep, I was able to reproduce, thanks for the detailed test case. The issue number for this is #2410 and will be fixed for the next release.
Cheers,
Mike
--
-- --
You received this message because you are subscribed to the C&P "Stardog" group.
To post to this group, send email to sta...@clarkparsia.com
To unsubscribe from this group, send email to
stardog+u...@clarkparsia.com
For more options, visit this group at
http://groups.google.com/a/clarkparsia.com/group/stardog?hl=en
Reply all
Reply to author
Forward
0 new messages