Skip to first unread message
Conrad Leonard
Jun 11, 2015, 1:33:52 AM6/11/15
to sta...@clarkparsia.com
Hi;
In summary, I have a user with read permissions on the database "grafli". It also has explicit read permissions only on the default graph. But this user can query data that is added to a different named graph in the database. Is that as expected? I tried removing the db-level permission (leaving named-graph permissions only) and then all queries received 'Permission denied'.
We're really pleased to see from release notes that named graph security is in version 3.1! I wonder if you could point us in the direction of some documentation about this feature. A specific question, how do named-graph permissions play with database-level permissions? In particular, how to explain the following:
[conradL@qimr13054 ~]$ stardog-admin metadata get grafli+-----------------------------------+----------------------------------------------------------------------------------+| Option | Value |+-----------------------------------+----------------------------------------------------------------------------------+| database.archetypes | || database.connection.timeout | 1h || database.creator | admin || database.name | grafli || database.namespaces | owl=http://www.w3.org/2002/07/owl#, || | rdf=http://www.w3.org/1999/02/22-rdf-syntax-ns#, || | rdfs=http://www.w3.org/2000/01/rdf-schema#, stardog=tag:stardog:api:, || | skos2=http://www.w3.org/2008/05/skos#, foaf=http://xmlns.com/foaf/0.1/ || database.online | true || database.time.creation | 2015-06-11T15:25:17.782+10:00 || database.time.modification | 2015-06-11T15:25:17.782+10:00 || icv.active.graphs | * || icv.consistency.automatic | false || icv.enabled | false || icv.reasoning.enabled | false || index.differential.enable.limit | 1000000 || index.differential.merge.limit | 10000 || index.differential.size | 0 || index.last.commit.id | 0 || index.literals.canonical | false || index.named.graphs | true || index.persist | true || index.persist.sync | true || index.size | 2140 || index.statistics.update.automatic | true || index.type | Disk || preserve.bnode.ids | true || progress.monitor.enabled | true || query.all.graphs | false || query.timeout | 5m || reasoning.approximate | false || reasoning.consistency.automatic | false || reasoning.punning.enabled | false || reasoning.sameas | OFF || reasoning.schema.graphs | http://purl.org/net/grafli#tbox || reasoning.schema.timeout | 1m || reasoning.type | SL || search.enabled | true || search.reindex.mode | sync || strict.parsing | true || transactions.durable | false || transactions.last | b42dc7d0-573e-4db4-89b6-4c2ca3d04ab5 || versioning.directory | versioning || versioning.enabled | true |+-----------------------------------+----------------------------------------------------------------------------------+[conradL@qimr13054 ~]$ stardog-admin user permission grafli-ro+---------------+---------------------------------+-------------+-------------+| Resource Type | Resource Name | Permissions | Source |+---------------+---------------------------------+-------------+-------------+| db | grafli | --R---- | [grafli-ro] || metadata | grafli | --R---- | [grafli-ro] || named-graph | tag:stardog:api:context:default | --R---- | [grafli-ro] || user | grafli-ro | --R---- | [grafli-ro] |+---------------+---------------------------------+-------------+-------------+[conradL@qimr13054 ~]$ stardog data add --named-graph http://purl.org/net/grafli#test -- grafli workspace/grafli/bootstrap/bootstrap_users.ttlAdding data from file: workspace/grafli/bootstrap/bootstrap_users.ttlAdded 77 triples in 00:00:01.447[conradL@qimr13054 ~]$ stardog query grafli "select distinct ?g where { graph ?g { ?s ?p ?o } }"+-------+| g |+-------+| :tbox || :test |+-------+
Query returned 2 results in 00:00:00.028[conradL@qimr13054 ~]$ stardog query --username grafli-ro -- grafli "select (count(?s) as ?n) from <http://purl.org/net/grafli#test> where {?s ?p ?o}"+-------+| n |+-------+| 77 |+-------+
Query returned 1 results in 00:00:00.030
In summary, I have a user with read permissions on the database "grafli". It also has explicit read permissions only on the default graph. But this user can query data that is added to a different named graph in the database. Is that as expected? I tried removing the db-level permission (leaving named-graph permissions only) and then all queries received 'Permission denied'.
Michael Grove
Jun 11, 2015, 7:21:57 AM6/11/15
to stardog
On Thu, Jun 11, 2015 at 1:33 AM, Conrad Leonard <conrad....@hotmail.com> wrote:
Hi;We're really pleased to see from release notes that named graph security is in version 3.1! I wonder if you could point us in the direction of some documentation about this feature.
Our documentation can be found at [1].
A specific question, how do named-graph permissions play with database-level permissions?
They build on top of them. You'll still have to give users access to the database, having the ability to read a graph within a database does not imply that you can read from the database, that access must be specifically granted.
Yes and no. Your intuition is correct, a user w/ read access and read permission to only the default graph should only be able to ready from there. However, named graph security is disabled by default because it does incur a small overhead because the active graph of all queries must be rewritten to respect the permissions held by the user. You'll need to either enable named graph security for the database by setting `security.named.graphs=true`, or you can enable it globally in stardog.properties using the property of the same name.
Cheers,
Mike
--
-- --
You received this message because you are subscribed to the C&P "Stardog" group.
To post to this group, send email to sta...@clarkparsia.com
To unsubscribe from this group, send email to
stardog+u...@clarkparsia.com
For more options, visit this group at
http://groups.google.com/a/clarkparsia.com/group/stardog?hl=en
Conrad Leonard
Jun 11, 2015, 7:36:41 AM6/11/15
to sta...@clarkparsia.com
On Thursday, 11 June 2015 21:21:57 UTC+10, Michael Grove wrote:
On Thu, Jun 11, 2015 at 1:33 AM, Conrad Leonard <conrad....@hotmail.com> wrote:Hi;We're really pleased to see from release notes that named graph security is in version 3.1! I wonder if you could point us in the direction of some documentation about this feature.Our documentation can be found at [1].
Oh, sorry about that; my institute's proxy server must have been caching an old version of the docs page that didn't have the new stuff on named graphs on it.
Cool, got it, thanks!
Conrad Leonard
Jun 12, 2015, 1:18:29 AM6/12/15
to sta...@clarkparsia.com
Hi Mike;
I'm still having trouble with this. Once I assign read permission to a user on a database, I can't seem to enforce any restriction on what named graphs it can read from:
[conradL@qimr13054 ~]$ stardog-admin versionStardog 3.1For information on Stardog, please visit http://stardog.com.For help using Stardog, visit the documentation http://docs.stardog.com.[conradL@qimr13054 ~]$ cat $STARDOG_HOME/stardog.propertiessecurity.named.graphs=true[conradL@qimr13054 ~]$ stardog-admin server stop && stardog-admin server start
<snip... server starts ok>Create database with data in default & one named graph
[conradL@qimr13054 ~]$ stardog-admin db create -n namedGraphTestSuccessfully created database 'namedGraphTest'.
[conradL@qimr13054 ~]$ stardog query namedGraphTest "INSERT DATA {
GRAPH <http://example.org/g1> { } }"Update query processed successfully in 00:00:00.082.[conradL@qimr13054 ~]$ stardog query namedGraphTest "SELECT ?foo WHERE { ?foo a <http://example.org/bar> }"+------------------------+| foo |+------------------------++------------------------+
Query returned 1 results in 00:00:00.042[conradL@qimr13054 ~]$ stardog query namedGraphTest "SELECT ?foo FROM <http://example.org/g1> WHERE { ?foo a <http://example.org/bar> }"+------------------------+| foo |+------------------------++------------------------+
Query returned 1 results in 00:00:00.030
Create a user with read permissions on the default graph
[conradL@qimr13054 ~]$ stardog-admin user add -N 1234 defaultReaderSuccessfully created user defaultReader.[conradL@qimr13054 ~]$ echo "localhost:5820:namedGraphTest:defaultReader:1234" >> .sdpass[conradL@qimr13054 ~]$ stardog-admin user grant -a read -o db:namedGraphTest defaultReaderSuccessfully granted the permission.[conradL@qimr13054 ~]$ stardog-admin user grant -a read -o 'named-graph:namedGraphTest\tag:stardog:api:context:default' defaultReaderSuccessfully granted the permission.
[conradL@qimr13054 ~]$ stardog-admin user permission defaultReader
+---------------+------------------------------------------------+-------------+-----------------+| Resource Type | Resource Name | Permissions | Source |+---------------+------------------------------------------------+-------------+-----------------+| db | namedGraphTest | --R---- | [defaultReader] || named-graph | namedGraphTest\tag:stardog:api:context:default | --R---- | [defaultReader] || user | defaultReader | --R---- | [defaultReader] |+---------------+------------------------------------------------+-------------+-----------------+[conradL@qimr13054 ~]$ stardog query --username defaultReader namedGraphTest "SELECT ?foo WHERE { ?foo a <http://example.org/bar> }"+------------------------+| foo |+------------------------++------------------------+
Query returned 1 results in 00:00:00.028[conradL@qimr13054 ~]$ stardog query --username defaultReader namedGraphTest "SELECT ?foo FROM <http://example.org/g1> WHERE { ?foo a <http://example.org/bar> }"+------------------------+| foo |+------------------------++------------------------+
What am I missing here?
Unrelatedly, how does one set db-level named graph security as suggested as an alternative to global setting? Trying with stardog-admin metadata command I get:
[conradL@qimr13054 ~]$ stardog-admin metadata set -o security.named.graphs=true namedGraphTestJun 12, 2015 3:09:45 PM com.complexible.stardog.metadata.MetadataIO readWARNING: Option not recognized security.named.graphsInvalid option value: security.named.graphs=true.thanks,
Conrad.
Michael Grove
Jun 12, 2015, 11:24:07 AM6/12/15
to stardog
Nothing. This should work. It looks like the server default is being ignored because we're setting a default value for `security.named.graphs` (to false) along with some of the other default values. We'll fix this in the next release (#2345)
Unrelatedly, how does one set db-level named graph security as suggested as an alternative to global setting? Trying with stardog-admin metadata command I get:
You've got the right idea here, it just looks like the options for security are out of scope in the CLI, hence that warning log message which foreshadows the subsequent failure in setting the property. A workaround for this is to set the option programmatically. This too we'll fix for the next release (#2344).
We're aiming for 3.1.1 on Tuesday.
Cheers,
Mike
Reply all
Reply to author
Forward
0 new messages