Accounts creation via Sparql Update API

J. Dornbusch

Sep 22, 2018, 2:09:37 AM
to VIVO Tech
Hello all,

We load the user data from our information system into a fresh VIVO instance through the SPARQL Update API. Everything works well and we now want to create the accounts for external authentication in the same way. We encounter several problems:
  • As soon as the first user account is created through the API, the original admin account resulting from the initialization of VIVO disappears.
    As a result, the SPARQL client no longer has access to the API and the batch load stops! Only the first user account has been created.
  • A workaround that I found is to create a "clone" of the original admin account through the API before sending other data.
    It works: the batch loading process goes on and all accounts are created. Authentication through the external CAS service is OK and individual users are allowed to edit their own data.
    But when we try to log in as admin, we get the message: "You have logged in, but the system contains no profile for you." And we can't access the administration back office any more (no access link provided).

It's pretty funny: we have either the administrator or the user accounts, but we cannot get both at the same time!
Another weird thing is that if we manually create accounts from the back office (for testing purposes), they reappear after the reinitialization of VIVO (drop-create database + Tomcat restart). Grep finds that they are persisted in a file: [VIVO_HOME]/tdbModels/nodes.dat. They're all suppressed by API batch account creation.

Example of data:

This is what I send into the graph 'http://vitro.mannlib.cornell.edu/default/vitro-kb-userAccounts' for a simple user. It's a success but the administrator account vanishes...

<http://data.monuniversite.fr/individual/u127j7jvhh> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#UserAccount> .
<http://data.monuniversite.fr/individual/u127j7jvhh> <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#emailAddress> "preno...@monuniversite.fr" .
<http://data.monuniversite.fr/individual/u127j7jvhh> <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#passwordLinkExpires> "0"^^<http://www.w3.org/2001/XMLSchema#integer> .
<http://data.monuniversite.fr/individual/u127j7jvhh> <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#passwordChangeRequired> "false"^^<http://www.w3.org/2001/XMLSchema#boolean> .
<http://data.monuniversite.fr/individual/u127j7jvhh> <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#externalAuthOnly> "true"^^<http://www.w3.org/2001/XMLSchema#boolean> .
 
<http://data.monuniversite.fr/individual/u127j7jvhh> <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#loginCount> "0"^^<http://www.w3.org/2001/XMLSchema#integer> .
<http://data.monuniversite.fr/individual/u127j7jvhh> <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#lastLoginTime> "0"^^<http://www.w3.org/2001/XMLSchema#integer> .
<http://data.monuniversite.fr/individual/u127j7jvhh> <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#status> "ACTIVE" .
<http://data.monuniversite.fr/individual/u127j7jvhh> <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#hasPermissionSet> <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#SELF_EDITOR> .
<http://data.monuniversite.fr/individual/u127j7jvhh> <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#externalAuthId> "lelogin" .
<http://data.monuniversite.fr/individual/u127j7jvhh> <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#firstName> "Prénom" .
<http://data.monuniversite.fr/individual/u127j7jvhh> <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#lastName> "Nom" .

Now I try to recreate a clone of the original admin user: I write this data into 'http://vitro.mannlib.cornell.edu/default/vitro-kb-userAccounts'

<http://data.monuniversite.fr/individual/admin> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#UserAccount> .
<http://data.monuniversite.fr/individual/admin> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#RootUserAccount> .
<http://data.monuniversite.fr/individual/admin> <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#emailAddress> "vivo...@mydomain.edu" .
<http://data.monuniversite.fr/individual/admin> <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#firstName> "root" .
<http://data.monuniversite.fr/individual/admin> <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#lastName> "user" .
<http://data.monuniversite.fr/individual/admin> <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#passwordLinkExpires> "0"^^<http://www.w3.org/2001/XMLSchema#integer> .
<http://data.monuniversite.fr/individual/admin> <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#passwordChangeRequired> "false"^^<http://www.w3.org/2001/XMLSchema#boolean> .
<http://data.monuniversite.fr/individual/admin> <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#md5password> "xxxxxxxxxxxxxx" .
<http://data.monuniversite.fr/individual/admin> <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#externalAuthOnly> "false"^^<http://www.w3.org/2001/XMLSchema#boolean> .
<http://data.monuniversite.fr/individual/admin> <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#loginCount> "0"^^<http://www.w3.org/2001/XMLSchema#integer> .
<http://data.monuniversite.fr/individual/admin> <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#lastLoginTime> "0"^^<http://www.w3.org/2001/XMLSchema#integer> .
<http://data.monuniversite.fr/individual/admin> <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#status> "ACTIVE" .
<http://data.monuniversite.fr/individual/admin> <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#hasPermissionSet> <http://vitro.mannlib.cornell.edu/ns/vitro/authorization#ADMIN> .

But as I said above, this root user has no access to the admin.

Thanks in advance for your help.
Joachim

Andrew Woods

Sep 24, 2018, 2:47:55 PM
to vivo...@googlegroups.com
Hello Joachim,
Which VIVO version are you using?

Thanks,
Andrew

--
You received this message because you are subscribed to the Google Groups "VIVO Tech" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vivo-tech+...@googlegroups.com.
To post to this group, send email to vivo...@googlegroups.com.
Visit this group at https://groups.google.com/group/vivo-tech.
To view this discussion on the web visit https://groups.google.com/d/msgid/vivo-tech/22648d67-c66a-4da9-a9be-0e9a9fe26285%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Fabien berthomé

Sep 24, 2018, 3:01:04 PM
to vivo...@googlegroups.com
Hello Andrew
I work with Joachim. We use 1.9.3 version.

Regards


Fabien berthomé

Sep 24, 2018, 3:01:06 PM
to vivo...@googlegroups.com
Hello
I work with Joachim. I use 1.9.3 version.

Regards

On 24 Sept. 2018 at 20:47, Andrew Woods <awo...@duraspace.org> wrote:

fabien berthomé

Sep 28, 2018, 9:15:01 AM
to vivo...@googlegroups.com
Hello Andrew

Do you have an idea?

Thanks

Andrew Woods

Sep 28, 2018, 1:12:52 PM
to vivo...@googlegroups.com
Hello Fabien,
I do not have any immediate ideas on the root cause of the issue right now. 

Some of the team has been in the Authorization code recently and may have some thoughts. If you do not hear back by next Tuesday, please feel free to bring the issue to the weekly development call:

Regards,
Andrew

Jim Blake

Oct 1, 2018, 10:08:02 AM
to VIVO Tech
Hello Fabien;

I am looking into your question. I am able to reproduce the problem. I will let you know what I find out.

Jim

Jim Blake

Oct 1, 2018, 10:43:34 AM
to VIVO Tech
The immediate problem is that VIVO holds two separate triple-stores, and the SPARQL Update API only writes to one of them. A secondary problem is that the VIVO authorization code is imperfect.

The "content" triple-store (also called the "main store" on some of the site admin pages), contains the ontologies and instance data (TBox and ABox). The "configuration" triple-store contains RDF that affects VIVO's behavior, such as page configuration, display parameters, and (most relevant to this discussion) user accounts. Each of these triple-stores holds its data in named graphs.

User accounts are stored in the configuration triple-store, in a graph named "http://vitro.mannlib.cornell.edu/default/vitro-kb-userAccounts", but when you used the SPARQL Update API to write to "http://vitro.mannlib.cornell.edu/default/vitro-kb-userAccounts", it wrote in the content triple-store.

So what should have been the result? Nothing. 

VIVO should have said, "there is no change to the userAccounts graph in the configuration triple-store", and you should have seen no effect. Instead, some of the VIVO code was careless enough that it asks "what is in the userAccounts graph" without also asking "...in the configuration triple-store". So the result was that some of the things you wanted were granted to you, while others weren't.

Again, if the VIVO code were flawless, you should be unable to make any changes to the user accounts by using the SPARQL Update API.

So what can you do instead?

There is an interactive method to ingest user accounts. 
- login as root
- go to the Site Admin page
- click on "Ingest tools" to go to the "Ingest Menu" page.
- click on "Manage Jena Models"
- click on "Configuration Models"
- use "Choose File" to choose a file of RDF
- use the drop-down menu to select an RDF format
- click "Load Data"

If you still require an automated method to accomplish this, let me know. I believe it can be done.

I hope this helps, 

Jim

J. Dornbusch

Oct 1, 2018, 2:10:51 PM
to VIVO Tech
Thank you, Jim, for that very detailed answer.
The manual method you propose is usable for the initialization of VIVO. But then, how to synchronize VIVO accounts over time with our external user database? An automated approach would be welcome.

Thanks again
Joachim

Jim Blake

Oct 3, 2018, 1:28:53 PM
to vivo...@googlegroups.com

Joachim, Fabien;

 

A proper solution for automated management of VIVO user accounts seems like a good idea, but will take considerable effort. I don’t know where that would appear in our priorities.

I have devised an automated process which may work for you, but which can only be described as a horrible hack. I am attaching

  1. A file of N-triples that describe a user account. This is a piece of the file that you provided in your initial message.
  2. A script that will add this user account to VIVO.
  3. A script that will remove the user account from VIVO.

The scripts invoke pages in VIVO, and submit forms using curl. Sadly, those pages do not return error codes if the operation fails, so you will need to devise other methods to monitor for success.

Perhaps this will be helpful.

 

Jim


addUser.sh
deleteUser.sh
newUserAccount.nt

J. Dornbusch

Oct 8, 2018, 9:48:56 AM
to VIVO Tech
Hi Jim

As our data feed system is written in Ruby, I made a quick and dirty test: I directly copied your code as raw shell commands to check the method. It works!
I will rewrite it as pure Ruby code later (for lazy people like me, there's an automatic converter but it doesn't seem to understand all the options you used).
The only drawback of this approach is that you cannot update an account: you have to delete it and recreate it. Otherwise, it's pretty much the same as an API.
Thank you so much for all your help, because we would not have done it alone!

Joachim


require "rdf/ntriples"

# Write the account triples to an N-Triples file for upload.
Rails.logger.debug("Account data stored in #{rdf_file}")
File.open(rdf_file, "w+") do |f|
  f.write(RDF::NTriples::Writer.buffer { |writer| data.each { |d| writer << d } })
end

# 1. log in and save the session cookie, 2. switch the ingest tools to the
# configuration models, 3. upload the file into the user accounts model.
# Note: logging each command also writes the programLogin password to the log.
[
  "curl -c #{cookie_file} -s -o /dev/null '#{Rails.configuration.vivo.uri}/programLogin?email=#{Rails.configuration.vivo.email}&password=#{Rails.configuration.vivo.password}'",
  "curl -b #{cookie_file} -s -o /dev/null -d action=configModels '#{Rails.configuration.vivo.uri}/ingest'",
  "curl -b #{cookie_file} -s -o /dev/null -F 'modelName=#{VIVO_USER_ACCOUNTS_BOX}' -F 'language=N-TRIPLE' -F 'filePath=@#{rdf_file}' '#{Rails.configuration.vivo.uri}/uploadRDF'"
].each do |command|
  Rails.logger.debug(command)
  system(command)
end
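
A pre-upload check for a generated account file, as an added example that is not part of the original thread or of VIVO: since the upload runs in root's session and the pages return no error codes, it rejects any file that would create something other than an externally authenticated self-editor. The policy (only `UserAccount` and `SELF_EDITOR`, no `md5password`), the function names and the sample data are assumptions, and the N-Triples matcher is a simplified one rather than a full parser.

```ruby
AUTH = "http://vitro.mannlib.cornell.edu/ns/vitro/authorization#"
RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"
# Assumed policy: the feed may only create externally authenticated self-editors.
ALLOWED_TYPES = ["#{AUTH}UserAccount"].freeze
ALLOWED_PERMISSION_SETS = ["#{AUTH}SELF_EDITOR"].freeze
REQUIRED = %w[emailAddress externalAuthId status hasPermissionSet].freeze
# Simplified N-Triples matcher: IRI subject/predicate, IRI or literal object.
TRIPLE = /\A<([^>]+)>\s+<([^>]+)>\s+(?:<([^>]+)>|"((?:[^"\\]|\\.)*)"(?:\^\^<[^>]+>|@[\w-]+)?)\s*\.\z/

# Group the file into { subject => { predicate => [objects] } }.
def parse_accounts(ntriples)
  accounts = Hash.new { |h, s| h[s] = Hash.new { |p, k| p[k] = [] } }
  ntriples.each_line.with_index(1) do |line, n|
    line = line.strip
    next if line.empty? || line.start_with?("#")
    m = TRIPLE.match(line) or raise ArgumentError, "line #{n}: unparsable triple"
    accounts[m[1]][m[2]] << (m[3] || m[4])
  end
  accounts
end

# Return one message per policy violation; an empty list means safe to upload.
def account_violations(ntriples)
  parse_accounts(ntriples).flat_map do |subject, props|
    get = ->(name) { props.fetch(name.start_with?("http") ? name : AUTH + name, []) }
    found = []
    (get[RDF_TYPE] - ALLOWED_TYPES).each { |t| found << "type #{t} not allowed" }
    (get["hasPermissionSet"] - ALLOWED_PERMISSION_SETS).each { |p| found << "permission set #{p} not allowed" }
    found << "local password hash present" unless get["md5password"].empty?
    found << "externalAuthOnly is not true" unless get["externalAuthOnly"] == ["true"]
    REQUIRED.each { |r| found << "missing #{r}" if get[r].empty? }
    found.map { |msg| "#{subject}: #{msg}" }
  end
end

# Constructed sample: one ordinary account and one that tries to become root.
BASE = "http://example.org/individual/"
SAMPLE = <<~NT
  <#{BASE}u1> <#{RDF_TYPE}> <#{AUTH}UserAccount> .
  <#{BASE}u1> <#{AUTH}emailAddress> "u1@example.org" .
  <#{BASE}u1> <#{AUTH}externalAuthId> "u1login" .
  <#{BASE}u1> <#{AUTH}externalAuthOnly> "true"^^<http://www.w3.org/2001/XMLSchema#boolean> .
  <#{BASE}u1> <#{AUTH}status> "ACTIVE" .
  <#{BASE}u1> <#{AUTH}hasPermissionSet> <#{AUTH}SELF_EDITOR> .
  <#{BASE}u2> <#{RDF_TYPE}> <#{AUTH}RootUserAccount> .
  <#{BASE}u2> <#{AUTH}hasPermissionSet> <#{AUTH}ADMIN> .
  <#{BASE}u2> <#{AUTH}md5password> "constructed-not-a-real-hash" .
NT
puts account_violations(SAMPLE)
```

Run it on the file written to `rdf_file` and skip the curl upload whenever the returned list is not empty.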

