BONSAMURAIS / triple-store

Competency questions and content related to the Bonsai RDF triple-store backend: Apache Jena
BSD 3-Clause "New" or "Revised" License

Configure Jena/Fuseki credentials, permissions, access #5

Open tmillross opened 5 years ago

tmillross commented 5 years ago

Requirements

In general, we want to enable public read-access (as a SPARQL endpoint), including queries from the web-all widget.

In the case of abuse or overuse, we may need to restrict access to only the widget.

Write access should always be restricted to:

  1. developers
  2. the continuous integration pipeline

At the moment, the devs and CI use the same account. There is only the administrator login. Tom and Tomas have the details (ask us if needed).

Open Challenge

How can we manage the permissions model described above with our Aalborg Server & Jena-Fuseki instance?

Some ideas/notes

https://jena.apache.org/documentation/fuseki2/fuseki-security.html

Fuseki2 provides security by using Apache Shiro

Perhaps the default configuration described at that page is already satisfactory??

https://shiro.apache.org/configuration.html#Configuration-INISections

We can add static usernames and passwords in the file described here. Can also configure hashing etc. so they're not stored there in plaintext.

Once Shiro has been configured to perform user authentication it provides a good foundation on which the Jena Permissions layer can be configured.

https://jena.apache.org/documentation/permissions/

Jena Permissions is a SecurityEvaluator interface and a set of dynamic proxies that apply that interface to Jena Graphs, Models, and associated methods and classes. It does not implement any specific security policy but provides a framework for developers or integrators to implement any desired policy... The developer using Jena Permissions is required to implement a SecurityEvaluator that provides access to the Principal (User) using the system and also determines if that Principal has the proper access to execute a method. Through the SecurityEvaluator the developer may apply full CRUD (Create, Read, Update, and Delete) restrictions to graphs and optionally triples within the graphs.

https://jena.apache.org/documentation/permissions/example.html

The goal of this document is to add Jena Permissions to a fuseki deployment to restrict access to graph data.

Is there an easier/better way to meet the requirements than described in these documents?

Is anyone able to take on this task?

Part of #1
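An added example, not part of the original issue or of the project's code: a small check that reads the `[urls]` section of a `shiro.ini` and lists which write or admin paths anyone can reach, using Shiro's first-match-wins rule order. Both INI samples are constructed; the dataset name `/ds`, the users `dev` and `ci`, the role `writer` and the service names under `/ds` are assumptions for illustration, and the path matching is a simplified stand-in for Shiro's Ant-style matcher.

```python
import re

# Constructed sample: the [urls] rules of a permissive shiro.ini (catch-all anon).
WEAK = """
[urls]
/$/status = anon
/$/ping = anon
/$/** = localhostFilter
/** = anon
"""
# Constructed sample: read endpoints public, everything else needs the writer role.
# Assumptions: dataset "/ds", users "dev"/"ci", role "writer"; [main] omitted.
HARDENED = """
[users]
dev = <password-hash-placeholder>, writer
ci = <password-hash-placeholder>, writer
[urls]
/$/status = anon
/$/ping = anon
/$/** = localhostFilter
/ds/query = anon
/ds/sparql = anon
/** = authcBasic, roles[writer]
"""
WRITE_PATHS = ["/ds/update", "/ds/data", "/ds/upload", "/ds", "/$/datasets"]

def url_rules(ini_text):
    """Return the ordered (pattern, filter chain) pairs of the [urls] section."""
    rules, section = [], None
    for line in (l.strip() for l in ini_text.splitlines()):
        if line.startswith("["):
            section = line.strip("[]")
        elif section == "urls" and "=" in line and not line.startswith("#"):
            pattern, chain = line.split("=", 1)
            rules.append((pattern.strip(), [f.strip() for f in chain.split(",")]))
    return rules

def to_regex(pattern):
    # Simplified Ant-style matching: "/**" covers the path and everything below it.
    rx = re.escape(pattern).replace(r"/\*\*", "(/.*)?").replace(r"\*", "[^/]*")
    return re.compile(rx + "$")

def filters_for(rules, path):
    """First matching line wins, as in Shiro; later lines are never consulted."""
    for pattern, chain in rules:
        if to_regex(pattern).match(path):
            return chain
    return []  # no rule matched, so no filter guards the path

def open_paths(ini_text, paths=WRITE_PATHS):
    """Paths reachable with no filter other than 'anon' (i.e. by anyone)."""
    rules = url_rules(ini_text)
    return [p for p in paths if all(f == "anon" for f in filters_for(rules, p))]
```

Run against the real file before deploying; a catch-all `/** = anon` placed above a restrictive line silently disables that line.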

mmr2187 commented 5 years ago

Are we making user credentials? It might be optimal to at least have one level for simple querying for both the API side as well as for testing on the triplestore side. It can also be used by other people to validate that the data and ontology schema was entered properly. I'm not sure how to do this though. Haven't really worked with limiting access to Jena.

Was thinking of a generic credential user that is only for querying so that it doesn't mess up what's already in the data store once we have data there (as they usually do when testing regular databases). It will make testing safer (rather than having to reup the data every time something messes up).

tmillross commented 5 years ago

> I'm not sure how to do this though

If you're happy to learn a little on this topic @mmr2187 and feed back the steps we require, that'd be really helpful! The links in my first comment could be a good starting place. What d'ya reckon?