DataONEorg / slinky

Slinky, the DataONE Graph Store
Apache License 2.0

expose protected SPARQL endpoint #11

Open mbjones opened 3 years ago

ThomasThelen commented 3 years ago

It looks like we should be able to create accounts for any services that we want to allow. The administrators of those services can then generate an OAuth token for their account and use it in their queries. Virtuoso + OAuth

There's a stale pull request that might be a fix for this not working on HTTP/HTTPS, which I've run into.

ThomasThelen commented 3 years ago

I've spent a bit of time on this and haven't been able to get it to work. I filed an issue; there's either a bug (I provided steps to reproduce), the guide is outdated, or I've somehow missed something. In the meantime I've pushed my changes to the feature_secure_sparql_endpoint branch, which has everything working up to the actual identity verification. It also has instructions for disabling the public endpoint and how to set up the authenticated one.

mbjones commented 3 years ago

ok, let's have @amoeba take a look and maybe you two can come up with an alternate proposal, or see a way to make this work. For the time being an unprotected endpoint is probably ok as long as the kubernetes deployment has appropriate resource limitation guards in place. @gothub put together some of these limits in his config for MetaDIG, so he may have examples.

ThomasThelen commented 3 years ago

I found that this method of authentication works. The gist is that we manually create a user under the admin account and can give them SELECT, UPDATE, or SPONGE roles. When they visit the sparql/ endpoint, they'll be prompted to log in (shown below).

[Screenshot (2021-03-25): Virtuoso login prompt shown when visiting the sparql/ endpoint]

I'm not sure if there's much more to this issue other than describing this in the README for when we want to do this on production.
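The procedure described in the comment above, written out as an added example rather than code taken from the slinky repository or its feature_secure_sparql_endpoint branch. The stored procedures and role names are Virtuoso's as I recall them; the account name and password are placeholders, the revoke in step 3 and the vhost parameters in step 4 are my assumptions and should be checked against the Virtuoso documentation for the version actually deployed.

```sql
-- Added example, not code from the slinky project. Run as the dba account
-- through isql. 'service_account' and the password are placeholders.

-- 1. Create a dedicated SQL account for each service that needs access,
--    so that a leaked credential is scoped to one consumer.
DB.DBA.USER_CREATE ('service_account', 'CHANGE-ME-placeholder');

-- 2. Grant only the role the service needs (least privilege):
--    SPARQL_SELECT is read-only, SPARQL_UPDATE allows writes, and
--    SPARQL_SPONGE lets the account pull remote URIs into the store,
--    which is the most permissive of the three.
GRANT SPARQL_SELECT TO "service_account";
-- GRANT SPARQL_UPDATE TO "service_account";   -- only if the service writes
-- GRANT SPARQL_SPONGE TO "service_account";   -- only if it must load remote data

-- 3. Stop anonymous queries. Assumption: the public /sparql endpoint runs as
--    the built-in "SPARQL" account, so removing its read role disables
--    unauthenticated SELECTs.
REVOKE SPARQL_SELECT FROM "SPARQL";

-- 4. Re-map /sparql so the HTTP server asks for SQL credentials; this is
--    the login prompt in the screenshot above. Parameters are an assumption
--    based on the Virtuoso VHOST_DEFINE documentation.
DB.DBA.VHOST_REMOVE (lpath=>'/sparql');
DB.DBA.VHOST_DEFINE (
  lpath=>'/sparql',
  ppath=>'/!sparql/',
  is_dav=>1,
  vsp_user=>'dba',
  opts=>vector ('noinherit', 1),
  auth_fn=>'DB.DBA.HP_AUTH_SQL_USER',
  realm=>'SPARQL'
);
```

After applying this, two checks are worth doing before calling the endpoint protected: an anonymous HTTP request to /sparql should come back with a 401 rather than query results, and the account that only holds SPARQL_SELECT should get a permission error on an INSERT. Because the credentials travel with every request, the endpoint should only be reachable over HTTPS; a plain-HTTP exposure would undo the benefit of the login prompt.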

amoeba commented 3 years ago

Good find @ThomasThelen. That might be enough for us to grant a few folks direct access. I'll leave this open for a while in case there's more discussion.

ThomasThelen commented 3 years ago

Virtuoso put in a fix for the broken OAuth feature! So that should be possible now with Virtuoso 7.2.6

amoeba commented 3 years ago

That's great. I see we probably oughta switch to using the official VOS docker images. I must've gone with the tenforce images because Virtuoso wasn't pushing up official images back then? I'll file a separate issue.