openlink / virtuoso-opensource

Virtuoso is a high-performance and scalable Multi-Model RDBMS, Data Integration Middleware, Linked Data Deployment, and HTTP Application Server Platform
https://vos.openlinksw.com

Enforcing graph permissions when using the sparql-graph-crud-auth endpoint #854

Open langens-jonathan opened 5 years ago

langens-jonathan commented 5 years ago

Hi

I have created a user with the following rights:

DB.DBA.USER_CREATE ('bob', 'bob');
DB.DBA.RDF_DEFAULT_USER_PERMS_SET ('bob', 0);
GRANT SPARQL_UPDATE TO "bob";
GRANT SPARQL_SELECT TO "bob";
DB.DBA.RDF_GRAPH_USER_PERMS_SET ('http://graphs.example.com/public', 'bob', 3);

When I now perform a SPARQL query on the sparql-auth endpoint and try to INSERT anything into a graph other than http://graphs.example.com/public, I get a permissions error as expected.

When I use the sparql-graph-crud-auth endpoint though this is not enforced. I have the impression that a user who has any update rights will be able to perform crud operations on any graph.

Is there a work around for this? Or should I change the user settings?

Thanks a lot! Jonathan

HughWilliams commented 5 years ago

Did you also add the http://graphs.example.com/public graph to the special http://www.openlinksw.com/schemas/virtrdf#PrivateGraphs group, i.e.

DB.DBA.RDF_GRAPH_GROUP_INS ('http://www.openlinksw.com/schemas/virtrdf#PrivateGraphs', 'http://graphs.example.com/public');

as without that, DB.DBA.RDF_GRAPH_USER_PERMS_SET ('http://graphs.example.com/public', 'bob', 3); gives an error:

SQL> DB.DBA.RDF_GRAPH_USER_PERMS_SET ('http://graphs.example.com/public', 'bob', 3);

*** Error RDF99: VD [Virtuoso Server]Permissions of unauthenticated user are broader than new permissions of user "bob" on specific graph <http://graphs.example.com/public>
in
signal:(BIF),
        __01 => 'RDF99',
        __02 => 'Permissions of unauthenticated user are broader than new permissions of user "bob" on specific graph' (truncated),
DB.DBA.RDF_GRAPH_USER_PERMS_SET([executable]/sparql.sql:13973),
   graph_iri => 'http://graphs.example.com/public',
       uname => 'bob',
       perms => 3,
<Top Level>
at line 5 of Top-Level:
DB.DBA.RDF_GRAPH_USER_PERMS_SET ('http://graphs.example.com/public', 'bob', 3)
SQL>

langens-jonathan commented 5 years ago

I did not add that graph to the special graphs but rather restricted the anonymous rights:

DB.DBA.RDF_DEFAULT_USER_PERMS_SET ('nobody', 0);

langens-jonathan commented 5 years ago

Hey @HughWilliams

Do you have any update for this? My problem is not that I cannot create bob. With SPARQL queries the rights are enforced correctly. But I have added the http://graphs.example.com/public graph to the private graphs.

The problem is that when using the graph-crud and graph-crud-auth endpoints, the rights are not enforced. For instance, even though I say that bob's default permissions are 0 he can still upload to any graph. And on the sparql-graph-crud endpoint, I can also upload to any graph (and the triples are persisted).

Is there a way we can configure Virtuoso to apply privileges on the sparql-graph-crud and/or sparql-graph-crud-auth endpoints?

Many Thanks! Jonathan
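To make the two situations in this thread concrete (the RDF99 error Hugh shows when a graph is not in the PrivateGraphs group, and the expected outcome of Jonathan's setup where bob holds permission 3 on one graph and default 0 elsewhere), here is a small Python model of Virtuoso's graph-level permission rules. It is an added illustration, not code from Virtuoso or from anyone in the thread. The permission bits (1 read, 2 write, 4 sponge, 8 list) follow Virtuoso's documented RDF graph security; the rules that private graphs ignore default permissions, that a user without a default inherits the "nobody" default, and the baseline value 15 for "nobody" in the first scenario are assumptions made for the example. The class and function names are invented here.

```python
"""Toy model of Virtuoso RDF graph-level permissions (added example, not Virtuoso code).

The rule set is an approximation of the documented behaviour:
  * each user has a default permission that applies to every graph,
  * a graph-specific permission overrides the default,
  * graphs in the PrivateGraphs group ignore defaults and need explicit grants,
  * a per-graph grant may not be narrower than what "nobody" already has
    on that graph (this is the RDF99 error shown in the thread).
"""
from dataclasses import dataclass, field

# Permission bits used by RDF_DEFAULT_USER_PERMS_SET / RDF_GRAPH_USER_PERMS_SET.
PERM_READ = 1    # read triples
PERM_WRITE = 2   # insert / delete triples
PERM_SPONGE = 4  # fetch remote data into the graph
PERM_LIST = 8    # list graph-group members

PRIVATE_GRAPHS = "http://www.openlinksw.com/schemas/virtrdf#PrivateGraphs"
PUBLIC_GRAPH = "http://graphs.example.com/public"   # graph from the thread
OTHER_GRAPH = "http://graphs.example.com/other"     # constructed second graph


class GraphPermError(Exception):
    """Raised where the server would signal an RDF99-style error."""


@dataclass
class GraphSecurityModel:
    default_perms: dict = field(default_factory=dict)   # user -> bits
    graph_perms: dict = field(default_factory=dict)     # (graph, user) -> bits
    private_graphs: set = field(default_factory=set)

    # DB.DBA.RDF_DEFAULT_USER_PERMS_SET (user, perms)
    def default_user_perms_set(self, user: str, perms: int) -> None:
        self.default_perms[user] = perms

    # DB.DBA.RDF_GRAPH_GROUP_INS (group, graph); only PrivateGraphs is modelled
    def graph_group_ins(self, group: str, graph: str) -> None:
        if group == PRIVATE_GRAPHS:
            self.private_graphs.add(graph)

    def effective_perms(self, graph: str, user: str) -> int:
        """Bits the user holds on the graph after applying the rules above."""
        if (graph, user) in self.graph_perms:
            return self.graph_perms[(graph, user)]
        if graph in self.private_graphs:
            return 0  # assumption: private graphs only honour explicit grants
        # assumption: a user with no default of its own inherits nobody's default
        return self.default_perms.get(user, self.default_perms.get("nobody", 0))

    # DB.DBA.RDF_GRAPH_USER_PERMS_SET (graph, user, perms)
    def graph_user_perms_set(self, graph: str, user: str, perms: int) -> None:
        nobody = self.effective_perms(graph, "nobody")
        if nobody & ~perms:  # nobody holds a bit the new grant would lack
            raise GraphPermError(
                f"RDF99: Permissions of unauthenticated user are broader than "
                f"new permissions of user \"{user}\" on specific graph <{graph}>")
        self.graph_perms[(graph, user)] = perms

    def may(self, graph: str, user: str, bit: int) -> bool:
        return bool(self.effective_perms(graph, user) & bit)


def hugh_scenario() -> tuple:
    """Grant on a graph outside PrivateGraphs fails; after group insert it succeeds."""
    m = GraphSecurityModel()
    m.default_user_perms_set("nobody", 15)  # constructed broad baseline for nobody
    try:
        m.graph_user_perms_set(PUBLIC_GRAPH, "bob", PERM_READ | PERM_WRITE)
        code = None
    except GraphPermError as e:
        code = str(e).split(":")[0]
    m.graph_group_ins(PRIVATE_GRAPHS, PUBLIC_GRAPH)   # Hugh's suggested fix
    m.graph_user_perms_set(PUBLIC_GRAPH, "bob", PERM_READ | PERM_WRITE)
    return code, m.effective_perms(PUBLIC_GRAPH, "bob")


def jonathan_scenario() -> tuple:
    """bob may write the public graph and nothing else, as sparql-auth enforces."""
    m = GraphSecurityModel()
    m.default_user_perms_set("nobody", 0)
    m.default_user_perms_set("bob", 0)
    m.graph_user_perms_set(PUBLIC_GRAPH, "bob", PERM_READ | PERM_WRITE)
    return m.may(PUBLIC_GRAPH, "bob", PERM_WRITE), m.may(OTHER_GRAPH, "bob", PERM_WRITE)


if __name__ == "__main__":
    print("Hugh's case (error code, perms after fix):", hugh_scenario())
    print("Jonathan's case (write public, write other):", jonathan_scenario())
```

The second scenario is the expectation to test against each endpoint: a PUT or POST by bob to a graph other than the public one should be refused by sparql-graph-crud-auth exactly as the INSERT is refused by sparql-auth. The thread reports that this did not happen on the graph-crud endpoints, so the model describes the intended policy, not proof that a given server enforces it.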