Closed balmas closed 8 years ago
I added security policies for sparql/select and sparql/update and enabled them temporarily with security.configured = true. After using the SPARQL endpoint for tests I have disabled the configuration again and it defaults to the value in security.profile.
A more robust intermediate approach would be to create users with editor roles that have read/write access to sparql/*
ok, so just to be sure I'm clear, the following are what needed to be added to system-config.properties?
security.permission.update.pattern = /sparql/update
security.permission.update.methods = GET,OPTIONS,HEAD,PUT,POST,DELETE
security.permission.update.priority = 5
security.permission.select.pattern = /sparql/select
security.permission.select.methods = GET,OPTIONS,HEAD,PUT,POST,DELETE
security.permission.select.priority = 5
Yes, they take effect when security.configured = true, otherwise security.policy supersedes them.
it seems marmotta's security config is seriously bugged:
https://mail-archives.apache.org/mod_mbox/marmotta-users/201501.mbox/54BE3F73.2010805@apache.org
https://mail-archives.apache.org/mod_mbox/marmotta-users/201512.mbox/CAOfJQJ1Kj1V73w3JfpDRBc3_8Tyb2UP-WU-zBY+AsQ_fxXUGCw@mail.gmail.com
https://issues.apache.org/jira/browse/MARMOTTA-534?jql=project%20%3D%20MARMOTTA%20AND%20resolution%20%3D%20Unresolved%20ORDER%20BY%20priority%20DESC
user logins are just not going to work without a bug fix to marmotta so we cannot create a user which has rights to edit/update data as a means to lock up the database.
@fbaumgardt and I have determined that the best solution for now will be to do the following: security.configured=true in the system-config.properties. This will allow anybody read/write access on the sparql queries /sparql/update and /sparql/query. We will probably also want to protect the entire Marmotta gui.
Marmotta's security component has proven to be incomplete and unreliable.
@balmas has now dealt with this issue by essentially proxying the SPARQL endpoint through an OAuth-secured route in the Nemo plugin: https://github.com/fbaumgardt/nemo_annotator_plugin/pull/1
This is a good solution, giving us a possibility to inspect the SPARQL queries in is_authorized and filter them based on the current user.
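As an added example (not code from the Nemo plugin pull request or from Marmotta), this is the kind of deny-by-default check such a proxy route can run in is_authorized before forwarding a request: it classifies the query by its leading SPARQL keyword rather than by the URL path, so an update sent to the query route is still refused. The user dictionaries, the role names "reader" and "editor", and the function names are assumptions.

```python
import re

# Assumed role model: readers may only run read forms, editors may also update.
UPDATE_KEYWORDS = {"INSERT", "DELETE", "LOAD", "CLEAR", "CREATE", "DROP",
                   "COPY", "MOVE", "ADD", "WITH"}
READ_KEYWORDS = {"SELECT", "ASK", "CONSTRUCT", "DESCRIBE"}


def classify_sparql(query):
    """Return 'read', 'update' or 'unknown' from the first operation keyword.

    This is a keyword-level gate, not a SPARQL parser: it removes PREFIX/BASE
    declarations, collapses IRIs (which may contain '#') and strips line
    comments so that a comment such as '# DELETE me' cannot mislead it.
    """
    text = re.sub(r"(?i)\b(prefix\s+[^\s<]*\s*<[^>]*>|base\s*<[^>]*>)", " ", query)
    text = re.sub(r"<[^>]*>", "<>", text)   # IRIs first, so their '#' survives
    text = re.sub(r"#[^\n]*", " ", text)    # then drop line comments
    tokens = text.split()
    if not tokens:
        return "unknown"
    head = tokens[0].upper()
    if head in READ_KEYWORDS:
        return "read"
    if head in UPDATE_KEYWORDS:
        return "update"
    return "unknown"


def is_authorized(user, query):
    """Deny by default: anonymous callers and unrecognised forms get nothing."""
    if user is None:
        return False
    kind = classify_sparql(query)
    if kind == "read":
        return user["role"] in ("reader", "editor")
    if kind == "update":
        return user["role"] == "editor"
    return False


# Constructed sample users and queries for a stand-alone run.
EDITOR = {"name": "alice", "role": "editor"}
READER = {"name": "bob", "role": "reader"}
SELECT_Q = "PREFIX ex: <http://example.org/#> SELECT * WHERE { ?s ?p ?o }"
INSERT_Q = "# DELETE nothing here\nINSERT DATA { <http://a> <http://b> <http://c> }"

if __name__ == "__main__":
    for who, q in ((READER, SELECT_Q), (READER, INSERT_Q), (EDITOR, INSERT_Q)):
        print(who["name"], classify_sparql(q), is_authorized(who, q))
```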
we need to determine the correct security config for marmotta for the production environment.
This link might help.
https://mail-archives.apache.org/mod_mbox/marmotta-users/201410.mbox/%3C1412539844.13368.YahooMailNeo@web140003.mail.bf1.yahoo.com%3E