perseids-project / plokamos

RDF-based annotations for Perseids
MIT License

determine production security config for db #11

Closed balmas closed 8 years ago

balmas commented 8 years ago

We need to determine the correct security config for Marmotta for the production environment.

This link might help.

https://mail-archives.apache.org/mod_mbox/marmotta-users/201410.mbox/%3C1412539844.13368.YahooMailNeo@web140003.mail.bf1.yahoo.com%3E

fbaumgardt commented 8 years ago

I added security policies for `sparql/select` and `sparql/update` and enabled them temporarily with `security.configured = true`. After using the SPARQL endpoint for tests I have disabled the configuration again and it defaults to the value in `security.profile`.

fbaumgardt commented 8 years ago

A more robust intermediate approach would be to create users with editor roles that have read/write access to `sparql/*`.

balmas commented 8 years ago

OK, so just to be sure I'm clear, the following are what needed to be added to `system-config.properties`?

```properties
security.permission.update.pattern = /sparql/update
security.permission.update.methods = GET,OPTIONS,HEAD,PUT,POST,DELETE
security.permission.update.priority = 5
security.permission.select.pattern = /sparql/select
security.permission.select.methods = GET,OPTIONS,HEAD,PUT,POST,DELETE
security.permission.select.priority = 5
```

fbaumgardt commented 8 years ago

Yes, they take effect when `security.configured = true`, otherwise `security.policy` supersedes them.

balmas commented 8 years ago

It seems Marmotta's security config is seriously bugged:

- https://mail-archives.apache.org/mod_mbox/marmotta-users/201501.mbox/54BE3F73.2010805@apache.org
- https://mail-archives.apache.org/mod_mbox/marmotta-users/201512.mbox/CAOfJQJ1Kj1V73w3JfpDRBc3_8Tyb2UP-WU-zBY+AsQ_fxXUGCw@mail.gmail.com
- https://issues.apache.org/jira/browse/MARMOTTA-534?jql=project%20%3D%20MARMOTTA%20AND%20resolution%20%3D%20Unresolved%20ORDER%20BY%20priority%20DESC

User logins are just not going to work without a bug fix to Marmotta, so we cannot create a user which has rights to edit/update data as a means to lock up the database.

@fbaumgardt and I have determined that the best solution for now will be to do the following:

  1. Set `security.configured=true` in `system-config.properties`. This will allow anybody read/write access on the SPARQL queries.
  2. Protect the RESTful routes to the SPARQL queries via proxies and/or firewall rules, including `/sparql/update` and `/sparql/query`. We will probably also want to protect the entire Marmotta GUI.

fbaumgardt commented 8 years ago

Marmotta's security component has proven to be incomplete and unreliable.

@balmas has now dealt with this issue by essentially proxying the SPARQL endpoint through an OAuth-secured route in the Nemo plugin: https://github.com/fbaumgardt/nemo_annotator_plugin/pull/1

This is a good solution, giving us a possibility to inspect the SPARQL queries in `is_authorized` and filter them based on the current user.
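As an added example (not code from the plokamos or nemo_annotator_plugin repositories), a minimal version of the check the last comment describes: the proxy route classifies the SPARQL query form, decides per user role whether to forward it, and picks the Marmotta endpoint accordingly. The `is_authorized` signature, the `reader`/`editor` roles, and the sample users and queries are assumptions constructed for this illustration.

```python
import re

# Query forms that only read the store; anything else is treated as an update (fail closed).
READ_FORMS = {"SELECT", "ASK", "CONSTRUCT", "DESCRIBE"}

# Skips whitespace, comments and PREFIX/BASE declarations so the next word is the query form.
# A '#' inside an IRI is consumed by the <...> part and is not mistaken for a comment.
PROLOGUE = re.compile(
    r"(?:\s+|#[^\n]*|PREFIX\s+\S*\s*<[^>]*>|BASE\s+<[^>]*>)*", re.I
)


def query_form(query):
    """Return the leading SPARQL keyword in upper case, or None if there is none."""
    rest = query[PROLOGUE.match(query).end():]
    word = re.match(r"[A-Za-z]+", rest)
    return word.group(0).upper() if word else None


def route_for(query):
    """Marmotta endpoint to forward to: reads go to /sparql/select, everything else to /sparql/update."""
    return "/sparql/select" if query_form(query) in READ_FORMS else "/sparql/update"


def is_authorized(user, query):
    """Hypothetical stand-in for the plugin's is_authorized hook (assumed roles: 'reader', 'editor')."""
    form = query_form(query)
    if form is None:                      # unparseable request: deny rather than forward it
        return False
    roles = user.get("roles", set())
    if form in READ_FORMS:
        return bool(roles & {"reader", "editor"})
    return "editor" in roles              # any update form requires the editor role


# Constructed sample requests and users (not from the project) exercising the three decisions.
Q_SELECT = (
    "PREFIX rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#>\n"
    "SELECT ?s WHERE { ?s rdf:type ?o }"
)
Q_DELETE = "# remove all triples\nDELETE WHERE { ?s ?p ?o }"
READER = {"name": "bob", "roles": {"reader"}}
EDITOR = {"name": "alice", "roles": {"editor"}}
ANONYMOUS = {"name": None, "roles": set()}

if __name__ == "__main__":
    for user in (READER, EDITOR, ANONYMOUS):
        for q in (Q_SELECT, Q_DELETE):
            print(user["name"], query_form(q), route_for(q), is_authorized(user, q))
```

Because only the leading keyword is inspected, a multi-operation update such as `DELETE ... ; INSERT ...` is still classified as an update, which is the conservative outcome.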