Hi Gang Fu,
On 04-Feb-15 2:22 AM, Gang Fu wrote:
Hi Rumi,
I have tried to expose a password-protected sparql endpoint, actually
it can be done using vhost_define() function as well, just add
sec=>'digest' and authentication function. But the vsp_user to expose
a password-protected sparql endpoint is still dba.
By default /sparql-auth is protected, so what you can try is:
1. Export the /sparql-auth definition from Conductor->Web Application Server
-> Virtual Domains & Directories
2. Change in the generated script /sparql-auth with /sparql.
* Note: the vsp_user is dba, but in the next step you can change in
the authentication function a connection setting so to use your user.
3. In the authentication function DB.DBA.HP_AUTH_SPARQL_USER
(sparql_io.sql) there is:
Line 2935: user_id := connection_get ('SPARQLUserId', 'SPARQL');
Change it respectively so to use your user and execute the function
creation so the change to kick in.
4. Execute from Conductor or iSQL the changed script from step 2.
Please let me know if that worked for you.
Best Regards,
Rumi Kocis
Best,
Gang
On Tue, Feb 3, 2015 at 12:35 PM, Rumi <rtsek...@openlinksw.com> wrote:
Hi Gang Fu,
On 03-Feb-15 3:47 PM, Gang Fu wrote:
Hi Rumi,
I looked at the source code of libsrc/Wi/sparql_io.sql for
procedure WS.WS."/!sparql/":
create procedure WS.WS."/!sparql/" (inout path varchar, inout
params any, inout lines any)
I am not sure whether the user as "SPARQL" for /sparql endpoint
are set by default here:
user_id := connection_get ('SPARQLUserId', 'SPARQL');
set_user_id (user_id, 1);
I have tried to grant SPARQL_UPDATE to user "SPARQL", then the
/sparql endpoint is not read-only....
And when I tried to grant another role, I got
The object "SPARQL_LOAD_SERVICE_DATA" does not exist.
But it does not allow me to expose /sparql endpoint using
vsp_user "SPARQL". What I am really interested in is how to
expose sparql endpoint using vsp users other than dba.
Hm, I would say you grant the roles to another vsp user as this is
what you want to achieve is this correct?
As now you granted them to "SPARQL" instead?
Additionally, did you try the steps from the guide
http://virtuoso.openlinksw.com/dataspace/doc/dav/wiki/Main/VirtSPARQLProtectSQLDigestAuthentication
?
Best Regards,
Rumi Kocis
Best,
Gang
On Tue, Feb 3, 2015 at 8:10 AM, Rumi <rtsek...@openlinksw.com> wrote:
Hi Gang Fu,
On 03-Feb-15 1:15 PM, Gang Fu wrote:
Hi,
I am using function vhost_define() to expose read-only
sparql endpoint through another port (different from 8890)
for security concern.
I have two questions:
1) how can I expose a sparql endpoint using an account other
than 'dba'. I have tried using vsp_user=>'SPARQL', but I
got a '404 cannot access' error when I tried the url. I also
set the opts->(executable, 'yes'), this option seems to
allow any vsp user to have execute permission, but it still
does not work. I also tried to set user 'SPARQL' to
administrator role, but still cannot work....
Please try the steps from this guide: "Secure SPARQL Endpoint
via SQL Accounts -- usage path digest authentication"
Link:
http://virtuoso.openlinksw.com/dataspace/doc/dav/wiki/Main/VirtSPARQLProtectSQLDigestAuthentication
Related:
-- Securing SPARQL endpoints:
http://virtuoso.openlinksw.com/dataspace/doc/dav/wiki/Main/VirtTipsAndTricksGuideSPARQLEndpoints
-- Securing your SPARQL Endpoint via OAuth:
http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtOAuthSPARQL
-- Securing your SPARQL Endpoint via WebID:
http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtSPARQLSecurityWebID
2) how can I know and configure the user account to use
'/sparql' endpoint by default. The system table
'DB.DBA.HTTP_PATH' only shows that the vsp_user is 'dba',
but it does not show the default user of that endpoint is
'SPARQL' (ID=106). The documentation says the user is
'SPARQL' for both '/sparql' and '/sparql-graph-crud', but I
cannot find any system table for that. Our system team wants
to audit that information.
The name 'SPARQL' is a constant in the code of SPARQL web
service endpoint pages ( /sparql and /sparql-auth ).
Another name can be used if authentication function sets
connection variable 'SPARQLUserId' to that name, for ex.,
placing inside authentication call:
connection_set ('SPARQLUserId', 'SOME_USER_NAME');
What you could try is to grant more roles to the user if
needed, such as:
SPARQL_LOAD_SERVICE_DATA or SPARQL_UPDATE, by granting
directly to the user or, better, to SPARQL_SELECT, since the
endpoint page will require that the user is member of
SPARQL_SELECT group -- that's the minimal practical
permission, however one can grant more permissions.
Best Regards,
Rumi Kocis
Best,
Gang
_______________________________________________
Virtuoso-users mailing list
Virtuoso-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/virtuoso-users
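
The pieces discussed in this thread (digest-protected vhost, connection_set of 'SPARQLUserId' inside the authentication call, role grants, and the HTTP_PATH audit) combined into one script, as an added example that is not part of the original messages or of Virtuoso's own sources. Assumptions: the account SPARQL_RO, the wrapper DB.DBA.HP_AUTH_SPARQL_RO, port 8891, the host name and the password are constructed placeholders, and the hook is assumed to take the realm and return 1 on success and 0 on failure.

```sql
-- Added example; SPARQL_RO, HP_AUTH_SPARQL_RO, port 8891, the host name and the
-- password are constructed placeholders, not values from the thread.

-- 1. Least-privilege SQL account that queries will run as (read-only role only).
DB.DBA.USER_CREATE ('SPARQL_RO', 'replace-with-strong-password');
GRANT SPARQL_SELECT TO "SPARQL_RO";

-- 2. Hypothetical authentication hook: delegate the digest check to the stock
--    function, then pin the effective SPARQL user through the connection
--    variable that the endpoint page reads with connection_get ('SPARQLUserId', 'SPARQL').
--    Assumption: the hook receives the realm and returns 1 (allow) or 0 (deny).
create procedure DB.DBA.HP_AUTH_SPARQL_RO (in realm varchar)
{
  if (DB.DBA.HP_AUTH_SPARQL_USER (realm) = 0)
    return 0;                                   -- challenge failed, do not set a user
  connection_set ('SPARQLUserId', 'SPARQL_RO'); -- every authenticated caller runs as SPARQL_RO
  return 1;
}
;

-- 3. Expose /sparql on a separate listener with digest authentication.
--    vsp_user stays 'dba' as in the exported /sparql-auth definition; the
--    effective query user is the one set in step 2.
DB.DBA.VHOST_REMOVE (lhost=>':8891', vhost=>'sparql.example.org', lpath=>'/sparql');
DB.DBA.VHOST_DEFINE (
  lhost=>':8891', vhost=>'sparql.example.org',
  lpath=>'/sparql', ppath=>'/!sparql/', is_dav=>1,
  vsp_user=>'dba',
  auth_fn=>'DB.DBA.HP_AUTH_SPARQL_RO', realm=>'SPARQL', sec=>'digest',
  opts=>vector ('noinherit', 1));

-- 4. Audit view: which listeners map to the SPARQL handler, whether they are
--    protected, and which hook decides the effective user.
select HP_LISTEN_HOST, HP_HOST, HP_LPATH, HP_RUN_VSP_AS,
       HP_SECURITY, HP_REALM, HP_AUTH_FUNC
  from DB.DBA.HTTP_PATH
 where HP_PPATH = '/!sparql/';
```

HP_RUN_VSP_AS will still read dba for these rows, so an audit of the effective SPARQL account has to record HP_AUTH_FUNC and the 'SPARQLUserId' value that function sets, together with the roles granted to that account.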