Hi Gang Fu,

On 05-Feb-15 3:03 PM, Gang Fu wrote:
Hi Rumi,

Using vhost_define() through isql we can achieve the same thing:
DB.DBA.VHOST_DEFINE (
  lhost=><ip:port>,
  vhost=><name>,
  lpath=>'/sparql',
  ppath=>'/!sparql/',
  is_dav=>1,
  vsp_user=>'dba',
  ses_vars=>0,
  sec=>'digest',
  auth_fn=>'DB.DBA.HP_AUTH_SPARQL_USER',
  realm=>'SPARQL',
  opts=>vector('noinherit', 1, 'exec_as_get', 1),
  is_default_host=>0
);


It is password protected, but it is read+write, even though I have:
'exec_as_get', 1


Right, so it is not clear to me exactly what you want to do in this case:
which user are you using to log in? It seems your user has read+write permissions, i.e. you need to try to log in as a user with read permissions only. A simple scenario that demonstrates this:

1) Create 2 users, one can update, the other can only perform select:

SQL> DB.DBA.USER_CREATE ('ana', 'ana');
Done. -- 0 msec.
SQL> DB.DBA.USER_CREATE ('brad', 'brad');
Done. -- 0 msec.
Done. -- 16 msec.
SQL> GRANT SPARQL_UPDATE to "ana";
Done. -- 0 msec.
SQL> GRANT SPARQL_SELECT to "brad";
Done. -- 0 msec.

So "ana" can update, "brad" can only select.
2) Then from the default /sparql-auth endpoint, if I log in as brad and:

-- 1) attempt to insert data:
INSERT INTO GRAPH <http://NewBookStore.com> { ?book ?p ?v }
fails with this error:
SPARQL Update was denied to  "brad"

-- 2) attempt to clear data:
sparql clear graph <urn:example:com>;
also fails with error:

Error SR186: No permission to execute procedure DB.DBA.SPARUL_CLEAR with user ID 127, group ID 127

Which is correct, since "brad" can only select data, but has no update (read-write) permissions.

The question is: what permissions does the user you are using have?


Best Regards,
Rumi Kocis



Best,
Gang


On Wed, Feb 4, 2015 at 6:57 AM, Rumi <rtsek...@openlinksw.com> wrote:

    Hi Gang Fu,

    On 04-Feb-15 2:22 AM, Gang Fu wrote:
    Hi Rumi,

    I have tried to expose a password-protected SPARQL endpoint;
    actually it can be done using the vhost_define() function as well,
    just add sec=>'digest' and an authentication function. But the
    vsp_user to expose a password-protected SPARQL endpoint is still dba.

    By default /sparql-auth is protected, so what you can try is:

    1. Export the /sparql-auth definition from Conductor -> Web Application
    Server -> Virtual Domains & Directories
    2. In the generated script, change /sparql-auth to /sparql.
        * Note: the vsp_user is dba, but in the next step you can
    change a connection setting in the authentication function so that
    it uses your user.
    3. In the authentication function DB.DBA.HP_AUTH_SPARQL_USER
    (sparql_io.sql) there is:
    Line 2935:   user_id := connection_get ('SPARQLUserId', 'SPARQL');
        Change it accordingly to use your user and re-execute the
    function creation so that the change kicks in.
    4. Execute the changed script from step 2 from Conductor or iSQL.

    Please let me know if that worked for you.


    Best Regards,
    Rumi Kocis


    Best,
    Gang

    On Tue, Feb 3, 2015 at 12:35 PM, Rumi <rtsek...@openlinksw.com> wrote:

        Hi Gang Fu,

        On 03-Feb-15 3:47 PM, Gang Fu wrote:
        Hi Rumi,

        I looked at the source code of libsrc/Wi/sparql_io.sql for
        procedure WS.WS."/!sparql/":
        create procedure WS.WS."/!sparql/"(inout path varchar, inout
        params any, inout lines any)

        I am not sure whether the user "SPARQL" for the /sparql
        endpoint is set by default here:
        user_id := connection_get ('SPARQLUserId', 'SPARQL');
        set_user_id (user_id, 1);


        I have tried to grant SPARQL_UPDATE to user "SPARQL", then
        the /sparql endpoint is not read-only....
        And when I tried to grant another role, I got:
        The object "SPARQL_LOAD_SERVICE_DATA" does not exist.

        But it does not allow me to expose the /sparql endpoint using
        vsp_user "SPARQL". What I am really interested in is how to
        expose a SPARQL endpoint using vsp users other than dba.

        Hm, I would say you should grant the roles to another vsp user, as
        this is what you want to achieve, is this correct?
        As of now you granted them to "SPARQL" instead.
        Additionally, did you try the steps from the guide
        http://virtuoso.openlinksw.com/dataspace/doc/dav/wiki/Main/VirtSPARQLProtectSQLDigestAuthentication
        ?


        Best Regards,
        Rumi Kocis


        Best,
        Gang

        On Tue, Feb 3, 2015 at 8:10 AM, Rumi <rtsek...@openlinksw.com> wrote:

            Hi Gang Fu,

            On 03-Feb-15 1:15 PM, Gang Fu wrote:
            Hi,

            I am using the function vhost_define() to expose a read-only
            SPARQL endpoint through another port (different from
            8890) for security reasons.

            I have two questions:
            1) How can I expose a SPARQL endpoint using an account
            other than 'dba'? I have tried using
            vsp_user=>'SPARQL', but I got a '404 cannot access' error
            when I tried the URL. I also set opts->(executable,
            'yes'); this option seems to allow any vsp user to have
            execute permission, but it still does not work. I also
            tried to give user 'SPARQL' the administrator role, but
            it still does not work....

            Please try the steps from this guide: "Secure SPARQL
            Endpoint via SQL Accounts -- usage path digest
            authentication"

            Link:
            http://virtuoso.openlinksw.com/dataspace/doc/dav/wiki/Main/VirtSPARQLProtectSQLDigestAuthentication

            Related:
            -- Securing SPARQL endpoints:
            http://virtuoso.openlinksw.com/dataspace/doc/dav/wiki/Main/VirtTipsAndTricksGuideSPARQLEndpoints
            -- Securing your SPARQL Endpoint via OAuth:
            http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtOAuthSPARQL
            -- Securing your SPARQL Endpoint via WebID:
            http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtSPARQLSecurityWebID


            2) How can I know and configure the user account used by
            the '/sparql' endpoint by default? The system table
            'DB.DBA.HTTP_PATH' only shows that the vsp_user is
            'dba', but it does not show that the default user of that
            endpoint is 'SPARQL' (ID=106). The documentation says
            the user is 'SPARQL' for both '/sparql' and
            '/sparql-graph-crud', but I cannot find any system
            table for that. Our system team wants to audit that
            information.


            The name 'SPARQL' is a constant in the code of the SPARQL
            web service endpoint pages (/sparql and /sparql-auth).
            Another name can be used if the authentication function sets
            the connection variable 'SPARQLUserId' to that name, for
            example by placing inside the authentication call:

            connection_set ('SPARQLUserId', 'SOME_USER_NAME');


            What you could try is to grant more roles to the user if
            needed, such as SPARQL_LOAD_SERVICE_DATA or SPARQL_UPDATE,
            by granting directly to the user or, better, to SPARQL_SELECT,
            since the endpoint page will require that the user is a member
            of the SPARQL_SELECT group -- that's the minimal practical
            permission; however, one can grant more permissions.


            Best Regards,
            Rumi Kocis


            Best,
            Gang




            _______________________________________________
            Virtuoso-users mailing list
            Virtuoso-users@lists.sourceforge.net
            https://lists.sourceforge.net/lists/listinfo/virtuoso-users
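As an added example (not from the thread or from OpenLink), this Virtuoso SQL script puts the pieces discussed above together: a SELECT-only user and an UPDATE user as in Rumi's "ana"/"brad" scenario, the digest-protected endpoint on a separate listener using the VHOST_DEFINE call from the thread, and audit queries answering the "which user does the endpoint run as, and what roles does it hold" question. The listener address, user names and passwords are constructed placeholders; the role-membership query assumes the system tables DB.DBA.SYS_ROLE_GRANTS (GI_SUPER = role, GI_SUB = member) and DB.DBA.SYS_USERS.

```sql
-- 1) Two users: one may only SELECT, the other may UPDATE (constructed names/passwords).
DB.DBA.USER_CREATE ('ro_reader', 'CHANGE_ME_reader');
DB.DBA.USER_CREATE ('rw_editor', 'CHANGE_ME_editor');
GRANT SPARQL_SELECT TO "ro_reader";
GRANT SPARQL_UPDATE TO "rw_editor";

-- 2) Digest-protected /sparql on its own listener (assumed address 127.0.0.1:8891).
--    The page still runs as vsp_user 'dba'; the stock auth function performs the
--    digest check and then switches the SPARQL evaluation to the authenticated
--    account via set_user_id(), as discussed in the thread. Remove any stale
--    definition first so the script can be re-run.
DB.DBA.VHOST_REMOVE (lhost=>'127.0.0.1:8891', vhost=>'127.0.0.1:8891', lpath=>'/sparql');
DB.DBA.VHOST_DEFINE (
  lhost=>'127.0.0.1:8891',
  vhost=>'127.0.0.1:8891',
  lpath=>'/sparql',
  ppath=>'/!sparql/',
  is_dav=>1,
  vsp_user=>'dba',
  ses_vars=>0,
  sec=>'digest',
  auth_fn=>'DB.DBA.HP_AUTH_SPARQL_USER',
  realm=>'SPARQL',
  opts=>vector ('noinherit', 1, 'exec_as_get', 1),
  is_default_host=>0
);

-- 3a) Audit: how the endpoint is defined (vsp user, security mode, auth function).
SELECT HP_LISTEN_HOST, HP_LPATH, HP_RUN_VSP_AS, HP_SECURITY, HP_AUTH_FUNC, HP_REALM
  FROM DB.DBA.HTTP_PATH
 WHERE HP_LPATH = '/sparql';

-- 3b) Audit: which SPARQL roles each account holds (assumed table/column names).
--     Expect ro_reader -> SPARQL_SELECT only; rw_editor -> SPARQL_UPDATE
--     (plus whatever SPARQL_UPDATE itself inherits); SPARQL -> its default roles.
SELECT u.U_NAME AS user_name, r.U_NAME AS role_name
  FROM DB.DBA.SYS_ROLE_GRANTS g
  JOIN DB.DBA.SYS_USERS u ON u.U_ID = g.GI_SUB
  JOIN DB.DBA.SYS_USERS r ON r.U_ID = g.GI_SUPER
 WHERE u.U_NAME IN ('ro_reader', 'rw_editor', 'SPARQL')
 ORDER BY user_name, role_name;
```

Logging in to the new endpoint as ro_reader should reproduce Rumi's result for "brad": SELECT queries succeed while INSERT and CLEAR GRAPH are denied, whereas rw_editor behaves like "ana".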






