Hi Rumi,
I totally understand your point. My quesiton is about the 'vsp_user' or
called 'vsp_host' used to expose the sparql endpoint. Our system security
team has concern about the 'vsp_user', they are not sure what is used for,
and how to configure it. Basically, they are not familiar with 'vsp'. I
cannot explain well to them, and they want to audit the user permission for
/sparql endpoint. I have explained that the default user for /sparql
endpoint is 'SPARLQ' and it is read-only. But there is no way to audit
that, if later some configuration is changed, they want to know whether the
endpoint is still read-only...
I found the system table 'http_path' tells you the 'vsp_host' for 'lpath',
but not the user and user role...
Best,
Gang
On Thu, Feb 5, 2015 at 10:17 AM, Rumi <rtsek...@openlinksw.com> wrote:
> Hi Gang Fu,
>
>
> On 05-Feb-15 3:03 PM, Gang Fu wrote:
>
> Hi Rumi,
>
> Using vhost_define() through isql we can achieve the same thing:
> DB.DBA.VHOST_DEFINE (
> lhost=><ip:port>,
> vhost=><name>,
> lpath=>'/sparql',
> ppath=>'/!sparql/',
> is_dav=>1,
> vsp_user=>'dba',
> ses_vars=>0,
> sec=>'digest',
> auth_fn=>'DB.DBA.HP_AUTH_SPARQL_USER',
> realm=>'SPARQL',
> opts=>vector('noinherit', 1, 'exec_as_get', 1),
> is_default_host=>0
> );
>
>
> It is password protected, but it is read+write ,even though I have:
> 'exec_as_get', 1
>
>
>
> Right, so to me is not clear exactly what you want to do in this case,
> with what user are you using to log in? It seems your user has read+write
> permissions,
> i.e you need to try to log in as user with read permissions only: a simple
> scenario that demonstrates this:
>
> 1) Create 2 users, one can update, the other can only perform select:
>
> SQL> DB.DBA.USER_CREATE ('ana', 'ana');
> Done. -- 0 msec.
> SQL> DB.DBA.USER_CREATE ('brad', 'brad');
> Done. -- 0 msec.
> Done. -- 16 msec.
> SQL> GRANT SPARQL_UPDATE to "ana";
> Done. -- 0 msec.
> SQL> GRANT SPARQL_SELECT to "brad";
> Done. -- 0 msec.
>
> So "ana" can update, "brad" can only select.
> 2) Then from the default /sparql-auth endpoint, if I log in as brad and:
>
> -- 1) attempt to insert data:
> INSERT INTO GRAPH <http://NewBookStore.com> <http://NewBookStore.com> {
> ?book ?p ?v }
> fails with this error:
> SPARQL Update was denied to "brad"
>
> -- 2) attempt to clear data:
> sparql clear graph <urn:example:com>;
> also fails with error:
>
> Error SR186: No permission to execute procedure DB.DBA.SPARUL_CLEAR with
> user ID 127, group ID 127
>
> Which is correct, since "brad" can only select data, but has no update (
> read-write ) permissions.
>
> Question is the user you are using, what permissions it has?
>
>
>
> Best Regards,
> Rumi Kocis
>
>
>
> Best,
> Gang
>
>
> On Wed, Feb 4, 2015 at 6:57 AM, Rumi <rtsek...@openlinksw.com> wrote:
>
>> Hi Gang Fu,
>>
>> On 04-Feb-15 2:22 AM, Gang Fu wrote:
>>
>> Hi Rumi,
>>
>> I have tried to expose a password-protected sparql endpoint, actually
>> it can be done using vhost_define() function as well, just add
>> sec=>'digest' and authentication function. But the vsp_user to expose a
>> password-protected sparql endpoint is still dba.
>>
>>
>> By default /sparq-auth is protected, so what you can try is :
>>
>> 1. Export /sparq-auth definition from Conductor->Web Application Server
>> -> Virtual Domains & Directories
>> 2. Change in the generated script /sparql-auth with /sparql.
>> * Note: the vsp_user is dba, but in the next step you can change in
>> the authentication function a connection setting so to use your user.
>> 3. In the authentication function DB.DBA.HP_AUTH_SPARQL_USER
>> (sparql_io.sql) there is:
>> Lin: 2935 user_id := connection_get ('SPARQLUserId', 'SPARQL');
>> Change it respectively so to use your user and execute the function
>> creation so the change to kick in.
>> 4. Execute from Conductor or iSQL the changed script from step 2.
>>
>> Please let me know if that worked for you.
>>
>>
>> Best Regards,
>> Rumi Kocis
>>
>>
>> Best,
>> Gang
>>
>> On Tue, Feb 3, 2015 at 12:35 PM, Rumi <rtsek...@openlinksw.com> wrote:
>>
>>> Hi Gang Fu,
>>>
>>> On 03-Feb-15 3:47 PM, Gang Fu wrote:
>>>
>>> Hi Rumi,
>>>
>>> I looked at the source code of libsrc/Wi/sparql_io.sql for procedure
>>> WS.WS."/!sparql/":
>>> create procedure WS.WS."/!sparql/" (inout path varchar, inout params
>>> any, inout lines any)
>>>
>>> I am not sure whether the user as "SPARQL" for /sparql endpoint are
>>> set by default here:
>>> user_id := connection_get ('SPARQLUserId', 'SPARQL');
>>> set_user_id (user_id, 1);
>>>
>>>
>>> I have tried to grant SPARQL_UPDATE to user "SPARQL", then the /sparql
>>> endpoint is not read-only....
>>> And when I tried to grant another role, I got
>>> The object "SPARQL_LOAD_SERVICE_DATA" does not exist.
>>>
>>> But it does not allow me to expose /sparql endpoint using vsp_user
>>> "SPARQL". What I am really interested in is how to expose sparql endpoint
>>> using vsp users other than dba.
>>>
>>>
>>> Hm, I would say you grant the roles to another vsp user as this is what
>>> you want to achieve is this correct?
>>> As now you granted them to "SPARQL" instead?
>>> Additionally, did you try the steps from the guide
>>> http://virtuoso.openlinksw.com/dataspace/doc/dav/wiki/Main/VirtSPARQLProtectSQLDigestAuthentication
>>> ?
>>>
>>>
>>> Best Regards,
>>> Rumi Kocis
>>>
>>>
>>> Best,
>>> Gang
>>>
>>> On Tue, Feb 3, 2015 at 8:10 AM, Rumi <rtsek...@openlinksw.com> wrote:
>>>
>>>> Hi Gang Fu,
>>>>
>>>> On 03-Feb-15 1:15 PM, Gang Fu wrote:
>>>>
>>>> Hi,
>>>>
>>>> I am using function vhost_define() to expose read-only sparql endpoint
>>>> through another port (different from 8890) for security concern.
>>>>
>>>> I have two questions:
>>>> 1) how can I expose a sparql endpoint using account other than 'dba'.
>>>> I have tried to using vsp_user=>'SPARQL', but I got '404 cannot access'
>>>> error when I tried the url. I also set the opts->(executable, 'yes'), this
>>>> option seems to allow any vsp user to have execute permission, but it still
>>>> does not work. I also tried to set user 'SPARQL' to administrator role, but
>>>> still cannot work....
>>>>
>>>>
>>>> Please try the steps from this guide: "Secure SPARQL Endpoint via SQL
>>>> Accounts -- usage path digest authentication"
>>>>
>>>> Link:
>>>> http://virtuoso.openlinksw.com/dataspace/doc/dav/wiki/Main/VirtSPARQLProtectSQLDigestAuthentication
>>>>
>>>> Related:
>>>> -- Securing SPARQL endpoints:
>>>> http://virtuoso.openlinksw.com/dataspace/doc/dav/wiki/Main/VirtTipsAndTricksGuideSPARQLEndpoints
>>>> -- Securing your SPARQL Endpoint via OAuth:
>>>> http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtOAuthSPARQL
>>>> -- Securing your SPARQL Endpoint via WebID:
>>>> http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/VirtSPARQLSecurityWebID
>>>>
>>>>
>>>> 2) how can I know and configure the user account to use '/sparql'
>>>> endpoint by default. The system table 'DB.DBA.HTTP_PATH' only shows that
>>>> the vsp_user is 'dba', but it does not show the default user of that
>>>> endpoint is 'SPARLQ' (ID=106). The documentation says the user is 'SPARLQ'
>>>> for both '/sparql' and '/sparql-graph-crud', but I cannot find any system
>>>> table for that. Our system team wants to audit that information.
>>>>
>>>>
>>>> The name 'SPARQL' is a constant in the code of SPARQL web service
>>>> endpoint pages ( /sparql and /sparql-auth ).
>>>> Another name can be used if authentication function sets connection
>>>> variable 'SPARQLUserId' to that name, for ex., placing inside
>>>> authentication call:
>>>>
>>>> connection_set ('SPARQLUserId', 'SOME_USER_NAME');
>>>>
>>>>
>>>> What you could try is to grant more roles to the user if needed, such
>>>> as:
>>>> SPARQL_LOAD_SERVICE_DATA or SPARQL_UPDATE, by granting directly to the
>>>> user or, better, to SPARQL_SELECT, since the endpoint page will require
>>>> that the user is member of SPARQL_SELECT group -- that's the minimal
>>>> practical permission, however one can grant more permissions.
>>>>
>>>>
>>>> Best Regards,
>>>> Rumi Kocis
>>>>
>>>>
>>>> Best,
>>>> Gang
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> Dive into the World of Parallel Programming. The Go Parallel Website,
>>>> sponsored by Intel and developed in partnership with Slashdot Media, is
>>>> your
>>>> hub for all things parallel software development, from weekly thought
>>>> leadership blogs to news, videos, case studies, tutorials and more. Take a
>>>> look and join the conversation now. http://goparallel.sourceforge.net/
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Virtuoso-users mailing
>>>> listVirtuoso-users@lists.sourceforge.nethttps://lists.sourceforge.net/lists/listinfo/virtuoso-users
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>
------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Virtuoso-users mailing list
Virtuoso-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/virtuoso-users
