On 3/9/15 2:47 PM, Nicola Vitucci wrote:
> On 08/03/2015 00:30, Kingsley Idehen wrote:
>> On 3/7/15 2:18 PM, Nicola Vitucci wrote:
>>> Dear all,
>>>
>>> I could not figure out any way to use ACLs to avoid showing private
>>> graphs when submitting the following query:
>>>
>>> SELECT DISTINCT ?g WHERE {GRAPH ?g {?s ?p ?o}}
>>>
>>> The query should not be changed, so I was hoping to be able to do it via
>>> graph-level permissions and/or pragmas. Is it possible to do this at all?
>>>
>>> Thanks a lot,
>>>
>>> Nicola
>>
>> Via SQL Command Line or Conductor UI (HTML based Administrator):
>>
>> -- Add a named graph to the private (protected) graph group
>>
>> DB.DBA.RDF_GRAPH_GROUP_INS
>> ('http://www.openlinksw.com/schemas/virtrdf#PrivateGraphs','{named-graph-iri}')
>> ;
>>
>> -- To ensure user sql role account 'nobody' doesn't have access to private graphs execute:
>>
>> DB.DBA.RDF_DEFAULT_USER_PERMS_SET ('nobody', 0, 1);
>>
>> -- To ensure that services running under user/role account 'SPARQL' don't have access to private graphs (denoted using 1).
>>
>> DB.DBA.RDF_DEFAULT_USER_PERMS_SET ('SPARQL', 0, 1);
>>
>> Links:
>>
>> [1] http://docs.openlinksw.com/virtuoso/rdfgraphsecurity.html --
>> documentation section on graph level security.
>
> Hi Kingsley,
>
> try as I might I didn't succeed. I had already tried your proposed
> solution, yet the graph is still showing and RDF_GRAPH_SECURITY_AUDIT (0)
> returns the following:
>
> ...
> ERROR NULL NULL 107 SPARQL The "SPARQL" user should be disabled. Applications should create separate accounts and grant SPARQL_SELECT etc., the account "SPARQL" is for system purposes only
> ERROR #i8192http://.... 107 SPARQL The "SPARQL" user has got some specific permissions. That's strange and redundand, at best, it may also mislead somebody
>
> Just to be clear, the following query correctly returns no results:
>
> SELECT DISTINCT * WHERE {GRAPH<http://myprivategraph> {?s ?p ?o}} LIMIT 10
>
> The problem is when I want to see all the graphs like in my example.
> Shouldn't the private graphs be hidden or do I misunderstand the use of
> ACLs in this case?
>
> Thanks,
> Nicola

If the acl system is configured right, and performing properly, given the named graph identified by IRI <urn:some:private:named:graph>, all queries will exclude RDF statements from the private named graph.

Under what identity are you performing the query that still includes private named graphs? I assume you aren't doing that as user "dba", right? I also assume that private named graph access has been disabled for user/role "SPARQL" ?

--
Regards,

Kingsley Idehen
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog 1: http://kidehen.blogspot.com
Personal Weblog 2: http://www.openlinksw.com/blog/~kidehen
Twitter Profile: https://twitter.com/kidehen
Google+ Profile: https://plus.google.com/+KingsleyIdehen/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen
Personal WebID: http://kingsley.idehen.net/dataspace/person/kidehen#this
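
A check for the symptom discussed in this thread, as an added example that is not part of the original messages and is not OpenLink code: it runs the graph-enumeration query from the first message under the identity being tested and reports any private graph IRI that appears in the result. The endpoint URL passed to `fetch_enumeration` is an assumption, and the sample response is constructed in the standard SPARQL JSON results format.

```python
import json
import urllib.parse
import urllib.request

# The enumeration query quoted in the thread, unchanged.
ENUM_QUERY = "SELECT DISTINCT ?g WHERE {GRAPH ?g {?s ?p ?o}}"

def graphs_in_results(results_json):
    """Return the set of graph IRIs bound to ?g in a SPARQL JSON result."""
    doc = json.loads(results_json)
    found = set()
    for row in doc.get("results", {}).get("bindings", []):
        g = row.get("g")
        if g and g.get("type") == "uri":  # skip blank nodes and unbound rows
            found.add(g["value"])
    return found

def leaked_graphs(results_json, private_graphs):
    """Private graph IRIs that the enumeration result exposes, sorted."""
    return sorted(graphs_in_results(results_json) & set(private_graphs))

def fetch_enumeration(endpoint, timeout=10):
    """Run ENUM_QUERY without credentials (endpoint URL is an assumption)."""
    url = endpoint + "?" + urllib.parse.urlencode({"query": ENUM_QUERY})
    req = urllib.request.Request(
        url, headers={"Accept": "application/sparql-results+json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")

# Constructed sample response: one public graph, one blank node binding,
# and the private graph IRI used as an illustration in the thread.
SAMPLE = json.dumps({
    "head": {"vars": ["g"]},
    "results": {"bindings": [
        {"g": {"type": "uri", "value": "http://example.org/public"}},
        {"g": {"type": "bnode", "value": "b0"}},
        {"g": {"type": "uri", "value": "http://myprivategraph"}},
    ]},
})

if __name__ == "__main__":
    # Offline run against the constructed sample; for a live check use
    # leaked_graphs(fetch_enumeration("<endpoint URL>"), [...]).
    for iri in leaked_graphs(SAMPLE, ["http://myprivategraph"]):
        print("private graph visible to this identity:", iri)
```

An empty result for a direct `GRAPH <iri>` query does not show that enumeration is clean, so this check is worth running separately for each account that can reach the endpoint.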