Il 09/03/2015 20:18, Kingsley Idehen ha scritto:
> On 3/9/15 2:47 PM, Nicola Vitucci wrote:
>> Il 08/03/2015 00:30, Kingsley Idehen ha scritto:
>>> >On 3/7/15 2:18 PM, Nicola Vitucci wrote:
>>>> >>Dear all,
>>>> >>
>>>> >>I could not figure out any way to use ACLs to avoid showing private
>>>> >>graphs when submitting the following query:
>>>> >>
>>>> >>SELECT DISTINCT ?g WHERE {GRAPH ?g {?s ?p ?o}}
>>>> >>
>>>> >>The query should not be changed, so I was hoping to be able to do it via
>>>> >>graph-level permissions and/or pragmas. Is it possible to do this at all?
>>>> >>
>>>> >>Thanks a lot,
>>>> >>
>>>> >>Nicola
>>>> >>
>>>> >>
>>> >Via SQL Command Line or Conductor UI (HTML based Administrator):
>>> >
>>> >-- Add a named graph to the private (protected) graph group
>>> >
>>> >DB.DBA.RDF_GRAPH_GROUP_INS
>>> >('http://www.openlinksw.com/schemas/virtrdf#PrivateGraphs','{named-graph-iri')
>>> >;
>>> >
>>> >-- To ensure user sql role account 'nobody' doesn't have access to
>>> >private graphs execute:
>>> >
>>> >DB.DBA.RDF_DEFAULT_USER_PERMS_SET ('nobody', 0, 1);
>>> >
>>> >-- To ensure that services running under user/role account 'SPARQL'
>>> >don't have access to private graphs (denoted using 1).
>>> >
>>> >DB.DBA.RDF_DEFAULT_USER_PERMS_SET ('SPARQL', 0, 1);
>>> >
>>> >Links:
>>> >
>>> >[1]http://docs.openlinksw.com/virtuoso/rdfgraphsecurity.html --
>>> >documentation section on graph level security .
>>> >
>>> >
>> Hi Kingsley,
>>
>> try as I might I didn't succeed. I had already tried your proposed
>> solution, yet the graph is still showing and RDF_GRAPH_SECURITY_AUDIT
>> (0) returns the following:
>>
>> ...
>> ERROR NULL NULL 107 SPARQL The "SPARQL" user
>> should be disabled. Applications should create separate accounts and
>> grant SPARQL_SELECT etc., the account "SPARQL" is for system purposes
>> only
>> ERROR #i8192http://.... 107 SPARQL The "SPARQL"
>> user has got some specific permissions. That's strange and redundand, at
>> best, it may also mislead somebody
>>
>> Just to be clear, the following query correctly returns no results:
>>
>> SELECT DISTINCT * WHERE {GRAPH<http://myprivategraph> {?s ?p ?o}}
>> LIMIT 10
>>
>> The problem is when I want to see all the graphs like in my example.
>> Shouldn't the private graphs be hidden or do I misunderstand the use of
>> ACLs in this case?
>>
>> Thanks,
>>
>> Nicola
> If the acl system is configured right, and performing properly, given
> the named graph identified by IRI <urn:some:private:named:graph>, all
> queries will excluded RDF statements from the private named graph.
>
> Under what identity are you performing the query that still includes
> private named graphs? I assume you aren't doing that as user "dba",
> right? I also assume that private named graph access has been disabled
> for user/role "SPARQL" ?
>
>
I disabled the access for 'SPARQL' this way:
DB.DBA.RDF_GRAPH_GROUP_INS
('http://www.openlinksw.com/schemas/virtrdf#PrivateGraphs',
'http://my.private.graph')
DB.DBA.RDF_GRAPH_USER_PERMS_SET
('http://www.openlinksw.com/schemas/virtrdf#PrivateGraphs', 'SPARQL', 0)
I am running the query with this command:
curl --data-urlencode query="SELECT DISTINCT ?g WHERE {GRAPH ?g {?s ?p
?o}}" localhost:8890/sparql
so I suppose the identity is actually SPARQL?
------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the
conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Virtuoso-users mailing list
Virtuoso-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/virtuoso-users
