On 3/9/15 4:01 PM, Nicola Vitucci wrote:
On 09/03/2015 20:18, Kingsley Idehen wrote:
On 3/9/15 2:47 PM, Nicola Vitucci wrote:
On 08/03/2015 00:30, Kingsley Idehen wrote:
On 3/7/15 2:18 PM, Nicola Vitucci wrote:
Dear all,

I could not figure out any way to use ACLs to avoid showing private
graphs when submitting the following query:

SELECT DISTINCT ?g WHERE {GRAPH ?g {?s ?p ?o}}

The query should not be changed, so I was hoping to be able to do it via
graph-level permissions and/or pragmas. Is it possible to do this at all?

Thanks a lot,

Nicola


Via SQL Command Line or Conductor UI (HTML based Administrator):

-- Add a named graph to the private (protected) graph group

DB.DBA.RDF_GRAPH_GROUP_INS ('http://www.openlinksw.com/schemas/virtrdf#PrivateGraphs', '{named-graph-iri}');

-- To ensure user sql role account 'nobody' doesn't have access to
-- private graphs execute:

DB.DBA.RDF_DEFAULT_USER_PERMS_SET ('nobody', 0, 1);

-- To ensure that services running under user/role account 'SPARQL'
-- don't have access to private graphs (denoted using 1).

DB.DBA.RDF_DEFAULT_USER_PERMS_SET ('SPARQL', 0, 1);

Links:

[1] http://docs.openlinksw.com/virtuoso/rdfgraphsecurity.html -- documentation section on graph level security.


Hi Kingsley,

try as I might I didn't succeed. I had already tried your proposed
solution, yet the graph is still showing and RDF_GRAPH_SECURITY_AUDIT
(0) returns the following:

...
ERROR    NULL          NULL     107         SPARQL   The "SPARQL" user
should be disabled. Applications should create separate accounts and
grant SPARQL_SELECT etc., the account "SPARQL" is for system purposes
only
ERROR    #i8192http://....  107         SPARQL   The "SPARQL"
user has got some specific permissions. That's strange and redundand, at
best, it may also mislead somebody

Just to be clear, the following query correctly returns no results:

SELECT DISTINCT * WHERE {GRAPH<http://myprivategraph>  {?s ?p ?o}}
LIMIT 10

The problem is when I want to see all the graphs like in my example.
Shouldn't the private graphs be hidden or do I misunderstand the use of
ACLs in this case?

Thanks,

Nicola

If the ACL system is configured right, and performing properly, given
the named graph identified by IRI <urn:some:private:named:graph>, all
queries will exclude RDF statements from the private named graph.

Under what identity are you performing the query that still includes
private named graphs? I assume you aren't doing that as user "dba",
right? I also assume that private named graph access has been disabled
for user/role "SPARQL" ?


I disabled the access for 'SPARQL' this way:

DB.DBA.RDF_GRAPH_GROUP_INS ('http://www.openlinksw.com/schemas/virtrdf#PrivateGraphs', 'http://my.private.graph');
DB.DBA.RDF_GRAPH_USER_PERMS_SET ('http://www.openlinksw.com/schemas/virtrdf#PrivateGraphs', 'SPARQL', 0);

I am running the query with this command:

curl --data-urlencode query="SELECT DISTINCT ?g WHERE {GRAPH ?g {?s ?p ?o}}" localhost:8890/sparql

so I suppose the identity is actually SPARQL?

Yes.

And in this case you are seeing triples from the private named graph in your query solution?

Kingsley
------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the
conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Virtuoso-users mailing list
Virtuoso-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/virtuoso-users




--
Regards,

Kingsley Idehen 
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog 1: http://kidehen.blogspot.com
Personal Weblog 2: http://www.openlinksw.com/blog/~kidehen
Twitter Profile: https://twitter.com/kidehen
Google+ Profile: https://plus.google.com/+KingsleyIdehen/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen
Personal WebID: http://kingsley.idehen.net/dataspace/person/kidehen#this
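
Added example (not part of the original thread and not OpenLink code): a check an operator could run anonymously against the endpoint to test both behaviours discussed above, that a private graph is not readable directly and is not listed by the graph-enumeration query. The function names, the sample responses and `http://example.org/public` are constructed for illustration; the two query strings and `http://my.private.graph` come from the thread.

```python
import json
import urllib.parse
import urllib.request

ENUM_QUERY = "SELECT DISTINCT ?g WHERE {GRAPH ?g {?s ?p ?o}}"  # query from the thread

def direct_query(graph_iri):
    """Direct probe of one graph, same shape as the query in the thread."""
    return "SELECT DISTINCT * WHERE {GRAPH <%s> {?s ?p ?o}} LIMIT 10" % graph_iri

def run_sparql(endpoint, query, timeout=10):
    """POST a query without credentials; return parsed SPARQL JSON results."""
    data = urllib.parse.urlencode({"query": query}).encode()
    req = urllib.request.Request(
        endpoint, data=data, headers={"Accept": "application/sparql-results+json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)

def graphs_in(results, var="g"):
    """IRIs bound to ?g in a SPARQL JSON result set."""
    return {b[var]["value"] for b in results["results"]["bindings"]
            if var in b and b[var].get("type") == "uri"}

def audit(private_graphs, enum_results, direct_results):
    """Return {graph: [findings]} for private graphs visible to the caller.
    direct_results maps a graph IRI to the result set of direct_query(graph)."""
    listed = graphs_in(enum_results)
    findings = {}
    for g in private_graphs:
        issues = []
        if g in listed:
            issues.append("listed-by-enumeration")
        if direct_results.get(g, {}).get("results", {}).get("bindings"):
            issues.append("readable-directly")
        if issues:
            findings[g] = issues
    return findings

def audit_endpoint(endpoint, private_graphs):
    """Run both probes against a live endpoint, e.g. http://localhost:8890/sparql."""
    enum = run_sparql(endpoint, ENUM_QUERY)
    direct = {g: run_sparql(endpoint, direct_query(g)) for g in private_graphs}
    return audit(private_graphs, enum, direct)

# Constructed sample responses (not real server output) mirroring the thread:
# the direct probe is empty, but the enumeration still lists the private graph.
SAMPLE_ENUM = {"head": {"vars": ["g"]}, "results": {"bindings": [
    {"g": {"type": "uri", "value": "http://example.org/public"}},
    {"g": {"type": "uri", "value": "http://my.private.graph"}}]}}
SAMPLE_DIRECT = {"http://my.private.graph":
                 {"head": {"vars": ["s", "p", "o"]}, "results": {"bindings": []}}}
```

An empty result from `audit_endpoint` means neither probe exposed any of the listed private graphs to the anonymous caller.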

