On 10/03/2015 19:04, Kingsley Idehen wrote:
> On 3/10/15 5:17 AM, Nicola Vitucci wrote:
>> On 09/03/2015 22:02, Kingsley Idehen wrote:
>>> On 3/9/15 4:01 PM, Nicola Vitucci wrote:
>>>> On 09/03/2015 20:18, Kingsley Idehen wrote:
>>>>> On 3/9/15 2:47 PM, Nicola Vitucci wrote:
>>>>>> On 08/03/2015 00:30, Kingsley Idehen wrote:
>>>>>>>> On 3/7/15 2:18 PM, Nicola Vitucci wrote:
>>>>>>>>>> Dear all,
>>>>>>>>>>
>>>>>>>>>> I could not figure out any way to use ACLs to avoid showing
>>>>>>>>>> private graphs when submitting the following query:
>>>>>>>>>>
>>>>>>>>>> SELECT DISTINCT ?g WHERE {GRAPH ?g {?s ?p ?o}}
>>>>>>>>>>
>>>>>>>>>> The query should not be changed, so I was hoping to be able
>>>>>>>>>> to do it via graph-level permissions and/or pragmas. Is it
>>>>>>>>>> possible to do this at all?
>>>>>>>>>>
>>>>>>>>>> Thanks a lot,
>>>>>>>>>>
>>>>>>>>>> Nicola
>>>>>>>>
>>>>>>>> Via SQL Command Line or Conductor UI (HTML based Administrator):
>>>>>>>>
>>>>>>>> -- Add a named graph to the private (protected) graph group
>>>>>>>>
>>>>>>>> DB.DBA.RDF_GRAPH_GROUP_INS ('http://www.openlinksw.com/schemas/virtrdf#PrivateGraphs','{named-graph-iri}');
>>>>>>>>
>>>>>>>> -- To ensure user sql role account 'nobody' doesn't have access to private graphs execute:
>>>>>>>>
>>>>>>>> DB.DBA.RDF_DEFAULT_USER_PERMS_SET ('nobody', 0, 1);
>>>>>>>>
>>>>>>>> -- To ensure that services running under user/role account 'SPARQL' don't have access to private graphs (denoted using 1).
>>>>>>>>
>>>>>>>> DB.DBA.RDF_DEFAULT_USER_PERMS_SET ('SPARQL', 0, 1);
>>>>>>>>
>>>>>>>> Links:
>>>>>>>>
>>>>>>>> [1] http://docs.openlinksw.com/virtuoso/rdfgraphsecurity.html --
>>>>>>>> documentation section on graph level security.
>>>>>>
>>>>>> Hi Kingsley,
>>>>>>
>>>>>> try as I might I didn't succeed. I had already tried your proposed
>>>>>> solution, yet the graph is still showing and
>>>>>> RDF_GRAPH_SECURITY_AUDIT (0) returns the following:
>>>>>>
>>>>>> ...
>>>>>> ERROR NULL NULL 107 SPARQL The "SPARQL" user should be disabled. Applications should create separate accounts and grant SPARQL_SELECT etc., the account "SPARQL" is for system purposes only
>>>>>> ERROR #i8192http://.... 107 SPARQL The "SPARQL" user has got some specific permissions. That's strange and redundand, at best, it may also mislead somebody
>>>>>>
>>>>>> Just to be clear, the following query correctly returns no results:
>>>>>>
>>>>>> SELECT DISTINCT * WHERE {GRAPH<http://myprivategraph> {?s ?p ?o}} LIMIT 10
>>>>>>
>>>>>> The problem is when I want to see all the graphs like in my
>>>>>> example. Shouldn't the private graphs be hidden or do I
>>>>>> misunderstand the use of ACLs in this case?
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Nicola
>>>>>
>>>>> If the acl system is configured right, and performing properly,
>>>>> given the named graph identified by IRI
>>>>> <urn:some:private:named:graph>, all queries will exclude RDF
>>>>> statements from the private named graph.
>>>>>
>>>>> Under what identity are you performing the query that still
>>>>> includes private named graphs? I assume you aren't doing that as
>>>>> user "dba", right? I also assume that private named graph access
>>>>> has been disabled for user/role "SPARQL"?
>>>>
>>>> I disabled the access for 'SPARQL' this way:
>>>>
>>>> DB.DBA.RDF_GRAPH_GROUP_INS ('http://www.openlinksw.com/schemas/virtrdf#PrivateGraphs', 'http://my.private.graph')
>>>> DB.DBA.RDF_GRAPH_USER_PERMS_SET ('http://www.openlinksw.com/schemas/virtrdf#PrivateGraphs', 'SPARQL', 0)
>>>>
>>>> I am running the query with this command:
>>>>
>>>> curl --data-urlencode query="SELECT DISTINCT ?g WHERE {GRAPH ?g {?s ?p ?o}}" localhost:8890/sparql
>>>>
>>>> so I suppose the identity is actually SPARQL?
>>>
>>> Yes.
>>>
>>> And in this case you are seeing triples from the private named graph
>>> in your query solution?
>>>
>>> Kingsley
>>
>> With the mentioned query I can see the graph itself:
>>
>> <sparql xmlns="http://www.w3.org/2005/sparql-results#"
>>         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>         xsi:schemaLocation="http://www.w3.org/2001/sw/DataAccess/rf1/result2.xsd">
>>  <head>
>>   <variable name="g"/>
>>  </head>
>>  <results distinct="false" ordered="true">
>>   <result>
>>    <binding name="g"><uri>http://www.openlinksw.com/schemas/virtrdf#</uri></binding>
>>   </result>
>>   <result>
>>    <binding name="g"><uri>http://www.w3.org/ns/ldp#</uri></binding>
>>   </result>
>>   <result>
>>    <binding name="g"><uri>http://localhost:8890/sparql</uri></binding>
>>   </result>
>>   <result>
>>    <binding name="g"><uri>http://localhost:8890/DAV/</uri></binding>
>>   </result>
>>   <result>
>>    <binding name="g"><uri>http://www.w3.org/2002/07/owl#</uri></binding>
>>   </result>
>>   <result>
>>    <binding name="g"><uri>http://my.private.graph</uri></binding>
>>   </result>
>>  </results>
>> </sparql>
>>
>> I would expect it not to be shown. Am I correct?
>
> Do you see any triples from the private named graph? Let's start there.
>
As I said, with the following request I get no triples:

##################
curl --data-urlencode query="SELECT DISTINCT * WHERE {GRAPH <http://my.private.graph> {?s ?p ?o}} LIMIT 10" localhost:8890/sparql

<sparql xmlns="http://www.w3.org/2005/sparql-results#"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://www.w3.org/2001/sw/DataAccess/rf1/result2.xsd">
 <head>
  <variable name="s"/>
  <variable name="p"/>
  <variable name="o"/>
 </head>
 <results distinct="false" ordered="true">
 </results>
</sparql>
##################

So asking for triples in a private graph correctly yields no results. To
be even more sure, I removed again the graph from the
virtrdf:PrivateGraphs group using this:

DB.DBA.RDF_GRAPH_GROUP_DEL ('http://www.openlinksw.com/schemas/virtrdf#PrivateGraphs', 'http://my.private.graph')

and now the preceding query correctly yields 10 results.

What I also find strange is the output of this:

##################
SELECT id_to_iri(GU.RGU_GRAPH_IID), SU.U_NAME, GU.RGU_PERMISSIONS
FROM DB.DBA.RDF_GRAPH_USER AS GU
JOIN SYS_USERS AS SU ON GU.RGU_USER_ID = SU.U_ID

id_to_iri                    U_NAME            RGU_PERMISSIONS
LONG VARCHAR                 VARCHAR NOT NULL  INTEGER NOT NULL
____________________________________

iri_id_0_with_no_name_entry  dba               1023
http://www....               dba               1023
http://www....               nobody            0
iri_id_0_with_no_name_entry  nobody            7
http://www....               SPARQL            0
##################

where, besides nobody's permission set to 7 by myself with
"DB.DBA.RDF_DEFAULT_USER_PERMS_SET ('nobody', 7, 0)", the strange thing
is that the IRI in rows 2, 3 and 5 is not the IRI of the private graph
but the IRI of an apparently random subject appearing (not only) in the
private graph.

Maybe you can suggest other checks I can perform to try and understand
what is not working properly?

Thanks,

Nicola

_______________________________________________
Virtuoso-users mailing list
Virtuoso-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/virtuoso-users
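
An added example, not part of the thread and not OpenLink's code: a small Python check that separates the two cases discussed above, a private graph whose triples are readable versus one whose IRI only shows up in the graph listing. The function names and the sample responses are constructed for illustration; the two queries and the endpoint address are the ones used in the messages.

```python
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

NS = {"sr": "http://www.w3.org/2005/sparql-results#"}
LIST_GRAPHS = "SELECT DISTINCT ?g WHERE {GRAPH ?g {?s ?p ?o}}"
PROBE = "SELECT DISTINCT * WHERE {GRAPH <%s> {?s ?p ?o}} LIMIT 10"

def run_query(endpoint, query):
    """POST the query with no credentials, as the curl calls in the thread do."""
    body = urllib.parse.urlencode({"query": query}).encode()
    req = urllib.request.Request(endpoint, data=body, headers={
        "Accept": "application/sparql-results+xml"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def graph_names(xml_text):
    """IRIs bound to ?g in a SPARQL XML result document."""
    root = ET.fromstring(xml_text)
    return {u.text.strip()
            for u in root.iterfind(".//sr:binding[@name='g']/sr:uri", NS)
            if u.text}

def classify(graph, listing_xml, probe_xml):
    """'data-leak' if triples come back, 'name-leak' if only the IRI shows."""
    if ET.fromstring(probe_xml).findall(".//sr:result", NS):
        return "data-leak"
    return "name-leak" if graph in graph_names(listing_xml) else "hidden"

def audit(endpoint, private_graphs, fetch=run_query):
    """Run both checks for every graph that is supposed to be private."""
    listing = fetch(endpoint, LIST_GRAPHS)
    return {g: classify(g, listing, fetch(endpoint, PROBE % g))
            for g in private_graphs}

# Constructed sample responses, shaped like the two results in the thread.
_HEAD = '<sparql xmlns="http://www.w3.org/2005/sparql-results#">'
SAMPLE_LISTING = _HEAD + "<results>" + "".join(
    '<result><binding name="g"><uri>%s</uri></binding></result>' % g
    for g in ("http://www.w3.org/ns/ldp#", "http://my.private.graph")
) + "</results></sparql>"
SAMPLE_EMPTY = _HEAD + "<results></results></sparql>"

def sample_fetch(endpoint, query):
    """Offline stand-in for run_query that replays the constructed samples."""
    return SAMPLE_LISTING if query == LIST_GRAPHS else SAMPLE_EMPTY

if __name__ == "__main__":
    print(audit("http://localhost:8890/sparql",
                ["http://my.private.graph"], fetch=sample_fetch))
```

Dropping the `fetch=sample_fetch` argument runs the same two queries against a live endpoint as the unauthenticated user.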