Posted to users@jena.apache.org by Jonathan MERCIER <jo...@microbiome.studio> on 2023/01/17 15:20:38 UTC
How to get role-based access per graph or dataset with AD/LDAP
Dear community,
After some investigation of Apache Shiro, it seems that it is not
possible (without writing some Java code) to perform an LDAP group/
role mapping.
So I would like to know if one of the solutions below could work:
1. Use a Keycloak server as IAM service and forward roles to Shiro/Jena
(JWT or other)?
2. Develop and deploy an Apache Shiro server as IAM service (for all
our applications), which implies communicating remotely with Jena to get
a JWT with the corresponding role
3. Other solutions?
Thanks a lot for your help; we are trying to do our best to get a full
understanding of how to use Jena on our side.
Best regards
Re: How to get role-based access per graph or dataset with AD/LDAP
Posted by Andy Seaborne <an...@apache.org>.
On 18/01/2023 14:20, Jonathan MERCIER wrote:
>>> 3. others solution ?
>>
>> One option is to do the authn in a reverse proxy in front of Fuseki. Set
>> it up so Fuseki will only receive traffic from the reverse proxy.
>>
>> There is more stuff out there for httpd or nginx.
>>
> To my understanding this would imply at least 2 mechanisms to
> authenticate: one to get access to our ontological database, another one
> for other services.
I don't think so. httpd or nginx would provide the security principal to
Fuseki. Fuseki is trusting the reverse proxy, which is why you have to
ensure that Fuseki only talks to the reverse proxy. Usual API gateway
setup.
----
There is yet another option, depending on the form of Fuseki you are using.
Fuseki ("fuseki-server.jar" in the download; jena-fuseki-fulljar in the
build) is running Jetty.
You can provide the Jetty configuration using "--jetty-config=FILE"
(which inconsistently is "--jetty=" in Fuseki main (no UI - currently))
https://www.eclipse.org/jetty/documentation/jetty-10/operations-guide/index.html#og-jaas-configuration
It seems that Jetty can be configured to use LDAP if you add JAAS and then
use the LdapLoginModule:
https://www.eclipse.org/jetty/documentation/jetty-10/operations-guide/index.html#og-jaas-loginmodules
https://www.eclipse.org/jetty/javadoc/jetty-10/org/eclipse/jetty/jaas/spi/LdapLoginModule.html
I haven't used this myself so this is only from some web searching.
I don't know if Fuseki as released includes the right Jetty code - it
might need some Jetty jars added to the classpath (the script has details).
----
If that works, or just looks plausible, could you report back?
Andy
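
Added example of the reverse-proxy setup described above (not code from
this thread or from the Jena project). It assumes nginx with HTTP Basic
auth against an htpasswd file as a stand-in for whatever authenticates
against AD/LDAP (auth_request to an IdP such as Keycloak slots into the
same place), Fuseki started with --localhost so it listens only on
127.0.0.1:3030, and a Fuseki side that takes its principal from the
X-Remote-User header; the hostname and file paths are placeholders.

```nginx
# Added example, not from the thread: nginx authenticates, Fuseki trusts nginx.
# Assumed placeholders: hostname fuseki.example.org, TLS files under
# /etc/nginx/tls/, users in /etc/nginx/fuseki.htpasswd, Fuseki started with
# --localhost so that it only listens on 127.0.0.1:3030.

server {
    listen 443 ssl;
    server_name fuseki.example.org;

    ssl_certificate     /etc/nginx/tls/fuseki.crt;
    ssl_certificate_key /etc/nginx/tls/fuseki.key;

    location / {
        # Authentication happens here. Basic auth against a file is the
        # simplest stand-in; auth_request against an IdP (Keycloak etc.)
        # goes in the same place. On success nginx sets $remote_user.
        auth_basic           "Fuseki";
        auth_basic_user_file /etc/nginx/fuseki.htpasswd;

        # Overwrite, never append: a client-supplied X-Remote-User must not
        # reach Fuseki, because Fuseki will trust whatever the proxy sends.
        proxy_set_header X-Remote-User $remote_user;
        proxy_set_header Host          $host;

        # An empty value drops the header, so the proxy-level credentials
        # are not forwarded downstream.
        proxy_set_header Authorization "";

        # Only reachable on the loopback interface: "Fuseki only talks to
        # the reverse proxy" is enforced by where Fuseki listens, not by
        # anything a client can influence.
        proxy_pass http://127.0.0.1:3030;
    }
}
```

The two lines that carry the security argument are the proxy_set_header
X-Remote-User, which replaces any value a client sent (leaving it
untouched would let anyone claim any identity, since Fuseki trusts the
proxy), and the loopback proxy_pass target, which only means something if
Fuseki really is bound to 127.0.0.1; a host firewall rule to the same
effect is the belt-and-braces option.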
Re: How to get role-based access per graph or dataset with AD/LDAP
Posted by Nicholas Car <ni...@kurrawong.net>.
Not sure it's at the level you are after, but our Olis tool is an API that sits in front of any SPARQL endpoint, like Fuseki, and brokers access per Named Graph within a single Dataset/Repository based on users and roles. So User X might only be able to query Graphs Y & Z. If they query Graph A, they get a 403 Forbidden response from Olis and the query is not sent to Fuseki.
The users & roles and their mapping to graphs are all stored in RDF in an admin graph and cached by the API. You can generate the users & roles from external sources like LDAP etc.
Nick
------- Original Message -------
On Thursday, January 19th, 2023 at 00:20, Jonathan MERCIER <jo...@microbiome.studio> wrote:
> Thanks a lot Andy, all your time is really appreciated, and I hope
> that this work could help other organizations on this topic
>
> > If anyone has suggestions for a more out-of-the-box, open source,
> > solution, please do say so.
>
> Regarding how GraphDB does this part: it is per repository (aka for Jena
> per dataset), and there is a web form:
> - with many inputs to make the correspondence between AD/LDAP groups and
> roles.
> As an example, a minimalist form which does:
> role admin: jena_admin_group
> role editor: jena_editor_group
> role reader: jena_reader_group
>
> would be a good start.
> A more sophisticated version would be to have an interface (web view) to
> make custom roles and to retrieve them in this form from a list.
>
> > > So I would like to know if one of the solutions below could work:
> > > 1. Use a Keycloak server as IAM service and forward roles to
> > > Shiro/Jena (JWT or other)?
> >
> > That's an option.
>
> Yes, indeed I asked the question to the Shiro community, but it seems I
> have to write some Java code in order to be able to use the bearer
> token provided by Keycloak.
> So maybe a web view which allows doing this without writing code would be
> great.
> At this point it is not clear to me whether I have to get the Fuseki source
> code and modify a part of the authentication.
>
> > > 3. others solution ?
> >
> > One option is to do the authn in a reverse proxy in front of Fuseki. Set
> > it up so Fuseki will only receive traffic from the reverse proxy.
> >
> > There is more stuff out there for httpd or nginx.
>
> To my understanding this would imply at least 2 mechanisms to
> authenticate: one to get access to our ontological database, another one
> for other services.
>
> > It is quicker to ask questions than answer them.
>
>
> Yes, I agree with that, and I am really happy to see your answer.
> Thanks a lot for your time and all the work done on Jena
>
Re: How to get role-based access per graph or dataset with AD/LDAP
Posted by Jonathan MERCIER <jo...@microbiome.studio>.
Thanks a lot Andy, all your time is really appreciated, and I hope
that this work could help other organizations on this topic
> If anyone has suggestions for a more out-of-the-box, open source,
> solution, please do say so.
Regarding how GraphDB does this part: it is per repository (aka for Jena
per dataset), and there is a web form:
- with many inputs to make the correspondence between AD/LDAP groups and
roles.
As an example, a minimalist form which does:
role admin: jena_admin_group
role editor: jena_editor_group
role reader: jena_reader_group
would be a good start.
A more sophisticated version would be to have an interface (web view) to
make custom roles and to retrieve them in this form from a list.
>
>> So I would like to know if one of the solutions below could work:
>> 1. Use a Keycloak server as IAM service and forward roles to
>> Shiro/Jena (JWT or other)?
>
> That's an option.
Yes, indeed I asked the question to the Shiro community, but it seems I
have to write some Java code in order to be able to use the bearer
token provided by Keycloak.
So maybe a web view which allows doing this without writing code would be
great.
At this point it is not clear to me whether I have to get the Fuseki source
code and modify a part of the authentication.
>> 3. others solution ?
>
> One option is to do the authn in a reverse proxy in front of Fuseki. Set
> it up so Fuseki will only receive traffic from the reverse proxy.
>
> There is more stuff out there for httpd or nginx.
>
To my understanding this would imply at least 2 mechanisms to
authenticate: one to get access to our ontological database, another one
for other services.
>
> It is quicker to ask questions than answer them.
Yes, I agree with that, and I am really happy to see your answer.
Thanks a lot for your time and all the work done on Jena
Re: How to get role-based access per graph or dataset with AD/LDAP
Posted by Andy Seaborne <an...@apache.org>.
On 17/01/2023 15:20, Jonathan MERCIER wrote:
> Dear community,
It would be good to hear from others as to what they do for authentication.
> After some investigation of Apache Shiro, it seems that it is not
> possible (without writing some Java code) to perform an LDAP group/
> role mapping.
Indeed - Shiro is a framework and needs customization for authentication.
My (limited) experience is that every deployment has to adapt somehow to
the local authentication services. The communication protocols may be
sort of standard; the details (e.g. schemas for users) are not.
If anyone has suggestions for a more out-of-the-box, open source,
solution, please do say so.
> So I would like to know if one of the solutions below could work:
> 1. Use a Keycloak server as IAM service and forward roles to Shiro/Jena
> (JWT or other)?
That's an option.
> 2. Develop and deploy an Apache Shiro server as IAM service (for all our
> applications), which implies communicating remotely with Jena to get a JWT
> with the corresponding role
There's an AuthBearerFilter but it is for Fuseki/main. £job uses it as the
basis for AWS/Cognito token handling (e.g. the AWS-specific headers).
> 3. Other solutions?
One option is to do the authn in a reverse proxy in front of Fuseki. Set it
up so Fuseki will only receive traffic from the reverse proxy.
There is more stuff out there for httpd or nginx.
>
> Thanks a lot for your help; we are trying to do our best to get a full
> understanding of how to use Jena on our side.
Thanks for saying that.
It is quicker to ask questions than answer them.
>
> Best regards
>
>
Andy