Posted to users@jena.apache.org by Jonathan MERCIER <jo...@microbiome.studio> on 2023/01/17 15:20:38 UTC

How to get role-based access per graph or dataset with AD/LDAP

Dear community,

After some investigation of Apache Shiro, it seems that it is not 
possible (without writing some Java code) to perform an LDAP group/ 
role mapping.
So I would like to know if one of the following solutions could work:
1. Use a Keycloak server as IAM service and forward the role to Shiro/Jena 
(JWT or other)?
2. Develop and deploy an Apache Shiro server as IAM service (for all 
our applications), which implies communicating remotely with Jena to get 
a JWT with the corresponding role
3. other solutions?

Thanks a lot for your help; we are trying to do our best to get a full 
understanding of how to use Jena on our side.

Best regards


Re: How to get role-based access per graph or dataset with AD/LDAP

Posted by Andy Seaborne <an...@apache.org>.

On 18/01/2023 14:20, Jonathan MERCIER wrote:
>>> 3. other solutions?
>>
>> One option is to do the authn in a reverse proxy in front of Fuseki. Set 
>> it up so Fuseki will only receive traffic from the reverse proxy.
>>
>> There is more stuff out there for httpd or nginx.
>>
> To my understanding this would imply at least 2 mechanisms to 
> authenticate: one to get access to our ontological database, another one 
> for other services.

I don't think so. httpd or nginx would provide the security principal to 
Fuseki. Fuseki is trusting the reverse proxy, which is why you have to 
ensure that Fuseki only talks to the reverse proxy.  Usual API gateway 
setup.

----

There is yet another option, depending on the form of Fuseki you are using.

Fuseki ("fuseki-server.jar" in the download; jena-fuseki-fulljar in the 
build) is running Jetty.

You can provide the Jetty configuration using "--jetty-config=FILE" 
(which, inconsistently, is "--jetty=" in Fuseki main (no UI - currently)).

https://www.eclipse.org/jetty/documentation/jetty-10/operations-guide/index.html#og-jaas-configuration

It seems that Jetty can be configured to use LDAP if you add JAAS and then 
use the LdapLoginModule:

https://www.eclipse.org/jetty/documentation/jetty-10/operations-guide/index.html#og-jaas-loginmodules

https://www.eclipse.org/jetty/javadoc/jetty-10/org/eclipse/jetty/jaas/spi/LdapLoginModule.html

I haven't used this myself so this is only from some web searching.

I don't know if Fuseki as released includes the right Jetty code - it 
might need adding some Jetty jars to the classpath (the script has details).

----

If they work, or just look plausible, could you report back?

     Andy

Re: How to get role-based access per graph or dataset with AD/LDAP

Posted by Nicholas Car <ni...@kurrawong.net>.
Not sure it's at the level you are after but our Olis tool is an API that sits in front of any SPARQL endpoint, like Fuseki, and brokers access per Named Graph within a single Dataset/Repository based on users and roles. So User X might only be able to query Graphs Y & Z. If they query Graph A, they get a 403 Forbidden response from Olis and the query is not sent to Fuseki.

The users & roles and their mapping to graphs are all stored in RDF in an admin graph and cached by the API. You can generate the users & roles from external sources like LDAP etc.

Nick


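The brokering pattern Nick describes (decide per named graph before the query ever reaches Fuseki) combined with the minimal LDAP-group-to-role form Jonathan sketches, as an added example that is not Olis's code nor anything shipped with Jena. It is a self-contained Python decision function: the group names, graph IRIs and the allow-list layout are constructed placeholders, and the regex is a deliberately conservative stand-in for a real SPARQL parser.

```python
import re
from typing import Iterable

# Constructed LDAP-group -> role mapping, following the "minimalist form" proposed
# in the thread (the group names are the thread's placeholders, not real entries).
GROUP_TO_ROLE = {
    "jena_admin_group": "admin",
    "jena_editor_group": "editor",
    "jena_reader_group": "reader",
}

# Constructed per-role named-graph allow-list for one dataset ("*" = every graph).
# The layout is an assumption for this example, not Olis's admin-graph schema.
GRAPH_ACL = {
    "admin": {"*"},
    "editor": {"http://example.org/graph/Y", "http://example.org/graph/Z"},
    "reader": {"http://example.org/graph/Y"},
}

# Every token that follows a graph-selecting keyword. This deliberately over-matches
# (e.g. keywords inside string literals): a spurious match can only add a check,
# never remove one, so the broker fails closed rather than open.
_GRAPH_REF = re.compile(r"\b(?:FROM\s+NAMED|FROM|GRAPH)\s*(<[^>\s]*>|\S+)", re.IGNORECASE)


def roles_for(groups: Iterable[str]) -> set[str]:
    return {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}


def graph_references(query: str) -> list[str]:
    """Raw graph references in the query: '<iri>', '?var' or a prefixed name like 'ex:A'."""
    return _GRAPH_REF.findall(query)


def authorize(groups: Iterable[str], query: str) -> tuple[int, str]:
    """Decide whether a SPARQL query from a user in the given LDAP groups may be forwarded.

    Returns an HTTP-style status and a reason. Only full IRIs in angle brackets are
    resolved; graph variables and prefixed names are refused for non-admins because the
    regex cannot safely expand them. SPARQL Update keywords (WITH, USING, INTO) are not
    handled here, so updates must go through a separate check."""
    allowed = set().union(*(GRAPH_ACL[r] for r in roles_for(groups)))
    if not allowed:
        return 401, "no recognised role"
    if "*" in allowed:
        return 200, "admin: all graphs"
    refs = graph_references(query)
    if not refs:
        return 403, "query names no graph; default-graph access is denied"
    denied = sorted(r for r in refs if not (r[0] == "<" and r[-1] == ">" and r[1:-1] in allowed))
    if denied:
        return 403, "forbidden graph references: " + ", ".join(denied)
    return 200, "ok"
```

A real deployment would parse the query with ARQ instead of a regex, and Fuseki would still need to be reachable only from the broker, as Andy notes for the reverse-proxy setup.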

Re: How to get role-based access per graph or dataset with AD/LDAP

Posted by Jonathan MERCIER <jo...@microbiome.studio>.
Thanks a lot Andy, all your time is really appreciated, and I hope 
that this work could help other organizations on this topic.

> If anyone has suggestions for a more out-of-the-box, open source, 
> solution, please do say so.
Regarding how GraphDB does this part: it is per repository (i.e. for Jena, 
per dataset) and there are web forms:
- with many inputs to make the correspondence between AD/LDAP groups and 
roles.
As an example, a minimalist form which does:
role admin: jena_admin_group
role editor: jena_editor_group
role reader: jena_reader_group

would be a good start.
A more sophisticated version would be an interface (web view) to 
make custom roles and to retrieve them on this form from a list.

> 
>> So I would like to know if one of the following solutions could work:
>> 1. Use a Keycloak server as IAM service and forward the role to 
>> Shiro/Jena (JWT or other)?
> 
> That's an option.
Yes indeed, I asked the question to the Shiro community, but it seems I 
have to write some Java code in order to be able to use the bearer 
token provided by Keycloak.
So maybe a web view which allows doing this without writing code would be 
great.
At this point it is not clear to me whether I have to get the Fuseki source 
code and modify a part of the authentication.
>> 3. other solutions?
> 
> One option is to do the authn in a reverse proxy in front of Fuseki. Set 
> it up so Fuseki will only receive traffic from the reverse proxy.
> 
> There is more stuff out there for httpd or nginx.
> 
To my understanding this would imply at least 2 mechanisms to 
authenticate: one to get access to our ontological database, another one 
for other services.

> 
> It is quicker to ask questions than answer them.

Yes, I agree with that and I am really happy to see your answer.
Thanks a lot for your time and all the work done in Jena.




Re: How to get role-based access per graph or dataset with AD/LDAP

Posted by Andy Seaborne <an...@apache.org>.

On 17/01/2023 15:20, Jonathan MERCIER wrote:
> Dear community,

It would be good to hear from others as to what they do for authentication.

> After some investigation of Apache Shiro, it seems that it is not 
> possible (without writing some Java code) to perform an LDAP group/ 
> role mapping.

Indeed - Shiro is a framework and needs customization for authentication. 
My (limited) experience is that every deployment has to adapt somehow to 
the local authentication services. The communication protocols may be 
sort of standard; the details (e.g. schemas for users) are not.

If anyone has suggestions for a more out-of-the-box, open source, 
solution, please do say so.

> So I would like to know if one of the following solutions could work:
> 1. Use a Keycloak server as IAM service and forward the role to Shiro/Jena 
> (JWT or other)?

That's an option.

> 2. Develop and deploy an Apache Shiro server as IAM service (for all our 
> applications), which implies communicating remotely with Jena to get a JWT 
> with the corresponding role

There's an AuthBearerFilter but it is for Fuseki/main. £job uses it as the 
basis for AWS/Cognito token handling (e.g. the AWS specific headers).

> 3. other solutions?

One option is to do the authn in a reverse proxy in front of Fuseki. Set it 
up so Fuseki will only receive traffic from the reverse proxy.

There is more stuff out there for httpd or nginx.

> 
> Thanks a lot for your help; we are trying to do our best to get a full 
> understanding of how to use Jena on our side.

Thanks for saying that.

It is quicker to ask questions than answer them.

> 
> Best regards
> 
> 

	Andy