You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@jena.apache.org by Andy Seaborne <an...@apache.org> on 2022/11/02 10:55:49 UTC
Re: shiro.ini configuration to disallow PUT to dataset?
Hi Ryan,
Are you using the "fuseki:service*" style for defining the operations?
The newer
fuseki:endpoint [
# SPARQL Graph Store Protcol (read and write)
fuseki:operation fuseki:gsp_rw ;
fuseki:name "data"
] ;
style allows more precise definition of endpoints.
https://jena.apache.org/documentation/fuseki2/fuseki-configuration.html
:serviceReadWriteGraphStore implicitly adds PUT to the dataset (quads
mode) and "/**=anon" applies.
If you use "fuseki:operation fuseki:gsp_rw" there isn't this side effect.
You can go further with fuseki:allowedUsers on individual
endpoint/operation. shiro.ini does not support that but you'll need
shiro to do user login.
A server without UI and without admin (currently :-) can Fuseki/main can
use the Jetty security handling - no shiro.ini - but that's a completely
separate setup.
Andy
On 31/10/2022 22:36, Shaw, Ryan wrote:
> I am trying to configure fuseki-server so that
>
> * an admin logging in via basic auth can create and update datasets
> * anonymous users can only query datasets
>
>
> My shiro.ini:
>
> [main]
> ssl.enabled = false
> plainMatcher = org.apache.shiro.authc.credential.SimpleCredentialsMatcher
> iniRealm.credentialsMatcher = $plainMatcher
>
> [users]
> admin=${ADMIN_PASSWORD}
>
> [roles]
>
> [urls]
> # admin functions open to anyone
> /$/ping = anon
> /$/server = anon
> /$/stats = anon
> /$/stats/* = anon
>
> # and the rest of the admin functions are restricted
> /$/** = authcBasic,user[admin]
>
> # dataset loads and updates are restricted
> /*/data/** = authcBasic,user[admin]
> /*/update/** = authcBasic,user[admin]
>
> # everything else is open to anyone
> /**=anon
>
>
> With this shiro.ini configuration, anonymous users can still PUT to a dataset URL to update it. I want to disallow that. How ?
>
Re: shiro.ini configuration to disallow PUT to dataset?
Posted by "Shaw, Ryan" <ry...@unc.edu>.
> You can also change the template file used when creating the dataset. It is in run/templates/config-tdb2 etc. so you can change it on a per server basis.
OK, great — this is the piece I was missing. Thanks!
Re: shiro.ini configuration to disallow PUT to dataset?
Posted by Andy Seaborne <an...@apache.org>.
On 02/11/2022 16:29, Shaw, Ryan wrote:
> I am using the newer fuseki:endpoint style.
>
> The issue is that when a new dataset is created via the Fuseki UI, the default endpoints that are created include the following two:
>
> fuseki:endpoint [ fuseki:operation fuseki:update ] ;
>
> fuseki:endpoint [ fuseki:operation fuseki:gsp-rw ] ;
So that is the one that matching "/**=anon"
> /*/data/**
Did you want it on that endpoint?
[ fuseki:operation fuseki:gsp-rw ;
fuseki:name "data"
] ;
It will go to the same dataset.
GSP/quads is hard to distinguished because it's signature is the
content-type.
>
> If I understand correcting the former enables SPARQL UPDATE queries and the latter enables PUTting a new graph.
Yes - but they don't have to be operations directly on the dataset. They
can be named services of the dataset which tnen match in shio rules :
/*/data.
>
> These endpoints make it difficult to use shiro.ini to restrict updates, since they use the path of the dataset itself rather than a subpath like /data or /update.
You don't have to do it that way.
>
> I can go in and remove these endpoints by editing the configuration file for the dataset, and that’s what I’ve done to address this issue. But it’s less than ideal, since I can’t just use the UI to create a dataset — I also have to deploy a modified config file, which can be a little fiddly when you’re running Fuseki in a cloud container.
Agreed.
You can also change the template file used when creating the dataset. It
is in run/templates/config-tdb2 etc. so you can change it on a per
server basis.
zip up the modified run with the binary and distribute that.
>
> Since I am using this Fuseki instance in a class to teach students SPARQL, it would be nice to be able to create a dataset in the UI that students can query, without worrying about them deleting or modifying the dataset, and without having a separate sysadmin step of pushing a new config file every time I create a dataset.
>
>> On Nov 2, 2022, at 6:55 AM, Andy Seaborne <an...@apache.org> wrote:
>>
>> Hi Ryan,
>>
>> Are you using the "fuseki:service*" style for defining the operations?
>>
>> The newer
>>
>> fuseki:endpoint [
>> # SPARQL Graph Store Protcol (read and write)
>> fuseki:operation fuseki:gsp_rw ;
>> fuseki:name "data"
>> ] ;
>>
>> style allows more precise definition of endpoints.
>>
>> https://jena.apache.org/documentation/fuseki2/fuseki-configuration.html
>>
>> :serviceReadWriteGraphStore implicitly adds PUT to the dataset (quads mode) and "/**=anon" applies.
>>
>> If you use "fuseki:operation fuseki:gsp_rw" there isn't this side effect.
>>
>> You can go further with fuseki:allowedUsers on individual endpoint/operation. shiro.ini does not support that but you'll need shiro to do user login.
>>
>> A server without UI and without admin (currently :-) can Fuseki/main can use the Jetty security handling - no shiro.ini - but that's a completely separate setup.
>>
>> Andy
>>
>> On 31/10/2022 22:36, Shaw, Ryan wrote:
>>> I am trying to configure fuseki-server so that
>>> * an admin logging in via basic auth can create and update datasets
>>> * anonymous users can only query datasets
>>> My shiro.ini:
>>> [main]
>>> ssl.enabled = false
>>> plainMatcher = org.apache.shiro.authc.credential.SimpleCredentialsMatcher
>>> iniRealm.credentialsMatcher = $plainMatcher
>>> [users]
>>> admin=${ADMIN_PASSWORD}
>>> [roles]
>>> [urls]
>>> # admin functions open to anyone
>>> /$/ping = anon
>>> /$/server = anon
>>> /$/stats = anon
>>> /$/stats/* = anon
>>> # and the rest of the admin functions are restricted
>>> /$/** = authcBasic,user[admin]
>>> # dataset loads and updates are restricted
>>> /*/data/** = authcBasic,user[admin]
>>> /*/update/** = authcBasic,user[admin]
>>> # everything else is open to anyone
>>> /**=anon
>>> With this shiro.ini configuration, anonymous users can still PUT to a dataset URL to update it. I want to disallow that. How ?
>
Re: shiro.ini configuration to disallow PUT to dataset?
Posted by "Shaw, Ryan" <ry...@unc.edu>.
I am using the newer fuseki:endpoint style.
The issue is that when a new dataset is created via the Fuseki UI, the default endpoints that are created include the following two:
fuseki:endpoint [ fuseki:operation fuseki:update ] ;
fuseki:endpoint [ fuseki:operation fuseki:gsp-rw ] ;
If I understand correcting the former enables SPARQL UPDATE queries and the latter enables PUTting a new graph.
These endpoints make it difficult to use shiro.ini to restrict updates, since they use the path of the dataset itself rather than a subpath like /data or /update.
I can go in and remove these endpoints by editing the configuration file for the dataset, and that’s what I’ve done to address this issue. But it’s less than ideal, since I can’t just use the UI to create a dataset — I also have to deploy a modified config file, which can be a little fiddly when you’re running Fuseki in a cloud container.
Since I am using this Fuseki instance in a class to teach students SPARQL, it would be nice to be able to create a dataset in the UI that students can query, without worrying about them deleting or modifying the dataset, and without having a separate sysadmin step of pushing a new config file every time I create a dataset.
> On Nov 2, 2022, at 6:55 AM, Andy Seaborne <an...@apache.org> wrote:
>
> Hi Ryan,
>
> Are you using the "fuseki:service*" style for defining the operations?
>
> The newer
>
> fuseki:endpoint [
> # SPARQL Graph Store Protcol (read and write)
> fuseki:operation fuseki:gsp_rw ;
> fuseki:name "data"
> ] ;
>
> style allows more precise definition of endpoints.
>
> https://jena.apache.org/documentation/fuseki2/fuseki-configuration.html
>
> :serviceReadWriteGraphStore implicitly adds PUT to the dataset (quads mode) and "/**=anon" applies.
>
> If you use "fuseki:operation fuseki:gsp_rw" there isn't this side effect.
>
> You can go further with fuseki:allowedUsers on individual endpoint/operation. shiro.ini does not support that but you'll need shiro to do user login.
>
> A server without UI and without admin (currently :-) can Fuseki/main can use the Jetty security handling - no shiro.ini - but that's a completely separate setup.
>
> Andy
>
> On 31/10/2022 22:36, Shaw, Ryan wrote:
>> I am trying to configure fuseki-server so that
>> * an admin logging in via basic auth can create and update datasets
>> * anonymous users can only query datasets
>> My shiro.ini:
>> [main]
>> ssl.enabled = false
>> plainMatcher = org.apache.shiro.authc.credential.SimpleCredentialsMatcher
>> iniRealm.credentialsMatcher = $plainMatcher
>> [users]
>> admin=${ADMIN_PASSWORD}
>> [roles]
>> [urls]
>> # admin functions open to anyone
>> /$/ping = anon
>> /$/server = anon
>> /$/stats = anon
>> /$/stats/* = anon
>> # and the rest of the admin functions are restricted
>> /$/** = authcBasic,user[admin]
>> # dataset loads and updates are restricted
>> /*/data/** = authcBasic,user[admin]
>> /*/update/** = authcBasic,user[admin]
>> # everything else is open to anyone
>> /**=anon
>> With this shiro.ini configuration, anonymous users can still PUT to a dataset URL to update it. I want to disallow that. How ?