Posted to commits@jena.apache.org by bu...@apache.org on 2018/11/17 10:05:06 UTC

svn commit: r1036989 - in /websites/staging/jena/trunk/content: ./ documentation/fuseki2/data-access-control.html

Author: buildbot
Date: Sat Nov 17 10:05:06 2018
New Revision: 1036989

Log:
Staging update by buildbot for jena

Added:
    websites/staging/jena/trunk/content/documentation/fuseki2/data-access-control.html
Modified:
    websites/staging/jena/trunk/content/   (props changed)

Propchange: websites/staging/jena/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Sat Nov 17 10:05:06 2018
@@ -1 +1 @@
-1846607
+1846791

Added: websites/staging/jena/trunk/content/documentation/fuseki2/data-access-control.html
==============================================================================
--- websites/staging/jena/trunk/content/documentation/fuseki2/data-access-control.html (added)
+++ websites/staging/jena/trunk/content/documentation/fuseki2/data-access-control.html Sat Nov 17 10:05:06 2018
@@ -0,0 +1,519 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<!--
+
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements.  See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE- 2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+
+  <title>Apache Jena - </title>
+  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+
+  <link href="/css/bootstrap.min.css" rel="stylesheet" media="screen">
+  <link href="/css/bootstrap-extension.css" rel="stylesheet" type="text/css">
+  <link href="/css/jena.css" rel="stylesheet" type="text/css">
+  <link rel="shortcut icon" href="/images/favicon.ico" />
+  
+  <script
+        src="https://code.jquery.com/jquery-2.2.4.min.js"
+        integrity="sha256-BbhdlvQf/xTY9gja0Dq3HiwQF8LaCRTXxZKRutelT44="
+        crossorigin="anonymous"></script>
+  <script src="/js/jena-navigation.js" type="text/javascript"></script>
+  <script src="/js/bootstrap.min.js" type="text/javascript"></script>
+  <script src="/js/breadcrumbs.js" type="text/javascript"></script>
+
+  <script src="/js/improve.js" type="text/javascript"></script>
+
+  
+  <!-- Uncomment to enable code coloring <link href="/css/codehilite.css" rel="stylesheet" type="text/css"> -->
+
+</head>
+
+<body>
+
+
+
+<nav class="navbar navbar-default" role="navigation">
+<div class="container">
+  <div class="navbar-header">
+  
+    <button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-ex1-collapse">
+      <span class="icon-bar"></span>
+      <span class="icon-bar"></span>
+      <span class="icon-bar"></span>
+    </button>
+    <a class="navbar-brand" href="/index.html">
+    <img class="logo-menu" src="/images/jena-logo/jena-logo-notext-small.png" alt="jena logo">Apache Jena</a>
+  </div>
+ 
+  <div class="collapse navbar-collapse navbar-ex1-collapse">
+    <ul class="nav navbar-nav">
+              <li id="homepage"><a href="/index.html"><span class="glyphicon glyphicon-home"></span> Home</a></li>
+              <li id="download"><a href="/download/index.cgi"><span class="glyphicon glyphicon-download-alt"></span> Download</a></li>
+              <li class="dropdown">
+                <a href="#" class="dropdown-toggle" data-toggle="dropdown"><span class="glyphicon glyphicon-book"></span> Learn <b class="caret"></b></a>
+                <ul class="dropdown-menu">
+                  <li class="dropdown-header">Tutorials</li>
+                  <li><a href="/tutorials/index.html">Overview</a></li>
+                  <li><a href="/tutorials/rdf_api.html">RDF core API tutorial</a></li>
+                  <li><a href="/tutorials/sparql.html">SPARQL tutorial</a></li>
+                  <li><a href="/documentation/query/manipulating_sparql_using_arq.html">Manipulating SPARQL using ARQ</a></li>
+                  <li><a href="/tutorials/using_jena_with_eclipse.html">Using Jena with Eclipse</a></li>
+                  <li><a href="/documentation/notes/index.html">How-To's</a></li>
+                  <li class="divider"></li>
+                  <li class="dropdown-header">References</li>
+                  <li><a href="/documentation/index.html">Overview</a></li>
+                  <li><a href="/documentation/javadoc/">Javadoc</a></li>
+                  <li><a href="/documentation/rdf/index.html">RDF API</a></li>
+                  <li><a href="/documentation/io/">RDF I/O</a></li>
+                  <li><a href="/documentation/query/index.html">ARQ (SPARQL)</a></li>
+                  <li><a href="/documentation/rdfconnection/">RDF Connection - SPARQL API</a></li>
+                  <li><a href="/documentation/hadoop/index.html">Elephas - tools for RDF on Hadoop</a></li>
+                  <li><a href="/documentation/query/text-query.html">Text Search</a></li>
+                  <li><a href="/documentation/tdb/index.html">TDB</a></li>
+                  <li><a href="/documentation/sdb/index.html">SDB</a></li>
+                  <li><a href="/documentation/jdbc/index.html">SPARQL over JDBC</a></li>
+                  <li><a href="/documentation/fuseki2/index.html">Fuseki</a></li>
+                  <li><a href="/documentation/permissions/index.html">Permissions</a></li>
+                  <li><a href="/documentation/assembler/index.html">Assembler</a></li>
+                  <li><a href="/documentation/ontology/">Ontology API</a></li>
+                  <li><a href="/documentation/inference/index.html">Inference API</a></li>
+                  <li><a href="/documentation/tools/index.html">Command-line tools</a></li>
+                  <li><a href="/documentation/extras/index.html">Extras</a></li>
+                </ul>
+              </li>
+
+              <li class="drop down">
+                <a href="#" class="dropdown-toggle" data-toggle="dropdown"><span class="glyphicon glyphicon-book"></span> Javadoc <b class="caret"></b></a>
+                <ul class="dropdown-menu">
+                  <li><a href="/documentation/javadoc/jena/">Jena Core</a></li>
+                  <li><a href="/documentation/javadoc/arq/">ARQ</a></li>
+                  <li><a href="/documentation/javadoc/tdb/">TDB</a></li>
+                  <li><a href="/documentation/javadoc/fuseki2/">Fuseki</a></li>
+                  <li><a href="/documentation/javadoc/elephas/">Elephas</a></li>
+                  <li><a href="/documentation/javadoc/text/">Text Search</a></li>
+                  <li><a href="/documentation/javadoc/spatial/">Spatial Search</a></li>
+                  <li><a href="/documentation/javadoc/permissions/">Permissions</a></li>
+                  <li><a href="/documentation/javadoc/jdbc/">JDBC</a></li>
+                  <li><a href="/documentation/javadoc/">All Javadoc</a></li>
+                </ul>
+              </li>
+
+              <li id="ask"><a href="/help_and_support/index.html"><span class="glyphicon glyphicon-question-sign"></span> Ask</a></li>
+              
+              <li class="dropdown">
+                <a href="#" class="dropdown-toggle" data-toggle="dropdown"><span class="glyphicon glyphicon-bullhorn"></span> Get involved <b class="caret"></b></a>
+                <ul class="dropdown-menu">
+                  <li><a href="/getting_involved/index.html">Contribute</a></li>
+                  <li><a href="/help_and_support/bugs_and_suggestions.html">Report a bug</a></li>
+                  <li class="divider"></li>
+                  <li class="dropdown-header">Project</li>
+                  <li><a href="/about_jena/about.html">About Jena</a></li>
+                  <li><a href="/about_jena/roadmap.html">Roadmap</a></li>
+                  <li><a href="/about_jena/architecture.html">Architecture</a></li>
+                  <li><a href="/about_jena/team.html">Project team</a></li>
+                  <li><a href="/about_jena/contributions.html">Related projects</a></li>
+                  <li class="divider"></li>
+                  <li class="dropdown-header">ASF</li>
+                  <li><a href="http://www.apache.org/">Apache Software Foundation</a></li>
+                  <li><a href="http://www.apache.org/licenses/LICENSE-2.0">License</a></li>
+                  <li><a href="http://www.apache.org/foundation/thanks.html">Thanks</a></li>
+                  <li><a href="http://www.apache.org/foundation/sponsorship.html">Become a Sponsor</a></li>
+                  <li><a href="http://www.apache.org/security/">Security</a></li>
+                </ul>
+              </li>
+
+              <li id="edit"><a href="javascript:improveThisPage(location.href);" title="Improve this Page (Use username anonymous and empty password)"><span class="glyphicon glyphicon-pencil"></span> Improve this Page</a></li>   
+    </ul>
+  </div>
+</div>
+</nav>
+
+
+<div class="container">
+    <div class="row">
+    <div class="col-md-12">
+    <div id="breadcrumbs"></div>
+    <h1 class="title"></h1>
+  <style type="text/css">
+/* The following code is added by mdx_elementid.py
+   It was originally lifted from http://subversion.apache.org/style/site.css */
+/*
+ * Hide class="elementid-permalink", except when an enclosing heading
+ * has the :hover property.
+ */
+.headerlink, .elementid-permalink {
+  visibility: hidden;
+}
+h2:hover > .headerlink, h3:hover > .headerlink, h1:hover > .headerlink, h6:hover > .headerlink, h4:hover > .headerlink, h5:hover > .headerlink, dt:hover > .elementid-permalink { visibility: visible }</style>
+<h2 id="data-access-control">Data Access Control.<a class="headerlink" href="#data-access-control" title="Permanent link">&para;</a></h2>
+<p>Fuseki can provide access control at the level of the server, on datasets,
+on endpoints and also at the graph level within a dataset. It also
+provides native https to protect data in-flight.</p>
+<p><a href="http://jena.apache.org/documentation/fuseki2/fuseki-main.html">Fuseki Main</a>
+provides some common patterns of authentication.</p>
+<p>Fuseki Full (Fuseki with the UI) can be used when
+<a href="http://jena.apache.org/documentation/fuseki2/fuseki-run.html#fuseki-web-application">run in a web application server such as Tomcat</a>
+to provide authentication of the user.</p>
+<p>Graph level Data Access Control provides control over the visibility of
+graphs within a dataset, and including the union graph of a dataset and
+the default graph. Currently, Graph level access control only applies to
+read-only datasets.</p>
+<p>See "<a href="fuseki-security">Fuseki Security</a>" for configuring security over
+the whole of the Fuseki UI.</p>
+<h2 id="contents">Contents<a class="headerlink" href="#contents" title="Permanent link">&para;</a></h2>
+<ul>
+<li><a href="#https">HTTPS</a></li>
+<li><a href="#authentication">Authentication</a></li>
+<li><a href="#acl">Access control lists</a></li>
+<li><a href="#graph-acl">Graph level access control</a></li>
+<li><a href="#jetty-configuration">Configuring Jetty directly</a></li>
+<li><a href="#embedded-setup">Confuguring Fuseki in Java code</a></li>
+</ul>
+<h2 id="https">HTTPS<a class="headerlink" href="#https" title="Permanent link">&para;</a></h2>
+<p>This section applies to Fuseki Main.
+Https support is configured from the fuseki server command line.</p>
+<table class="table">
+<thead>
+<tr>
+<th>Argument</th>
+<th></th>
+<th></th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td><code>--https=&lt;i&gt;SETUP&lt;/i&gt;</code></td>
+<td>Name of file for certificate details.</td>
+<td></td>
+</tr>
+<tr>
+<td><code>--httpsPort=&lt;i&gt;PORT&lt;/i&gt;</code></td>
+<td>The port for https</td>
+<td>Default: 3043</td>
+</tr>
+</tbody>
+</table>
+<p>The <code>--https</code> argument names a file in JSON which includes the name of
+the certificate file and password for the certificate.</p>
+<div class="codehilite"><pre>{ &quot;cert&quot;: <span class="nt">&lt;i&gt;</span>KEYSTORE<span class="nt">&lt;/i&gt;</span> , &quot;passwd&quot;: <span class="nt">&lt;i&gt;</span>SECRET<span class="nt">&lt;/i&gt;</span> }
+</pre></div>
+
+
+<p>This file must be protected by file access settings so that it can only
+be read by the userid running the server.  One way is to put the
+keystore certificate and the certificate details file in the same
+directory, then making the directory secure.</p>
+<h3 id="self-signed-certificates">Self-signed certificates<a class="headerlink" href="#self-signed-certificates" title="Permanent link">&para;</a></h3>
+<p>A self-signed certificate provides an encrypted link to the server and
+stops some attacks. What it does not do is gaurantee the identity of the
+host name of the Fuseki server to the client system.</p>
+<p>A self-signed certificate can be generated with:</p>
+<div class="codehilite"><pre><span class="n">keytool</span> <span class="o">-</span><span class="n">keystore</span> <span class="n">keystore</span> <span class="o">-</span><span class="n">alias</span> <span class="n">jetty</span> <span class="o">-</span><span class="n">genkey</span> <span class="o">-</span><span class="n">keyalg</span> <span class="n">RSA</span>
+</pre></div>
+
+
+<p>For information on creating a certificate, see the Jetty documentation
+for <a href="http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html#generating-key-pairs-and-certificates">generating certificates</a>.</p>
+<h2 id="authentication">Authentication<a class="headerlink" href="#authentication" title="Permanent link">&para;</a></h2>
+<p>This section applies to Fuskei Main.</p>
+<p><a href="https://en.wikipedia.org/wiki/Authentication">Authentication</a>,
+is establishing the identity of the principal (user or program) accessing the
+system. Fuseki Main provides users/password setup and HTTP authentication,
+<a href="https://en.wikipedia.org/wiki/Digest_access_authentication">digest</a> or 
+<a href="https://en.wikipedia.org/wiki/Basic_access_authentication">basic</a>).</p>
+<p>These should be <a href="#https">used with HTTPS</a>.</p>
+<table class="table">
+<thead>
+<tr>
+<th>Argument</th>
+<th></th>
+<th></th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td><code>--auth=</code></td>
+<td>"basic" or "digest"</td>
+<td>Default is "digest"</td>
+</tr>
+</tbody>
+</table>
+<p>These can also be given in the server configuration file:</p>
+<div class="codehilite"><pre><span class="err">&lt;</span>#server&gt; rdf:type fuseki:Server ;
+    fuseki:passwd  &quot;<span class="nt">&lt;i&gt;</span>password_file<span class="nt">&lt;/i&gt;</span>&quot; ;
+    fuseki:auth    &quot;<span class="nt">&lt;i&gt;</span>digest<span class="nt">&lt;/i&gt;</span>&quot; ;
+    ...
+</pre></div>
+
+
+<p>The format of the password file is:</p>
+<div class="codehilite"><pre><span class="n">username</span><span class="o">:</span> <span class="n">password</span>
+</pre></div>
+
+
+<p>and passwords can be stored in hash or obfuscated form. </p>
+<p><a href="http://www.eclipse.org/jetty/documentation/current/configuring-security.html#hash-login-service">Password file format</a>.</p>
+<p>If different authentication is required, the full facilities of 
+<a href="http://www.eclipse.org/jetty/documentation/current/configuring-security.html">Eclipse Jetty configuration</a>
+are available.</p>
+<h3 id="using-curl">Using <code>curl</code><a class="headerlink" href="#using-curl" title="Permanent link">&para;</a></h3>
+<p>See the <a href="https://curl.haxx.se/docs/manpage.html">curl documentation</a> for full
+details.  This section is a breif summary of some relevant options:</p>
+<table class="table">
+<thead>
+<tr>
+<th>curl argument</th>
+<th>Value</th>
+<th>--</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td><code>-n</code>, <code>--netrc</code></td>
+<td></td>
+<td>Take passwords from <code>.netrc</code> (<code>_netrc</code> on windows)</td>
+</tr>
+<tr>
+<td><code>--user=</code></td>
+<td><code>user:password</code></td>
+<td>Set the uses and password (visible to all on the local machine)</td>
+</tr>
+<tr>
+<td><code>--anyauth</code></td>
+<td></td>
+<td>Use server nominated authentication scheme</td>
+</tr>
+<tr>
+<td><code>--basic</code></td>
+<td></td>
+<td>Use HTTP basic auth</td>
+</tr>
+<tr>
+<td><code>--digest</code></td>
+<td></td>
+<td>Use HTTP digest auth</td>
+</tr>
+<tr>
+<td><code>-k</code>, <code>--insecure</code></td>
+<td></td>
+<td>Don't check HTTPS certifcate. This allows for self-signed or expired, certificates or ones with the wrong host name.</td>
+</tr>
+</tbody>
+</table>
+<h3 id="using-wget">Using <code>wget</code><a class="headerlink" href="#using-wget" title="Permanent link">&para;</a></h3>
+<p>See the <a href="https://www.gnu.org/software/wget/manual/wget.html">wget documentation</a> for full
+details.  This section is a breif summary of some relevant options:</p>
+<table class="table">
+<thead>
+<tr>
+<th>wget argument</th>
+<th>Value</th>
+<th>--</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>--http-user</td>
+<td>user</td>
+<td>Set the user.</td>
+</tr>
+<tr>
+<td>--http-password</td>
+<td>password</td>
+<td>Set the password (visible to all on the local machine)</td>
+</tr>
+<tr>
+<td></td>
+<td></td>
+<td><code>wget</code> uses users/password from <code>.wgetrc</code> or <code>.netrc</code> by default.</td>
+</tr>
+<tr>
+<td><code>--no-check-certificate</code></td>
+<td></td>
+<td>Don't check HTTPS certifcate. This allows for self-signed or expired, certificates or ones with the wrong host name.</td>
+</tr>
+</tbody>
+</table>
+<h2 id="acl">Access Control Lists<a class="headerlink" href="#acl" title="Permanent link">&para;</a></h2>
+<p>ACLs can be applied to the server as a whole, to a dataset, to endpoints, and to
+graphs within a dataset. This section covers server, dataset and endpoint access control
+lists. Graph-level access control is <a href="#graph-acl">covered below</a>.</p>
+<p>Access control lists (ACL) as part of the server configuration file.</p>
+<div class="codehilite"><pre><span class="n">fuseki</span> <span class="o">--</span><span class="n">conf</span> <span class="n">assembler</span><span class="p">.</span><span class="n">ttl</span> <span class="p">...</span>
+</pre></div>
+
+
+<p>ACLs are provided by the <code>ja:allowedUsers</code> property </p>
+<h3 id="format-of-jaallowedusers">Format of <code>ja:allowedUsers</code><a class="headerlink" href="#format-of-jaallowedusers" title="Permanent link">&para;</a></h3>
+<p>The list of users allowed access can be an RDF list or repeated use of
+the property or a mixture. The different seting are combined into one ACL.</p>
+<div class="codehilite"><pre> <span class="n">fuseki</span><span class="p">:</span><span class="n">allowedUsers</span>    &quot;<span class="n">user1</span>&quot;<span class="p">,</span> &quot;<span class="n">user2</span>&quot;<span class="p">,</span> &quot;<span class="n">user3</span>&quot;<span class="p">;</span>
+ <span class="n">fuseki</span><span class="p">:</span><span class="n">allowedUsers</span>    &quot;<span class="n">user3</span>&quot;<span class="p">;</span>
+ <span class="n">fuseki</span><span class="p">:</span><span class="n">allowedUsers</span>    <span class="p">(</span> &quot;<span class="n">user1</span>&quot; &quot;<span class="n">user2</span>&quot; &quot;<span class="n">user3</span>&quot;<span class="p">)</span> <span class="p">;</span>
+</pre></div>
+
+
+<p>There is a special user name "*" which means "any authenticated user".</p>
+<div class="codehilite"><pre><span class="n">fuseki</span><span class="o">:</span><span class="n">allowedUsers</span>  <span class="s2">&quot;*&quot;</span> <span class="o">;</span>
+</pre></div>
+
+
+<h3 id="server-acl">Server Level ACLs<a class="headerlink" href="#server-acl" title="Permanent link">&para;</a></h3>
+<div class="codehilite"><pre><span class="err">&lt;</span>#server&gt; rdf:type fuseki:Server ;
+   <span class="nt">&lt;i&gt;</span>fuseki:allowedUsers    &quot;user1&quot;, &quot;user2&quot;, &quot;user3&quot;;<span class="nt">&lt;/i&gt;</span>
+   ...
+   fuseki:services ( ... ) ;
+   ...
+   .
+</pre></div>
+
+
+<p>A useful pattern is:</p>
+<div class="codehilite"><pre><span class="err">&lt;</span>#server&gt; rdf:type fuseki:Server ;
+   <span class="nt">&lt;i&gt;</span>fuseki:allowedUsers    &quot;*&quot;;<span class="nt">&lt;/i&gt;</span>
+   ...
+   fuseki:services ( ... ) ;
+   ...
+   .
+</pre></div>
+
+
+<p>whcih requires all access to authenticated and the allowed users are
+those in the password file.</p>
+<h3 id="dataset-acl">Dataset Level<a class="headerlink" href="#dataset-acl" title="Permanent link">&para;</a></h3>
+<p>When there is an access control list on the <code>fuseki:Service</code>, it applies
+to all requests to the endpoints of the server. </p>
+<p>Any server-wide "allowedUsers" configuration also applies and both
+levels must allow the user access.</p>
+<div class="codehilite"><pre><span class="err">&lt;</span>#service_auth&gt; rdf:type fuseki:Service ;
+    rdfs:label                      &quot;ACL controlled dataset&quot; ;
+    fuseki:name                     &quot;db-acl&quot; ;
+
+    <span class="nt">&lt;i&gt;</span>fuseki:allowedUsers             &quot;user1&quot;, &quot;user3&quot;;<span class="nt">&lt;/i&gt;</span>
+
+    ## Chocie of operations.
+    fuseki:serviceQuery             &quot;query&quot; ;
+    fuseki:serviceQuery             &quot;sparql&quot; ;
+    fuseki:serviceReadGraphStore    &quot;get&quot; ;
+
+    fuseki:serviceUpdate            &quot;update&quot; ;
+    fuseki:serviceUpload            &quot;upload&quot; ;
+    fuseki:serviceReadWriteGraphStore &quot;data&quot; ;
+
+    fuseki:dataset                  <span class="err">&lt;</span>#base_dataset&gt;;
+    .
+</pre></div>
+
+
+<h3 id="endpoint-acl">Endpoint Level<a class="headerlink" href="#endpoint-acl" title="Permanent link">&para;</a></h3>
+<p>An access control list can be applied to an individual endpoint.
+Again, any  other "allowedUsers" configuration, service-wide, or
+server-wide) also applies.</p>
+<div class="codehilite"><pre>    <span class="n">fuseki</span><span class="p">:</span><span class="n">serviceQuery</span>  <span class="p">[</span> <span class="n">fuseki</span><span class="p">:</span><span class="n">name</span> &quot;<span class="n">query</span> <span class="p">;</span>
+                           <span class="n">fuseki</span><span class="p">:</span><span class="n">allowedUsers</span> &quot;<span class="n">user1</span>&quot;<span class="p">,</span> &quot;<span class="n">user2</span>&quot;<span class="p">]</span> <span class="p">;</span>
+    <span class="n">fuseki</span><span class="p">:</span><span class="n">serviceUpdate</span> <span class="p">[</span> <span class="n">fuseki</span><span class="p">:</span><span class="n">name</span> &quot;<span class="n">update</span> <span class="p">;</span>
+                           <span class="n">fuseki</span><span class="p">:</span><span class="n">allowedUsers</span> &quot;<span class="n">user1</span>&quot;<span class="p">]</span> <span class="p">;</span>
+</pre></div>
+
+
+<p>Only <em>user1</em> can use SPARQL udpate both <em>user1</em> and
+<em>user2</em> can use SPARQl query.</p>
+<h2 id="graph-acl">Graph Level<a class="headerlink" href="#graph-acl" title="Permanent link">&para;</a></h2>
+<p>Graph level access control is defined using a specific dataset
+implmentation for the service.</p>
+<div class="codehilite"><pre><span class="o">&lt;</span>#<span class="n">access_dataset</span><span class="o">&gt;</span>  <span class="n">rdf</span><span class="p">:</span><span class="n">type</span> <span class="n">access</span><span class="p">:</span><span class="n">AccessControlledDataset</span> <span class="p">;</span>
+    <span class="n">access</span><span class="p">:</span><span class="n">registry</span>   <span class="p">...</span> <span class="p">;</span>
+    <span class="n">access</span><span class="p">:</span><span class="n">dataset</span>    <span class="p">...</span> <span class="p">;</span>
+    <span class="p">.</span>
+</pre></div>
+
+
+<p>ACLs are defined in a <a href="#graph-security-registry">Graph Security Registry</a> which lists the
+users and graph URIs.</p>
+<div class="codehilite"><pre><span class="o">&lt;</span>#<span class="n">service_tdb2</span><span class="o">&gt;</span> <span class="n">rdf</span><span class="p">:</span><span class="n">type</span> <span class="n">fuseki</span><span class="p">:</span><span class="n">Service</span> <span class="p">;</span>
+    <span class="n">rdfs</span><span class="p">:</span><span class="n">label</span>                      &quot;<span class="n">Graph</span><span class="o">-</span><span class="n">level</span> <span class="n">access</span> <span class="n">controlled</span> <span class="n">dataset</span>&quot; <span class="p">;</span>
+    <span class="n">fuseki</span><span class="p">:</span><span class="n">name</span>                     &quot;<span class="n">db</span><span class="o">-</span><span class="n">graph</span><span class="o">-</span><span class="n">acl</span>&quot; <span class="p">;</span>
+    ## <span class="n">Read</span><span class="o">-</span><span class="n">only</span> <span class="n">operations</span><span class="p">.</span>
+    <span class="n">fuseki</span><span class="p">:</span><span class="n">serviceQuery</span>             &quot;<span class="n">query</span>&quot; <span class="p">;</span>
+    <span class="n">fuseki</span><span class="p">:</span><span class="n">serviceQuery</span>             &quot;<span class="n">sparql</span>&quot; <span class="p">;</span>
+    <span class="n">fuseki</span><span class="p">:</span><span class="n">serviceReadGraphStore</span>    &quot;<span class="n">get</span>&quot; <span class="p">;</span>
+    <span class="n">fuseki</span><span class="p">:</span><span class="n">dataset</span>                  <span class="o">&lt;</span>#<span class="n">access_dataset</span><span class="o">&gt;</span><span class="p">;</span>
+    <span class="p">.</span>
+
+<span class="o">&lt;</span>#<span class="n">access_dataset</span><span class="o">&gt;</span>  <span class="n">rdf</span><span class="p">:</span><span class="n">type</span> <span class="n">access</span><span class="p">:</span><span class="n">AccessControlledDataset</span> <span class="p">;</span>
+    <span class="n">access</span><span class="p">:</span><span class="n">registry</span>   <span class="o">&lt;</span>#<span class="n">securityRegistry</span><span class="o">&gt;</span> <span class="p">;</span>
+    <span class="n">access</span><span class="p">:</span><span class="n">dataset</span>    <span class="o">&lt;</span>#<span class="n">tdb_dataset_shared</span><span class="o">&gt;</span> <span class="p">;</span>
+    <span class="p">.</span>
+
+<span class="o">&lt;</span>#<span class="n">tdb_dataset_shared</span><span class="o">&gt;</span> <span class="n">rdf</span><span class="p">:</span><span class="n">type</span> <span class="n">tdb</span><span class="p">:</span><span class="n">DatasetTDB</span> <span class="p">;</span>
+    <span class="p">.</span> <span class="p">.</span> <span class="p">.</span>
+</pre></div>
+
+
+<p>All dataset stroage types are supported.</p>
+<h3 id="graph-security-registry">Graph Security Registry<a class="headerlink" href="#graph-security-registry" title="Permanent link">&para;</a></h3>
+<p>The Graph Security Registry is defined as a number of access entries in
+either a list format "(user graph1 graph2 ...)" or as RDF properties
+<code>access:user</code> and <code>access:graphs</code>. The property <code>access:graphs</code> has graph URI or a
+list of URIs as its object.</p>
+<div class="codehilite"><pre><span class="o">&lt;</span>#<span class="n">securityRegistry</span><span class="o">&gt;</span> <span class="n">rdf</span><span class="p">:</span><span class="n">type</span> <span class="n">access</span><span class="p">:</span><span class="n">SecurityRegistry</span> <span class="p">;</span>
+    <span class="n">access</span><span class="p">:</span><span class="n">entry</span> <span class="p">(</span> &quot;<span class="n">user1</span>&quot; <span class="o">&lt;</span><span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">host</span><span class="o">/</span><span class="n">graphname1</span><span class="o">&gt;</span>  <span class="o">&lt;</span><span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">host</span><span class="o">/</span><span class="n">graphname2</span><span class="o">&gt;</span> <span class="p">)</span> <span class="p">;</span>
+    <span class="n">access</span><span class="p">:</span><span class="n">entry</span> <span class="p">(</span> &quot;<span class="n">user1</span>&quot; <span class="o">&lt;</span><span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">host</span><span class="o">/</span><span class="n">graphname3</span><span class="o">&gt;</span> <span class="p">)</span> <span class="p">;</span>
+
+    <span class="n">access</span><span class="p">:</span><span class="n">entry</span> <span class="p">(</span> &quot;<span class="n">user1</span>&quot; <span class="o">&lt;</span><span class="n">urn</span><span class="p">:</span><span class="n">x</span><span class="o">-</span><span class="n">arq</span><span class="p">:</span><span class="n">DefaultGraph</span><span class="o">&gt;</span> <span class="p">)</span> <span class="p">;</span>
+
+    <span class="n">access</span><span class="p">:</span><span class="n">entry</span> <span class="p">(</span> &quot;<span class="n">user2</span>&quot; <span class="o">&lt;</span><span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">host</span><span class="o">/</span><span class="n">graphname9</span><span class="o">&gt;</span> <span class="p">)</span> <span class="p">;</span>
+    <span class="n">access</span><span class="p">:</span><span class="n">entry</span> <span class="p">[</span> <span class="n">access</span><span class="p">:</span><span class="n">user</span> &quot;<span class="n">user3</span>&quot; <span class="p">;</span> <span class="n">access</span><span class="p">:</span><span class="n">graphs</span> <span class="p">(</span> <span class="o">&lt;</span><span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">host</span><span class="o">/</span><span class="n">graphname3</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">host</span><span class="o">/</span><span class="n">graphname4</span><span class="o">&gt;</span> <span class="p">)</span> <span class="p">]</span> <span class="p">;</span>
+    <span class="n">access</span><span class="p">:</span><span class="n">entry</span> <span class="p">[</span> <span class="n">access</span><span class="p">:</span><span class="n">user</span> &quot;<span class="n">user3</span>&quot; <span class="p">;</span> <span class="n">access</span><span class="p">:</span><span class="n">graphs</span> <span class="o">&lt;</span><span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">host</span><span class="o">/</span><span class="n">graphname5</span><span class="o">&gt;</span> <span class="p">]</span> <span class="p">;</span>
+    <span class="n">access</span><span class="p">:</span><span class="n">entry</span> <span class="p">[</span> <span class="n">access</span><span class="p">:</span><span class="n">user</span> &quot;<span class="n">userZ</span>&quot; <span class="p">;</span> <span class="n">access</span><span class="p">:</span><span class="n">graphs</span> <span class="o">&lt;</span><span class="n">http</span><span class="p">:</span><span class="o">//</span><span class="n">host</span><span class="o">/</span><span class="n">graphnameZ</span><span class="o">&gt;</span> <span class="p">]</span> <span class="p">;</span>
+    <span class="p">.</span>
+</pre></div>
+
+
+<h2 id="jetty-configuration">Jetty Configuration<a class="headerlink" href="#jetty-configuration" title="Permanent link">&para;</a></h2>
+<p>For authentication configuration not covered by Fuseki configuration,
+the deployed server can be run using a Jetty comnfiguration.</p>
+<p>Server command line: <tt>--jetty=<i>jetty.xml</i></tt>.</p>
+<p><a href="https://www.eclipse.org/jetty/documentation/current/jetty-xml-config.html">Documentation for
+<code>jetty.xml</code></a>.</p>
+  </div>
+</div>
+
+</div><!--/.container -->
+
+    <footer class="footer">
+      <div class="container">
+        <p>Copyright &copy; 2011&ndash;2018 The Apache Software Foundation, Licensed under
+        the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.
+        </p>
+        <p>
+        Apache Jena, Jena, the Apache Jena project logo,
+        Apache and the Apache feather logos are trademarks of The Apache Software Foundation.
+        </p>
+      </div>
+  </footer>
+
+  <!-- for marking links as active in the navbar-menu -->
+  <script type="text/javascript">
+    var link = $('a[href="' + this.location.pathname + '"]');
+    if (link != undefined)
+      link.parents('li,ul').addClass('active');
+  </script>
+
+</body>
+</html>