Posted to users@jena.apache.org by "Shaw, Ryan" <ry...@unc.edu> on 2022/10/31 22:36:17 UTC

shiro.ini configuration to disallow PUT to dataset?

I am trying to configure fuseki-server so that

* an admin logging in via basic auth can create and update datasets
* anonymous users can only query datasets


My shiro.ini:

[main]
ssl.enabled = false
plainMatcher = org.apache.shiro.authc.credential.SimpleCredentialsMatcher
iniRealm.credentialsMatcher = $plainMatcher

[users]
admin=${ADMIN_PASSWORD}

[roles]

[urls]
# admin functions open to anyone
/$/ping     = anon
/$/server   = anon
/$/stats    = anon
/$/stats/*  = anon

# and the rest of the admin functions are restricted
/$/** = authcBasic,user[admin]

# dataset loads and updates are restricted
/*/data/**   = authcBasic,user[admin]
/*/update/** = authcBasic,user[admin]

# everything else is open to anyone
/**=anon


With this shiro.ini configuration, anonymous users can still PUT to a dataset URL to update it. I want to disallow that. How ?


Re: shiro.ini configuration to disallow PUT to dataset?

Posted by "Shaw, Ryan" <ry...@unc.edu>.
> You can also change the template file used when creating the dataset. It is in run/templates/config-tdb2 etc. so you can change it on a per server basis.

OK, great — this is the piece I was missing. Thanks!

Re: shiro.ini configuration to disallow PUT to dataset?

Posted by Andy Seaborne <an...@apache.org>.

On 02/11/2022 16:29, Shaw, Ryan wrote:
> I am using the newer fuseki:endpoint style.
> 
> The issue is that when a new dataset is created via the Fuseki UI, the default endpoints that are created include the following two:
> 
> fuseki:endpoint  [ fuseki:operation  fuseki:update ] ;
> 
> fuseki:endpoint  [ fuseki:operation  fuseki:gsp-rw ] ;


So that is the one that is matching "/**=anon"

 > /*/data/**

Did you want it on that endpoint?

    [ fuseki:operation  fuseki:gsp-rw ;
      fuseki:name "data"
    ] ;

It will go to the same dataset.

GSP/quads is hard to distinguish because its signature is the 
content-type.

> 
> If I understand correctly, the former enables SPARQL UPDATE queries and the latter enables PUTting a new graph.

Yes - but they don't have to be operations directly on the dataset. They 
can be named services of the dataset which then match in shiro rules: 
/*/data.

> 
> These endpoints make it difficult to use shiro.ini to restrict updates, since they use the path of the dataset itself rather than a subpath like /data or /update.

You don't have to do it that way.

> 
> I can go in and remove these endpoints by editing the configuration file for the dataset, and that’s what I’ve done to address this issue. But it’s less than ideal, since I can’t just use the UI to create a dataset — I also have to deploy a modified config file, which can be a little fiddly when you’re running Fuseki in a cloud container.

Agreed.

You can also change the template file used when creating the dataset. It 
is in run/templates/config-tdb2 etc. so you can change it on a per 
server basis.

Zip up the modified run with the binary and distribute that.

> 
> Since I am using this Fuseki instance in a class to teach students SPARQL, it would be nice to be able to create a dataset in the UI that students can query, without worrying about them deleting or modifying the dataset, and without having a separate sysadmin step of pushing a new config file every time I create a dataset.
> 
>> On Nov 2, 2022, at 6:55 AM, Andy Seaborne <an...@apache.org> wrote:
>>
>> Hi Ryan,
>>
>> Are you using the "fuseki:service*" style for defining the operations?
>>
>> The newer
>>
>>     fuseki:endpoint [
>>         # SPARQL Graph Store Protocol (read and write)
>>         fuseki:operation fuseki:gsp_rw ;
>>         fuseki:name "data"
>>     ] ;
>>
>> style allows more precise definition of endpoints.
>>
>> https://jena.apache.org/documentation/fuseki2/fuseki-configuration.html
>>
>> :serviceReadWriteGraphStore implicitly adds PUT to the dataset (quads mode) and "/**=anon" applies.
>>
>> If you use "fuseki:operation fuseki:gsp_rw" there isn't this side effect.
>>
>> You can go further with fuseki:allowedUsers on individual endpoint/operation. shiro.ini does not support that but you'll need shiro to do user login.
>>
>> A server without UI and without admin (currently :-) can Fuseki/main can use the Jetty security handling - no shiro.ini - but that's a completely separate setup.
>>
>>     Andy
>>
>> On 31/10/2022 22:36, Shaw, Ryan wrote:
>>> I am trying to configure fuseki-server so that
>>> * an admin logging in via basic auth can create and update datasets
>>> * anonymous users can only query datasets
>>> My shiro.ini:
>>> [main]
>>> ssl.enabled = false
>>> plainMatcher = org.apache.shiro.authc.credential.SimpleCredentialsMatcher
>>> iniRealm.credentialsMatcher = $plainMatcher
>>> [users]
>>> admin=${ADMIN_PASSWORD}
>>> [roles]
>>> [urls]
>>> # admin functions open to anyone
>>> /$/ping     = anon
>>> /$/server   = anon
>>> /$/stats    = anon
>>> /$/stats/*  = anon
>>> # and the rest of the admin functions are restricted
>>> /$/** = authcBasic,user[admin]
>>> # dataset loads and updates are restricted
>>> /*/data/**   = authcBasic,user[admin]
>>> /*/update/** = authcBasic,user[admin]
>>> # everything else is open to anyone
>>> /**=anon
>>> With this shiro.ini configuration, anonymous users can still PUT to a dataset URL to update it. I want to disallow that. How ?
> 
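
The rule selection discussed in this message, as an added example that is not part of the original thread and not Shiro or Fuseki code: it models first-match evaluation of the [urls] rules from the shiro.ini above, using a simplified Ant-style matcher written for illustration. The dataset name "ds" and the request paths are constructed; the model selects on path only, as the rules in the thread do.

```python
from fnmatch import fnmatchcase

# Rules in file order, copied from the shiro.ini quoted in the thread.
RULES = [
    ("/$/ping", "anon"),
    ("/$/server", "anon"),
    ("/$/stats", "anon"),
    ("/$/stats/*", "anon"),
    ("/$/**", "authcBasic,user[admin]"),
    ("/*/data/**", "authcBasic,user[admin]"),
    ("/*/update/**", "authcBasic,user[admin]"),
    ("/**", "anon"),
]

def ant_match(pattern, path):
    """Segment-wise Ant match: '*' stays in one segment, '**' spans zero or more."""
    def walk(pats, segs):
        if not pats:
            return not segs
        if pats[0] == "**":
            # '**' may consume anywhere from 0 to all remaining segments
            return any(walk(pats[1:], segs[i:]) for i in range(len(segs) + 1))
        if not segs:
            return False
        return fnmatchcase(segs[0], pats[0]) and walk(pats[1:], segs[1:])
    return walk([p for p in pattern.split("/") if p],
                [s for s in path.split("/") if s])

def first_match(path, rules=RULES):
    """Return the (pattern, filters) pair that decides the request: first hit wins."""
    for pattern, filters in rules:
        if ant_match(pattern, path):
            return pattern, filters
    return None

def anonymous_allowed(path, rules=RULES):
    """True when the deciding rule is the plain 'anon' filter."""
    hit = first_match(path, rules)
    return hit is not None and hit[1] == "anon"

if __name__ == "__main__":
    # Constructed request paths; "ds" is a hypothetical dataset name.
    for p in ["/ds", "/ds/data", "/ds/update", "/ds/query", "/$/datasets", "/$/ping"]:
        print(f"{p:14} -> {first_match(p)}")
```

A request to the bare dataset URL is decided by the catch-all rule, while the same operation exposed under a named "data" or "update" endpoint is decided by the restricted rules.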

Re: shiro.ini configuration to disallow PUT to dataset?

Posted by "Shaw, Ryan" <ry...@unc.edu>.
I am using the newer fuseki:endpoint style.

The issue is that when a new dataset is created via the Fuseki UI, the default endpoints that are created include the following two:

fuseki:endpoint  [ fuseki:operation  fuseki:update ] ;

fuseki:endpoint  [ fuseki:operation  fuseki:gsp-rw ] ;

If I understand correctly, the former enables SPARQL UPDATE queries and the latter enables PUTting a new graph.

These endpoints make it difficult to use shiro.ini to restrict updates, since they use the path of the dataset itself rather than a subpath like /data or /update.

I can go in and remove these endpoints by editing the configuration file for the dataset, and that’s what I’ve done to address this issue. But it’s less than ideal, since I can’t just use the UI to create a dataset — I also have to deploy a modified config file, which can be a little fiddly when you’re running Fuseki in a cloud container.

Since I am using this Fuseki instance in a class to teach students SPARQL, it would be nice to be able to create a dataset in the UI that students can query, without worrying about them deleting or modifying the dataset, and without having a separate sysadmin step of pushing a new config file every time I create a dataset.

> On Nov 2, 2022, at 6:55 AM, Andy Seaborne <an...@apache.org> wrote:
> 
> Hi Ryan,
> 
> Are you using the "fuseki:service*" style for defining the operations?
> 
> The newer
> 
>    fuseki:endpoint [
>        # SPARQL Graph Store Protocol (read and write)
>        fuseki:operation fuseki:gsp_rw ;
>        fuseki:name "data"
>    ] ;
> 
> style allows more precise definition of endpoints.
> 
> https://jena.apache.org/documentation/fuseki2/fuseki-configuration.html
> 
> :serviceReadWriteGraphStore implicitly adds PUT to the dataset (quads mode) and "/**=anon" applies.
> 
> If you use "fuseki:operation fuseki:gsp_rw" there isn't this side effect.
> 
> You can go further with fuseki:allowedUsers on individual endpoint/operation. shiro.ini does not support that but you'll need shiro to do user login.
> 
> A server without UI and without admin (currently :-) can Fuseki/main can use the Jetty security handling - no shiro.ini - but that's a completely separate setup.
> 
>    Andy
> 
> On 31/10/2022 22:36, Shaw, Ryan wrote:
>> I am trying to configure fuseki-server so that
>> * an admin logging in via basic auth can create and update datasets
>> * anonymous users can only query datasets
>> My shiro.ini:
>> [main]
>> ssl.enabled = false
>> plainMatcher = org.apache.shiro.authc.credential.SimpleCredentialsMatcher
>> iniRealm.credentialsMatcher = $plainMatcher
>> [users]
>> admin=${ADMIN_PASSWORD}
>> [roles]
>> [urls]
>> # admin functions open to anyone
>> /$/ping     = anon
>> /$/server   = anon
>> /$/stats    = anon
>> /$/stats/*  = anon
>> # and the rest of the admin functions are restricted
>> /$/** = authcBasic,user[admin]
>> # dataset loads and updates are restricted
>> /*/data/**   = authcBasic,user[admin]
>> /*/update/** = authcBasic,user[admin]
>> # everything else is open to anyone
>> /**=anon
>> With this shiro.ini configuration, anonymous users can still PUT to a dataset URL to update it. I want to disallow that. How ?


Re: shiro.ini configuration to disallow PUT to dataset?

Posted by Andy Seaborne <an...@apache.org>.
Hi Ryan,

Are you using the "fuseki:service*" style for defining the operations?

The newer

     fuseki:endpoint [
         # SPARQL Graph Store Protocol (read and write)
         fuseki:operation fuseki:gsp_rw ;
         fuseki:name "data"
     ] ;

style allows more precise definition of endpoints.

https://jena.apache.org/documentation/fuseki2/fuseki-configuration.html

:serviceReadWriteGraphStore implicitly adds PUT to the dataset (quads 
mode) and "/**=anon" applies.

If you use "fuseki:operation fuseki:gsp_rw" there isn't this side effect.

You can go further with fuseki:allowedUsers on individual 
endpoint/operation. shiro.ini does not support that but you'll need 
shiro to do user login.

A server without UI and without admin (currently :-) can Fuseki/main can 
use the Jetty security handling - no shiro.ini - but that's a completely 
separate setup.

     Andy

On 31/10/2022 22:36, Shaw, Ryan wrote:
> I am trying to configure fuseki-server so that
> 
> * an admin logging in via basic auth can create and update datasets
> * anonymous users can only query datasets
> 
> 
> My shiro.ini:
> 
> [main]
> ssl.enabled = false
> plainMatcher = org.apache.shiro.authc.credential.SimpleCredentialsMatcher
> iniRealm.credentialsMatcher = $plainMatcher
> 
> [users]
> admin=${ADMIN_PASSWORD}
> 
> [roles]
> 
> [urls]
> # admin functions open to anyone
> /$/ping     = anon
> /$/server   = anon
> /$/stats    = anon
> /$/stats/*  = anon
> 
> # and the rest of the admin functions are restricted
> /$/** = authcBasic,user[admin]
> 
> # dataset loads and updates are restricted
> /*/data/**   = authcBasic,user[admin]
> /*/update/** = authcBasic,user[admin]
> 
> # everything else is open to anyone
> /**=anon
> 
> 
> With this shiro.ini configuration, anonymous users can still PUT to a dataset URL to update it. I want to disallow that. How ?
>