Posted to users@jena.apache.org by Trevor Donaldson <tm...@gmail.com> on 2014/12/31 22:56:58 UTC

Upgrading from RDB to TDB want to use Jena Security

Hi,

I am currently in the process of upgrading a Semantic Web application from
RDB to TDB. Yes it is 2014 and yes I agree that the owners of said app
should have upgraded a long time ago. With that out of the way I am asking
for some help. Currently the original developers of this application wrote
a custom assembler to create Adjudicating Graphs which would perform
statement-level security adjudication. That is all well and good but there
are multiple references to Reifier which has been removed in version
2.11.2, not to mention to follow some of the code you would have to be a
semantic guru yourself.

I researched and found that Jena Security now exists. It probably didn't
when these guys first started writing this application. So now my question,
hopefully a simple one, how do I use jena security with reification? I
haven't been able to figure it out and the examples on github aren't quite
exactly what I need. So given the following RDF (reified statement)

_:statement rdf:type rdf:Statement .
_:statement rdf:subject dbr:Ireland .
_:statement rdf:predicate dbo:capital .
_:statement rdf:object dbo:Dublin .
_:statement ex:role "ROLEA", "ROLEB", "ROLEC" .

_:statement rdf:type rdf:Statement .
_:statement rdf:subject dbr:Canada .
_:statement rdf:predicate dbo:capital .
_:statement rdf:object dbo:Ottawa .
_:statement ex:role "ROLEA" .


Case I am trying to solve :
1. User A logs in and runs query with ROLEA
2. User queries for capitals
3. Jena Security filters out the Ireland statement and only returns Ottawa
statement because the user is only in ROLEA. The roles are "ands"

I hope this helps. I am a semantic web newbie and I am stuck. Thanks in
advance.

Re: Upgrading from RDB to TDB want to use Jena Security

Posted by Claude Warren <cl...@xenei.com>.
Trevor,

Let me answer your questions in a slightly different order.

First: the difference between a graph and a model.  Graph is actually the SPI
interface; Model is the API interface and is probably the one you are
using.  Basically, the Model interface uses Resources (and derived classes)
in Statements.  Graphs use Nodes (and derived classes) in Triples.  There
are other differences but for purposes of the security framework they are
negligible.  I suspect that your code uses the Model API.

Inside the Security framework, we work with Nodes in Triples.  So where
your code probably handles Statements the Security API will talk about the
corresponding SecTriple.  Your code probably talks about Resources and the
Security API will talk about corresponding SecNode.

Model        Graph              Security API
Resource     Node               SecNode
Statement    Triple             SecTriple


To retrieve the reified statements you will have to construct your
SecurityEvaluator with access to that graph/model that contains the reified
statements.  This will be part of how you construct / configure your
SecurityEvaluator.

As for looking the items up, you could construct a SPARQL query and use ARQ
to execute it.  When SecurityEvaluator.evaluate( Action.Read,
"urn:graph-name:data-graph", <dbr:Ireland, dbo:capital, dbo:Dublin> ) is
called, <dbr:Ireland, dbo:capital, dbo:Dublin> will be a SecTriple instance.
You can retrieve the subject, predicate and object as SecNodes.  You can
convert those to standard Jena Nodes by reverse engineering the
SecuredItemImpl.convert() method.  Or you can probably just use the text
value as you are using URLs.   In either case you can construct the SPARQL
query to retrieve the roles that have access to the triple.

The logic behind the access restrictions.

The system has to make 2 assessments and has to handle multiple
configuration options.

The first call is  evaluate( READ, graphIRI ).  At this point we are
checking that the user can read the graph identified by the IRI.  If not
then we are done and the access exception is thrown.

If the user can read the graph then we need to know if the system has any
restrictions on the user reading the triples, so the system makes the
evaluate( READ, graphIRI, SecTriple.ALL ) call.  If the evaluator returns true
then the user can read all the data and we are done.  If the evaluator
returns false then we need to determine if the user can read the specific
triple.

At this point the final check is performed for the actual triple in
question.

Graph Access       ALL triples    Specific Triple
N (done no access)
Y                  Y (done all access)
Y                  N              N (done no access to triple)
Y                  N              Y (done access to triple)

In some cases (e.g. when returning a list/iterator of matching items) the
list/iterator is filtered as per above. In other cases (e.g. when
attempting to read a specific triple) an access exception is thrown.

The above table covers reading triples.  Writing, deleting and updating
have some other options dealing with nodes that will be created and such.

Claude

On Fri, Jan 2, 2015 at 2:22 AM, Trevor Donaldson <tm...@gmail.com>
wrote:

> Claude,
>
> First off, thanks for your response. I truly appreciate it. I would give an
> example but the code that I am working with is on my work machine. Your
> assumption about having a mechanism to retrieve users' roles is valid. Your
> assumption about having a way to attach roles to triples as they go into
> the triple store is also true. Essentially what happens is I have
> datasourceA and datasourceB. When data is inserted into the triple store we
> attach the roles as a reified statement (Apologies for my semantic web
> vocab but  I am still a newbie).
> So for example we get user address from one datasourceA so we create a
> triple
>
> subject : http://myApp/username/JoeBlow
> predicate : pr:userName
> object : "Joe Blow"
>
> Then we take that triple and create a reified statement with roles (ROLEA,
> ROLEB, ROLEC). I tried what you said which is set "Second the method
> SecurityEvaluator.evaluate( Action.Read, "urn:graph-name:data-graph",
> SecTriple.ANY ) will be called. The SecurityEvaluator should return "false"
> to indicate that there are restrictions on some triples in the data
> graph."
>
> The part I am struggling with is this portion of your comment. "Finally the
> method SecurityEvaluator.evaluate( Action.Read,
> "urn:graph-name:data-graph", <dbr:Ireland, dbo:capital, dbo:Dublin> ) will
> be called. The evaluator should then look up the rdf:Statement that covers
> the <dbr:Ireland, dbo:capital, dbo:Dublin> triple, retrieve the roles that
> have access, compare those with the roles that the user has and if there is
> an intersection return "true" otherwise return "false"."
>
> Inside of the SecurityEvaluator, how do I get to the reified statement's
> role? Question two, if I return false from evaluate(Resource r)
> <https://github.com/apache/jena/blob/master/jena-security/src/example/org/apache/jena/security/example/ExampleEvaluator.java#L64>,
> that was returning false for the entire model. So essentially what was
> happening for me is, if user can't see one triple they can't see any
> triples. Plus my other question is what is the difference between Graph and
> Model. Ok, thanks so much for your help.



-- 
I like: Like Like - The likeliest place on the web
<http://like-like.xenei.com>
LinkedIn: http://www.linkedin.com/in/claudewarren
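
The read checks described in the reply above (graph, then all triples, then the specific triple), combined with the "roles are ands" rule from the original question, as an added example that is not part of the thread or of Jena Security. It is a plain-Java model: `Triple`, `ROLES`, the three `canRead...` methods and the use of `SecurityException` are hypothetical stand-ins rather than Jena classes, the role map stands in for a lookup of the reified statements, and denying a triple that has no reified statement is an assumption.

```java
import java.util.*;

// Added example: a plain-Java model of the three read checks. No Jena classes are used.
public class ReadCheckModel {
    // Hypothetical stand-in for a triple <subject, predicate, object>.
    record Triple(String s, String p, String o) {}

    // Constructed data: the roles attached to the two reified statements in the question.
    // In a real evaluator this lookup would run against the graph holding the reification.
    static final Map<Triple, Set<String>> ROLES = Map.of(
        new Triple("dbr:Ireland", "dbo:capital", "dbo:Dublin"), Set.of("ROLEA", "ROLEB", "ROLEC"),
        new Triple("dbr:Canada", "dbo:capital", "dbo:Ottawa"), Set.of("ROLEA"));

    // Check 1: graph-level read. Assumed rule: any user holding at least one role.
    static boolean canReadGraph(Set<String> userRoles) {
        return !userRoles.isEmpty();
    }

    // Check 2: "may the user read every triple?" Always false here, because
    // per-triple restrictions exist; returning true would skip check 3 entirely.
    static boolean canReadAllTriples(Set<String> userRoles) {
        return false;
    }

    // Check 3: the specific triple. Roles are "ands": the user needs every role listed.
    // Assumption: a triple with no reified statement is denied (fail closed).
    static boolean canReadTriple(Set<String> userRoles, Triple t) {
        Set<String> required = ROLES.get(t);
        return required != null && userRoles.containsAll(required);
    }

    // List/iterator case: matches the user may not read are filtered out silently.
    static List<Triple> visible(Set<String> userRoles, Collection<Triple> matches) {
        if (!canReadGraph(userRoles)) {
            throw new SecurityException("no read access to graph"); // stand-in exception
        }
        if (canReadAllTriples(userRoles)) return List.copyOf(matches);
        List<Triple> out = new ArrayList<>();
        for (Triple t : matches) if (canReadTriple(userRoles, t)) out.add(t);
        return out;
    }

    public static void main(String[] args) {
        List<Triple> capitals = new ArrayList<>(ROLES.keySet());
        capitals.add(new Triple("dbr:France", "dbo:capital", "dbo:Paris")); // no roles recorded
        System.out.println(visible(Set.of("ROLEA"), capitals));
        System.out.println(visible(Set.of("ROLEA", "ROLEB", "ROLEC"), capitals));
    }
}
```

Replacing `containsAll` with `!Collections.disjoint(userRoles, required)` gives the intersection rule quoted in the thread instead of the "ands" rule.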

Re: Upgrading from RDB to TDB want to use Jena Security

Posted by Trevor Donaldson <tm...@gmail.com>.
Claude,

First off, thanks for your response. I truly appreciate it. I would give an
example but the code that I am working with is on my work machine. Your
assumption about having a mechanism to retrieve users' roles is valid. Your
assumption about having a way to attach roles to triples as they go into
the triple store is also true. Essentially what happens is I have
datasourceA and datasourceB. When data is inserted into the triple store we
attach the roles as a reified statement (Apologies for my semantic web
vocab but  I am still a newbie).
So for example we get user address from one datasourceA so we create a
triple

subject : http://myApp/username/JoeBlow
predicate : pr:userName
object : "Joe Blow"

Then we take that triple and create a reified statement with roles (ROLEA,
ROLEB, ROLEC). I tried what you said which is set "Second the method
SecurityEvaluator.evaluate( Action.Read, "urn:graph-name:data-graph",
SecTriple.ANY ) will be called. The SecurityEvaluator should return "false"
to indicate that there are restrictions on some triples in the data
graph."

The part I am struggling with is this portion of your comment. "Finally the
method SecurityEvaluator.evaluate( Action.Read,
"urn:graph-name:data-graph", <dbr:Ireland, dbo:capital, dbo:Dublin> ) will
be called. The evaluator should then look up the rdf:Statement that covers
the <dbr:Ireland, dbo:capital, dbo:Dublin> triple, retrieve the roles that
have access, compare those with the roles that the user has and if there is
an intersection return "true" otherwise return "false"."

Inside of the SecurityEvaluator, how do I get to the reified statement's
role? Question two, if I return false from evaluate(Resource r)
<https://github.com/apache/jena/blob/master/jena-security/src/example/org/apache/jena/security/example/ExampleEvaluator.java#L64>,
that was returning false for the entire model. So essentially what was
happening for me is, if user can't see one triple they can't see any
triples. Plus my other question is what is the difference between Graph and
Model. Ok, thanks so much for your help.

On Thu, Jan 1, 2015 at 7:49 PM, Claude Warren <cl...@xenei.com> wrote:

> Trevor,
>
> I saw your question on stackoverflow
> http://stackoverflow.com/questions/27706124/jena-security-with-reification
> and answered it there.  I would have answered here first had I seen this
> first.
>
> But it is possible and I provided what I hope is a detailed explanation of
> how to do what you want to do.
>
> Claude

Re: Upgrading from RDB to TDB want to use Jena Security

Posted by Claude Warren <cl...@xenei.com>.
Trevor,

I saw your question on stackoverflow
http://stackoverflow.com/questions/27706124/jena-security-with-reification
and answered it there.  I would have answered here first had I seen this
first.

But it is possible and I provided what I hope is a detailed explanation of
how to do what you want to do.

Claude

On Wed, Dec 31, 2014 at 9:56 PM, Trevor Donaldson <tm...@gmail.com>
wrote:

> Hi,
>
> I am currently in the process of upgrading a Semantic Web application from
> RDB to TDB. Yes it is 2014 and yes I agree that the owners of said app
> should have upgraded a long time ago. With that out of the way I am asking
> for some help. Currently the original developers of this application wrote
> a custom assembler to create Adjudicating Graphs which would perform
> statement-level security adjudication. That is all well and good but there
> are multiple references to Reifier which has been removed in version
> 2.11.2, not to mention to follow some of the code you would have to be a
> semantic guru yourself.
>
> I researched and found that Jena Security now exists. It probably didn't
> when these guys first started writing this application. So now my question,
> hopefully a simple one, how do I use jena security with reification? I
> haven't been able to figure it out and the examples on github aren't quite
> exactly what I need. So given the following RDF (reified statement)
>
> _:statement rdf:type rdf:Statement .
> _:statement rdf:subject dbr:Ireland .
> _:statement rdf:predicate dbo:capital .
> _:statement rdf:object dbo:Dublin .
> _:statement ex:role "ROLEA", "ROLEB", "ROLEC" .
>
> _:statement rdf:type rdf:Statement .
> _:statement rdf:subject dbr:Canada .
> _:statement rdf:predicate dbo:capital .
> _:statement rdf:object dbo:Ottawa .
> _:statement ex:role "ROLEA" .
>
>
> Case I am trying to solve :
> 1. User A logs in and runs query with ROLEA
> 2. User queries for capitals
> 3. Jena Security filters out the Ireland statement and only returns Ottawa
> statement because the user is only in ROLEA. The roles are "ands"
>
> I hope this helps. I am a semantic web newbie and I am stuck. Thanks in
> advance.
>


