Posted to users@jena.apache.org by Ekaterina Danilova <ka...@gmail.com> on 2018/05/11 12:41:26 UTC

Problem with understanding Jena Permissions

Hello!
I have a problem with understanding Jena permissions.

I have an application which creates named graphs, uploads and reads those
through Fuseki. I would like to add some security and create different
access rules for different users etc. As the documentation (
https://jena.apache.org/documentation/permissions/) says, it can be done
with my own Security Evaluator implementation.

What I don't understand is where and how exactly permissions should be
added. Should they be only at Fuseki side? If so, then how can Fuseki
understand to process each model as secured model? If I wish to create
secured model at the side of application, then I have to use this method:
Factory.getInstance( SecurityEvaluator, String, Model );
which requires the SecurityEvaluator at the application side too. But if I
add it there, then there is no sense in having the security evaluator at
Fuseki side.

My problem is that even though I added the permissions jar with my own
SecurityEvaluator (a bit modified ShiroExampleEvaluator) to Fuseki
correctly (with this example
https://jena.apache.org/documentation/permissions/example.html), I cannot
get it to process data through it. Fuseki is not seeing the incoming data
as secured models.

So, in short, the question is - how to set up Fuseki in such a way that it
would see all incoming models as secured models and check the access level
for those?
And if it is impossible, what is the right way to add the permissions?

Re: Problem with understanding Jena Permissions

Posted by Claude Warren <cl...@xenei.com>.
Jena is driven by user contributions.  (Andy has a great phrase for this
but I don't recall what it is at the moment).  But if users want the
functionality and contribute it then Jena will have it.

Moving the permissions implementation up the stack (to datasets for
example) has been a goal of mine for some time but I have never had the
direct need nor the time to do it.  If you have the time and the
inclination I would help you with the development as much as I can.

Claude

-- 
I like: Like Like - The likeliest place on the web
<http://like-like.xenei.com>
LinkedIn: http://www.linkedin.com/in/claudewarren

Re: Problem with understanding Jena Permissions

Posted by "katja.danilova94" <ka...@gmail.com>.
Thanks for guidance, I will do it this way then.
And the future plan is to create a type of secured dataset in Fuseki so that all incoming and outgoing models are secured and checked automatically?




Re: Problem with understanding Jena Permissions

Posted by Claude Warren <cl...@xenei.com>.
Permissions were originally designed to work outside of Fuseki and still
do.  I often use them to create read only models.

The Fuseki interface was originally intended to secure existing models.
However, as I mentioned before it should be possible to have the system
generate secured models on creation in Fuseki, it just hasn't been done yet.

Claude



-- 
I like: Like Like - The likeliest place on the web
<http://like-like.xenei.com>
LinkedIn: http://www.linkedin.com/in/claudewarren
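
The application-side use discussed in this thread (wrapping a model with Factory.getInstance to get a read-only view), as an added example that is not part of any post and not Jena project code. It assumes a Jena 3.x jena-permissions jar on the classpath; the class names and example.org URIs are hypothetical.

```java
import java.util.Set;

import org.apache.jena.graph.Node;
import org.apache.jena.graph.Triple;
import org.apache.jena.permissions.Factory;
import org.apache.jena.permissions.SecurityEvaluator;
import org.apache.jena.permissions.model.SecuredModel;
import org.apache.jena.rdf.model.Model;
import org.apache.jena.rdf.model.ModelFactory;
import org.apache.jena.rdf.model.Resource;
import org.apache.jena.shared.AccessDeniedException;
import org.apache.jena.vocabulary.RDFS;

// Added example: class names and example.org URIs are hypothetical.
public class ReadOnlySecuredModelExample {

    /** Grants Read on every graph and triple; denies Create, Update and Delete. */
    static class ReadOnlyEvaluator implements SecurityEvaluator {

        // True only when every requested action is Read.
        private static boolean readOnly(Set<Action> actions) {
            return actions.stream().allMatch(a -> a == Action.Read);
        }

        @Override
        public boolean evaluate(Object principal, Action action, Node graphIRI) {
            return action == Action.Read;
        }

        @Override
        public boolean evaluate(Object principal, Action action, Node graphIRI, Triple triple) {
            return action == Action.Read;
        }

        @Override
        public boolean evaluate(Object principal, Set<Action> actions, Node graphIRI) {
            return readOnly(actions);
        }

        @Override
        public boolean evaluate(Object principal, Set<Action> actions, Node graphIRI, Triple triple) {
            return readOnly(actions);
        }

        @Override
        public boolean evaluateAny(Object principal, Set<Action> actions, Node graphIRI) {
            return actions.contains(Action.Read);
        }

        @Override
        public boolean evaluateAny(Object principal, Set<Action> actions, Node graphIRI, Triple triple) {
            return actions.contains(Action.Read);
        }

        @Override
        public boolean evaluateUpdate(Object principal, Node graphIRI, Triple from, Triple to) {
            return false; // replacing one triple with another is a write
        }

        @Override
        public Object getPrincipal() {
            return "anonymous"; // assumption: no per-user rules in this sketch
        }

        @Override
        public boolean isPrincipalAuthenticated(Object principal) {
            return true; // assumption: the caller was authenticated elsewhere
        }
    }

    public static void main(String[] args) {
        // Unsecured base model, populated before it is wrapped.
        Model base = ModelFactory.createDefaultModel();
        Resource a = base.createResource("http://example.org/a");
        base.add(a, RDFS.label, "visible");

        // The String argument is the graph name handed to the evaluator as graphIRI.
        SecuredModel secured = Factory.getInstance(
                new ReadOnlyEvaluator(), "http://example.org/securedModel", base);

        System.out.println("readable statements: " + secured.size());

        try {
            // A write through the secured view is checked by the evaluator first.
            secured.add(a, RDFS.label, "rejected");
        } catch (AccessDeniedException e) {
            System.out.println("write denied: " + e.getClass().getSimpleName());
        }

        // The evaluator guards only the secured wrapper; code holding the base
        // model reference bypasses it, so the base must not be handed out.
        System.out.println("base model size: " + base.size());
    }
}
```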

Re: Problem with understanding Jena Permissions

Posted by Ekaterina Danilova <ka...@gmail.com>.
Thank you for your reply,

One more way might be implementing the SecurityEvaluator at the application
side and creating secured models there. It should work quite easily, but I
am not sure it is the best solution. Is the Permissions package intended to be
used only as an addition to Fuseki?

And if Permissions are originally supposed to be used only with Fuseki,
then atm the main way it is used is like in the example below - loading
data through the Assembler straight into a secured model?

my:baseModel rdf:type ja:MemoryModel;
    ja:content [ja:externalContent <file:./example.ttl>]
    .

my:securedModel rdf:type sec:Model ;
    perm:baseModel my:baseModel ;
    ja:modelName "https://example.org/securedModel" ;
    perm:evaluatorImpl my:secEvaluator .







2018-05-11 17:06 GMT+03:00 Claude Warren <cl...@xenei.com>:

> The permissions in your example are attached to the model called
> my:secModel.
>
> Basically you have the graph and if you access it with "using" or "from"
> statements the evaluator will be called.
>
> It is possible to make the model the default model for fuseki queries but
> that is not really what you want.
>
> What you want is the ability to create new models and have them be
> recognized as secured models.  This has not been implemented.  It might be
> doable as a secured dataset (not implemented) or it may require other work
> to ensure that the models are correctly created as secured models. (not
> sure how this would work off the top of my head).
>
> Claude
>
> On Fri, May 11, 2018 at 2:59 PM, Ekaterina Danilova <
> katja.danilova94@gmail.com> wrote:
>
> > Hello!
> > Yes, I tried to modify the config.ttl according to the guide and it looks
> > this way:
> >
> > PREFIX :        <#>
> > PREFIX fuseki:  <http://jena.apache.org/fuseki#>
> > PREFIX rdf:     <http://www.w3.org/1999/02/22-rdf-syntax-ns#>
> > PREFIX perm:    <http://apache.org/jena/permissions/Assembler#>
> > PREFIX rdfs:    <http://www.w3.org/2000/01/rdf-schema#>
> > PREFIX tdb2:    <http://jena.apache.org/2016/tdb#>
> > PREFIX my:      <http://example.org/#>
> > PREFIX sec:     <http://apache.org/jena/permission/Assembler#Model>
> >
> > [] perm:loadClass    "org.apache.jena.permissions.SecuredAssembler" .
> >  sec:Model rdfs:subClassOf perm:NamedModel .
> >
> >  sec:evaluator rdfs:domain sec:Model ;
> >                rdfs:range sec:Evaluator .
> >
> >  my:secModel a sec:Model ;
> >     sec:baseModel my:baseModel ;
> >     perm:modelName "http://example.com/securedModel" ;
> >     sec:evaluatorImpl my:myEvaluator;
> >     .
> >
> > my:myEvaluator a sec:Evaluator ;
> >     perm:args [
> >         rdf:_1 my:baseModel ;
> >     ] ;
> >     perm:evaluatorClass
> > "org.apache.jena.permissions.example.ShiroExampleEvaluator" .
> >
> > [] rdf:type fuseki:Server ;
> >    fuseki:services (
> >      <#service_tdb2>
> > //the list of services omitted
> >
> > And the models are uploaded from the application with :
> >
> > DatasetAccessor accessor = DatasetAccessorFactory.createHTTP(....);
> > accessor.putModel(name, model);
> >
> > So, with these configurations Fuseki doesn't do anything with the models.
> > Am I missing something?
> >
> > Thank you for help.
> >
> >
> > 2018-05-11 16:11 GMT+03:00 Claude Warren <cl...@xenei.com>:
> >
> > > You don't say if you have modified the default Fuseki configuration but
> > > what you will need to do is to modify the configuration file so that the
> > > models are created using the SecuredAssembler.
> > > (
> > > http://jena.apache.org/documentation/javadoc/permissions/org/apache/jena/permissions/SecuredAssembler.html).
> > > This process will hook your security evaluator to the models.
> > >
> > > Then requests will be filtered automatically.  Your security evaluator will
> > > be called with the name of the model as specified in the SecuredAssembler.
> > >
> > > I don't think anyone has implemented a mechanism to allow uploading of
> > > graphs/models into secure graphs.  It probably could be done.  If you are
> > > interested in attempting such let me know and we can outline how to do it.
> > >
> > > Claude
> > >

Re: Problem with understanding Jena Permissions

Posted by Claude Warren <cl...@xenei.com>.
The permissions in your example are attached to the model called
my:secModel.

Basically you have the graph and if you access it with "using" or "from"
statements the evaluator will be called.

It is possible to make the model the default model for fuseki queries but
that is not really what you want.

What you want is the ability to create new models and have them be
recognized as secured models.  This has not been implemented.  It might be
doable as a secured dataset (not implemented) or it may require other work
to ensure that the models are correctly created as secured models. (not
sure how this would work off the top of my head).

Claude

On Fri, May 11, 2018 at 2:59 PM, Ekaterina Danilova <
katja.danilova94@gmail.com> wrote:

> Hello!
> Yes, I tried to modify the config.ttl according to the guide and it looks
> this way:
>
> PREFIX :        <#>
> PREFIX fuseki:  <http://jena.apache.org/fuseki#>
> PREFIX rdf:     <http://www.w3.org/1999/02/22-rdf-syntax-ns#>
> PREFIX perm:    <http://apache.org/jena/permissions/Assembler#>
> PREFIX rdfs:    <http://www.w3.org/2000/01/rdf-schema#>
> PREFIX tdb2:    <http://jena.apache.org/2016/tdb#>
> PREFIX my:      <http://example.org/#>
> PREFIX sec:     <http://apache.org/jena/permission/Assembler#Model>
>
> [] perm:loadClass    "org.apache.jena.permissions.SecuredAssembler" .
>  sec:Model rdfs:subClassOf perm:NamedModel .
>
>  sec:evaluator rdfs:domain sec:Model ;
>                rdfs:range sec:Evaluator .
>
>  my:secModel a sec:Model ;
>     sec:baseModel my:baseModel ;
>     perm:modelName "http://example.com/securedModel" ;
>     sec:evaluatorImpl my:myEvaluator;
>     .
>
> my:myEvaluator a sec:Evaluator ;
>     perm:args [
>         rdf:_1 my:baseModel ;
>     ] ;
>     perm:evaluatorClass
> "org.apache.jena.permissions.example.ShiroExampleEvaluator" .
>
> [] rdf:type fuseki:Server ;
>    fuseki:services (
>      <#service_tdb2>
> //the list of services omitted
>
> And the models are uploaded from the application with :
>
> DatasetAccessor accessor = DatasetAccessorFactory.createHTTP(....);
> accessor.putModel(name, model);
>
> So, with these configurations Fuseki doesn't do anything with the models.
> Am I missing something?
>
> Thank you for help.
>
>



-- 
I like: Like Like - The likeliest place on the web
<http://like-like.xenei.com>
LinkedIn: http://www.linkedin.com/in/claudewarren

Re: Problem with understanding Jena Permissions

Posted by Ekaterina Danilova <ka...@gmail.com>.
Hello!
Yes, I tried to modify the config.ttl according to the guide and it looks
this way:

PREFIX :        <#>
PREFIX fuseki:  <http://jena.apache.org/fuseki#>
PREFIX rdf:     <http://www.w3.org/1999/02/22-rdf-syntax-ns#>
PREFIX perm:    <http://apache.org/jena/permissions/Assembler#>
PREFIX rdfs:    <http://www.w3.org/2000/01/rdf-schema#>
PREFIX tdb2:    <http://jena.apache.org/2016/tdb#>
PREFIX my:      <http://example.org/#>
PREFIX sec:     <http://apache.org/jena/permission/Assembler#Model>

[] perm:loadClass    "org.apache.jena.permissions.SecuredAssembler" .
 sec:Model rdfs:subClassOf perm:NamedModel .

 sec:evaluator rdfs:domain sec:Model ;
               rdfs:range sec:Evaluator .

 my:secModel a sec:Model ;
    sec:baseModel my:baseModel ;
    perm:modelName "http://example.com/securedModel" ;
    sec:evaluatorImpl my:myEvaluator;
    .

my:myEvaluator a sec:Evaluator ;
    perm:args [
        rdf:_1 my:baseModel ;
    ] ;
    perm:evaluatorClass
"org.apache.jena.permissions.example.ShiroExampleEvaluator" .

[] rdf:type fuseki:Server ;
   fuseki:services (
     <#service_tdb2>
//the list of services omitted

And the models are uploaded from the application with :

DatasetAccessor accessor = DatasetAccessorFactory.createHTTP(....);
accessor.putModel(name, model);

So, with these configurations Fuseki doesn't do anything with the models.
Am I missing something?

Thank you for help.


2018-05-11 16:11 GMT+03:00 Claude Warren <cl...@xenei.com>:

> You don't say if you have modified the default Fuseki configuration but
> what you will need to do is to modify the configuration file so that the
> models are created using the SecuredAssembler.
> (
> http://jena.apache.org/documentation/javadoc/permissions/org/apache/jena/
> permissions/SecuredAssembler.html).
> This process will hook your security evaluator to the models.
>
> Then requests will be filtered automatically.  Your security evaluator will
> be called with the name of the model as specified in the SecuredAssembler.
>
> I don't think anyone has implemented a mechanism to allow uploading of
> graphs/models into secure graphs.  It probably could be done.  If you are
> interested in attempting such let me know and we can outline how to do it.
>
> Claude
>

Re: Problem with understanding Jena Permissions

Posted by Claude Warren <cl...@xenei.com>.
You don't say if you have modified the default Fuseki configuration but
what you will need to do is to modify the configuration file so that the
models are created using the SecuredAssembler.
(
http://jena.apache.org/documentation/javadoc/permissions/org/apache/jena/permissions/SecuredAssembler.html).
This process will hook your security evaluator to the models.

Then requests will be filtered automatically.  Your security evaluator will
be called with the name of the model as specified in the SecuredAssembler.

I don't think anyone has implemented a mechanism to allow uploading of
graphs/models into secure graphs.  It probably could be done.  If you are
interested in attempting such let me know and we can outline how to do it.

Claude

On Fri, May 11, 2018 at 1:41 PM, Ekaterina Danilova <
katja.danilova94@gmail.com> wrote:

> Hello!
> I have a problem with understanding Jena permissions.
>
> I have an application which creates named graphs, uploads and reads those
> through Fuseki. I would like to add some security and create different
> access rules for different users etc. As the documentation (
> https://jena.apache.org/documentation/permissions/) says, it can be done
> with my own Security Evaluator implementation.
>
> What I don't understand is where and how exactly permissions should be
> added. Should they be only at Fuseki side? If so, then how can Fuseki
> understand to process each model as secured model? If I wish to create
> secured model at the side of application, then I have to use this method:
> Factory.getInstance( SecurityEvaluator, String, Model );
> which requires the SecurityEvaluator at the application side too. But if I
> add it there, then there is no sense in having the security evaluator at
> Fuseki side.
>
> My problem is that even though I added the permissions jar with my own
> SecurityEvaluator (a bit modified ShiroExampleEvaluator) to Fuseki
> correctly (with this example
> https://jena.apache.org/documentation/permissions/example.html), I cannot
> get it to process data through it. Fuseki is not seeing the incoming data
> as secured models.
>
> So, in short, the question is - how to set up Fuseki in such way, that it
> would see all incoming models as secured models and check the access level
> for those?
> And if it is impossible, what is the right way to add the permissions?
>



-- 
I like: Like Like - The likeliest place on the web
<http://like-like.xenei.com>
LinkedIn: http://www.linkedin.com/in/claudewarren
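
Added example, not part of the thread and not Jena project code: the same hook made in-process with Factory.getInstance( SecurityEvaluator, String, Model ), showing that the evaluator is asked about the model name as the graph IRI. OneGraphEvaluator, the user names and the sample triple are hypothetical, and the SecurityEvaluator method signatures (Node and Triple arguments) are assumed to match the Jena release in use.

```java
import java.util.Set;
import org.apache.jena.graph.Node;
import org.apache.jena.graph.Triple;
import org.apache.jena.permissions.Factory;
import org.apache.jena.permissions.SecurityEvaluator;
import org.apache.jena.rdf.model.Model;
import org.apache.jena.rdf.model.ModelFactory;
import org.apache.jena.shared.JenaException;

public class SecuredModelDemo {
    // Hypothetical policy: only "alice" may touch the one named graph.
    static class OneGraphEvaluator implements SecurityEvaluator {
        final String graph; String user;
        OneGraphEvaluator(String graph, String user) { this.graph = graph; this.user = user; }
        public boolean evaluate(Object p, Action a, Node g) {
            System.out.println("evaluate: " + p + " " + a + " on " + g);
            return "alice".equals(p) && g.isURI() && graph.equals(g.getURI());
        }
        public boolean evaluate(Object p, Action a, Node g, Triple t) { return evaluate(p, a, g); }
        public boolean evaluate(Object p, Set<Action> as, Node g) {
            for (Action a : as) if (!evaluate(p, a, g)) return false;
            return true;
        }
        public boolean evaluate(Object p, Set<Action> as, Node g, Triple t) { return evaluate(p, as, g); }
        public boolean evaluateAny(Object p, Set<Action> as, Node g) {
            for (Action a : as) if (evaluate(p, a, g)) return true;
            return false;
        }
        public boolean evaluateAny(Object p, Set<Action> as, Node g, Triple t) { return evaluateAny(p, as, g); }
        public boolean evaluateUpdate(Object p, Node g, Triple f, Triple t) { return evaluate(p, Action.Update, g); }
        public Object getPrincipal() { return user; }   // normally taken from the request or session
        public boolean isPrincipalAuthenticated(Object p) { return p != null; }
    }

    public static void main(String[] args) {
        String name = "http://example.com/securedModel";   // same role as the assembler's modelName
        Model base = ModelFactory.createDefaultModel();     // constructed sample data
        base.createResource("http://example.org/#s")
            .addProperty(base.createProperty("http://example.org/#p"), "v");
        OneGraphEvaluator ev = new OneGraphEvaluator(name, "alice");
        Model secured = Factory.getInstance(ev, name, base);
        System.out.println("alice reads " + secured.listStatements().toList().size());
        ev.user = "bob";
        try {   // denial surfaces as an exception or as an empty result, depending on the Jena version
            System.out.println("bob reads " + secured.listStatements().toList().size());
        } catch (JenaException e) {
            System.out.println("bob denied: " + e);
        }
    }
}
```

Only access that goes through the wrapped model reaches the evaluator; anything that reads or writes the base model directly is not checked.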