jena-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From build...@apache.org
Subject svn commit: r1036989 - in /websites/staging/jena/trunk/content: ./ documentation/fuseki2/data-access-control.html
Date Sat, 17 Nov 2018 10:05:06 GMT
Author: buildbot
Date: Sat Nov 17 10:05:06 2018
New Revision: 1036989

Log:
Staging update by buildbot for jena

Added:
    websites/staging/jena/trunk/content/documentation/fuseki2/data-access-control.html
Modified:
    websites/staging/jena/trunk/content/   (props changed)

Propchange: websites/staging/jena/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Sat Nov 17 10:05:06 2018
@@ -1 +1 @@
-1846607
+1846791

Added: websites/staging/jena/trunk/content/documentation/fuseki2/data-access-control.html
==============================================================================
--- websites/staging/jena/trunk/content/documentation/fuseki2/data-access-control.html (added)
+++ websites/staging/jena/trunk/content/documentation/fuseki2/data-access-control.html Sat
Nov 17 10:05:06 2018
@@ -0,0 +1,519 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+<head>
+<!--
+
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements.  See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE- 2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+
+  <title>Apache Jena - </title>
+  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+
+  <link href="/css/bootstrap.min.css" rel="stylesheet" media="screen">
+  <link href="/css/bootstrap-extension.css" rel="stylesheet" type="text/css">
+  <link href="/css/jena.css" rel="stylesheet" type="text/css">
+  <link rel="shortcut icon" href="/images/favicon.ico" />
+  
+  <script
+        src="https://code.jquery.com/jquery-2.2.4.min.js"
+        integrity="sha256-BbhdlvQf/xTY9gja0Dq3HiwQF8LaCRTXxZKRutelT44="
+        crossorigin="anonymous"></script>
+  <script src="/js/jena-navigation.js" type="text/javascript"></script>
+  <script src="/js/bootstrap.min.js" type="text/javascript"></script>
+  <script src="/js/breadcrumbs.js" type="text/javascript"></script>
+
+  <script src="/js/improve.js" type="text/javascript"></script>
+
+  
+  <!-- Uncomment to enable code coloring <link href="/css/codehilite.css" rel="stylesheet"
type="text/css"> -->
+
+</head>
+
+<body>
+
+
+
+<nav class="navbar navbar-default" role="navigation">
+<div class="container">
+  <div class="navbar-header">
+  
+    <button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-ex1-collapse">
+      <span class="icon-bar"></span>
+      <span class="icon-bar"></span>
+      <span class="icon-bar"></span>
+    </button>
+    <a class="navbar-brand" href="/index.html">
+    <img class="logo-menu" src="/images/jena-logo/jena-logo-notext-small.png" alt="jena
logo">Apache Jena</a>
+  </div>
+ 
+  <div class="collapse navbar-collapse navbar-ex1-collapse">
+    <ul class="nav navbar-nav">
+              <li id="homepage"><a href="/index.html"><span class="glyphicon
glyphicon-home"></span> Home</a></li>
+              <li id="download"><a href="/download/index.cgi"><span class="glyphicon
glyphicon-download-alt"></span> Download</a></li>
+              <li class="dropdown">
+                <a href="#" class="dropdown-toggle" data-toggle="dropdown"><span
class="glyphicon glyphicon-book"></span> Learn <b class="caret"></b></a>
+                <ul class="dropdown-menu">
+                  <li class="dropdown-header">Tutorials</li>
+                  <li><a href="/tutorials/index.html">Overview</a></li>
+                  <li><a href="/tutorials/rdf_api.html">RDF core API tutorial</a></li>
+                  <li><a href="/tutorials/sparql.html">SPARQL tutorial</a></li>
+                  <li><a href="/documentation/query/manipulating_sparql_using_arq.html">Manipulating
SPARQL using ARQ</a></li>
+                  <li><a href="/tutorials/using_jena_with_eclipse.html">Using
Jena with Eclipse</a></li>
+                  <li><a href="/documentation/notes/index.html">How-To's</a></li>
+                  <li class="divider"></li>
+                  <li class="dropdown-header">References</li>
+                  <li><a href="/documentation/index.html">Overview</a></li>
+                  <li><a href="/documentation/javadoc/">Javadoc</a></li>
+                  <li><a href="/documentation/rdf/index.html">RDF API</a></li>
+                  <li><a href="/documentation/io/">RDF I/O</a></li>
+                  <li><a href="/documentation/query/index.html">ARQ (SPARQL)</a></li>
+                  <li><a href="/documentation/rdfconnection/">RDF Connection
- SPARQL API</a></li>
+                  <li><a href="/documentation/hadoop/index.html">Elephas - tools
for RDF on Hadoop</a></li>
+                  <li><a href="/documentation/query/text-query.html">Text Search</a></li>
+                  <li><a href="/documentation/tdb/index.html">TDB</a></li>
+                  <li><a href="/documentation/sdb/index.html">SDB</a></li>
+                  <li><a href="/documentation/jdbc/index.html">SPARQL over JDBC</a></li>
+                  <li><a href="/documentation/fuseki2/index.html">Fuseki</a></li>
+                  <li><a href="/documentation/permissions/index.html">Permissions</a></li>
+                  <li><a href="/documentation/assembler/index.html">Assembler</a></li>
+                  <li><a href="/documentation/ontology/">Ontology API</a></li>
+                  <li><a href="/documentation/inference/index.html">Inference
API</a></li>
+                  <li><a href="/documentation/tools/index.html">Command-line
tools</a></li>
+                  <li><a href="/documentation/extras/index.html">Extras</a></li>
+                </ul>
+              </li>
+
+              <li class="drop down">
+                <a href="#" class="dropdown-toggle" data-toggle="dropdown"><span
class="glyphicon glyphicon-book"></span> Javadoc <b class="caret"></b></a>
+                <ul class="dropdown-menu">
+                  <li><a href="/documentation/javadoc/jena/">Jena Core</a></li>
+                  <li><a href="/documentation/javadoc/arq/">ARQ</a></li>
+                  <li><a href="/documentation/javadoc/tdb/">TDB</a></li>
+                  <li><a href="/documentation/javadoc/fuseki2/">Fuseki</a></li>
+                  <li><a href="/documentation/javadoc/elephas/">Elephas</a></li>
+                  <li><a href="/documentation/javadoc/text/">Text Search</a></li>
+                  <li><a href="/documentation/javadoc/spatial/">Spatial Search</a></li>
+                  <li><a href="/documentation/javadoc/permissions/">Permissions</a></li>
+                  <li><a href="/documentation/javadoc/jdbc/">JDBC</a></li>
+                  <li><a href="/documentation/javadoc/">All Javadoc</a></li>
+                </ul>
+              </li>
+
+              <li id="ask"><a href="/help_and_support/index.html"><span class="glyphicon
glyphicon-question-sign"></span> Ask</a></li>
+              
+              <li class="dropdown">
+                <a href="#" class="dropdown-toggle" data-toggle="dropdown"><span
class="glyphicon glyphicon-bullhorn"></span> Get involved <b class="caret"></b></a>
+                <ul class="dropdown-menu">
+                  <li><a href="/getting_involved/index.html">Contribute</a></li>
+                  <li><a href="/help_and_support/bugs_and_suggestions.html">Report
a bug</a></li>
+                  <li class="divider"></li>
+                  <li class="dropdown-header">Project</li>
+                  <li><a href="/about_jena/about.html">About Jena</a></li>
+                  <li><a href="/about_jena/roadmap.html">Roadmap</a></li>
+                  <li><a href="/about_jena/architecture.html">Architecture</a></li>
+                  <li><a href="/about_jena/team.html">Project team</a></li>
+                  <li><a href="/about_jena/contributions.html">Related projects</a></li>
+                  <li class="divider"></li>
+                  <li class="dropdown-header">ASF</li>
+                  <li><a href="http://www.apache.org/">Apache Software Foundation</a></li>
+                  <li><a href="http://www.apache.org/licenses/LICENSE-2.0">License</a></li>
+                  <li><a href="http://www.apache.org/foundation/thanks.html">Thanks</a></li>
+                  <li><a href="http://www.apache.org/foundation/sponsorship.html">Become
a Sponsor</a></li>
+                  <li><a href="http://www.apache.org/security/">Security</a></li>
+                </ul>
+              </li>
+
+              <li id="edit"><a href="javascript:improveThisPage(location.href);"
title="Improve this Page (Use username anonymous and empty password)"><span class="glyphicon
glyphicon-pencil"></span> Improve this Page</a></li>   
+    </ul>
+  </div>
+</div>
+</nav>
+
+
+<div class="container">
+    <div class="row">
+    <div class="col-md-12">
+    <div id="breadcrumbs"></div>
+    <h1 class="title"></h1>
+  <style type="text/css">
+/* The following code is added by mdx_elementid.py
+   It was originally lifted from http://subversion.apache.org/style/site.css */
+/*
+ * Hide class="elementid-permalink", except when an enclosing heading
+ * has the :hover property.
+ */
+.headerlink, .elementid-permalink {
+  visibility: hidden;
+}
+h2:hover > .headerlink, h3:hover > .headerlink, h1:hover > .headerlink, h6:hover
> .headerlink, h4:hover > .headerlink, h5:hover > .headerlink, dt:hover > .elementid-permalink
{ visibility: visible }</style>
+<h2 id="data-access-control">Data Access Control.<a class="headerlink" href="#data-access-control"
title="Permanent link">&para;</a></h2>
+<p>Fuseki can provide access control at the level of the server, on datasets,
+on endpoints and also at the graph level within a dataset. It also
+provides native https to protect data in-flight.</p>
+<p><a href="http://jena.apache.org/documentation/fuseki2/fuseki-main.html">Fuseki
Main</a>
+provides some common patterns of authentication.</p>
+<p>Fuseki Full (Fuseki with the UI) can be used when
+<a href="http://jena.apache.org/documentation/fuseki2/fuseki-run.html#fuseki-web-application">run
in a web application server such as Tomcat</a>
+to provide authentication of the user.</p>
+<p>Graph level Data Access Control provides control over the visibility of
+graphs within a dataset, and including the union graph of a dataset and
+the default graph. Currently, Graph level access control only applies to
+read-only datasets.</p>
+<p>See "<a href="fuseki-security">Fuseki Security</a>" for configuring
security over
+the whole of the Fuseki UI.</p>
+<h2 id="contents">Contents<a class="headerlink" href="#contents" title="Permanent
link">&para;</a></h2>
+<ul>
+<li><a href="#https">HTTPS</a></li>
+<li><a href="#authentication">Authentication</a></li>
+<li><a href="#acl">Access control lists</a></li>
+<li><a href="#graph-acl">Graph level access control</a></li>
+<li><a href="#jetty-configuration">Configuring Jetty directly</a></li>
+<li><a href="#embedded-setup">Confuguring Fuseki in Java code</a></li>
+</ul>
+<h2 id="https">HTTPS<a class="headerlink" href="#https" title="Permanent link">&para;</a></h2>
+<p>This section applies to Fuseki Main.
+Https support is configured from the fuseki server command line.</p>
+<table class="table">
+<thead>
+<tr>
+<th>Argument</th>
+<th></th>
+<th></th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td><code>--https=&lt;i&gt;SETUP&lt;/i&gt;</code></td>
+<td>Name of file for certificate details.</td>
+<td></td>
+</tr>
+<tr>
+<td><code>--httpsPort=&lt;i&gt;PORT&lt;/i&gt;</code></td>
+<td>The port for https</td>
+<td>Default: 3043</td>
+</tr>
+</tbody>
+</table>
+<p>The <code>--https</code> argument names a file in JSON which includes
the name of
+the certificate file and password for the certificate.</p>
+<div class="codehilite"><pre>{ &quot;cert&quot;: <span class="nt">&lt;i&gt;</span>KEYSTORE<span
class="nt">&lt;/i&gt;</span> , &quot;passwd&quot;: <span class="nt">&lt;i&gt;</span>SECRET<span
class="nt">&lt;/i&gt;</span> }
+</pre></div>
+
+
+<p>This file must be protected by file access settings so that it can only
+be read by the userid running the server.  One way is to put the
+keystore certificate and the certificate details file in the same
+directory, then making the directory secure.</p>
+<h3 id="self-signed-certificates">Self-signed certificates<a class="headerlink"
href="#self-signed-certificates" title="Permanent link">&para;</a></h3>
+<p>A self-signed certificate provides an encrypted link to the server and
+stops some attacks. What it does not do is gaurantee the identity of the
+host name of the Fuseki server to the client system.</p>
+<p>A self-signed certificate can be generated with:</p>
+<div class="codehilite"><pre><span class="n">keytool</span> <span
class="o">-</span><span class="n">keystore</span> <span class="n">keystore</span>
<span class="o">-</span><span class="n">alias</span> <span class="n">jetty</span>
<span class="o">-</span><span class="n">genkey</span> <span class="o">-</span><span
class="n">keyalg</span> <span class="n">RSA</span>
+</pre></div>
+
+
+<p>For information on creating a certificate, see the Jetty documentation
+for <a href="http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html#generating-key-pairs-and-certificates">generating
certificates</a>.</p>
+<h2 id="authentication">Authentication<a class="headerlink" href="#authentication"
title="Permanent link">&para;</a></h2>
+<p>This section applies to Fuskei Main.</p>
+<p><a href="https://en.wikipedia.org/wiki/Authentication">Authentication</a>,
+is establishing the identity of the principal (user or program) accessing the
+system. Fuseki Main provides users/password setup and HTTP authentication,
+<a href="https://en.wikipedia.org/wiki/Digest_access_authentication">digest</a>
or 
+<a href="https://en.wikipedia.org/wiki/Basic_access_authentication">basic</a>).</p>
+<p>These should be <a href="#https">used with HTTPS</a>.</p>
+<table class="table">
+<thead>
+<tr>
+<th>Argument</th>
+<th></th>
+<th></th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td><code>--auth=</code></td>
+<td>"basic" or "digest"</td>
+<td>Default is "digest"</td>
+</tr>
+</tbody>
+</table>
+<p>These can also be given in the server configuration file:</p>
+<div class="codehilite"><pre><span class="err">&lt;</span>#server&gt;
rdf:type fuseki:Server ;
+    fuseki:passwd  &quot;<span class="nt">&lt;i&gt;</span>password_file<span
class="nt">&lt;/i&gt;</span>&quot; ;
+    fuseki:auth    &quot;<span class="nt">&lt;i&gt;</span>digest<span
class="nt">&lt;/i&gt;</span>&quot; ;
+    ...
+</pre></div>
+
+
+<p>The format of the password file is:</p>
+<div class="codehilite"><pre><span class="n">username</span><span
class="o">:</span> <span class="n">password</span>
+</pre></div>
+
+
+<p>and passwords can be stored in hash or obfuscated form. </p>
+<p><a href="http://www.eclipse.org/jetty/documentation/current/configuring-security.html#hash-login-service">Password
file format</a>.</p>
+<p>If different authentication is required, the full facilities of 
+<a href="http://www.eclipse.org/jetty/documentation/current/configuring-security.html">Eclipse
Jetty configuration</a>
+are available.</p>
+<h3 id="using-curl">Using <code>curl</code><a class="headerlink" href="#using-curl"
title="Permanent link">&para;</a></h3>
+<p>See the <a href="https://curl.haxx.se/docs/manpage.html">curl documentation</a>
for full
+details.  This section is a breif summary of some relevant options:</p>
+<table class="table">
+<thead>
+<tr>
+<th>curl argument</th>
+<th>Value</th>
+<th>--</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td><code>-n</code>, <code>--netrc</code></td>
+<td></td>
+<td>Take passwords from <code>.netrc</code> (<code>_netrc</code>
on windows)</td>
+</tr>
+<tr>
+<td><code>--user=</code></td>
+<td><code>user:password</code></td>
+<td>Set the uses and password (visible to all on the local machine)</td>
+</tr>
+<tr>
+<td><code>--anyauth</code></td>
+<td></td>
+<td>Use server nominated authentication scheme</td>
+</tr>
+<tr>
+<td><code>--basic</code></td>
+<td></td>
+<td>Use HTTP basic auth</td>
+</tr>
+<tr>
+<td><code>--digest</code></td>
+<td></td>
+<td>Use HTTP digest auth</td>
+</tr>
+<tr>
+<td><code>-k</code>, <code>--insecure</code></td>
+<td></td>
+<td>Don't check HTTPS certifcate. This allows for self-signed or expired, certificates
or ones with the wrong host name.</td>
+</tr>
+</tbody>
+</table>
+<h3 id="using-wget">Using <code>wget</code><a class="headerlink" href="#using-wget"
title="Permanent link">&para;</a></h3>
+<p>See the <a href="https://www.gnu.org/software/wget/manual/wget.html">wget
documentation</a> for full
+details.  This section is a breif summary of some relevant options:</p>
+<table class="table">
+<thead>
+<tr>
+<th>wget argument</th>
+<th>Value</th>
+<th>--</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td>--http-user</td>
+<td>user</td>
+<td>Set the user.</td>
+</tr>
+<tr>
+<td>--http-password</td>
+<td>password</td>
+<td>Set the password (visible to all on the local machine)</td>
+</tr>
+<tr>
+<td></td>
+<td></td>
+<td><code>wget</code> uses users/password from <code>.wgetrc</code>
or <code>.netrc</code> by default.</td>
+</tr>
+<tr>
+<td><code>--no-check-certificate</code></td>
+<td></td>
+<td>Don't check HTTPS certifcate. This allows for self-signed or expired, certificates
or ones with the wrong host name.</td>
+</tr>
+</tbody>
+</table>
+<h2 id="acl">Access Control Lists<a class="headerlink" href="#acl" title="Permanent
link">&para;</a></h2>
+<p>ACLs can be applied to the server as a whole, to a dataset, to endpoints, and to
+graphs within a dataset. This section covers server, dataset and endpoint access control
+lists. Graph-level access control is <a href="#graph-acl">covered below</a>.</p>
+<p>Access control lists (ACL) as part of the server configuration file.</p>
+<div class="codehilite"><pre><span class="n">fuseki</span> <span
class="o">--</span><span class="n">conf</span> <span class="n">assembler</span><span
class="p">.</span><span class="n">ttl</span> <span class="p">...</span>
+</pre></div>
+
+
+<p>ACLs are provided by the <code>ja:allowedUsers</code> property </p>
+<h3 id="format-of-jaallowedusers">Format of <code>ja:allowedUsers</code><a
class="headerlink" href="#format-of-jaallowedusers" title="Permanent link">&para;</a></h3>
+<p>The list of users allowed access can be an RDF list or repeated use of
+the property or a mixture. The different seting are combined into one ACL.</p>
+<div class="codehilite"><pre> <span class="n">fuseki</span><span
class="p">:</span><span class="n">allowedUsers</span>    &quot;<span
class="n">user1</span>&quot;<span class="p">,</span> &quot;<span
class="n">user2</span>&quot;<span class="p">,</span> &quot;<span
class="n">user3</span>&quot;<span class="p">;</span>
+ <span class="n">fuseki</span><span class="p">:</span><span class="n">allowedUsers</span>
   &quot;<span class="n">user3</span>&quot;<span class="p">;</span>
+ <span class="n">fuseki</span><span class="p">:</span><span class="n">allowedUsers</span>
   <span class="p">(</span> &quot;<span class="n">user1</span>&quot;
&quot;<span class="n">user2</span>&quot; &quot;<span class="n">user3</span>&quot;<span
class="p">)</span> <span class="p">;</span>
+</pre></div>
+
+
+<p>There is a special user name "*" which means "any authenticated user".</p>
+<div class="codehilite"><pre><span class="n">fuseki</span><span
class="o">:</span><span class="n">allowedUsers</span>  <span class="s2">&quot;*&quot;</span>
<span class="o">;</span>
+</pre></div>
+
+
+<h3 id="server-acl">Server Level ACLs<a class="headerlink" href="#server-acl" title="Permanent
link">&para;</a></h3>
+<div class="codehilite"><pre><span class="err">&lt;</span>#server&gt;
rdf:type fuseki:Server ;
+   <span class="nt">&lt;i&gt;</span>fuseki:allowedUsers    &quot;user1&quot;,
&quot;user2&quot;, &quot;user3&quot;;<span class="nt">&lt;/i&gt;</span>
+   ...
+   fuseki:services ( ... ) ;
+   ...
+   .
+</pre></div>
+
+
+<p>A useful pattern is:</p>
+<div class="codehilite"><pre><span class="err">&lt;</span>#server&gt;
rdf:type fuseki:Server ;
+   <span class="nt">&lt;i&gt;</span>fuseki:allowedUsers    &quot;*&quot;;<span
class="nt">&lt;/i&gt;</span>
+   ...
+   fuseki:services ( ... ) ;
+   ...
+   .
+</pre></div>
+
+
+<p>whcih requires all access to authenticated and the allowed users are
+those in the password file.</p>
+<h3 id="dataset-acl">Dataset Level<a class="headerlink" href="#dataset-acl" title="Permanent
link">&para;</a></h3>
+<p>When there is an access control list on the <code>fuseki:Service</code>,
it applies
+to all requests to the endpoints of the server. </p>
+<p>Any server-wide "allowedUsers" configuration also applies and both
+levels must allow the user access.</p>
+<div class="codehilite"><pre><span class="err">&lt;</span>#service_auth&gt;
rdf:type fuseki:Service ;
+    rdfs:label                      &quot;ACL controlled dataset&quot; ;
+    fuseki:name                     &quot;db-acl&quot; ;
+
+    <span class="nt">&lt;i&gt;</span>fuseki:allowedUsers            
&quot;user1&quot;, &quot;user3&quot;;<span class="nt">&lt;/i&gt;</span>
+
+    ## Chocie of operations.
+    fuseki:serviceQuery             &quot;query&quot; ;
+    fuseki:serviceQuery             &quot;sparql&quot; ;
+    fuseki:serviceReadGraphStore    &quot;get&quot; ;
+
+    fuseki:serviceUpdate            &quot;update&quot; ;
+    fuseki:serviceUpload            &quot;upload&quot; ;
+    fuseki:serviceReadWriteGraphStore &quot;data&quot; ;
+
+    fuseki:dataset                  <span class="err">&lt;</span>#base_dataset&gt;;
+    .
+</pre></div>
+
+
+<h3 id="endpoint-acl">Endpoint Level<a class="headerlink" href="#endpoint-acl" title="Permanent
link">&para;</a></h3>
+<p>An access control list can be applied to an individual endpoint.
+Again, any  other "allowedUsers" configuration, service-wide, or
+server-wide) also applies.</p>
+<div class="codehilite"><pre>    <span class="n">fuseki</span><span
class="p">:</span><span class="n">serviceQuery</span>  <span class="p">[</span>
<span class="n">fuseki</span><span class="p">:</span><span class="n">name</span>
&quot;<span class="n">query</span> <span class="p">;</span>
+                           <span class="n">fuseki</span><span class="p">:</span><span
class="n">allowedUsers</span> &quot;<span class="n">user1</span>&quot;<span
class="p">,</span> &quot;<span class="n">user2</span>&quot;<span
class="p">]</span> <span class="p">;</span>
+    <span class="n">fuseki</span><span class="p">:</span><span
class="n">serviceUpdate</span> <span class="p">[</span> <span class="n">fuseki</span><span
class="p">:</span><span class="n">name</span> &quot;<span class="n">update</span>
<span class="p">;</span>
+                           <span class="n">fuseki</span><span class="p">:</span><span
class="n">allowedUsers</span> &quot;<span class="n">user1</span>&quot;<span
class="p">]</span> <span class="p">;</span>
+</pre></div>
+
+
+<p>Only <em>user1</em> can use SPARQL udpate both <em>user1</em>
and
+<em>user2</em> can use SPARQl query.</p>
+<h2 id="graph-acl">Graph Level<a class="headerlink" href="#graph-acl" title="Permanent
link">&para;</a></h2>
+<p>Graph level access control is defined using a specific dataset
+implmentation for the service.</p>
+<div class="codehilite"><pre><span class="o">&lt;</span>#<span
class="n">access_dataset</span><span class="o">&gt;</span>  <span
class="n">rdf</span><span class="p">:</span><span class="n">type</span>
<span class="n">access</span><span class="p">:</span><span class="n">AccessControlledDataset</span>
<span class="p">;</span>
+    <span class="n">access</span><span class="p">:</span><span
class="n">registry</span>   <span class="p">...</span> <span class="p">;</span>
+    <span class="n">access</span><span class="p">:</span><span
class="n">dataset</span>    <span class="p">...</span> <span class="p">;</span>
+    <span class="p">.</span>
+</pre></div>
+
+
+<p>ACLs are defined in a <a href="#graph-security-registry">Graph Security Registry</a>
which lists the
+users and graph URIs.</p>
+<div class="codehilite"><pre><span class="o">&lt;</span>#<span
class="n">service_tdb2</span><span class="o">&gt;</span> <span
class="n">rdf</span><span class="p">:</span><span class="n">type</span>
<span class="n">fuseki</span><span class="p">:</span><span class="n">Service</span>
<span class="p">;</span>
+    <span class="n">rdfs</span><span class="p">:</span><span class="n">label</span>
                     &quot;<span class="n">Graph</span><span class="o">-</span><span
class="n">level</span> <span class="n">access</span> <span class="n">controlled</span>
<span class="n">dataset</span>&quot; <span class="p">;</span>
+    <span class="n">fuseki</span><span class="p">:</span><span
class="n">name</span>                     &quot;<span class="n">db</span><span
class="o">-</span><span class="n">graph</span><span class="o">-</span><span
class="n">acl</span>&quot; <span class="p">;</span>
+    ## <span class="n">Read</span><span class="o">-</span><span
class="n">only</span> <span class="n">operations</span><span class="p">.</span>
+    <span class="n">fuseki</span><span class="p">:</span><span
class="n">serviceQuery</span>             &quot;<span class="n">query</span>&quot;
<span class="p">;</span>
+    <span class="n">fuseki</span><span class="p">:</span><span
class="n">serviceQuery</span>             &quot;<span class="n">sparql</span>&quot;
<span class="p">;</span>
+    <span class="n">fuseki</span><span class="p">:</span><span
class="n">serviceReadGraphStore</span>    &quot;<span class="n">get</span>&quot;
<span class="p">;</span>
+    <span class="n">fuseki</span><span class="p">:</span><span
class="n">dataset</span>                  <span class="o">&lt;</span>#<span
class="n">access_dataset</span><span class="o">&gt;</span><span
class="p">;</span>
+    <span class="p">.</span>
+
+<span class="o">&lt;</span>#<span class="n">access_dataset</span><span
class="o">&gt;</span>  <span class="n">rdf</span><span class="p">:</span><span
class="n">type</span> <span class="n">access</span><span class="p">:</span><span
class="n">AccessControlledDataset</span> <span class="p">;</span>
+    <span class="n">access</span><span class="p">:</span><span
class="n">registry</span>   <span class="o">&lt;</span>#<span
class="n">securityRegistry</span><span class="o">&gt;</span> <span
class="p">;</span>
+    <span class="n">access</span><span class="p">:</span><span
class="n">dataset</span>    <span class="o">&lt;</span>#<span
class="n">tdb_dataset_shared</span><span class="o">&gt;</span> <span
class="p">;</span>
+    <span class="p">.</span>
+
+<span class="o">&lt;</span>#<span class="n">tdb_dataset_shared</span><span
class="o">&gt;</span> <span class="n">rdf</span><span class="p">:</span><span
class="n">type</span> <span class="n">tdb</span><span class="p">:</span><span
class="n">DatasetTDB</span> <span class="p">;</span>
+    <span class="p">.</span> <span class="p">.</span> <span class="p">.</span>
+</pre></div>
+
+
+<p>All dataset stroage types are supported.</p>
+<h3 id="graph-security-registry">Graph Security Registry<a class="headerlink" href="#graph-security-registry"
title="Permanent link">&para;</a></h3>
+<p>The Graph Security Registry is defined as a number of access entries in
+either a list format "(user graph1 graph2 ...)" or as RDF properties
+<code>access:user</code> and <code>access:graphs</code>. The property
<code>access:graphs</code> has graph URI or a
+list of URIs as its object.</p>
+<div class="codehilite"><pre><span class="o">&lt;</span>#<span
class="n">securityRegistry</span><span class="o">&gt;</span> <span
class="n">rdf</span><span class="p">:</span><span class="n">type</span>
<span class="n">access</span><span class="p">:</span><span class="n">SecurityRegistry</span>
<span class="p">;</span>
+    <span class="n">access</span><span class="p">:</span><span
class="n">entry</span> <span class="p">(</span> &quot;<span class="n">user1</span>&quot;
<span class="o">&lt;</span><span class="n">http</span><span
class="p">:</span><span class="o">//</span><span class="n">host</span><span
class="o">/</span><span class="n">graphname1</span><span class="o">&gt;</span>
 <span class="o">&lt;</span><span class="n">http</span><span
class="p">:</span><span class="o">//</span><span class="n">host</span><span
class="o">/</span><span class="n">graphname2</span><span class="o">&gt;</span>
<span class="p">)</span> <span class="p">;</span>
+    <span class="n">access</span><span class="p">:</span><span
class="n">entry</span> <span class="p">(</span> &quot;<span class="n">user1</span>&quot;
<span class="o">&lt;</span><span class="n">http</span><span
class="p">:</span><span class="o">//</span><span class="n">host</span><span
class="o">/</span><span class="n">graphname3</span><span class="o">&gt;</span>
<span class="p">)</span> <span class="p">;</span>
+
+    <span class="n">access</span><span class="p">:</span><span
class="n">entry</span> <span class="p">(</span> &quot;<span class="n">user1</span>&quot;
<span class="o">&lt;</span><span class="n">urn</span><span
class="p">:</span><span class="n">x</span><span class="o">-</span><span
class="n">arq</span><span class="p">:</span><span class="n">DefaultGraph</span><span
class="o">&gt;</span> <span class="p">)</span> <span class="p">;</span>
+
+    <span class="n">access</span><span class="p">:</span><span
class="n">entry</span> <span class="p">(</span> &quot;<span class="n">user2</span>&quot;
<span class="o">&lt;</span><span class="n">http</span><span
class="p">:</span><span class="o">//</span><span class="n">host</span><span
class="o">/</span><span class="n">graphname9</span><span class="o">&gt;</span>
<span class="p">)</span> <span class="p">;</span>
+    <span class="n">access</span><span class="p">:</span><span
class="n">entry</span> <span class="p">[</span> <span class="n">access</span><span
class="p">:</span><span class="n">user</span> &quot;<span class="n">user3</span>&quot;
<span class="p">;</span> <span class="n">access</span><span class="p">:</span><span
class="n">graphs</span> <span class="p">(</span> <span class="o">&lt;</span><span
class="n">http</span><span class="p">:</span><span class="o">//</span><span
class="n">host</span><span class="o">/</span><span class="n">graphname3</span><span
class="o">&gt;</span> <span class="o">&lt;</span><span class="n">http</span><span
class="p">:</span><span class="o">//</span><span class="n">host</span><span
class="o">/</span><span class="n">graphname4</span><span class="o">&gt;</span>
<span class="p">)</span> <span class="p">]</span> <span class="p">;</span>
+    <span class="n">access</span><span class="p">:</span><span
class="n">entry</span> <span class="p">[</span> <span class="n">access</span><span
class="p">:</span><span class="n">user</span> &quot;<span class="n">user3</span>&quot;
<span class="p">;</span> <span class="n">access</span><span class="p">:</span><span
class="n">graphs</span> <span class="o">&lt;</span><span class="n">http</span><span
class="p">:</span><span class="o">//</span><span class="n">host</span><span
class="o">/</span><span class="n">graphname5</span><span class="o">&gt;</span>
<span class="p">]</span> <span class="p">;</span>
+    <span class="n">access</span><span class="p">:</span><span
class="n">entry</span> <span class="p">[</span> <span class="n">access</span><span
class="p">:</span><span class="n">user</span> &quot;<span class="n">userZ</span>&quot;
<span class="p">;</span> <span class="n">access</span><span class="p">:</span><span
class="n">graphs</span> <span class="o">&lt;</span><span class="n">http</span><span
class="p">:</span><span class="o">//</span><span class="n">host</span><span
class="o">/</span><span class="n">graphnameZ</span><span class="o">&gt;</span>
<span class="p">]</span> <span class="p">;</span>
+    <span class="p">.</span>
+</pre></div>
+
+
+<h2 id="jetty-configuration">Jetty Configuration<a class="headerlink" href="#jetty-configuration"
title="Permanent link">&para;</a></h2>
+<p>For authentication configuration not covered by Fuseki configuration,
+the deployed server can be run using a Jetty comnfiguration.</p>
+<p>Server command line: <tt>--jetty=<i>jetty.xml</i></tt>.</p>
+<p><a href="https://www.eclipse.org/jetty/documentation/current/jetty-xml-config.html">Documentation
for
+<code>jetty.xml</code></a>.</p>
+  </div>
+</div>
+
+</div><!--/.container -->
+
+    <footer class="footer">
+      <div class="container">
+        <p>Copyright &copy; 2011&ndash;2018 The Apache Software Foundation,
Licensed under
+        the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version
2.0</a>.
+        </p>
+        <p>
+        Apache Jena, Jena, the Apache Jena project logo,
+        Apache and the Apache feather logos are trademarks of The Apache Software Foundation.
+        </p>
+      </div>
+  </footer>
+
+  <!-- for marking links as active in the navbar-menu -->
+  <script type="text/javascript">
+    var link = $('a[href="' + this.location.pathname + '"]');
+    if (link != undefined)
+      link.parents('li,ul').addClass('active');
+  </script>
+
+</body>
+</html>



Mime
View raw message