Merged - along with all the bits and pieces that accumulated.
First draft, not finished, documentation
http://jena.staging.apache.org/documentation/fuseki2/data-access-control.html
Outstanding, but not blocking a release:
Endpoint access control (it can be done by defining different services
but it will be neater if it were more consistently handled).
Andy
On 15/11/2018 10:33, Andy Seaborne wrote:
Hi all - the work of Fuseki and security is nearly ready to merge to
master so here is a brief overview of what has become a large PR (sorry
about that).
Jena 3.9.0 introduced a library to for graph-level security (module
jena-fuseki-access). This work adds user authentication, https, and
support for access control on the server as a whole and on databases.
JENA-1594 : Provide per-graph access control in Fuseki
JENA-1623 : Access control of server and services
JENA-1627 : HTTPS support
PR#486: https://github.com/apache/jena/pull/486
Most of this is relying on Jetty features and packaging them up to make
them easier to use in the context of Fuseki.
* https support.
Because data transfer over unencrypted HTTP is not a good thing if you
wanted to restrict access to the data in any way.
* Users and passwords.
Basic and Digest auth supported; the server defaults to digest auth.
that might have to change because in my experience simple scripts work
with basic auth - it is the default with curl and wget.
The code provides password file support - for more complex integrations
into a deployment environment, e.g. SSO, LDAP, access to the Jetty
features is easily available. If there are common patterns, better
support can be added later but for now it's standalone user/passwd or
extension in Java code.
* Access control for the server
The server can be set to require an authenticated user.
* Access control for the services
This can also be applied to individual services.
These two are probably the most useful part of the new features for
general use.
A deployed server can have different access control lists on the server
itself, and on various databases (a user has to satisfy all restrictions).
There is no per-endpoint security ATM - something to add later. The same
dataset can be shared between different services with different access
control lists.
* Graph-level access control.
This only applies to a read-only database. There are per-user access
control lists; the union graph is all named graphs the user has access to.
When used with TDB, the implementation uses TDB tuple filtering so it is
efficient. In the general case, it is a specially created view of the
dataset which is functionally correct but will call back to general
query execution, and for expensive queries may well be observable less
efficient.
Updates can be done under different access control via a different set
of service endpoints over the same shared TDB database.
Andy
Unrelated small things : these are small fixes of things I came across
or have been mentioned recently during the lifetime of this PR which got
fixed:
JENA-1625 : Update DynamicDatasets.
JENA-1626 : Txn improvements.
JENA-1631 : Use DatasetGraphMapLink transactions.
JENA-1629 : Print CONSTRUCT Quads executions.
JENA-1632 : https support in SOH scripts.
