[GitHub] jena pull request #492: JENA-1623: Endpoint access control lists

2018-11-22 Thread asfgit
Github user asfgit closed the pull request at:

https://github.com/apache/jena/pull/492


---


[GitHub] jena pull request #492: JENA-1623: Endpoint access control lists

2018-11-21 Thread afs
Github user afs commented on a diff in the pull request:

https://github.com/apache/jena/pull/492#discussion_r235441879
  
--- Diff: 
jena-fuseki2/jena-fuseki-core/src/main/java/org/apache/jena/fuseki/build/FusekiBuilder.java
 ---
@@ -70,16 +69,42 @@ public static void populateStdServices(DataService 
dataService, boolean allowUpd
 
 /** Add an operation to a {@link DataService} with a given endpoint 
name */
 public static void addServiceEP(DataService dataService, Operation 
operation, String endpointName) {
-dataService.addEndpoint(operation, endpointName) ; 
+dataService.addEndpoint(operation, endpointName) ;
+}
+
+/** Add an operation to a {@link DataService} with a given endpoint 
name */
+public static void addServiceEP(DataService dataService, Operation 
operation, String endpointName, AuthPolicy requestAuth) {
+dataService.addEndpoint(operation, endpointName, requestAuth) ;
 }
 
 public static void addServiceEP(DataService dataService, Operation 
operation, Resource svc, Property property) {
 String p = "<"+property.getURI()+">" ;
 ResultSet rs = FusekiBuildLib.query("SELECT * { ?svc " + p + " 
?ep}", svc.getModel(), "svc", svc) ;
 for ( ; rs.hasNext() ; ) {
 QuerySolution soln = rs.next() ;
-String epName = soln.getLiteral("ep").getLexicalForm() ;
-addServiceEP(dataService, operation, epName); 
+AuthPolicy requestAuth = null;
--- End diff --
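
Review bot: The Javadoc on the new four-argument `addServiceEP` is a copy of the three-argument one and says nothing about `requestAuth`. Add a `@param requestAuth` line stating whether `null` is accepted and what it means for the endpoint, since the caller further down in this hunk starts from `AuthPolicy requestAuth = null;`.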

Yes - the authorization setup needs to be passed out of the "else" arm of 
the if it is found, otherwise it is "no AuthPolicy". Java scope issue. "null" 
means "no value seen in the configuration". 

An alternative would have been to always have an executable AuthPolicy even 
if it's "anyone, unauthenticated or not". 

For keeping track of setup, which can become quite complicated, I found 
it slightly easier to use a null as "this hasn't been set" rather than use a 
marker AuthPolicy.

Comment added.



---


[GitHub] jena pull request #492: JENA-1623: Endpoint access control lists

2018-11-21 Thread afs
Github user afs commented on a diff in the pull request:

https://github.com/apache/jena/pull/492#discussion_r235441851
  
--- Diff: 
jena-fuseki2/jena-fuseki-core/src/main/java/org/apache/jena/fuseki/auth/AuthPolicy.java
 ---
@@ -0,0 +1,39 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.jena.fuseki.auth;
+
+/**
+ * Policy for authorization to a resource.
+ * Assumes the user has already been authenticated.
+ */
+public interface AuthPolicy {
+/** 
+ * Is the use authorized for this resource?
+ */
+public boolean isAllowed(String user);
+
+/**
+ * Is the use denied for this resource? Both {@linkplain #isAllowed} 
and
+ * {@linkplain #isDenied} could be false if the policy does not knwo 
one way of the
--- End diff --
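
Review bot: The interface comment should say what a caller does when both `isAllowed` and `isDenied` are false, which the `isDenied` Javadoc explicitly permits. Two booleans give a three-way answer here, so state which method the enforcement point consults and how it treats the undecided case (for an access check, reading undecided as not allowed is the safer default), and whether both methods may return true for the same user.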

Done


---


[GitHub] jena pull request #492: JENA-1623: Endpoint access control lists

2018-11-21 Thread rvesse
Github user rvesse commented on a diff in the pull request:

https://github.com/apache/jena/pull/492#discussion_r235398663
  
--- Diff: 
jena-fuseki2/jena-fuseki-core/src/main/java/org/apache/jena/fuseki/build/FusekiBuilder.java
 ---
@@ -70,16 +69,42 @@ public static void populateStdServices(DataService 
dataService, boolean allowUpd
 
 /** Add an operation to a {@link DataService} with a given endpoint 
name */
 public static void addServiceEP(DataService dataService, Operation 
operation, String endpointName) {
-dataService.addEndpoint(operation, endpointName) ; 
+dataService.addEndpoint(operation, endpointName) ;
+}
+
+/** Add an operation to a {@link DataService} with a given endpoint 
name */
+public static void addServiceEP(DataService dataService, Operation 
operation, String endpointName, AuthPolicy requestAuth) {
+dataService.addEndpoint(operation, endpointName, requestAuth) ;
 }
 
 public static void addServiceEP(DataService dataService, Operation 
operation, Resource svc, Property property) {
 String p = "<"+property.getURI()+">" ;
 ResultSet rs = FusekiBuildLib.query("SELECT * { ?svc " + p + " 
?ep}", svc.getModel(), "svc", svc) ;
 for ( ; rs.hasNext() ; ) {
 QuerySolution soln = rs.next() ;
-String epName = soln.getLiteral("ep").getLexicalForm() ;
-addServiceEP(dataService, operation, epName); 
+AuthPolicy requestAuth = null;
--- End diff --
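
Review bot: The three-argument `addServiceEP` and the new four-argument overload each call `dataService.addEndpoint` on their own, which leaves two registration paths to keep in step. If the two-argument `addEndpoint` is equivalent to registering with no policy, have the three-argument method delegate to the new overload with a `null` policy so the no-ACL case is spelled out in one place.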

Looks like `FusekiBuilder` populates this at a later stage so maybe a 
comment to that effect here?


---


[GitHub] jena pull request #492: JENA-1623: Endpoint access control lists

2018-11-21 Thread rvesse
Github user rvesse commented on a diff in the pull request:

https://github.com/apache/jena/pull/492#discussion_r235395467
  
--- Diff: 
jena-fuseki2/jena-fuseki-core/src/main/java/org/apache/jena/fuseki/build/FusekiBuilder.java
 ---
@@ -70,16 +69,42 @@ public static void populateStdServices(DataService 
dataService, boolean allowUpd
 
 /** Add an operation to a {@link DataService} with a given endpoint 
name */
 public static void addServiceEP(DataService dataService, Operation 
operation, String endpointName) {
-dataService.addEndpoint(operation, endpointName) ; 
+dataService.addEndpoint(operation, endpointName) ;
+}
+
+/** Add an operation to a {@link DataService} with a given endpoint 
name */
+public static void addServiceEP(DataService dataService, Operation 
operation, String endpointName, AuthPolicy requestAuth) {
+dataService.addEndpoint(operation, endpointName, requestAuth) ;
 }
 
 public static void addServiceEP(DataService dataService, Operation 
operation, Resource svc, Property property) {
 String p = "<"+property.getURI()+">" ;
 ResultSet rs = FusekiBuildLib.query("SELECT * { ?svc " + p + " 
?ep}", svc.getModel(), "svc", svc) ;
 for ( ; rs.hasNext() ; ) {
 QuerySolution soln = rs.next() ;
-String epName = soln.getLiteral("ep").getLexicalForm() ;
-addServiceEP(dataService, operation, epName); 
+AuthPolicy requestAuth = null;
--- End diff --
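
Review bot: The `null` default in `AuthPolicy requestAuth = null;` on the last line of the hunk needs a comment saying what an unset policy means for access to the endpoint. The four-argument `addServiceEP` above accepts an `AuthPolicy` and passes it straight to `dataService.addEndpoint`, so a `null` can travel as far as the code that evaluates the policy; that code should check for it explicitly so that "nothing configured" is a deliberate outcome rather than a `NullPointerException` or an unintended allow.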

Should this be getting populated with a non-null value here?  Or is the 
intention to set to `null` by default and then potentially load in the auth 
policy later elsewhere?


---


[GitHub] jena pull request #492: JENA-1623: Endpoint access control lists

2018-11-21 Thread rvesse
Github user rvesse commented on a diff in the pull request:

https://github.com/apache/jena/pull/492#discussion_r235394477
  
--- Diff: 
jena-fuseki2/jena-fuseki-core/src/main/java/org/apache/jena/fuseki/auth/AuthPolicy.java
 ---
@@ -0,0 +1,39 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.jena.fuseki.auth;
+
+/**
+ * Policy for authorization to a resource.
+ * Assumes the user has already been authenticated.
+ */
+public interface AuthPolicy {
+/** 
+ * Is the use authorized for this resource?
+ */
+public boolean isAllowed(String user);
+
+/**
+ * Is the use denied for this resource? Both {@linkplain #isAllowed} 
and
+ * {@linkplain #isDenied} could be false if the policy does not knwo 
one way of the
--- End diff --
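
Review bot: `isAllowed(String user)` does not say whether `user` may be `null`. The interface comment states "Assumes the user has already been authenticated", so either document that callers never pass `null` or define the result for a request with no user. Two smaller points: "Is the use authorized" and "Is the use denied" presumably mean "user", and the `public` modifier on interface methods is redundant.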

Typo - `knwo` -> `know`


---


[GitHub] jena pull request #492: JENA-1623: Endpoint access control lists

2018-11-21 Thread afs
GitHub user afs opened a pull request:

https://github.com/apache/jena/pull/492

 JENA-1623: Endpoint access control lists 

This PR adds endpoint access control lists, to go with the existing support 
for server and dataset ACLs.

With endpoint ACLs, the configuration can give different permissions to 
query and update much more conveniently.

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/afs/jena fuseki-access

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/jena/pull/492.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #492


commit ca7839362f3ce720e6e457e00d84b2c3a55168b3
Author: Andy Seaborne 
Date:   2018-11-19T23:58:51Z

JENA-1623: Endpoint access control lists

commit 070fae10908c46508b3454727e4a388640fbdb97
Author: Andy Seaborne 
Date:   2018-11-20T20:21:43Z

JENA-1623: Endpoint access control lists tests




---