On 02/11/2022 16:29, Shaw, Ryan wrote:
I am using the newer fuseki:endpoint style.
The issue is that when a new dataset is created via the Fuseki UI, the default
endpoints that are created include the following two:
fuseki:endpoint [ fuseki:operation fuseki:update ] ;
fuseki:endpoint [ fuseki:operation fuseki:gsp-rw ] ;
So that is the one that matching "/**=anon"
> /*/data/**
Did you want it on that endpoint?
[ fuseki:operation fuseki:gsp-rw ;
fuseki:name "data"
] ;
It will go to the same dataset.
GSP/quads is hard to distinguished because it's signature is the
content-type.
If I understand correcting the former enables SPARQL UPDATE queries and the
latter enables PUTting a new graph.
Yes - but they don't have to be operations directly on the dataset. They
can be named services of the dataset which tnen match in shio rules :
/*/data.
These endpoints make it difficult to use shiro.ini to restrict updates, since
they use the path of the dataset itself rather than a subpath like /data or
/update.
You don't have to do it that way.
I can go in and remove these endpoints by editing the configuration file for
the dataset, and that’s what I’ve done to address this issue. But it’s less
than ideal, since I can’t just use the UI to create a dataset — I also have to
deploy a modified config file, which can be a little fiddly when you’re running
Fuseki in a cloud container.
Agreed.
You can also change the template file used when creating the dataset. It
is in run/templates/config-tdb2 etc. so you can change it on a per
server basis.
zip up the modified run with the binary and distribute that.
Since I am using this Fuseki instance in a class to teach students SPARQL, it
would be nice to be able to create a dataset in the UI that students can query,
without worrying about them deleting or modifying the dataset, and without
having a separate sysadmin step of pushing a new config file every time I
create a dataset.
On Nov 2, 2022, at 6:55 AM, Andy Seaborne <a...@apache.org> wrote:
Hi Ryan,
Are you using the "fuseki:service*" style for defining the operations?
The newer
fuseki:endpoint [
# SPARQL Graph Store Protcol (read and write)
fuseki:operation fuseki:gsp_rw ;
fuseki:name "data"
] ;
style allows more precise definition of endpoints.
https://jena.apache.org/documentation/fuseki2/fuseki-configuration.html
:serviceReadWriteGraphStore implicitly adds PUT to the dataset (quads mode) and
"/**=anon" applies.
If you use "fuseki:operation fuseki:gsp_rw" there isn't this side effect.
You can go further with fuseki:allowedUsers on individual endpoint/operation.
shiro.ini does not support that but you'll need shiro to do user login.
A server without UI and without admin (currently :-) can Fuseki/main can use
the Jetty security handling - no shiro.ini - but that's a completely separate
setup.
Andy
On 31/10/2022 22:36, Shaw, Ryan wrote:
I am trying to configure fuseki-server so that
* an admin logging in via basic auth can create and update datasets
* anonymous users can only query datasets
My shiro.ini:
[main]
ssl.enabled = false
plainMatcher = org.apache.shiro.authc.credential.SimpleCredentialsMatcher
iniRealm.credentialsMatcher = $plainMatcher
[users]
admin=${ADMIN_PASSWORD}
[roles]
[urls]
# admin functions open to anyone
/$/ping = anon
/$/server = anon
/$/stats = anon
/$/stats/* = anon
# and the rest of the admin functions are restricted
/$/** = authcBasic,user[admin]
# dataset loads and updates are restricted
/*/data/** = authcBasic,user[admin]
/*/update/** = authcBasic,user[admin]
# everything else is open to anyone
/**=anon
With this shiro.ini configuration, anonymous users can still PUT to a dataset
URL to update it. I want to disallow that. How ?
