Hi Danny,
Currently, Fuseki packages everything up into a blob: database engine,
servlet container, etc. People want to deploy Fuseki including other
things, e.g. as a WAR file (caveat - where does the configuration come
from? - I think it would be useful to provide a WAR generator a simple
tool for config+database+jar -> specific WAR file).
What would be better would be to divide Fuseki into parts like the core
engine and how it is packaged and delivered.
What has this to do with auth? There are lots of authentication
systems, from HTTP basic auth, to enterprise specific role based access
control system to control the endpoint. All are reasonable and so we
should find a way to make integration easy, rather than support specific
choices. It's a packaging issue - the same core engine in different
delivery forms hooking into whatever security infrastructure is around.
At its simplest, reusing tomcat/jetty security modules.
All the standard stuff is to protect the endpoint - it's not data
specific. There's also use case for data-context specific
authentication/security e.g. you (or rather your query) can see some
properties but not others, your query can see some graphs and not
others. That does require some hooks directly into the system. There
are low level hooks in TDB to help (quad filtering and dynamic datasets)
but they are just the lowest mechanism necessary, not a solution.
The counter argument is that the strength of service access point
authentication is precisely that you don't need to hook into the
database engine. Instead, have a mediation service that the users/apps
go to - it is more privileged than the user and can look and reject
data access. I don't disagree with that but in a data publishing world,
I think you need data-specific authentication and access control.
Andy
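As an added illustration of the "protect the endpoint, not the data" approach mentioned above (this is example configuration written for this discussion, not code from the thread or from the Jena project): a servlet-container security constraint that a Fuseki WAR could carry, so that the container's own Basic Auth realm protects the SPARQL endpoints over HTTPS. The servlet paths `/ds/query` and `/ds/update`, the role names `sparql-reader` and `sparql-writer`, and the realm name are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example web.xml fragment for this discussion; not the Jena/Fuseki project's own
     descriptor. Paths, role names and realm name below are assumed, not Fuseki's. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

  <!-- Read access: the query endpoint (assumed path) needs the reader role. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SPARQL query</web-resource-name>
      <url-pattern>/ds/query</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>sparql-reader</role-name>
      <role-name>sparql-writer</role-name>
    </auth-constraint>
    <!-- CONFIDENTIAL forces HTTPS; Basic Auth credentials are only base64-encoded. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Write access: the update endpoint (assumed path) needs the writer role only. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SPARQL update</web-resource-name>
      <url-pattern>/ds/update</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>sparql-writer</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Anything else under the WAR that is not listed above stays unauthenticated;
       add further constraints (or a catch-all /* pattern) as the deployment needs. -->

  <!-- The container (Tomcat realm / Jetty login service) holds users and roles;
       web.xml only declares which mechanism and realm name to use. -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>fuseki-example-realm</realm-name>
  </login-config>

  <security-role><role-name>sparql-reader</role-name></security-role>
  <security-role><role-name>sparql-writer</role-name></security-role>

</web-app>
```

This is exactly the "not data specific" layer the message describes: the container decides per URL and role whether a request reaches the engine at all, and the user/role store lives in the container's realm rather than in Fuseki. It cannot express "this user may see graph A but not graph B"; that needs the in-engine hooks (quad filtering, dynamic datasets) or a mediating service in front of the endpoint.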
On 28/06/12 22:52, Danny Ayers wrote:
ps.
It was ridiculously easy to slap a content management system on top of
SPARQL 1.1. My little Seki project, live at hyperdata.org -
communicates with Fuseki very crudely, the auth at the moment is
non-existent. Make a URI at hyperdata.org/whatever and it works. Hard
coded credentials at the mo, danja:sasha
On 28 June 2012 23:46, Danny Ayers <[email protected]> wrote:
Andy,
How far off in your mind is auth on this?
In your shoes I'd probably put it out of scope.
At the moment the best advice I could get was to use Basic Auth, over
HTTPS. The Fuseki is the back end, block that apart from my own IP.
Bergi (Thomas Bergwinkl) has been working on the auth modeling,
starting with the w3 thing but trying to do roles etc. Reto (for
Apache Clerezza) seems to have a strong opinion on how that should go.
Thoughts?
Cheers,
Danny.
--
http://dannyayers.com
http://webbeep.it - text to tones and back again