[
https://issues.apache.org/jira/browse/RYA-420?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Kevin Chilton updated RYA-420:
------------------------------
Description:
We can't use Sail to maintain PCJs because it does not support visibility
maintenance. If we want to do batch PCJ maintenance through the shell, we will
have to implement it in a visibility compatible way. Right now, all derivative
binding sets have no visibilities associated with them.
For example, suppose you load the following statements:
{code}
urn:alice, urn:talksTo, urn:bob vis: a
urn:bob, urn:worksAt, urn:tacoJoint vis: b
{code}
If you are computing the following SPARQL query as a PCJ:
{code}
SELECT * WHERE {
?person urn:talksTo ?employee .
?employee urn:worksAt ?employer .
}
{code}
Then you will get a Binding Set in the PCJ for that query with no visibilities
instead of "a&b". Users who should not see that derivative binding set will
have access to it.
We could fix how these are maintained, or we could completely remove that
option from the shell.
was:
We can't use Sail to maintain PCJs because it does not support visibility
maintenance. If we want to do batch PCJ maintenance through the shell, we will
have to implement it in a visibility compatible way. Right now, all derivative
binding sets have no visibilities associated with them.
For example, suppose you load the following statements:
{code}
urn:alice, urn:talksTo, urn:bob vis: a
urn:bob, urn:worksAt, urn:tacoJoint vis: b
{code}
If you are computing the following SPARQL query as a PCJ:
{code}
SELECT * WHERE {
?person urn:talksTo ?employee .
?employee urn:worksAt ?employer .
}
{code}
Then you will get a Binding Set in the PCJ for that query with no visibilities
instead of "a&b".
We could fix how these are maintained, or we could completely remove that
option from the shell.
> Security Flaw: Batch Update PCJ for the shell does not create derivative
> visibilities for produced binding sets.
> ----------------------------------------------------------------------------------------------------------------
>
> Key: RYA-420
> URL: https://issues.apache.org/jira/browse/RYA-420
> Project: Rya
> Issue Type: Bug
> Reporter: Kevin Chilton
>
> We can't use Sail to maintain PCJs because it does not support visibility
> maintenance. If we want to do batch PCJ maintenance through the shell, we
> will have to implement it in a visibility compatible way. Right now, all
> derivative binding sets have no visibilities associated with them.
> For example, suppose you load the following statements:
> {code}
> urn:alice, urn:talksTo, urn:bob vis: a
> urn:bob, urn:worksAt, urn:tacoJoint vis: b
> {code}
> If you are computing the following SPARQL query as a PCJ:
> {code}
> SELECT * WHERE {
> ?person urn:talksTo ?employee .
> ?employee urn:worksAt ?employer .
> }
> {code}
> Then you will get a Binding Set in the PCJ for that query with no
> visibilities instead of "a&b". Users who should not see that derivative
> binding set will have access to it.
> We could fix how these are maintained, or we could completely remove that
> option from the shell.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
