> On 10 Oct 2018, at 23:32, Rob Atkinson <robatkinson...@gmail.com> wrote:
> 
> From an IDE perspective though, I can't see how to translate instructions about 
> tomcat/users to the equivalent for setting up users in the IDE hosted TBL 
> server?

The embedded server in TBCME is a single-user server. It has a limited ability 
to simulate multiple users for dev/testing purposes, but does not provide 
proper authentication, and cannot easily simulate security roles. Rights 
Management settings, which rely on security roles, should be tested against EDG 
running on Tomcat.

(Security roles are basically Tomcat’s notion of user groups.)

(To simulate multi-user setups, use the top-right corner login link in Server 
Administration. There’s an input field for entering the desired username. This 
will log you in under that username, and also add that name to 
server.topbraidlive.org/dynamic/users.ttl so that it can be selected from the 
EDG login form.)

> Also, it is not clear how tomcat users magically appear in the EDG 
> configurations -

If users are configured in tomcat-users.xml, then EDG only knows about users 
that have previously logged in (by creating an entry in 
server.topbraidlive.org/dynamic/users.ttl the first time it sees a new 
user logged in).

If users are configured in LDAP, then EDG interrogates the LDAP server to get 
the list of all users.

> there is stuff about permission by roles, but then segues into statements 
> like "the selected permission for the selected user or for an entire security 
> role" - does EDG know about individual users in the ACL or is there somewhere 
> else these need to be created?

The Rights Management screen is only concerned with rights for entire security 
roles—it cannot be used to assign rights to individual users.

The Roles tab on asset collections, on the other hand, allows assignment to 
individual users or to security roles. But it only manages per-asset-collection 
permissions.

So, rights that cut across asset collections, such as Administrator rights or 
the right to create asset collections, cannot be assigned to individual users 
but only to security roles.

Richard
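
As an added illustration (not TopBraid's own code or configuration), the permission rules above as a small Python model: rights that cut across asset collections resolve through Tomcat security roles only, while a collection's Roles tab accepts either individual users or roles. The tomcat-users.xml content, the role names and both rights tables are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample tomcat-users.xml (an assumption, not a real deployment):
# each user lists the security roles (Tomcat's user groups) it belongs to.
TOMCAT_USERS_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <role rolename="edg-admins"/>
  <role rolename="taxonomy-editors"/>
  <user username="alice" password="x" roles="edg-admins"/>
  <user username="bob" password="x" roles="taxonomy-editors"/>
  <user username="carol" password="x" roles=""/>
</tomcat-users>"""

# Constructed Rights Management table: keyed by security role only, because
# rights that cut across asset collections cannot name individual users.
RIGHTS_MANAGEMENT = {
    ("Repositories", "CREATE"): {"edg-admins", "taxonomy-editors"},
    ("Repositories", "ADMINISTRATOR"): {"edg-admins"},
}

# Constructed per-asset-collection Roles tab: entries may be a user or a role.
COLLECTION_ROLES = {
    "geo-taxonomy": {"editor": {"user:carol", "role:taxonomy-editors"}},
}

def roles_of(username, xml_text=TOMCAT_USERS_XML):
    """Security roles a user holds according to tomcat-users.xml."""
    ns = {"t": "http://tomcat.apache.org/xml"}
    for user in ET.fromstring(xml_text).findall("t:user", ns):
        if user.get("username") == username:
            return {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
    return set()  # unknown user: no roles, hence no rights

def has_right(username, project, right):
    """Cross-collection rights resolve only through the user's roles."""
    return bool(roles_of(username) & RIGHTS_MANAGEMENT.get((project, right), set()))

def can_invoke_create_project_service(username):
    """Any user who may create asset collections may call CreateProjectService."""
    return has_right(username, "Repositories", "CREATE")

def has_collection_role(username, collection, role):
    """Per-collection roles accept an individual user or a security role."""
    members = COLLECTION_ROLES.get(collection, {}).get(role, set())
    if f"user:{username}" in members:
        return True
    return any(f"role:{r}" in members for r in roles_of(username))
```

Note that carol, who holds no Tomcat role, can be an editor on one collection but can never obtain the CREATE right, which is exactly the limitation the thread describes.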
> 
> On Thursday, 11 October 2018 01:10:48 UTC+11, Richard Cyganiak wrote:
> I would first try calling the service in the browser while logged in as admin.
> 
> If that works, I would try calling the service in the browser while logged in 
> as some other user that is supposed to be able to call the service.
> 
> If that works, I would try calling the service with an HTTP client program 
> like curl or Postman, to figure out how the credentials need to be sent.
> 
> If that works, I would try calling the service from my SPARQLMotion script, 
> with credentials in the script.
> 
> If that works, I would try calling the service from my SPARQLMotion script, 
> with credentials in secure storage.
> 
> 
> For CreateProjectService specifically, any user that can create new asset 
> collections can also invoke that service. So if “Create new Taxonomy” shows 
> up on the Taxonomies page when that user is logged in, then the user has 
> permission to invoke the service. A user can create new asset collections if 
> they belong to a Security Role that has the CREATE right on the Repositories 
> project (Server Administration > Rights Management). See here:
> http://wiki.topquadrant.com/display/TBS60/Access+Control#AccessControl-RightsManagement
> 
> 
> 
> Secure Storage is a lookup table that stores passwords for username+url 
> pairs. This can be seen on the Password Management page in the EDG Server 
> Administration.
> 
> To use Secure Storage with sml:ImportTextFromURL, add a new username+url pair 
> on that page. The URL is arbitrary in this case, it just serves as a lookup 
> key. One could for example use the URI of the SPARQLMotion script.
> 
> In the SM script, set:
> 
> - url: the request URL for the service call
> - userName: the username to be used for the request
> - securePasswordURL: the lookup key URL in secure storage (as a string)
> - password: leave blank
> 
> The effect is that instead of using the password argument, the password will 
> be looked up in the secure storage under the userName+securePasswordURL pair.
> 
> Richard
> 
> 
> 
>> On 10 Oct 2018, at 02:18, Rob Atkinson <robatki...@gmail.com> wrote:
>> 
>> Ouch - so there is a different method for each possible deployment - making 
>> it pretty hard to test locally then deploy.
>> 
>> I tried setting up a user and password in the secure store and using that - 
>> but it didn't seem to work - maybe because there didn't seem to be any 
>> meaningful way to assign the user to permissions on the 
>> CreateProjectService. (It's no use to set permissions on individual 
>> collections manually - both because we are creating a collection and the 
>> scalability of such a solution would be broken.)
>> 
>> The text for securePasswordURL says "if it has a value" but there is no 
>> documentation about that value - although the name suggests a URL, the value 
>> type appears to be string... but if I put "true" it asks for connection for 
>> batch@true
>> 
>> So I set securePasswordURL with the target URL (instead of arg:url) and it 
>> complains arg:url is not set ... 
>> 
>> So I set them both - and it returns a 500 error with another NPE - even 
>> though the url works in an authenticated browser session
>> 
>> A 500 error for authentication failure is a bug - it should be 401 or 403 - 
>> (although at this stage 418 is perhaps appropriate)
>> 
>> So now I have three problems, irreconcilable in combination:
>> 1) checking I have set up the EDG permissions correctly
>> 2) checking my script configuration sets permissions correctly
>> 3) working out how different future deployments might behave
>> 
>> 
>> There needs to be a step by step testable methodology for setting up and 
>> testing access control.
>> 
>> 
>> 
>> On Tuesday, 9 October 2018 18:01:30 UTC+11, Rob Atkinson wrote:
>> AFAICT if I want to invoke an EDG service without pasting into a browser I 
>> need to provide authentication - possibly however that's via a session cookie?
>> 
>> I have tried using the SPARQLMotion "import text from URL" as the only 
>> obvious way I can see to invoke a URL inside SPARQLMotion - but it's not 
>> obvious how access control to web services is handled.
>> 
>> The most comprehensive overview I can find is 
>> https://www.topquadrant.com/2015/07/24/web-services-and-topquadrant-products/
>> but this is completely silent on access control.
>> 
>> If I use a browser not logged into EDG I get the same result I get from TBC 
>> - another null pointer exception.
>> 
>> 1) Is there a better way of invoking an EDG service within TBC?
>> 2) what are the EDG user/permissions/roles etc needed to provide password 
>> controlled access to services?
>> 3) Is there a way to avoid putting passwords into SPARQLMotion scripts 
>> (perhaps a SPIN template to retrieve them from EDG configuration somehow?)
>> 
>> 
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "TopBraid Suite Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to topbraid-user...@googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
