Permissions were originally designed to work outside of Fuseki and still
do.  I often use them to create read-only models.

The Fuseki interface was originally intended to secure existing models.
However, as I mentioned before, it should be possible to have the system
generate secured models on creation in Fuseki; it just hasn't been done yet.

Claude



On Mon, May 14, 2018 at 7:13 PM, Ekaterina Danilova <
katja.danilov...@gmail.com> wrote:

> Thank you for your reply,
>
> One more way might be implementing the SecurityEvaluator at the application
> side and creating secured models there. It should work quite easily, but I
> am not sure it is the best solution. Is the Permissions package intended to be
> used only as an addition to Fuseki?
>
> And if Permissions are originally supposed to be used only with Fuseki,
> then atm the main way how it is used is like in the example below - loading
> data through Assembler straight into secured model?
>
> my:baseModel rdf:type ja:MemoryModel;
>     ja:content [ja:externalContent <file:./example.ttl>]
>     .
>
> my:securedModel rdf:type sec:Model ;
>     perm:baseModel my:baseModel ;
>     ja:modelName "https://example.org/securedModel" ;
>     perm:evaluatorImpl my:secEvaluator .
>
>
> 2018-05-11 17:06 GMT+03:00 Claude Warren <cla...@xenei.com>:
>
> > The permissions in your example are attached to the model called
> > my:secModel.
> >
> > Basically you have the graph, and if you access it with "using" or "from"
> > statements the evaluator will be called.
> >
> > It is possible to make the model the default model for Fuseki queries but
> > that is not really what you want.
> >
> > What you want is the ability to create new models and have them be
> > recognized as secured models.  This has not been implemented.  It might be
> > doable as a secured dataset (not implemented) or it may require other work
> > to ensure that the models are correctly created as secured models (not
> > sure how this would work off the top of my head).
> >
> > Claude
> >
> > On Fri, May 11, 2018 at 2:59 PM, Ekaterina Danilova <
> > katja.danilov...@gmail.com> wrote:
> >
> > > Hello!
> > > Yes, I tried to modify the config.ttl according to the guide and it looks
> > > this way:
> > >
> > > PREFIX :        <#>
> > > PREFIX fuseki:  <http://jena.apache.org/fuseki#>
> > > PREFIX rdf:     <http://www.w3.org/1999/02/22-rdf-syntax-ns#>
> > > PREFIX perm:    <http://apache.org/jena/permissions/Assembler#>
> > > PREFIX rdfs:    <http://www.w3.org/2000/01/rdf-schema#>
> > > PREFIX tdb2:    <http://jena.apache.org/2016/tdb#>
> > > PREFIX my:      <http://example.org/#>
> > > PREFIX sec:     <http://apache.org/jena/permission/Assembler#Model>
> > >
> > > [] perm:loadClass    "org.apache.jena.permissions.SecuredAssembler" .
> > >  sec:Model rdfs:subClassOf perm:NamedModel .
> > >
> > >  sec:evaluator rdfs:domain sec:Model ;
> > >                rdfs:range sec:Evaluator .
> > >
> > >  my:secModel a sec:Model ;
> > >     sec:baseModel my:baseModel ;
> > >     perm:modelName "http://example.com/securedModel" ;
> > >     sec:evaluatorImpl my:myEvaluator;
> > >     .
> > >
> > > my:myEvaluator a sec:Evaluator ;
> > >     perm:args [
> > >         rdf:_1 my:baseModel ;
> > >     ] ;
> > >     perm:evaluatorClass
> > > "org.apache.jena.permissions.example.ShiroExampleEvaluator" .
> > >
> > > [] rdf:type fuseki:Server ;
> > >    fuseki:services (
> > >      <#service_tdb2>
> > > //the list of services omitted
> > >
> > > And the models are uploaded from the application with :
> > >
> > > DatasetAccessor accessor = DatasetAccessorFactory.createHTTP(....);
> > > accessor.putModel(name, model);
> > >
> > > So, with these configurations Fuseki doesn't do anything with the models.
> > > Am I missing something?
> > >
> > > Thank you for help.
> > >
> > >
> > > 2018-05-11 16:11 GMT+03:00 Claude Warren <cla...@xenei.com>:
> > >
> > > > You don't say if you have modified the default Fuseki configuration, but
> > > > what you will need to do is to modify the configuration file so that the
> > > > models are created using the SecuredAssembler
> > > > (http://jena.apache.org/documentation/javadoc/permissions/org/apache/jena/permissions/SecuredAssembler.html).
> > > > This process will hook your security evaluator to the models.
> > > >
> > > > Then requests will be filtered automatically.  Your security evaluator will
> > > > be called with the name of the model as specified in the SecuredAssembler.
> > > >
> > > > I don't think anyone has implemented a mechanism to allow uploading of
> > > > graphs/models into secure graphs.  It probably could be done.  If you are
> > > > interested in attempting such let me know and we can outline how to do it.
> > > >
> > > > Claude
> > > >
> > > > On Fri, May 11, 2018 at 1:41 PM, Ekaterina Danilova <
> > > > katja.danilov...@gmail.com> wrote:
> > > >
> > > > > Hello!
> > > > > I have a problem with understanding Jena permissions.
> > > > >
> > > > > I have an application which creates named graphs, uploads and reads those
> > > > > through Fuseki. I would like to add some security and create different
> > > > > access rules for different users etc. As the documentation
> > > > > (https://jena.apache.org/documentation/permissions/) says, it can be done
> > > > > with my own Security Evaluator implementation.
> > > > >
> > > > > What I don't understand is where and how exactly permissions should be
> > > > > added. Should they be only at the Fuseki side? If so, then how can Fuseki
> > > > > understand to process each model as a secured model? If I wish to create
> > > > > a secured model at the side of the application, then I have to use this method:
> > > > > Factory.getInstance( SecurityEvaluator, String, Model );
> > > > > which requires the SecurityEvaluator at the application side too. But if I
> > > > > add it there, then there is no sense in having the security evaluator at
> > > > > the Fuseki side.
> > > > >
> > > > > My problem is that even though I added the permissions jar with my own
> > > > > SecurityEvaluator (a bit modified ShiroExampleEvaluator) to Fuseki
> > > > > correctly (with this example
> > > > > https://jena.apache.org/documentation/permissions/example.html), I cannot
> > > > > get it to process data through it. Fuseki is not seeing the incoming data
> > > > > as secured models.
> > > > >
> > > > > So, in short, the question is - how to set up Fuseki in such a way that it
> > > > > would see all incoming models as secured models and check the access level
> > > > > for those?
> > > > > And if it is impossible, what is the right way to add the permissions?
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > I like: Like Like - The likeliest place on the web
> > > > <http://like-like.xenei.com>
> > > > LinkedIn: http://www.linkedin.com/in/claudewarren
> > > >
> > >
>



-- 
I like: Like Like - The likeliest place on the web
<http://like-like.xenei.com>
LinkedIn: http://www.linkedin.com/in/claudewarren
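
Added example, not part of the thread or of Jena's own code: the application-side approach discussed above, wrapping a base model with Factory.getInstance( SecurityEvaluator, String, Model ) and a read-only evaluator. ReadOnlyEvaluator, the principal and the graph name are hypothetical, and the overridden methods assume the Jena 3.x SecurityEvaluator interface.

```java
import java.util.Collections;
import java.util.Set;
import org.apache.jena.graph.Node;
import org.apache.jena.graph.Triple;
import org.apache.jena.permissions.Factory;
import org.apache.jena.permissions.SecurityEvaluator;
import org.apache.jena.rdf.model.Model;
import org.apache.jena.rdf.model.ModelFactory;
import org.apache.jena.vocabulary.RDFS;

// Hypothetical evaluator: every principal may Read; Create, Update and Delete are refused.
public class ReadOnlyEvaluator implements SecurityEvaluator {
    private static final Set<Action> READ_ONLY = Collections.singleton(Action.Read);

    @Override public boolean evaluate(Object p, Action a, Node g) { return a == Action.Read; }
    @Override public boolean evaluate(Object p, Action a, Node g, Triple t) { return a == Action.Read; }
    // "All of these actions": allowed only if the set asks for nothing beyond Read.
    @Override public boolean evaluate(Object p, Set<Action> as, Node g) { return READ_ONLY.containsAll(as); }
    @Override public boolean evaluate(Object p, Set<Action> as, Node g, Triple t) { return READ_ONLY.containsAll(as); }
    // "Any of these actions": allowed if Read is among them.
    @Override public boolean evaluateAny(Object p, Set<Action> as, Node g) { return as.contains(Action.Read); }
    @Override public boolean evaluateAny(Object p, Set<Action> as, Node g, Triple t) { return as.contains(Action.Read); }
    @Override public boolean evaluateUpdate(Object p, Node g, Triple from, Triple to) { return false; }
    @Override public Object getPrincipal() { return "anonymous"; } // constructed principal
    @Override public boolean isPrincipalAuthenticated(Object p) { return false; }

    public static void main(String[] args) {
        Model base = ModelFactory.createDefaultModel();
        base.createResource("http://example.org/a").addProperty(RDFS.label, "constructed sample");

        // The String is the graph name the evaluator receives as graphIRI on every check.
        Model secured = Factory.getInstance(new ReadOnlyEvaluator(),
                "http://example.org/securedModel", base);

        System.out.println("readable size: " + secured.size());
        try {
            secured.createResource("http://example.org/b").addProperty(RDFS.label, "x");
            System.out.println("write unexpectedly allowed");
        } catch (RuntimeException e) {
            System.out.println("write denied: " + e.getClass().getSimpleName());
        }
        // The wrapper protects only access through 'secured'; any code holding
        // 'base' bypasses the evaluator, so do not hand the base model out.
        System.out.println("base still has " + base.size() + " statement(s)");
    }
}
```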
