Jena is driven by user contributions. (Andy has a great phrase for this but I don't recall what it is at the moment). But if users want the functionality and contribute it then Jena will have it.
Moving the permissions implementation up the stack (to datasets for example) has been a goal of mine for some time but I have never had the direct need nor the time to do it. If you have the time and the inclination I would help you with the development as much as I can. Claude On Mon, May 14, 2018 at 8:45 PM, katja.danilova94 < katja.danilov...@gmail.com> wrote: > Thanks for guidance, I will do it this way then. > And the future plan is to create a type of secured dataset in Fuseki so > that all incoming and outgoing models are secured and checked automatically? > > > > От: Claude Warren <cla...@xenei.com> Дата: 14.05.18 21:43 (GMT+02:00) > Кому: users@jena.apache.org Тема: Re: Problem with understanding Jena > Permissions > Permissions were originally designed to work outside of Fuseki and still > does. I often use them to create read only models. > > The Fuseki interface was originally intended to secure existing models. > However, as I mentioned before it should be possible to have the system > generate secured models on creation in Fuseki, it just hasn't been done > yet. > > Claude > > > > On Mon, May 14, 2018 at 7:13 PM, Ekaterina Danilova < > katja.danilov...@gmail.com> wrote: > > > Thank you for your reply, > > > > One more way might be implementing the SecurityEvaluator at the > application > > side and creating secured models there. It should work quite easily, but > I > > am not sure it is best solution. Is the Permissions package intended to > be > > used only as addition to Fuseki? > > > > And if Permissions are originally supposed to be used only with Fuseki, > > then atm the main way how it is used is like in the example below - > loading > > data through Assembler straight into secured model? > > > > my:baseModel rdf:type ja:MemoryModel; > > ja:content [ja:externalContent <file:./example.ttl>] > > . > > > > my:securedModel rdf:type sec:Model ; > > perm:baseModel my:baseModel ; > > ja:modelName "https://example.org/securedModel"; ; > > perm:evaluatorImpl my:secEvaluator . > > > > > > > > > > > > > > > > 2018-05-11 17:06 GMT+03:00 Claude Warren <cla...@xenei.com>: > > > > > The permissions in your example are attached to the model called > > > my:secModel. > > > > > > Basically you have the graph and it you access it with "using" or > "from" > > > statements the evaluator will be called. > > > > > > It is possible to make the model the default model for fuseki queries > but > > > that is not really what you want. > > > > > > What you want is the ability to create new models and have them be > > > recognized as secured models. This has not been implemented. It might > > be > > > doable as a secured dataset (not implemented) or it may require other > > work > > > to ensure that the models are correctly created as secured models. (not > > > sure how this would work off the top of my head). > > > > > > Claude > > > > > > On Fri, May 11, 2018 at 2:59 PM, Ekaterina Danilova < > > > katja.danilov...@gmail.com> wrote: > > > > > > > Hello! > > > > Yes, I tried to modify the config.ttl accoridng to the guide and it > > looks > > > > this way: > > > > > > > > PREFIX : <#> > > > > PREFIX fuseki: <http://jena.apache.org/fuseki#> > > > > PREFIX rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> > > > > PREFIX perm: <http://apache.org/jena/permissions/Assembler#> > > > > PREFIX rdfs: <http://www.w3.org/2000/01/rdf-schema#> > > > > PREFIX tdb2: <http://jena.apache.org/2016/tdb#> > > > > PREFIX my: <http://example.org/#> > > > > PREFIX sec: <http://apache.org/jena/permission/Assembler#Model> > > > > > > > > [] perm:loadClass "org.apache.jena.permissions.SecuredAssembler" > . > > > > sec:Model rdfs:subClassOf perm:NamedModel . > > > > > > > > sec:evaluator rdfs:domain sec:Model ; > > > > rdfs:range sec:Evaluator . > > > > > > > > my:secModel a sec:Model ; > > > > sec:baseModel my:baseModel ; > > > > perm:modelName "http://example.com/securedModel"; ; > > > > sec:evaluatorImpl my:myEvaluator; > > > > . > > > > > > > > my:myEvaluator a sec:Evaluator ; > > > > perm:args [ > > > > rdf:_1 my:baseModel ; > > > > ] ; > > > > perm:evaluatorClass > > > > "org.apache.jena.permissions.example.ShiroExampleEvaluator" . > > > > > > > > [] rdf:type fuseki:Server ; > > > > fuseki:services ( > > > > <#service_tdb2> > > > > //the list of services omitted > > > > > > > > And the models are uploaded from the application with : > > > > > > > > DatasetAccessor accessor = DatasetAccessorFactory.createHTTP(....); > > > > accessor.putModel(name, model); > > > > > > > > So, with these configurations Fuseki doesn't do anything with the > > models. > > > > Am I missing something? > > > > > > > > Thank you for help. > > > > > > > > > > > > 2018-05-11 16:11 GMT+03:00 Claude Warren <cla...@xenei.com>: > > > > > > > > > You don't say if you have modified the default Fuseki configuration > > but > > > > > what you will need to do is to modify the configuration file so > that > > > the > > > > > models that are created using the SecuredAssembler. > > > > > ( > > > > > http://jena.apache.org/documentation/javadoc/ > > > > permissions/org/apache/jena/ > > > > > permissions/SecuredAssembler.html). > > > > > This process will hook your security evaluator to the models. > > > > > > > > > > Then requests will be filtered automatically. Your security > > evaluator > > > > will > > > > > be called with the name of the model as specified in the > > > > SecuredAssembler. > > > > > > > > > > I don;t think anyone has implemented a mechanism to allow uploading > > of > > > > > graphs/models into secure graphs. It probably could be done. If > you > > > are > > > > > interested in attempting such let me know and we can outline how to > > do > > > > it. > > > > > > > > > > Claude > > > > > > > > > > On Fri, May 11, 2018 at 1:41 PM, Ekaterina Danilova < > > > > > katja.danilov...@gmail.com> wrote: > > > > > > > > > > > Hello! > > > > > > I have a problem with understanding Jena permissions. > > > > > > > > > > > > I have an application which creates named graphs, uploads and > reads > > > > those > > > > > > through Fuseki. I would like to add some security and create > > > different > > > > > > access rules for different users etc. As the documentation ( > > > > > > https://jena.apache.org/documentation/permissions/) says, it can > > be > > > > done > > > > > > with my own Security Evaluator implementation. > > > > > > > > > > > > What I don't understand is where and how exactly permissions > should > > > be > > > > > > added. Should they be only at Fuseki side? If so, then how can > > Fuseki > > > > > > understand to process each model as secured model? If I wish to > > > create > > > > > > secured model at the side of application, then I have to use this > > > > method: > > > > > > Factory.getInstance( SecurityEvaluator, String, Model ); > > > > > > which requires the SecurityEvaluator at the application side too. > > But > > > > if > > > > > I > > > > > > add it there, then there is no sense in having the security > > evaluator > > > > at > > > > > > Fuseki side. > > > > > > > > > > > > My problem is that even though I added the permissions jar with > my > > > own > > > > > > SecurityEvaluator (a bit modified ShiroExampleEvaluator) to > Fuseki > > > > > > correctly (with this example > > > > > > https://jena.apache.org/documentation/permissions/example.html), > I > > > > > cannot > > > > > > get it to process data through it. Fuseki is not seeing the > > incoming > > > > data > > > > > > as secured models. > > > > > > > > > > > > So, in short, the question is - how to set up Fuseki in such way, > > > that > > > > it > > > > > > would see all incoming models as secured models and check the > > access > > > > > level > > > > > > for those? > > > > > > And if it is impossible, what is the right way to add the > > > permissions? > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > I like: Like Like - The likeliest place on the web > > > > > <http://like-like.xenei.com> > > > > > LinkedIn: http://www.linkedin.com/in/claudewarren > > > > > > > > > > > > > > > > > > > > > -- > > > I like: Like Like - The likeliest place on the web > > > <http://like-like.xenei.com> > > > LinkedIn: http://www.linkedin.com/in/claudewarren > > > > > > > > > -- > I like: Like Like - The likeliest place on the web > <http://like-like.xenei.com> > LinkedIn: http://www.linkedin.com/in/claudewarren > -- I like: Like Like - The likeliest place on the web <http://like-like.xenei.com> LinkedIn: http://www.linkedin.com/in/claudewarren
