It appears my attachments didn't come through.
config.ttl:
```
@prefix :       <#> .
@prefix fuseki: <http://jena.apache.org/fuseki#> .
@prefix ja:     <http://jena.hpl.hp.com/2005/11/Assembler#> .

# dataset1: only user1 is allowed
<#service1> a fuseki:Service ;
    fuseki:name "dataset1" ;
    fuseki:allowedUsers "user1" ;
    fuseki:endpoint [
        fuseki:operation fuseki:query ;
        fuseki:name "sparql" ;
    ] ;
    fuseki:dataset [
        a ja:MemoryDataset
    ] .

# dataset2: only user2 is allowed
<#service2> a fuseki:Service ;
    fuseki:name "dataset2" ;
    fuseki:allowedUsers "user2" ;
    fuseki:endpoint [
        fuseki:operation fuseki:query ;
        fuseki:name "sparql" ;
    ] ;
    fuseki:dataset [
        a ja:MemoryDataset
    ] .
```
shiro.ini:
```
[main]
# Development
ssl.enabled = false

plainMatcher = org.apache.shiro.authc.credential.SimpleCredentialsMatcher
#iniRealm = org.apache.shiro.realm.text.IniRealm
iniRealm.credentialsMatcher = $plainMatcher

localhostFilter = org.apache.jena.fuseki.authz.LocalhostFilter

[users]
# Implicitly adds "iniRealm = org.apache.shiro.realm.text.IniRealm"
user1 = pw
user2 = pw

[roles]

[urls]
## Control functions open to anyone
/$/status  = anon
/$/ping    = anon
/$/metrics = anon

/$/** = authcBasic,user[admin]

# Everything else
/** = anon
```
Cheers,
Han
-----Original Message-----
From: Kruiger, J.F. (Han) <[email protected]>
Sent: Wednesday 14 October 2020 09:24
To: [email protected]
Subject: Fuseki Web UI does not consider Dataset Level Access Control Lists
Hi there,
When using the Dataset Level Access Control Lists
(https://jena.apache.org/documentation/fuseki2/data-access-control#dataset-acl)
to disallow a user from accessing a dataset, I expect the dataset in question
to *not* be listed in the list of datasets that that user sees in the web UI.
However, when I do the following:
- Use the attached configuration and shiro.ini (user1 has access to only
dataset1, user2 has access to only dataset2)
- Visit localhost:3030 and log in as user1
I can still see dataset2 in the list, even though user1 cannot access its
services.
My questions are the following:
- Is this the intended behavior?
- How do I make it so that the web UI only shows the accessible datasets for
the logged-in user?
Thanks in advance!
Best,
Han