I am using the newer fuseki:endpoint style. The issue is that when a new dataset is created via the Fuseki UI, the default endpoints that are created include the following two:
    fuseki:endpoint [ fuseki:operation fuseki:update ] ;
    fuseki:endpoint [ fuseki:operation fuseki:gsp-rw ] ;

If I understand correctly, the former enables SPARQL UPDATE queries and the latter enables PUTting a new graph. These endpoints make it difficult to use shiro.ini to restrict updates, since they use the path of the dataset itself rather than a subpath like /data or /update.

I can go in and remove these endpoints by editing the configuration file for the dataset, and that’s what I’ve done to address this issue. But it’s less than ideal, since I can’t just use the UI to create a dataset — I also have to deploy a modified config file, which can be a little fiddly when you’re running Fuseki in a cloud container.

Since I am using this Fuseki instance in a class to teach students SPARQL, it would be nice to be able to create a dataset in the UI that students can query, without worrying about them deleting or modifying the dataset, and without having a separate sysadmin step of pushing a new config file every time I create a dataset.

> On Nov 2, 2022, at 6:55 AM, Andy Seaborne <[email protected]> wrote:
>
> Hi Ryan,
>
> Are you using the "fuseki:service*" style for defining the operations?
>
> The newer
>
>     fuseki:endpoint [
>         # SPARQL Graph Store Protocol (read and write)
>         fuseki:operation fuseki:gsp_rw ;
>         fuseki:name "data"
>     ] ;
>
> style allows more precise definition of endpoints.
>
> https://jena.apache.org/documentation/fuseki2/fuseki-configuration.html
>
> :serviceReadWriteGraphStore implicitly adds PUT to the dataset (quads mode)
> and "/**=anon" applies.
>
> If you use "fuseki:operation fuseki:gsp_rw" there isn't this side effect.
>
> You can go further with fuseki:allowedUsers on individual endpoint/operation.
> shiro.ini does not support that but you'll need shiro to do user login.
>
> A server without UI and without admin (currently :-), Fuseki/main, can use
> the Jetty security handling - no shiro.ini - but that's a completely separate
> setup.
>
> Andy
>
> On 31/10/2022 22:36, Shaw, Ryan wrote:
>> I am trying to configure fuseki-server so that
>>
>> * an admin logging in via basic auth can create and update datasets
>> * anonymous users can only query datasets
>>
>> My shiro.ini:
>>
>> [main]
>> ssl.enabled = false
>> plainMatcher = org.apache.shiro.authc.credential.SimpleCredentialsMatcher
>> iniRealm.credentialsMatcher = $plainMatcher
>>
>> [users]
>> admin=${ADMIN_PASSWORD}
>>
>> [roles]
>>
>> [urls]
>> # admin functions open to anyone
>> /$/ping = anon
>> /$/server = anon
>> /$/stats = anon
>> /$/stats/* = anon
>> # and the rest of the admin functions are restricted
>> /$/** = authcBasic,user[admin]
>> # dataset loads and updates are restricted
>> /*/data/** = authcBasic,user[admin]
>> /*/update/** = authcBasic,user[admin]
>> # everything else is open to anyone
>> /**=anon
>>
>> With this shiro.ini configuration, anonymous users can still PUT to a
>> dataset URL to update it. I want to disallow that. How?
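A dataset assembler file that avoids the side effect discussed in this thread, added here as an example (it is not from either message or from the Jena documentation). It assumes a TDB2 dataset stored under databases/ds, a shiro user named admin, and the gsp_r/gsp_rw spelling used in Andy's message; every write operation is bound to a named sub-path so the /*/update/** and /*/data/** rules in the shiro.ini above actually match, and nothing writable is bound to the bare dataset path.

```turtle
PREFIX :        <#>
PREFIX fuseki:  <http://jena.apache.org/fuseki#>
PREFIX rdf:     <http://www.w3.org/1999/02/22-rdf-syntax-ns#>
PREFIX ja:      <http://jena.hpl.hp.com/2005/11/Assembler#>
PREFIX tdb2:    <http://jena.apache.org/2016/tdb#>

# Hypothetical service "ds" (assumption: the database lives in databases/ds).
# Each operation carries a fuseki:name, so it is only reachable under a
# sub-path: /ds/query, /ds/get, /ds/update, /ds/data. No operation is bound
# to the bare dataset path /ds, so a PUT to /ds has nothing to dispatch to
# even though shiro's "/**=anon" lets the request through.
:service rdf:type fuseki:Service ;
    fuseki:name     "ds" ;

    # Read-only operations: left open to anonymous users by "/**=anon".
    fuseki:endpoint [ fuseki:operation fuseki:query ; fuseki:name "query" ] ;
    fuseki:endpoint [ fuseki:operation fuseki:gsp_r ; fuseki:name "get"   ] ;

    # Write operations: placed under /update and /data to match the
    # "/*/update/**" and "/*/data/**" shiro rules. fuseki:allowedUsers adds a
    # server-side check that the logged-in user is "admin" (assumption: that
    # is the user name defined in shiro.ini), so a mistake in the URL rules
    # does not silently reopen the endpoint.
    fuseki:endpoint [ fuseki:operation    fuseki:update ;
                      fuseki:name         "update" ;
                      fuseki:allowedUsers ( "admin" ) ] ;
    fuseki:endpoint [ fuseki:operation    fuseki:gsp_rw ;
                      fuseki:name         "data" ;
                      fuseki:allowedUsers ( "admin" ) ] ;

    fuseki:dataset  :dataset .

:dataset rdf:type tdb2:DatasetTDB2 ;
    tdb2:location "databases/ds" .
```

If students should be able to query at the bare dataset URL as well, a dataset-level `fuseki:endpoint [ fuseki:operation fuseki:query ]` can be added without changing the write restrictions; the point is only that fuseki:update and fuseki:gsp_rw are never bound there.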
