-- Read, Write, Sponge, Graph Group listing privileges on 'world' named graphs for users
--- VAL_SPARQL_ADMIN_G_CTX
-- Permission mask 15 sets every bit named in the line above (read, write, sponge,
-- graph-group listing; per the Virtuoso docs these are bits 1/2/4/8). The third
-- argument (1) applies the same mask to *private* graphs as well, so this account
-- is presumably able to read and write every graph that is placed in the
-- PrivateGraphs group further down, independently of the VAL ACLs declared below.
-- NOTE(review): this is an admin-level grant. Keep it to the VAL service context
-- named here; never reuse this mask for 'nobody' or for end-user SQL accounts.
DB.DBA.RDF_DEFAULT_USER_PERMS_SET ('VAL_SPARQL_ADMIN_G_CTX', 15, 1);
-- Graph Security Integrity Check
-- Argument 0 presumably means "report only" (a non-zero value attempts repair --
-- confirm against the docs for the deployed Virtuoso version). Read the audit
-- output before continuing: a failure here means the private-graph protections
-- below may not be enforced as intended.
RDF_GRAPH_SECURITY_AUDIT ( 0 ) ;
-- Goal:
-- Restrict access to a specific named graph. In this case you have a named
-- graph IRI derived from each turtle document url in your RDF dump.
-- ACL Rules Declaration Script run via Virtuoso's iSQL interface.
-- NOTE(review): angle-bracketed IRIs (PREFIX targets, WITH graphs, acl:accessTo
-- objects, agent WebIDs, FROM clauses) appear to be missing from this copy of the
-- script; restore them from the original before running anything below.
-- Cleanup
-- Every membership is deleted before being re-inserted so the script is re-runnable.
DB.DBA.RDF_GRAPH_GROUP_DEL
('http://www.openlinksw.com/schemas/virtrdf#PrivateGraphs','urn:acl:qa:test:berlin') ;
DB.DBA.RDF_GRAPH_GROUP_DEL
('http://www.openlinksw.com/schemas/virtrdf#PrivateGraphs','urn:acl:qa:test:paris') ;
-- Stale 'file:' variants of the test graphs, left commented out. Remove once it is
-- confirmed that nothing still loads data under those IRIs (an unprotected graph
-- with a near-identical IRI is an easy way to leak the same data).
-- DB.DBA.RDF_GRAPH_GROUP_DEL
-- ('http://www.openlinksw.com/schemas/virtrdf#PrivateGraphs','file:urn:acl:qa:test:berlin') ;
-- DB.DBA.RDF_GRAPH_GROUP_DEL
-- ('http://www.openlinksw.com/schemas/virtrdf#PrivateGraphs','file:urn:acl:qa:test:paris') ;
DB.DBA.RDF_GRAPH_GROUP_DEL
('http://www.openlinksw.com/schemas/virtrdf#PrivateGraphs','urn:acl:qa:readonly:test') ;
DB.DBA.RDF_GRAPH_GROUP_DEL
('http://www.openlinksw.com/schemas/virtrdf#PrivateGraphs','urn:acl:qa:read:write:test') ;
-- Make Public Graph Private by adding it to Private Named Graph Group
-- Membership in the PrivateGraphs group is what takes a graph out of public
-- (anonymous) reach; the VAL ACLs further down then re-open it to specific agents.
-- This must happen BEFORE the test data is inserted below, otherwise the triples
-- are world-readable until this point. It presumably also relies on 'nobody'
-- having no default permissions on private graphs -- that is not set in this
-- script, so confirm it on the target instance.
DB.DBA.RDF_GRAPH_GROUP_INS
('http://www.openlinksw.com/schemas/virtrdf#PrivateGraphs','urn:acl:qa:test:berlin') ;
DB.DBA.RDF_GRAPH_GROUP_INS
('http://www.openlinksw.com/schemas/virtrdf#PrivateGraphs','urn:acl:qa:test:paris') ;
-- Stale 'file:' variants, see the cleanup note above.
-- DB.DBA.RDF_GRAPH_GROUP_INS
-- ('http://www.openlinksw.com/schemas/virtrdf#PrivateGraphs','file:urn:acl:qa:test:berlin') ;
-- DB.DBA.RDF_GRAPH_GROUP_INS
-- ('http://www.openlinksw.com/schemas/virtrdf#PrivateGraphs','file:urn:acl:qa:test:paris') ;
DB.DBA.RDF_GRAPH_GROUP_INS
('http://www.openlinksw.com/schemas/virtrdf#PrivateGraphs','urn:acl:qa:readonly:test') ;
DB.DBA.RDF_GRAPH_GROUP_INS
('http://www.openlinksw.com/schemas/virtrdf#PrivateGraphs','urn:acl:qa:read:write:test') ;
-- Data Generation for Test Named Graph
-- Three INSERTs; the target GRAPH IRIs are missing from this copy. The first and
-- third both insert dbpedia:Paris, so unless they address different graphs the
-- third is a no-op (RDF graphs are sets). These run as the iSQL user, i.e. under
-- the default-permission grant at the top of the script, not through the ACLs.
SPARQL
PREFIX dbpedia:
PREFIX dbo:
INSERT {
GRAPH
{
dbpedia:Paris a dbo:Place .
}
} ;
SPARQL
PREFIX dbpedia:
PREFIX dbo:
INSERT {
GRAPH
{
dbpedia:Berlin a dbo:Place .
}
} ;
SPARQL
PREFIX dbpedia:
PREFIX dbo:
INSERT {
GRAPH
{
dbpedia:Paris a dbo:Place .
}
} ;
-- Conditional Group HTTP (Default Realm)
-- Cleanup: drop every triple about the group so the definition below is exact.
SPARQL
PREFIX acl:
PREFIX oplacl:
PREFIX foaf:
WITH
DELETE {
<#groupBasicNetID> ?p ?o .
}
WHERE {
<#groupBasicNetID> ?p ?o .
} ;
-- Conditional Group Definition
-- The blank-node condition (its criteria/comparator IRIs are missing in this copy;
-- the value compared against is the literal 1) presumably makes *any*
-- authenticated identity carrying a NetID a member. Membership is therefore
-- open-ended rather than a vetted list: every ACL below that names
-- <#groupBasicNetID> -- including the Read/Write ones -- extends to whoever can
-- present such an identity.
SPARQL
PREFIX acl:
PREFIX oplacl:
PREFIX foaf:
WITH GRAPH
INSERT {
<#groupBasicNetID>
a ;
"Identities Denoted using a NetID based Identifier" ;
[
a ,
;
;
;
1
] .
} ;
-- Clear ACL Cache
-- Older no-argument form, kept for reference:
-- VAL.DBA.clear_graph_acl_cache() ;
-- NOTE(review): the cache is cleared here, before any of the acl:Authorization
-- rules below are inserted. If VAL caches ACL decisions, rule changes made later
-- in this script may not take effect until the cache is cleared again -- consider
-- repeating this call after the last rule/restriction is declared.
VAL.DBA.clear_graph_acl_cache (null, null, 1) ;
-- Declare DefaultRealm (HTTP) ACL
-- Cleanup
SPARQL
PREFIX oplacl:
PREFIX acl:
WITH
DELETE
{
<#HttpTLSPrivateNamedGraphRule1> ?p ?o .
}
WHERE {
<#HttpTLSPrivateNamedGraphRule1> ?p ?o .
};
-- ACL Definition
-- Protection of Private Named Graph identified by IRI: (missing in this copy)
-- Read-only grant on one private graph to the open-ended NetID group, scoped to
-- PrivateGraphs in the HTTP (default) realm. rdfs:/foaf: are used without a
-- PREFIX line, which relies on Virtuoso's built-in namespace prefixes; the
-- foaf:maker object is missing in this copy.
SPARQL
PREFIX oplacl:
PREFIX acl:
WITH
INSERT
{
<#HttpTLSPrivateNamedGraphRule1>
a acl:Authorization ;
rdfs:label "Private Named Graph ACL (HTTP Realm) for Named Graph Identified by IRI: " ;
foaf:maker ;
oplacl:hasAccessMode oplacl:Read ;
acl:accessTo ;
acl:agent <#groupBasicNetID> ;
oplacl:hasScope oplacl:PrivateGraphs ;
oplacl:hasRealm oplacl:DefaultRealm .
};
-- Cleanup
SPARQL
PREFIX oplacl:
PREFIX acl:
WITH
DELETE
{
<#HttpTLSPrivateNamedGraphRule2> ?p ?o .
}
WHERE {
<#HttpTLSPrivateNamedGraphRule2> ?p ?o .
} ;
-- ACL Definition
-- Protection of Private Named Graph identified by IRI: (missing in this copy)
-- Read-only grant to an explicit list of agent WebIDs (the IRIs are missing in
-- this copy). The list is an allow-list: treat it as security configuration and
-- keep additions under change control.
SPARQL
PREFIX oplacl:
PREFIX acl:
WITH
INSERT
{
<#HttpTLSPrivateNamedGraphRule2>
a acl:Authorization ;
rdfs:label "Private Named Graph ACL (HTTP Realm) for Named Graph Identified by IRI: " ;
foaf:maker ;
oplacl:hasAccessMode oplacl:Read ;
acl:accessTo ;
acl:agent ,
,
,
,
,
,
,
,
, ;
oplacl:hasScope oplacl:PrivateGraphs ;
oplacl:hasRealm oplacl:DefaultRealm .
};
-- Read-Write ACL (test). The header previously said "ReadOnly", but the rule
-- below grants oplacl:Read *and* oplacl:Write.
-- Cleanup
SPARQL
PREFIX oplacl:
PREFIX acl:
WITH
DELETE
{ <#HTTPSPrivateNamedGraphReadWriteTest> ?p ?o . }
WHERE
{ <#HTTPSPrivateNamedGraphReadWriteTest> ?p ?o . } ;
-- Read-Write ACL Description
-- NOTE(review): Write access on a private graph is granted here to
-- <#groupBasicNetID>, the open-ended conditional group defined above, i.e. to any
-- identity presenting a NetID in the HTTP realm. The rdfs:label says "SQL Realm"
-- although oplacl:hasRealm is oplacl:DefaultRealm (HTTP). Confirm both are
-- intended for a throw-away test graph only before reusing this rule as a
-- template. The commented-out agent line references the SQL-realm groups, which
-- would not match this realm anyway.
SPARQL
PREFIX oplacl:
PREFIX acl:
WITH
INSERT
{
<#HTTPSPrivateNamedGraphReadWriteTest>
a acl:Authorization ;
rdfs:label "Private Named Graph ACL (SQL Realm) for Named Graph Identified by IRI: " ;
foaf:maker ;
oplacl:hasAccessMode oplacl:Read, oplacl:Write ;
acl:accessTo ;
# acl:agent <#SQLTLSgroupBasicNetID>, <#SQLTLSstaticGroup> ;
acl:agent <#groupBasicNetID> ;
oplacl:hasScope oplacl:PrivateGraphs ;
oplacl:hasRealm oplacl:DefaultRealm .
};
--- End of Default (HTTP) Realm ACLs for Protected Named Graphs ---
---- Start of SQLRealm ACLs ----
-- Static Group Description
-- Cleanup
SPARQL
PREFIX acl:
PREFIX oplacl:
PREFIX foaf:
WITH GRAPH
DELETE {
<#SQLTLSstaticGroup>
?p ?o
}
WHERE {
<#SQLTLSstaticGroup>
?p ?o
};
-- Group Definition
-- Closed allow-list of WebIDs (the member IRIs are missing in this copy). The
-- SQL-realm private-graph rules below grant Read, and in one case Read/Write, to
-- this group, so a membership change is an access-control change and should be
-- reviewed as one.
SPARQL
PREFIX acl:
PREFIX oplacl:
PREFIX foaf:
WITH GRAPH
INSERT {
<#SQLTLSstaticGroup>
a foaf:Group ;
foaf:name "Conventional Group" ;
rdfs:comment """Conventional group to which a collection of WebIDs (in the form of a list) belong.""" ;
foaf:member ,
,
,
,
,
,
,
,
,
,
.
} ;
-- Conditional Group Description SQL Realm
-- Cleanup
SPARQL
PREFIX acl:
PREFIX oplacl:
PREFIX foaf:
WITH GRAPH
DELETE {
<#SQLTLSgroupBasicNetID>
?p ?o
}
WHERE {
<#SQLTLSgroupBasicNetID>
?p ?o
} ;
-- Conditional Group Definition
-- Same open-ended "any NetID" condition as <#groupBasicNetID> above, declared
-- under a separate subject for SQL-realm rules. Note that the SQL-realm
-- private-graph rules below leave this group commented out in favour of the
-- static allow-list, which is the safer default for write access.
SPARQL
PREFIX acl:
PREFIX oplacl:
PREFIX foaf:
WITH GRAPH
INSERT {
<#SQLTLSgroupBasicNetID>
a ;
"Identities Denoted using a NetID based Identifier" ;
[
a ,
;
;
;
1
] .
} ;
-- Grant NetID Group Access to SQL Realm
-- Cleanup
SPARQL
PREFIX oplacl:
PREFIX acl:
PREFIX foaf:
WITH GRAPH
DELETE {
<#NetIDTLSSQLAccessRule1> ?p ?o .
}
WHERE {
<#NetIDTLSSQLAccessRule1> ?p ?o .
};
-- ACL Definition
-- NOTE(review): this rule grants Read *and* Write in the SQL realm (Query scope).
-- Its agents are <#groupBasicNetID> -- the HTTP-realm conditional group, not the
-- SQL-realm <#SQLTLSgroupBasicNetID> defined just above -- and <#staticGroup>,
-- which is not defined anywhere in this script (the SQL-realm list is
-- <#SQLTLSstaticGroup>). Both are fragment IRIs resolved against the WITH GRAPH
-- base, so they only resolve if the groups live in the same graph as this rule.
-- Either the agent references are wrong or part of the grant is dangling; confirm
-- the intent before deploying. Also: the NetID condition makes every NetID holder
-- a member, so as written any NetID would get SQL-realm write access.
SPARQL
PREFIX oplacl:
PREFIX acl:
PREFIX foaf:
WITH GRAPH
INSERT {
<#NetIDTLSSQLAccessRule1> a acl:Authorization ;
foaf:maker ;
rdfs:label "SQL Realm Access Authorization ACL for NetIDs" ;
rdfs:comment """Conditional Group based ACL that provides NetIDs with SQL Realm Access.""" ;
oplacl:hasAccessMode oplacl:Read, oplacl:Write ;
acl:accessTo ;
acl:agent <#groupBasicNetID>, <#staticGroup> ;
oplacl:hasScope oplacl:Query ;
oplacl:hasRealm oplacl:SqlRealm .
};
-- SPASQL Access in SQL Realm Privileges Grant to a Specific WebID (this is required for LOD Connectivity Licenses )--
-- Cleanup
SPARQL
PREFIX oplacl:
PREFIX acl:
PREFIX foaf:
WITH GRAPH
DELETE {
<#WebIDTLSPASQLAccessRule1> ?p ?o.
}
WHERE {
<#WebIDTLSPASQLAccessRule1> ?p ?o.
} ;
-- ACL Description
-- Read-only, Query scope, SQL realm, explicit WebID allow-list (the IRIs are
-- missing in this copy). This rule and <#WebIDTLSSQLAccessRule1> below are
-- identical apart from the subject name; presumably one was meant for SPASQL and
-- one for plain SQL, but nothing in the triples distinguishes them -- confirm
-- whether both are needed, since two rules to maintain is two places to get wrong.
SPARQL
PREFIX oplacl:
PREFIX acl:
PREFIX foaf:
WITH GRAPH
INSERT {
<#WebIDTLSPASQLAccessRule1> a acl:Authorization ;
foaf:maker ;
rdfs:label "SQL Realm Access Authorization ACL" ;
rdfs:comment """Mandatory ACL for granting access to SQL Realm which then enables ODBC, JDBC, ADO.NET, OLE-DB compliant
application access, subject to Agent & User Identity.""" ;
oplacl:hasAccessMode oplacl:Read ;
acl:accessTo ;
acl:agent ,
,
,
,
,
,
,
,
,
, ,
;
oplacl:hasScope oplacl:Query ;
oplacl:hasRealm oplacl:SqlRealm .
};
-- SQL Realm Authorizations (enables execution of SQL queries via SQL+TLS connections)
-- Cleanup
SPARQL
PREFIX oplacl:
PREFIX acl:
PREFIX foaf:
WITH GRAPH
DELETE {
<#WebIDTLSSQLAccessRule1> ?p ?o.
}
WHERE {
<#WebIDTLSSQLAccessRule1> ?p ?o.
} ;
-- ACL Description
-- Read-only SQL-realm entry grant for an explicit WebID allow-list (IRIs missing
-- in this copy). This is the gate for ODBC/JDBC/etc. access per the comment; the
-- private-graph rules further down only matter for identities that pass it.
-- Body is identical to <#WebIDTLSPASQLAccessRule1> above -- see the note there.
SPARQL
PREFIX oplacl:
PREFIX acl:
PREFIX foaf:
WITH GRAPH
INSERT {
<#WebIDTLSSQLAccessRule1> a acl:Authorization ;
foaf:maker ;
rdfs:label "SQL Realm Access Authorization ACL" ;
rdfs:comment """Mandatory ACL for granting access to SQL Realm which then enables ODBC, JDBC, ADO.NET, OLE-DB compliant
application access, subject to Agent & User Identity.""" ;
oplacl:hasAccessMode oplacl:Read ;
acl:accessTo ;
acl:agent ,
,
,
,
,
,
,
,
,
, ,
;
oplacl:hasScope oplacl:Query ;
oplacl:hasRealm oplacl:SqlRealm .
};
-- Private Graph ACL Private Named Graph identified by IRI: (missing in this copy)
-- Cleanup
SPARQL
PREFIX oplacl:
PREFIX acl:
WITH
DELETE
{ <#TLSSQLPrivateNamedGraphRule1> ?p ?o . }
WHERE
{ <#TLSSQLPrivateNamedGraphRule1> ?p ?o . } ;
-- ACL Description
-- Read-only on one private graph for the static allow-list group, SQL realm.
-- The open-ended NetID group is deliberately left commented out; keep it that way
-- unless every NetID holder is meant to read this graph over SQL.
SPARQL
PREFIX oplacl:
PREFIX acl:
WITH
INSERT
{
<#TLSSQLPrivateNamedGraphRule1>
a acl:Authorization ;
rdfs:label "Private Named Graph ACL (SQL Realm) for Named Graph Identified by IRI: " ;
foaf:maker ;
oplacl:hasAccessMode oplacl:Read ;
acl:accessTo ;
# acl:agent <#SQLTLSgroupBasicNetID>, <#SQLTLSstaticGroup> ;
acl:agent <#SQLTLSstaticGroup> ;
oplacl:hasScope oplacl:PrivateGraphs ;
oplacl:hasRealm oplacl:SqlRealm .
};
-- Read-only ACL. The header previously said "ReadWrite", but the rule below
-- grants oplacl:Read only.
-- Private Graph ACL Private Named Graph identified by IRI: (missing in this copy)
-- Cleanup
SPARQL
PREFIX oplacl:
PREFIX acl:
WITH
DELETE
{
<#TLSSQLPrivateNamedGraphRule2> ?p ?o .
}
WHERE {
<#TLSSQLPrivateNamedGraphRule2> ?p ?o .
};
-- ACL Description
-- Read-only on one private graph for an explicit WebID allow-list (IRIs missing
-- in this copy), SQL realm.
SPARQL
PREFIX oplacl:
PREFIX acl:
WITH
INSERT
{
<#TLSSQLPrivateNamedGraphRule2>
a acl:Authorization ;
rdfs:label "Private Named Graph ACL (SQL Realm) for Named Graph Identified by IRI: " ;
foaf:maker ;
oplacl:hasAccessMode oplacl:Read ;
acl:accessTo ;
acl:agent ,
,
,
,
,
,
,
,
, ,
;
oplacl:hasScope oplacl:PrivateGraphs ;
oplacl:hasRealm oplacl:SqlRealm .
};
-- Read-Write ACL (test). The header previously said "ReadOnly", but the rule
-- below grants oplacl:Read *and* oplacl:Write.
-- Cleanup
SPARQL
PREFIX oplacl:
PREFIX acl:
WITH
DELETE
{ <#TLSSQLPrivateNamedGraphReadWriteTest> ?p ?o . }
WHERE
{ <#TLSSQLPrivateNamedGraphReadWriteTest> ?p ?o . } ;
-- Read-Write ACL Description
-- Write access on a private graph over SQL is limited to the static allow-list
-- group; the open-ended NetID group stays commented out. Keep it that way for any
-- graph that is not a disposable test graph.
SPARQL
PREFIX oplacl:
PREFIX acl:
WITH
INSERT
{
<#TLSSQLPrivateNamedGraphReadWriteTest>
a acl:Authorization ;
rdfs:label "Private Named Graph ACL (SQL Realm) for Named Graph Identified by IRI: " ;
foaf:maker ;
oplacl:hasAccessMode oplacl:Read, oplacl:Write ;
acl:accessTo ;
acl:agent <#SQLTLSstaticGroup> ;
# acl:agent <#SQLTLSgroupBasicNetID> ;
oplacl:hasScope oplacl:PrivateGraphs ;
oplacl:hasRealm oplacl:SqlRealm .
};
--- SQL Query Access Restrictions (SQLRealm re. ODBC, JDBC, ADO.NET) ---
-- Query Request Rate
-- Cleanup
SPARQL
PREFIX oplacl:
PREFIX acl:
PREFIX foaf:
PREFIX oplrest:
WITH GRAPH
DELETE {
<#URIBurnerTLSSQLAccessRestriction1> ?p ?o . }
WHERE {
<#URIBurnerTLSSQLAccessRestriction1> ?p ?o .
};
-- Restriction Definition
-- Caps the query rate for the listed agents (oplrest:hasMaxValue 100; per the
-- rdfs:comment the unit is requests per second; the restricted-resource IRI and
-- the agent WebIDs are missing in this copy). NOTE(review): the acl:agent list is
-- who the cap applies to -- identities not listed are presumably not metered by
-- this restriction, so confirm what the default is for unlisted SQL-realm agents.
SPARQL
PREFIX oplacl:
PREFIX acl:
PREFIX foaf:
PREFIX oplrest:
WITH GRAPH
INSERT {
<#URIBurnerTLSSQLAccessRestriction1>
a oplrest:Restriction ;
foaf:maker ;
rdfs:label "SQL Realm Query Rate Restriction" ;
rdfs:comment """Mandatory Restriction for metering Query Request Rates per second.""" ;
oplacl:hasAccessMode oplacl:Read ;
oplrest:hasRestrictedResource ;
oplrest:hasMaxValue "100"^^xsd:integer ;
acl:agent ,
,
,
,
,
,
,
,
,
, ,
;
oplacl:hasRealm oplacl:SqlRealm .
};
-- Query Results Size
-- Cleanup
SPARQL
PREFIX oplacl:
PREFIX acl:
PREFIX foaf:
PREFIX oplrest:
WITH GRAPH
DELETE {
<#URIBurnerTLSSQLAccessRestriction2> ?p ?o .
}
WHERE {
<#URIBurnerTLSSQLAccessRestriction2> ?p ?o .
};
-- Restriction Definition
-- Caps result-set size at 200 solutions for the listed agents (resource IRI and
-- agent WebIDs missing in this copy). Unlike Restriction1 above, this one declares
-- no oplacl:hasAccessMode; confirm whether the restriction still applies without
-- it, or add oplacl:Read for consistency. The typo in the rdfs:comment literal is
-- left as-is since it is stored data, not a comment.
SPARQL
PREFIX oplacl:
PREFIX acl:
PREFIX foaf:
PREFIX oplrest:
WITH GRAPH
INSERT {
<#URIBurnerTLSSQLAccessRestriction2>
a oplrest:Restriction ;
foaf:maker ;
rdfs:label "SQL Realm Resultset [Query Solution] Size Restriction" ;
rdfs:comment """Mandatory Restriction for restrictng maximum size of query resultsets [solutions].""" ;
oplrest:hasRestrictedResource ;
oplrest:hasMaxValue "200"^^xsd:integer ;
acl:agent ,
,
,
,
,
,
,
,
,
, ,
;
oplacl:hasRealm oplacl:SqlRealm .
};
-- Test Query 1
-- Should only show solution for members of Group granted access to protected graph
-- NOTE(review): the FROM graph IRIs are missing in this copy. These checks are
-- only meaningful when executed as the identity under test (HTTPS with a
-- WebID/NetID for the DefaultRealm rules, a SQL+TLS connection for the SqlRealm
-- rules). Run inside the same admin iSQL session that performed the grants above,
-- they reflect that account's default permissions, not the ACLs, and will pass
-- regardless of whether the ACLs work.
SPARQL
SELECT count (*)
FROM
WHERE {?s ?p ?o} ;
-- Test Query 2
-- Should only show solution for authenticated NetIDs
SPARQL
SELECT count (*)
FROM
WHERE {?s ?p ?o} ;
-- Test Query 3
-- Should show aggregate reflective of specific WebID executing query
-- Authenticated NetIDs that are members of Group with access to
-- Graph identified by: (IRI missing in this copy), should see the most
-- Authenticated NetIDs that are not members of the aforementioned group see the next largest total
-- Others see nothing.
-- A non-zero count for an unauthenticated caller here is the clearest sign that
-- the PrivateGraphs membership or the 'nobody' default permissions are wrong.
SPARQL
SELECT count (*)
FROM
FROM
WHERE {?s ?p ?o} ;
-- Test Query 4
-- Count should be 1 inline with acl
SPARQL
SELECT COUNT (*)
FROM
WHERE {?s ?p ?o} ;
-- Test Query 5
-- Count varies subject to acls
SPARQL
SELECT COUNT (*)
FROM
WHERE {?s ?p ?o} ;