Fuseki can provide access control at the level on the server, on datasets, on endpoints and also on specific graphs within a dataset. It also provides native https to protect data in-flight.
Fuseki Main provides some common patterns of authentication and also Graph level Data Access Control to provide control over the visibility of graphs within a dataset, including the union graph of a dataset and the default graph. Currently, Graph level access control only applies to read-only datasets.
Fuseki Full (Fuseki with the UI) can be used when run in a web application server such as Tomcat to provide authentication of the user. See “Fuseki Security” for configuring security over the whole of the Fuseki UI.
This page applies to Fuseki Main.
HTTPS
HTTPS support is configured from the fuseki server command line.
| Server Argument | ||
|---|---|---|
| –https=SETUP | Name of file for certificate details. | |
| –httpsPort=PORT | The port for https | Default: 3043 |
The --https argument names a file in JSON which includes the name of
the certificate file and password for the certificate.
HTTPS certificate details file
The file is a simple JSON file:
{ "cert": KEYSTORE, "passwd": SECRET }
This file must be protected by file access settings so that it can only be read by the userid running the server. One way is to put the keystore certificate and the certificate details file in the same directory, then make the directory secure.
Self-signed certificates
A self-signed certificate provides an encrypted link to the server and stops some attacks. What it does not do is guarantee the identity of the host name of the Fuseki server to the client system. A signed certificate provides that through the chain of trust. A self-signed certificate does protect data in HTTP responses.
A self-signed certificate can be generated with:
$ keytool -keystore $keystore -alias jetty -genkey -keyalg RSA
For information on creating a certificate, see the Jetty documentation for generating certificates.
Authentication
Authentication, is establishing the identity of the principal (user or program) accessing the system. Fuseki Main provides users/password setup and HTTP authentication, digest or basic).
These should be used with HTTPS.
| Server Argument | ||
|---|---|---|
| –passwd=FILE | Password file | |
| –auth= | “basic” or “digest” | Default is “digest” |
These can also be given in the server configuration file:
<#server> rdf:type fuseki:Server ;
fuseki:passwd "<i>password_file</i>" ;
fuseki:auth "<i>digest</i>" ;
...
The format of the password file is:
username: password
and passwords can be stored in hash or obfuscated form.
Documentation of the Eclipse Jetty Password file format.
If different authentication is required, the full facilities of Eclipse Jetty configuration are available - see the section below.
Using curl
See the curl documentation for full details. This section is a brief summary of some relevant options:
| curl argument | Value | – |
|---|---|---|
-n, --netrc |
Take passwords from .netrc (_netrc on windows) |
|
--user= |
user:password |
Set the user and password (visible to all on the local machine) |
--anyauth |
Use server nominated authentication scheme | |
--basic |
Use HTTP basic auth | |
--digest |
Use HTTP digest auth | |
-k, --insecure |
Don’t check HTTPS certificate. This allows for self-signed or expired certificates, or ones with the wrong host name. |
Using wget
See the wget documentation for full details. This section is a brief summary of some relevant options:
| wget argument | Value | – |
|---|---|---|
--http-user |
user name | Set the user. |
--http-password |
password | Set the password (visible to all on the local machine) |
wget uses users/password from .wgetrc or .netrc by default. |
||
--no-check-certificate |
Don’t check HTTPS certificate. This allows for self-signed or expired, certificates or ones with the wrong host name. |
Access Control Lists
ACLs can be applied to the server as a whole, to a dataset, to endpoints, and to graphs within a dataset. This section covers server, dataset and endpoint access control lists. Graph-level access control is covered below.
Access control lists (ACL) as part of the server configuration file.
$ fuseki --conf configFile.ttl
ACLs are provided by the fuseki:allowedUsers property
Format of fuseki:allowedUsers
The list of users allowed access can be an RDF list or repeated use of the property or a mixture. The different settings are combined into one ACL.
fuseki:allowedUsers "user1", "user2", "user3";
fuseki:allowedUsers "user3";
fuseki:allowedUsers ( "user1" "user2" "user3") ;
There is a special user name “*” which means “any authenticated user”.
fuseki:allowedUsers "*" ;
Server Level ACLs
<#server> rdf:type fuseki:Server ;
<b>fuseki:allowedUsers "user1", "user2", "user3";</b>
...
fuseki:services ( ... ) ;
...
.
A useful pattern is:
<#server> rdf:type fuseki:Server ;
<b>fuseki:allowedUsers "*";</b>
...
fuseki:services ( ... ) ;
...
.
which requires all access to to be authenticated and the allowed users are those in the password file.
Dataset Level ACLs
When there is an access control list on the fuseki:Service, it applies
to all requests to the endpoints of the dataset.
Any server-wide “allowedUsers” configuration also applies and both levels must allow the user access.
<#service_auth> rdf:type fuseki:Service ;
rdfs:label "ACL controlled dataset" ;
fuseki:name "db-acl" ;
# ACL here.
fuseki:allowedUsers "user1", "user3";
## Choice of operations.
fuseki:endpoint [
fuseki:operation fuseki:query ;
fuseki:name "sparql"
];
fuseki:endpoint [
fuseki:operation fuseki:update ;
fuseki:name "sparql"
] ;
fuseki:endpoint [
fuseki:operation fuseki:gsp-r ;
fuseki:name "get"
] ;
fuseki:dataset <#base_dataset>;
.
Endpoint Level ACLs
An access control list can be applied to an individual endpoint. Again, any other “allowedUsers” configuration, service-wide, or server-wide) also applies.
fuseki:endpoint [
fuseki:operation fuseki:query ;
fuseki:name "query" ;
fuseki:allowedUsers "user1", "user2" ;
];
fuseki:endpoint [
fuseki:operation fuseki:update ;
fuseki:name "update" ;
fuseki:allowedUsers "user1"
] ;
Only user1 can use SPARQL update; both user1 and user2 can use SPARQL query.
Graph Access Control Lists
Graph level access control is defined using a specific dataset implementation for the service.
<#access_dataset> rdf:type access:AccessControlledDataset ;
access:registry ... ;
access:dataset ... ;
.
Graph ACLs are defined in a Graph Security Registry which lists the users and graph URIs.
<#service_tdb2> rdf:type fuseki:Service ;
rdfs:label "Graph-level access controlled dataset" ;
fuseki:name "db-graph-acl" ;
## Read-only operations on the dataset URL.
fuseki:endpoint [ fuseki:operation fuseki:query ] ;
fuseki:endpoint [ fuseki:operation fuseki:gsp_r ] ;
fuseki:dataset <b><#access_dataset></b> ;
.
# Define access on the dataset.
<#access_dataset> rdf:type access:AccessControlledDataset ;
access:registry <#securityRegistry> ;
access:dataset <#tdb_dataset_shared> ;
.
<#securityRegistry>rdf:type access:SecurityRegistry ;
. . .
<#tdb_dataset_shared> rdf:type tdb:DatasetTDB ;
. . .
All dataset storage types are supported. TDB1 and TDB2 have special implementations for handling graph access control.
Graph Security Registry
The Graph Security Registry is defined as a number of access entries in
either a list format “(user graph1 graph2 …)” or as RDF properties
access:user and access:graphs. The property access:graphs has graph URI or a
list of URIs as its object.
<#securityRegistry> rdf:type access:SecurityRegistry ;
access:entry ( "user1" <http://host/graphname1> <http://host/graphname2> ) ;
access:entry ( "user1" <http://host/graphname3> ) ;
access:entry ( "user1" <urn:x-arq:DefaultGraph> ) ;
access:entry ( "user2" <http://host/graphname9> ) ;
access:entry [ access:user "user3" ; access:graphs ( <http://host/graphname3> <http://host/graphname4> ) ] ;
access:entry [ access:user "user3" ; access:graphs <http://host/graphname5> ] ;
access:entry [ access:user "userZ" ; access:graphs <http://host/graphnameZ> ] ;
.
Jetty Configuration
For authentication configuration not covered by Fuseki configuration, the deployed server can be run using a Jetty configuration.
Server command line: --jetty=jetty.xml.