<!DOCTYPE html>
<html lang="en">
<head>
<title>Apache Jena - Data Access Control for Fuseki</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<link href="/css/bootstrap.min.css" rel="stylesheet" media="screen">
<link href="/css/bootstrap-icons.css" rel="stylesheet" media="screen"><link rel="stylesheet" type="text/css" href="https://jena.apache.org/sass/jena.1b17c39a117e22b46db4c66f6395dc27c134a60377d87d2d5745b8600eb69722.css" integrity="sha256-GxfDmhF&#43;IrRttMZvY5XcJ8E0pgN32H0tV0W4YA62lyI=">
<link rel="shortcut icon" href="/images/favicon.ico" />
</head>
<body>
<div class="container">
<div class="row">
<div class="col-md-12">
<h1 class="title">Data Access Control for Fuseki</h1>
<main class="d-flex flex-xl-row flex-column">
<aside class="text-muted align-self-start mb-3 p-0 d-xl-none d-block">
<h2 class="h6 sticky-top m-0 p-2 bg-body-tertiary">On this page</h2>
<nav id="TableOfContents">
<ul>
<li><a href="#https">HTTPS</a>
<ul>
<li><a href="#https-details">HTTPS certificate details file</a></li>
<li><a href="#self-signed-certificates">Self-signed certificates</a></li>
</ul>
</li>
<li><a href="#authentication">Authentication</a>
<ul>
<li><a href="#using-curl">Using <code>curl</code></a></li>
<li><a href="#using-wget">Using <code>wget</code></a></li>
</ul>
</li>
<li><a href="#acl">Access Control Lists</a>
<ul>
<li><a href="#alloweduser">Format of <code>fuseki:allowedUsers</code></a></li>
<li><a href="#server-acl">Server Level ACLs</a></li>
<li><a href="#dataset-acl">Dataset Level ACLs</a></li>
<li><a href="#endpoint-acl">Endpoint Level ACLs</a></li>
</ul>
</li>
<li><a href="#graph-acl">Graph Access Control Lists</a>
<ul>
<li><a href="#graph-security-registry">Graph Security Registry</a></li>
</ul>
</li>
<li><a href="#jetty-configuration">Jetty Configuration</a></li>
</ul>
</nav>
</aside>
<article class="flex-column me-lg-4">
<p>Fuseki can provide access control at the level of the server, of datasets,
of endpoints and also of specific graphs within a dataset. It also
provides native HTTPS to protect data in transit.</p>
<p><a href="/documentation/fuseki2/fuseki-main.html">Fuseki Main</a>
provides some common patterns of authentication and also
<a href="#graph-acl">Graph level Data Access Control</a> to provide control over the visibility of
graphs within a dataset, including the union graph of a dataset and
the default graph. Currently, Graph level access control only applies to
read-only datasets.</p>
<p>Fuseki Full (Fuseki with the UI) can be used when <a href="/documentation/fuseki2/fuseki-webapp.html#fuseki-web-application">run in a web application
server such as
Tomcat</a> to
provide authentication of the user. See &ldquo;<a href="fuseki-security">Fuseki Security</a>&rdquo;
for configuring security over the whole of the Fuseki UI.</p>
<p>This page applies to Fuseki Main.</p>
<h2 id="https">HTTPS</h2>
<p>HTTPS support is configured from the fuseki server command line.</p>
<table>
<thead>
<tr>
<th>Server Argument</th>
<th></th>
<th></th>
</tr>
</thead>
<tbody>
<tr>
<td><tt>--https=<i>SETUP</i></tt></td>
<td>Name of file for certificate details.</td>
<td></td>
</tr>
<tr>
<td><tt>--httpsPort=<i>PORT</i></tt></td>
<td>The port for https</td>
<td>Default: 3043</td>
</tr>
</tbody>
</table>
<p>The <code>--https</code> argument names a JSON file which includes the name of
the certificate file and the password for the certificate.</p>
<h3 id="https-details">HTTPS certificate details file</h3>
<p>The file is a simple JSON file:</p>
<div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-json" data-lang="json"><span style="display:flex;"><span>{ <span style="color:#008000;font-weight:bold">&#34;cert&#34;</span>: <span style="">KEYSTORE</span>, <span style="color:#008000;font-weight:bold">&#34;passwd&#34;</span>: <span style="">SECRET</span> }
</span></span></code></pre></div><p>This file holds the password for the certificate, so it must be protected by file access settings so that it can only
be read by the userid running the server. One way is to put the
keystore certificate and the certificate details file in the same
directory, then make the directory secure.</p>
<h3 id="self-signed-certificates">Self-signed certificates</h3>
<p>A self-signed certificate provides an encrypted link to the server and
stops some attacks. What it does not do is guarantee the identity of the
host name of the Fuseki server to the client system. A certificate signed by a trusted certificate authority provides that through the chain of trust. A self-signed certificate does protect data in HTTP responses.</p>
<p>A self-signed certificate can be generated with:</p>
<div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ keytool -keystore <span style="color:#b8860b">$keystore</span> -alias jetty -genkey -keyalg RSA
</span></span></code></pre></div><p>For information on creating a certificate, see the Jetty documentation
for <a href="http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html#generating-key-pairs-and-certificates">generating certificates</a>.</p>
<h2 id="authentication">Authentication</h2>
<p><a href="https://en.wikipedia.org/wiki/Authentication">Authentication</a>
is establishing the identity of the principal (user or program) accessing the
system. Fuseki Main provides user/password setup and HTTP authentication
(<a href="https://en.wikipedia.org/wiki/Digest_access_authentication">digest</a> or
<a href="https://en.wikipedia.org/wiki/Basic_access_authentication">basic</a>).</p>
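<p>These should be <a href="#https">used with HTTPS</a>, because neither scheme encrypts the request or the response, and basic authentication sends the password in an easily decoded form.</p>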
<table>
<thead>
<tr>
<th>Server Argument</th>
<th></th>
<th></th>
</tr>
</thead>
<tbody>
<tr>
<td><tt>--passwd=<i>FILE</i></tt></td>
<td>Password file</td>
<td></td>
</tr>
<tr>
<td><tt>--auth=</tt></td>
<td>&ldquo;basic&rdquo; or &ldquo;digest&rdquo;</td>
<td>Default is &ldquo;digest&rdquo;</td>
</tr>
</tbody>
</table>
<p>These can also be given in the server configuration file:</p>
<div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-turtle" data-lang="turtle"><span style="display:flex;"><span><span style="color:#b8860b">&lt;#server&gt;</span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">rdf:</span><span style="color:#008000;font-weight:bold">type</span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">Server</span><span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">passwd</span><span style="color:#bbb"> </span><span style="color:#b44">&#34;&lt;i&gt;password_file&lt;/i&gt;&#34;</span><span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">auth</span><span style="color:#bbb"> </span><span style="color:#b44">&#34;&lt;i&gt;digest&lt;/i&gt;&#34;</span><span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>...<span style="color:#bbb">
</span></span></span></code></pre></div><p>The format of the password file is:</p>
<pre tabindex="0"><code>username: password
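</code></pre><p>and passwords can be stored in hash or obfuscated form. The obfuscated form can be reversed, so it does not remove the need to restrict read access to the password file.</p>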
<p>See the documentation of the <a href="http://www.eclipse.org/jetty/documentation/current/configuring-security.html#hash-login-service">Eclipse Jetty Password file format</a>.</p>
<p>If different authentication is required, the full facilities of
<a href="http://www.eclipse.org/jetty/documentation/current/configuring-security.html">Eclipse Jetty configuration</a>
are available - see <a href="#jetty-configuration">the section below</a>.</p>
<h3 id="using-curl">Using <code>curl</code></h3>
<p>See the <a href="https://curl.haxx.se/docs/manpage.html">curl documentation</a> for full
details. This section is a brief summary of some relevant options:</p>
<table>
<thead>
<tr>
<th>curl argument</th>
<th>Value</th>
<th>&ndash;</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>-n</code>, <code>--netrc</code></td>
<td></td>
<td>Take passwords from <code>.netrc</code> (<code>_netrc</code> on Windows)</td>
</tr>
<tr>
<td><code>--user=</code></td>
<td><code>user:password</code></td>
<td>Set the user and password (visible to all on the local machine)</td>
</tr>
<tr>
<td><code>--anyauth</code></td>
<td></td>
<td>Use server nominated authentication scheme</td>
</tr>
<tr>
<td><code>--basic</code></td>
<td></td>
<td>Use HTTP basic auth</td>
</tr>
<tr>
<td><code>--digest</code></td>
<td></td>
<td>Use HTTP digest auth</td>
</tr>
<tr>
<td><code>-k</code>, <code>--insecure</code></td>
<td></td>
<td>Don&rsquo;t check HTTPS certificate.<br/> This allows for self-signed or expired certificates, or ones with the wrong host name.</td>
</tr>
</tbody>
</table>
<h3 id="using-wget">Using <code>wget</code></h3>
<p>See the <a href="https://www.gnu.org/software/wget/manual/wget.html">wget documentation</a> for full
details. This section is a brief summary of some relevant options:</p>
<table>
<thead>
<tr>
<th>wget argument</th>
<th>Value</th>
<th>&ndash;</th>
</tr>
</thead>
<tbody>
<tr>
<td><code>--http-user</code></td>
<td>user name</td>
<td>Set the user.</td>
</tr>
<tr>
<td><code>--http-password</code></td>
<td>password</td>
<td>Set the password (visible to all on the local machine)</td>
</tr>
<tr>
<td></td>
<td></td>
<td><code>wget</code> uses users/password from <code>.wgetrc</code> or <code>.netrc</code> by default.</td>
</tr>
<tr>
<td><code>--no-check-certificate</code></td>
<td></td>
<td>Don&rsquo;t check HTTPS certificate.<br/> This allows for self-signed or expired certificates, or ones with the wrong host name.</td>
</tr>
</tbody>
</table>
<h2 id="acl">Access Control Lists</h2>
<p>ACLs can be applied to the server as a whole, to a dataset, to endpoints, and to
graphs within a dataset. This section covers server, dataset and endpoint access control
lists. Graph-level access control is <a href="#graph-acl">covered below</a>.</p>
<p>Access control lists (ACLs) are given as part of the server configuration file.</p>
<div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ fuseki --conf configFile.ttl
</span></span></code></pre></div><p>ACLs are provided by the <code>fuseki:allowedUsers</code> property.</p>
<h3 id="alloweduser">Format of <code>fuseki:allowedUsers</code></h3>
<p>The list of users allowed access can be an RDF list or repeated use of
the property or a mixture. The different settings are combined into one ACL.</p>
<div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-turtle" data-lang="turtle"><span style="display:flex;"><span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">allowedUsers</span><span style="color:#bbb"> </span><span style="color:#b44">&#34;user1&#34;</span>,<span style="color:#bbb"> </span><span style="color:#b44">&#34;user2&#34;</span>,<span style="color:#bbb"> </span><span style="color:#b44">&#34;user3&#34;</span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"></span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">allowedUsers</span><span style="color:#bbb"> </span><span style="color:#b44">&#34;user3&#34;</span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"></span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">allowedUsers</span><span style="color:#bbb"> </span>(<span style="color:#bbb"> </span><span style="color:#b44">&#34;user1&#34;</span><span style="color:#bbb"> </span><span style="color:#b44">&#34;user2&#34;</span><span style="color:#bbb"> </span><span style="color:#b44">&#34;user3&#34;</span>)<span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span></code></pre></div><p>There is a special user name &ldquo;*&rdquo; which means &ldquo;any authenticated user&rdquo;.</p>
<div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-turtle" data-lang="turtle"><span style="display:flex;"><span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">allowedUsers</span><span style="color:#bbb"> </span><span style="color:#b44">&#34;*&#34;</span><span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span></code></pre></div><h3 id="server-acl">Server Level ACLs</h3>
<div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-turtle" data-lang="turtle"><span style="display:flex;"><span><span style="color:#b8860b">&lt;#server&gt;</span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">rdf:</span><span style="color:#008000;font-weight:bold">type</span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">Server</span><span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b8860b">&lt;b&gt;</span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">allowedUsers</span><span style="color:#bbb"> </span><span style="color:#b44">&#34;user1&#34;</span>,<span style="color:#bbb"> </span><span style="color:#b44">&#34;user2&#34;</span>,<span style="color:#bbb"> </span><span style="color:#b44">&#34;user3&#34;</span>;<span style="color:#b8860b">&lt;/b&gt;</span><span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>...<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">services</span><span style="color:#bbb"> </span>(<span style="color:#bbb"> </span>...<span style="color:#bbb"> </span>)<span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>...<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>.<span style="color:#bbb">
</span></span></span></code></pre></div><p>A useful pattern is:</p>
<div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-turtle" data-lang="turtle"><span style="display:flex;"><span><span style="color:#b8860b">&lt;#server&gt;</span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">rdf:</span><span style="color:#008000;font-weight:bold">type</span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">Server</span><span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#b8860b">&lt;b&gt;</span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">allowedUsers</span><span style="color:#bbb"> </span><span style="color:#b44">&#34;*&#34;</span>;<span style="color:#b8860b">&lt;/b&gt;</span><span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>...<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">services</span><span style="color:#bbb"> </span>(<span style="color:#bbb"> </span>...<span style="color:#bbb"> </span>)<span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>...<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>.<span style="color:#bbb">
</span></span></span></code></pre></div><p>which requires all access to be authenticated and the allowed users are
those in the password file.</p>
<h3 id="dataset-acl">Dataset Level ACLs</h3>
<p>When there is an access control list on the <code>fuseki:Service</code>, it applies
to all requests to the endpoints of the dataset.</p>
<p>Any server-wide &ldquo;allowedUsers&rdquo; configuration also applies and both
levels must allow the user access.</p>
<div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-turtle" data-lang="turtle"><span style="display:flex;"><span><span style="color:#b8860b">&lt;#service_auth&gt;</span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">rdf:</span><span style="color:#008000;font-weight:bold">type</span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">Service</span><span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">rdfs:</span><span style="color:#008000;font-weight:bold">label</span><span style="color:#bbb"> </span><span style="color:#b44">&#34;ACL controlled dataset&#34;</span><span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">name</span><span style="color:#bbb"> </span><span style="color:#b44">&#34;db-acl&#34;</span><span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic"># ACL here.</span><span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">allowedUsers</span><span style="color:#bbb"> </span><span style="color:#b44">&#34;user1&#34;</span>,<span style="color:#bbb"> </span><span style="color:#b44">&#34;user3&#34;</span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic">## Choice of operations.</span><span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">endpoint</span><span style="color:#bbb"> </span>[<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">operation</span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">query</span><span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">name</span><span style="color:#bbb"> </span><span style="color:#b44">&#34;sparql&#34;</span><span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>];<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">endpoint</span><span style="color:#bbb"> </span>[<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">operation</span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">update</span><span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">name</span><span style="color:#bbb"> </span><span style="color:#b44">&#34;sparql&#34;</span><span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>]<span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">endpoint</span><span style="color:#bbb"> </span>[<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">operation</span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">gsp-r</span><span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">name</span><span style="color:#bbb"> </span><span style="color:#b44">&#34;get&#34;</span><span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>]<span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">dataset</span><span style="color:#bbb"> </span><span style="color:#b8860b">&lt;#base_dataset&gt;</span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>.<span style="color:#bbb">
</span></span></span></code></pre></div><h3 id="endpoint-acl">Endpoint Level ACLs</h3>
<p>An access control list can be applied to an individual endpoint.
Again, any other &ldquo;allowedUsers&rdquo; configuration (service-wide or
server-wide) also applies.</p>
<div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-turtle" data-lang="turtle"><span style="display:flex;"><span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">endpoint</span><span style="color:#bbb"> </span>[<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">operation</span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">query</span><span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">name</span><span style="color:#bbb"> </span><span style="color:#b44">&#34;query&#34;</span><span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">allowedUsers</span><span style="color:#bbb"> </span><span style="color:#b44">&#34;user1&#34;</span>,<span style="color:#bbb"> </span><span style="color:#b44">&#34;user2&#34;</span><span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"></span>];<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"></span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">endpoint</span><span style="color:#bbb"> </span>[<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">operation</span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">update</span><span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">name</span><span style="color:#bbb"> </span><span style="color:#b44">&#34;update&#34;</span><span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">allowedUsers</span><span style="color:#bbb"> </span><span style="color:#b44">&#34;user1&#34;</span><span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"></span>]<span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span></code></pre></div><p>Only <em>user1</em> can use SPARQL update; both <em>user1</em> and
<em>user2</em> can use SPARQL query.</p>
<h2 id="graph-acl">Graph Access Control Lists</h2>
<p>Graph level access control is defined using a specific dataset
implementation for the service.</p>
<div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-turtle" data-lang="turtle"><span style="display:flex;"><span><span style="color:#b8860b">&lt;#access_dataset&gt;</span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">rdf:</span><span style="color:#008000;font-weight:bold">type</span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">access:</span><span style="color:#008000;font-weight:bold">AccessControlledDataset</span><span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">access:</span><span style="color:#008000;font-weight:bold">registry</span><span style="color:#bbb"> </span>...<span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">access:</span><span style="color:#008000;font-weight:bold">dataset</span><span style="color:#bbb"> </span>...<span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>.<span style="color:#bbb">
</span></span></span></code></pre></div><p>Graph ACLs are defined in a <a href="#graph-security-registry">Graph Security Registry</a> which lists the users and graph URIs.</p>
<div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-turtle" data-lang="turtle"><span style="display:flex;"><span><span style="color:#b8860b">&lt;#service_tdb2&gt;</span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">rdf:</span><span style="color:#008000;font-weight:bold">type</span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">Service</span><span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">rdfs:</span><span style="color:#008000;font-weight:bold">label</span><span style="color:#bbb"> </span><span style="color:#b44">&#34;Graph-level access controlled dataset&#34;</span><span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">name</span><span style="color:#bbb"> </span><span style="color:#b44">&#34;db-graph-acl&#34;</span><span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic">## Read-only operations on the dataset URL.</span><span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">endpoint</span><span style="color:#bbb"> </span>[<span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">operation</span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">query</span><span style="color:#bbb"> </span>]<span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">endpoint</span><span style="color:#bbb"> </span>[<span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">operation</span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">gsp_r</span><span style="color:#bbb"> </span>]<span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">dataset</span><span style="color:#bbb"> </span><span style="color:#b8860b">&lt;#access_dataset&gt;</span><span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>.<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"></span><span style="color:#080;font-style:italic"># Define access on the dataset.</span><span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"></span><span style="color:#b8860b">&lt;#access_dataset&gt;</span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">rdf:</span><span style="color:#008000;font-weight:bold">type</span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">access:</span><span style="color:#008000;font-weight:bold">AccessControlledDataset</span><span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">access:</span><span style="color:#008000;font-weight:bold">registry</span><span style="color:#bbb"> </span><span style="color:#b8860b">&lt;#securityRegistry&gt;</span><span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">access:</span><span style="color:#008000;font-weight:bold">dataset</span><span style="color:#bbb"> </span><span style="color:#b8860b">&lt;#tdb_dataset_shared&gt;</span><span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>.<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"></span><span style="color:#b8860b">&lt;#securityRegistry&gt;</span><span style="color:#00f;font-weight:bold">rdf:</span><span style="color:#008000;font-weight:bold">type</span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">access:</span><span style="color:#008000;font-weight:bold">SecurityRegistry</span><span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>.<span style="color:#bbb"> </span>.<span style="color:#bbb"> </span>.<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"></span><span style="color:#b8860b">&lt;#tdb_dataset_shared&gt;</span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">rdf:</span><span style="color:#008000;font-weight:bold">type</span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">tdb:</span><span style="color:#008000;font-weight:bold">DatasetTDB</span><span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>.<span style="color:#bbb"> </span>.<span style="color:#bbb"> </span>.<span style="color:#bbb">
</span></span></span></code></pre></div><p>All dataset storage types are supported. TDB1 and TDB2 have special implementations for handling graph access control.</p>
<h3 id="graph-security-registry">Graph Security Registry</h3>
<p>The Graph Security Registry is defined as a number of access entries in
either a list format &ldquo;(user graph1 graph2 &hellip;)&rdquo; or as RDF properties
<code>access:user</code> and <code>access:graphs</code>. The property <code>access:graphs</code> has a graph URI or a
list of graph URIs as its object.</p>
<div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-turtle" data-lang="turtle"><span style="display:flex;"><span><span style="color:#b8860b">&lt;#securityRegistry&gt;</span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">rdf:</span><span style="color:#008000;font-weight:bold">type</span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">access:</span><span style="color:#008000;font-weight:bold">SecurityRegistry</span><span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">access:</span><span style="color:#008000;font-weight:bold">entry</span><span style="color:#bbb"> </span>(<span style="color:#bbb"> </span><span style="color:#b44">&#34;user1&#34;</span><span style="color:#bbb"> </span><span style="color:#b8860b">&lt;http://host/graphname1&gt;</span><span style="color:#bbb"> </span><span style="color:#b8860b">&lt;http://host/graphname2&gt;</span><span style="color:#bbb"> </span>)<span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">access:</span><span style="color:#008000;font-weight:bold">entry</span><span style="color:#bbb"> </span>(<span style="color:#bbb"> </span><span style="color:#b44">&#34;user1&#34;</span><span style="color:#bbb"> </span><span style="color:#b8860b">&lt;http://host/graphname3&gt;</span><span style="color:#bbb"> </span>)<span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">access:</span><span style="color:#008000;font-weight:bold">entry</span><span style="color:#bbb"> </span>(<span style="color:#bbb"> </span><span style="color:#b44">&#34;user1&#34;</span><span style="color:#bbb"> </span><span style="color:#b8860b">&lt;urn:x-arq:DefaultGraph&gt;</span><span style="color:#bbb"> </span>)<span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">access:</span><span style="color:#008000;font-weight:bold">entry</span><span style="color:#bbb"> </span>(<span style="color:#bbb"> </span><span style="color:#b44">&#34;user2&#34;</span><span style="color:#bbb"> </span><span style="color:#b8860b">&lt;http://host/graphname9&gt;</span><span style="color:#bbb"> </span>)<span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">access:</span><span style="color:#008000;font-weight:bold">entry</span><span style="color:#bbb"> </span>[<span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">access:</span><span style="color:#008000;font-weight:bold">user</span><span style="color:#bbb"> </span><span style="color:#b44">&#34;user3&#34;</span><span style="color:#bbb"> </span>;<span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">access:</span><span style="color:#008000;font-weight:bold">graphs</span><span style="color:#bbb"> </span>(<span style="color:#bbb"> </span><span style="color:#b8860b">&lt;http://host/graphname3&gt;</span><span style="color:#bbb"> </span><span style="color:#b8860b">&lt;http://host/graphname4&gt;</span><span style="color:#bbb"> </span>)<span style="color:#bbb"> </span>]<span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">access:</span><span style="color:#008000;font-weight:bold">entry</span><span style="color:#bbb"> </span>[<span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">access:</span><span style="color:#008000;font-weight:bold">user</span><span style="color:#bbb"> </span><span style="color:#b44">&#34;user3&#34;</span><span style="color:#bbb"> </span>;<span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">access:</span><span style="color:#008000;font-weight:bold">graphs</span><span style="color:#bbb"> </span><span style="color:#b8860b">&lt;http://host/graphname5&gt;</span><span style="color:#bbb"> </span>]<span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">access:</span><span style="color:#008000;font-weight:bold">entry</span><span style="color:#bbb"> </span>[<span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">access:</span><span style="color:#008000;font-weight:bold">user</span><span style="color:#bbb"> </span><span style="color:#b44">&#34;userZ&#34;</span><span style="color:#bbb"> </span>;<span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">access:</span><span style="color:#008000;font-weight:bold">graphs</span><span style="color:#bbb"> </span><span style="color:#b8860b">&lt;http://host/graphnameZ&gt;</span><span style="color:#bbb"> </span>]<span style="color:#bbb"> </span>;<span style="color:#bbb">
</span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>.<span style="color:#bbb">
</span></span></span></code></pre></div><h2 id="jetty-configuration">Jetty Configuration</h2>
<p>For authentication configuration not covered by Fuseki configuration,
the deployed server can be run using a Jetty configuration.</p>
<p>Server command line: <code>--jetty=jetty.xml</code>.</p>
<p><a href="https://www.eclipse.org/jetty/documentation/current/jetty-xml-config.html">Documentation for <code>jetty.xml</code></a>.</p>
</article>
<aside class="text-muted align-self-start mb-3 mb-xl-5 p-0 d-none d-xl-flex flex-column sticky-top">
<h2 class="h6 sticky-top m-0 p-2 bg-body-tertiary">On this page</h2>
<nav id="TableOfContents">
<ul>
<li><a href="#https">HTTPS</a>
<ul>
<li><a href="#https-details">HTTPS certificate details file</a></li>
<li><a href="#self-signed-certificates">Self-signed certificates</a></li>
</ul>
</li>
<li><a href="#authentication">Authentication</a>
<ul>
<li><a href="#using-curl">Using <code>curl</code></a></li>
<li><a href="#using-wget">Using <code>wget</code></a></li>
</ul>
</li>
<li><a href="#acl">Access Control Lists</a>
<ul>
<li><a href="#alloweduser">Format of <code>fuseki:allowedUsers</code></a></li>
<li><a href="#server-acl">Server Level ACLs</a></li>
<li><a href="#dataset-acl">Dataset Level ACLs</a></li>
<li><a href="#endpoint-acl">Endpoint Level ACLs</a></li>
</ul>
</li>
<li><a href="#graph-acl">Graph Access Control Lists</a>
<ul>
<li><a href="#graph-security-registry">Graph Security Registry</a></li>
</ul>
</li>
<li><a href="#jetty-configuration">Jetty Configuration</a></li>
</ul>
</nav>
</aside>
</main>
</div>
</div>
</div>
<footer class="bd-footer py-4 py-md-5 mt-4 mt-lg-5 bg-body-tertiary">
<div class="container" style="font-size:80%" >
<p>
Copyright &copy; 2011&ndash;2024 The Apache Software Foundation, Licensed under the
<a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.
</p>
<p>
Apache Jena, Jena, the Apache Jena project logo, Apache and the Apache feather logos are trademarks of
The Apache Software Foundation.
<br/>
<a href="https://privacy.apache.org/policies/privacy-policy-public.html"
>Apache Software Foundation Privacy Policy</a>.
</p>
</div>
</footer>
<script src="/js/popper.min.js.js" type="text/javascript"></script>
<script src="/js/bootstrap.min.js" type="text/javascript"></script>
<script src="/js/improve.js" type="text/javascript"></script>
<script type="text/javascript">
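(function() {
  'use strict'
  // Marks the navigation links that point at the current page as active.
  //
  // location.pathname ends up inside a quoted attribute selector, so it is
  // passed through CSS.escape() first: a character that is special inside a
  // CSS string can then neither make the selector invalid (querySelectorAll
  // would throw) nor change which elements it matches.
  const currentPath = CSS.escape(window.location.pathname)
  // querySelectorAll always returns a NodeList (possibly empty), so no
  // undefined/null check is needed before iterating.
  const links = document.querySelectorAll(`a[href="${currentPath}"]`)
  const levelsLimit = 4

  for (const link of links) {
    link.classList.add('active')

    // Walk up through the enclosing <ul>/<li> elements, bounded by
    // levelsLimit, and also mark the first `a:first-child` match found
    // inside each enclosing <li>.
    let ancestor = link.parentElement
    let count = 0
    while (['UL', 'LI'].includes(ancestor.tagName) && count <= levelsLimit) {
      if (ancestor.tagName === 'LI') {
        // querySelector returns null when the <li> holds no matching link;
        // skip it instead of throwing and aborting the remaining links.
        const firstLink = ancestor.querySelector('a:first-child')
        if (firstLink !== null) {
          firstLink.classList.add('active')
        }
      }
      ancestor = ancestor.parentElement
      count++
    }
  }
})()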
</script>
</body>
</html>