| <!DOCTYPE html> |
| <html lang="en"> |
| <head> |
| |
| |
| <title>Apache Jena - Data Access Control for Fuseki</title> |
| <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> |
| <meta name="viewport" content="width=device-width, initial-scale=1.0"> |
| |
| <link href="/css/bootstrap.min.css" rel="stylesheet" media="screen"> |
| <link href="/css/bootstrap-icons.css" rel="stylesheet" media="screen"><link rel="stylesheet" type="text/css" href="https://jena.apache.org/sass/jena.1b17c39a117e22b46db4c66f6395dc27c134a60377d87d2d5745b8600eb69722.css" integrity="sha256-GxfDmhF+IrRttMZvY5XcJ8E0pgN32H0tV0W4YA62lyI="> |
| <link rel="shortcut icon" href="/images/favicon.ico" /> |
| |
| </head> |
| |
| <body> |
| |
| |
| <div class="container"> |
| <div class="row"> |
| <div class="col-md-12"> |
| |
| <h1 class="title">Data Access Control for Fuseki</h1> |
| |
| |
| <main class="d-flex flex-xl-row flex-column"> |
| |
| <aside class="text-muted align-self-start mb-3 p-0 d-xl-none d-block"> |
| <h2 class="h6 sticky-top m-0 p-2 bg-body-tertiary">On this page</h2> |
| <nav id="TableOfContents"> |
| <ul> |
| <li><a href="#https">HTTPS</a> |
| <ul> |
| <li><a href="#https-details">HTTPS certificate details file</a></li> |
| <li><a href="#self-signed-certificates">Self-signed certificates</a></li> |
| </ul> |
| </li> |
| <li><a href="#authentication">Authentication</a> |
| <ul> |
| <li><a href="#using-curl">Using <code>curl</code></a></li> |
| <li><a href="#using-wget">Using <code>wget</code></a></li> |
| </ul> |
| </li> |
| <li><a href="#acl">Access Control Lists</a> |
| <ul> |
| <li><a href="#alloweduser">Format of <code>fuseki:allowedUsers</code></a></li> |
| <li><a href="#server-acl">Server Level ACLs</a></li> |
| <li><a href="#dataset-acl">Dataset Level ACLs</a></li> |
| <li><a href="#endpoint-acl">Endpoint Level ACLs</a></li> |
| </ul> |
| </li> |
| <li><a href="#graph-acl">Graph Access Control Lists</a> |
| <ul> |
| <li><a href="#graph-security-registry">Graph Security Registry</a></li> |
| </ul> |
| </li> |
| <li><a href="#jetty-configuration">Jetty Configuration</a></li> |
| </ul> |
| </nav> |
| </aside> |
| <article class="flex-column me-lg-4"> |
| <p>Fuseki can provide access control at the level of the server, of datasets, |
| of endpoints and also of specific graphs within a dataset. It also |
| provides native HTTPS to protect data in flight.</p> |
| <p><a href="/documentation/fuseki2/fuseki-main.html">Fuseki Main</a> |
| provides some common patterns of authentication and also |
| <a href="#graph-acl">Graph level Data Access Control</a> to provide control over the visibility of |
| graphs within a dataset, including the union graph of a dataset and |
| the default graph. Currently, Graph level access control only applies to |
| read-only datasets.</p> |
| <p>Fuseki Full (Fuseki with the UI) can be used when <a href="/documentation/fuseki2/fuseki-webapp.html#fuseki-web-application">run in a web application |
| server such as |
| Tomcat</a> to |
| provide authentication of the user. See “<a href="fuseki-security">Fuseki Security</a>” |
| for configuring security over the whole of the Fuseki UI.</p> |
| <p>This page applies to Fuseki Main.</p> |
| <h2 id="https">HTTPS</h2> |
| <p>HTTPS support is configured from the Fuseki server command line.</p> |
| <table> |
| <thead> |
| <tr> |
| <th>Server Argument</th> |
| <th>Description</th> |
| <th>Default</th> |
| </tr> |
| </thead> |
| <tbody> |
| <tr> |
| <td><tt>--https=<i>SETUP</i></tt></td> |
| <td>Name of file for certificate details.</td> |
| <td></td> |
| </tr> |
| <tr> |
| <td><tt>--httpsPort=<i>PORT</i></tt></td> |
| <td>The port for HTTPS.</td> |
| <td>Default: 3043</td> |
| </tr> |
| </tbody> |
| </table> |
| <p>The <code>--https</code> argument names a JSON file that gives the name of |
| the certificate file and the password for the certificate.</p> |
| <h3 id="https-details">HTTPS certificate details file</h3> |
| <p>The file is a simple JSON file:</p> |
| <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-json" data-lang="json"><span style="display:flex;"><span>{ <span style="color:#008000;font-weight:bold">"cert"</span>: <span style="">KEYSTORE</span>, <span style="color:#008000;font-weight:bold">"passwd"</span>: <span style="">SECRET</span> } |
| </span></span></code></pre></div><p>This file must be protected by file access settings so that it can only |
| be read by the userid running the server. One way is to put the |
| keystore certificate and the certificate details file in the same |
| directory, then make the directory secure.</p> |
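| <p>One way to apply and then check that protection, as an added example that is not part of the Jena documentation: the script gives the directory mode 700 and its files mode 600, then reports anything that group or other users could still reach. The function names and the directory path are assumptions made for the illustration, and the current user is assumed to be the userid running the server.</p> |

```shell
#!/bin/sh
# Added example (not Jena project code). Locks down the directory holding the
# keystore and the --https details file, then audits the result.
# All function names and the example path are hypothetical.

# mode_string PATH -> type and permission string from ls, e.g. "drwx------"
mode_string() {
    ls -ld -- "$1" | cut -c1-10
}

# owner_uid PATH -> numeric uid of the owner (ls -n avoids name lookups)
owner_uid() {
    ls -ldn -- "$1" | awk '{ print $3 }'
}

# is_private PATH [UID]
# Succeeds only if PATH exists, is owned by UID (default: the current user,
# assumed to be the userid running the server) and grants no group/other access.
is_private() {
    path=$1
    want=${2:-$(id -u)}
    if [ ! -e "$path" ]; then
        echo "MISSING  $path" >&2
        return 2
    fi
    mode=$(mode_string "$path")
    case $mode in
        ????------) ;;    # group and other permission bits are all clear
        *)  echo "EXPOSED  $path ($mode)" >&2
            return 1 ;;
    esac
    if [ "$(owner_uid "$path")" != "$want" ]; then
        echo "OWNER    $path is not owned by uid $want" >&2
        return 1
    fi
    return 0
}

# secure_https_dir DIR
# Directory becomes owner-only (700); every regular file below it becomes 600.
secure_https_dir() {
    chmod 700 "$1" || return 1
    find "$1" -type f -exec chmod 600 {} +
}

# audit_https_dir DIR [UID]
# Checks the directory itself and each non-hidden entry directly inside it.
audit_https_dir() {
    dir=$1
    uid=${2:-$(id -u)}
    problems=0
    for entry in "$dir" "$dir"/*; do
        [ -e "$entry" ] || continue       # unmatched glob in an empty directory
        is_private "$entry" "$uid" || problems=$((problems + 1))
    done
    [ "$problems" -eq 0 ]
}

# Run directly as: sh secure-https.sh /path/to/tls-dir   (hypothetical path)
if [ "$#" -eq 1 ]; then
    secure_https_dir "$1" && audit_https_dir "$1"
fi
```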
| <h3 id="self-signed-certificates">Self-signed certificates</h3> |
| <p>A self-signed certificate provides an encrypted link to the server and |
| stops some attacks. What it does not do is guarantee the identity of the |
| host name of the Fuseki server to the client system. A signed certificate provides that through the chain of trust. A self-signed certificate does protect data in HTTP responses.</p> |
| <p>A self-signed certificate can be generated with:</p> |
| <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ keytool -keystore <span style="color:#b8860b">$keystore</span> -alias jetty -genkey -keyalg RSA |
| </span></span></code></pre></div><p>For information on creating a certificate, see the Jetty documentation |
| for <a href="http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html#generating-key-pairs-and-certificates">generating certificates</a>.</p> |
| <h2 id="authentication">Authentication</h2> |
| <p><a href="https://en.wikipedia.org/wiki/Authentication">Authentication</a> |
| is establishing the identity of the principal (user or program) accessing the |
| system. Fuseki Main provides user/password setup and HTTP authentication |
| (<a href="https://en.wikipedia.org/wiki/Digest_access_authentication">digest</a> or |
| <a href="https://en.wikipedia.org/wiki/Basic_access_authentication">basic</a>).</p> |
| <p>These should be <a href="#https">used with HTTPS</a>.</p> |
| <table> |
| <thead> |
| <tr> |
| <th>Server Argument</th> |
| <th>Description</th> |
| <th>Default</th> |
| </tr> |
| </thead> |
| <tbody> |
| <tr> |
| <td><tt>--passwd=<i>FILE</i></tt></td> |
| <td>Password file</td> |
| <td></td> |
| </tr> |
| <tr> |
| <td><tt>--auth=</tt></td> |
| <td>“basic” or “digest”</td> |
| <td>Default is “digest”</td> |
| </tr> |
| </tbody> |
| </table> |
| <p>These can also be given in the server configuration file:</p> |
| <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-turtle" data-lang="turtle"><span style="display:flex;"><span><span style="color:#b8860b"><#server></span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">rdf:</span><span style="color:#008000;font-weight:bold">type</span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">Server</span><span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">passwd</span><span style="color:#bbb"> </span><span style="color:#b44">"<i>password_file</i>"</span><span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">auth</span><span style="color:#bbb"> </span><span style="color:#b44">"<i>digest</i>"</span><span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>...<span style="color:#bbb"> |
| </span></span></span></code></pre></div><p>The format of the password file is:</p> |
| <pre tabindex="0"><code>username: password |
| </code></pre><p>and passwords can be stored in hash or obfuscated form.</p> |
| <p>See the documentation of the <a href="http://www.eclipse.org/jetty/documentation/current/configuring-security.html#hash-login-service">Eclipse Jetty password file format</a>.</p> |
| <p>If different authentication is required, the full facilities of |
| <a href="http://www.eclipse.org/jetty/documentation/current/configuring-security.html">Eclipse Jetty configuration</a> |
| are available - see <a href="#jetty-configuration">the section below</a>.</p> |
| <h3 id="using-curl">Using <code>curl</code></h3> |
| <p>See the <a href="https://curl.haxx.se/docs/manpage.html">curl documentation</a> for full |
| details. This section is a brief summary of some relevant options:</p> |
| <table> |
| <thead> |
| <tr> |
| <th>curl argument</th> |
| <th>Value</th> |
| <th>Description</th> |
| </tr> |
| </thead> |
| <tbody> |
| <tr> |
| <td><code>-n</code>, <code>--netrc</code></td> |
| <td></td> |
| <td>Take passwords from <code>.netrc</code> (<code>_netrc</code> on Windows)</td> |
| </tr> |
| <tr> |
| <td><code>--user=</code></td> |
| <td><code>user:password</code></td> |
| <td>Set the user and password (visible to all on the local machine)</td> |
| </tr> |
| <tr> |
| <td><code>--anyauth</code></td> |
| <td></td> |
| <td>Use server nominated authentication scheme</td> |
| </tr> |
| <tr> |
| <td><code>--basic</code></td> |
| <td></td> |
| <td>Use HTTP basic auth</td> |
| </tr> |
| <tr> |
| <td><code>--digest</code></td> |
| <td></td> |
| <td>Use HTTP digest auth</td> |
| </tr> |
| <tr> |
| <td><code>-k</code>, <code>--insecure</code></td> |
| <td></td> |
| <td>Don’t check HTTPS certificate.<br/> This allows for self-signed or expired certificates, or ones with the wrong host name.</td> |
| </tr> |
| </tbody> |
| </table> |
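| <p>The options above combined into a client setup that keeps the password off the command line and checks the server certificate instead of using <code>-k</code> (an added example, not part of the Jena documentation). It also uses curl's <code>--netrc-file</code> and <code>--cacert</code> options, which are not in the table. The host, user name, file names and function names are assumptions; the port, keystore alias and <code>db-acl/sparql</code> endpoint reuse values shown elsewhere on this page.</p> |

```shell
#!/bin/sh
# Added example (not Jena project code). Host, user, file and function names
# are constructed for illustration.

# write_netrc FILE HOST USER   (password is read from standard input)
# Stores the credentials in a netrc file that only its owner can read, so the
# password is never passed as a command-line argument.
write_netrc() {
    netrc=$1 host=$2 user=$3
    pass=
    IFS= read -r pass || :
    if [ -z "$pass" ]; then
        echo "no password on standard input" >&2
        return 1
    fi
    # netrc tokens are separated by whitespace, so none may contain any.
    case "$host$user$pass" in
        *[[:space:]]*)
            echo "netrc values must not contain whitespace" >&2
            return 1 ;;
    esac
    rm -f -- "$netrc"
    ( umask 077 && printf 'machine %s login %s password %s\n' \
          "$host" "$user" "$pass" > "$netrc" )
}

# export_server_cert KEYSTORE PEMFILE
# Exports the self-signed certificate (alias "jetty", as in the keytool command
# on this page) in PEM form so clients can trust exactly this certificate.
# keytool prompts for the keystore password.
export_server_cert() {
    keytool -exportcert -rfc -alias jetty -keystore "$1" -file "$2"
}

# fuseki_query NETRC CACERT ENDPOINT_URL SPARQL
# --anyauth lets the server nominate digest or basic; --cacert verifies the
# server against the exported certificate instead of skipping the check.
fuseki_query() {
    curl --silent --show-error --fail \
         --anyauth --netrc-file "$1" --cacert "$2" \
         --data-urlencode "query=$4" "$3"
}

# Example session (constructed values; the certificate must name the host
# that appears in the URL):
#   stty -echo; write_netrc "$HOME/.fuseki-netrc" localhost user1; stty echo
#   export_server_cert keystore.jks fuseki-cert.pem
#   fuseki_query "$HOME/.fuseki-netrc" fuseki-cert.pem \
#       https://localhost:3043/db-acl/sparql 'ASK {}'
```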
| <h3 id="using-wget">Using <code>wget</code></h3> |
| <p>See the <a href="https://www.gnu.org/software/wget/manual/wget.html">wget documentation</a> for full |
| details. This section is a brief summary of some relevant options:</p> |
| <table> |
| <thead> |
| <tr> |
| <th>wget argument</th> |
| <th>Value</th> |
| <th>Description</th> |
| </tr> |
| </thead> |
| <tbody> |
| <tr> |
| <td><code>--http-user</code></td> |
| <td>user name</td> |
| <td>Set the user.</td> |
| </tr> |
| <tr> |
| <td><code>--http-password</code></td> |
| <td>password</td> |
| <td>Set the password (visible to all on the local machine)</td> |
| </tr> |
| <tr> |
| <td></td> |
| <td></td> |
| <td><code>wget</code> uses the user/password from <code>.wgetrc</code> or <code>.netrc</code> by default.</td> |
| </tr> |
| <tr> |
| <td><code>--no-check-certificate</code></td> |
| <td></td> |
| <td>Don’t check HTTPS certificate.<br/> This allows for self-signed or expired certificates, or ones with the wrong host name.</td> |
| </tr> |
| </tbody> |
| </table> |
| <h2 id="acl">Access Control Lists</h2> |
| <p>ACLs can be applied to the server as a whole, to a dataset, to endpoints, and to |
| graphs within a dataset. This section covers server, dataset and endpoint access control |
| lists. Graph-level access control is <a href="#graph-acl">covered below</a>.</p> |
| <p>Access control lists (ACLs) are given as part of the server configuration file.</p> |
| <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>$ fuseki --conf configFile.ttl |
| </span></span></code></pre></div><p>ACLs are provided by the <code>fuseki:allowedUsers</code> property.</p> |
| <h3 id="alloweduser">Format of <code>fuseki:allowedUsers</code></h3> |
| <p>The list of users allowed access can be an RDF list or repeated use of |
| the property or a mixture. The different settings are combined into one ACL.</p> |
| <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-turtle" data-lang="turtle"><span style="display:flex;"><span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">allowedUsers</span><span style="color:#bbb"> </span><span style="color:#b44">"user1"</span>,<span style="color:#bbb"> </span><span style="color:#b44">"user2"</span>,<span style="color:#bbb"> </span><span style="color:#b44">"user3"</span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"></span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">allowedUsers</span><span style="color:#bbb"> </span><span style="color:#b44">"user3"</span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"></span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">allowedUsers</span><span style="color:#bbb"> </span>(<span style="color:#bbb"> </span><span style="color:#b44">"user1"</span><span style="color:#bbb"> </span><span style="color:#b44">"user2"</span><span style="color:#bbb"> </span><span style="color:#b44">"user3"</span>)<span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span></code></pre></div><p>There is a special user name “*” which means “any authenticated user”.</p> |
| <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-turtle" data-lang="turtle"><span style="display:flex;"><span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">allowedUsers</span><span style="color:#bbb"> </span><span style="color:#b44">"*"</span><span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span></code></pre></div><h3 id="server-acl">Server Level ACLs</h3> |
| <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-turtle" data-lang="turtle"><span style="display:flex;"><span><span style="color:#b8860b"><#server></span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">rdf:</span><span style="color:#008000;font-weight:bold">type</span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">Server</span><span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">allowedUsers</span><span style="color:#bbb"> </span><span style="color:#b44">"user1"</span>,<span style="color:#bbb"> </span><span style="color:#b44">"user2"</span>,<span style="color:#bbb"> </span><span style="color:#b44">"user3"</span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>...<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">services</span><span style="color:#bbb"> </span>(<span style="color:#bbb"> </span>...<span style="color:#bbb"> </span>)<span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>...<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>.<span style="color:#bbb"> |
| </span></span></span></code></pre></div><p>A useful pattern is:</p> |
| <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-turtle" data-lang="turtle"><span style="display:flex;"><span><span style="color:#b8860b"><#server></span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">rdf:</span><span style="color:#008000;font-weight:bold">type</span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">Server</span><span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">allowedUsers</span><span style="color:#bbb"> </span><span style="color:#b44">"*"</span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>...<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">services</span><span style="color:#bbb"> </span>(<span style="color:#bbb"> </span>...<span style="color:#bbb"> </span>)<span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>...<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>.<span style="color:#bbb"> |
| </span></span></span></code></pre></div><p>which requires all access to be authenticated and the allowed users are |
| those in the password file.</p> |
| <h3 id="dataset-acl">Dataset Level ACLs</h3> |
| <p>When there is an access control list on the <code>fuseki:Service</code>, it applies |
| to all requests to the endpoints of the dataset.</p> |
| <p>Any server-wide “allowedUsers” configuration also applies and both |
| levels must allow the user access.</p> |
| <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-turtle" data-lang="turtle"><span style="display:flex;"><span><span style="color:#b8860b"><#service_auth></span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">rdf:</span><span style="color:#008000;font-weight:bold">type</span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">Service</span><span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">rdfs:</span><span style="color:#008000;font-weight:bold">label</span><span style="color:#bbb"> </span><span style="color:#b44">"ACL controlled dataset"</span><span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">name</span><span style="color:#bbb"> </span><span style="color:#b44">"db-acl"</span><span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic"># ACL here.</span><span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">allowedUsers</span><span style="color:#bbb"> </span><span style="color:#b44">"user1"</span>,<span style="color:#bbb"> </span><span style="color:#b44">"user3"</span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic">## Choice of operations.</span><span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">endpoint</span><span style="color:#bbb"> </span>[<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">operation</span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">query</span><span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">name</span><span style="color:#bbb"> </span><span style="color:#b44">"sparql"</span><span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>];<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">endpoint</span><span style="color:#bbb"> </span>[<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">operation</span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">update</span><span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">name</span><span style="color:#bbb"> </span><span style="color:#b44">"sparql"</span><span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>]<span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">endpoint</span><span style="color:#bbb"> </span>[<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">operation</span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">gsp-r</span><span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">name</span><span style="color:#bbb"> </span><span style="color:#b44">"get"</span><span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>]<span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">dataset</span><span style="color:#bbb"> </span><span style="color:#b8860b"><#base_dataset></span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>.<span style="color:#bbb"> |
| </span></span></span></code></pre></div><h3 id="endpoint-acl">Endpoint Level ACLs</h3> |
| <p>An access control list can be applied to an individual endpoint. |
| Again, any other “allowedUsers” configuration (service-wide or |
| server-wide) also applies.</p> |
| <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-turtle" data-lang="turtle"><span style="display:flex;"><span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">endpoint</span><span style="color:#bbb"> </span>[<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">operation</span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">query</span><span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">name</span><span style="color:#bbb"> </span><span style="color:#b44">"query"</span><span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">allowedUsers</span><span style="color:#bbb"> </span><span style="color:#b44">"user1"</span>,<span style="color:#bbb"> </span><span style="color:#b44">"user2"</span><span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"></span>];<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"></span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">endpoint</span><span style="color:#bbb"> </span>[<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">operation</span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">update</span><span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">name</span><span style="color:#bbb"> </span><span style="color:#b44">"update"</span><span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">allowedUsers</span><span style="color:#bbb"> </span><span style="color:#b44">"user1"</span><span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"></span>]<span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span></code></pre></div><p>Only <em>user1</em> can use SPARQL update; both <em>user1</em> and |
| <em>user2</em> can use SPARQL query.</p> |
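| <p>Added example (not part of the Jena documentation or code base): a small Python model of how the server, service and endpoint <code>fuseki:allowedUsers</code> lists combine, plus an audit for write endpoints that anonymous clients can reach. The service-level list, the <code>scratch</code> service and the dictionary layout are constructed for illustration; the model assumes every level that declares a list must admit the user.</p> |

```python
"""Model of how layered fuseki:allowedUsers checks combine (added example)."""

ANY_AUTHENTICATED = "*"                  # "*" in fuseki:allowedUsers: any logged-in user
WRITE_OPERATIONS = {"update", "gsp-rw"}  # Fuseki operations that modify data

# Constructed configuration mirroring the endpoint listing above.
# None means "no fuseki:allowedUsers declared at this level".
CONFIG = {
    "server_acl": None,
    "services": {
        "db": {
            "acl": ["user1", "user2", "user3"],   # hypothetical service-level ACL
            "endpoints": {
                "query":  {"operation": "query",  "acl": ["user1", "user2"]},
                "update": {"operation": "update", "acl": ["user1"]},
                "get":    {"operation": "gsp-r",  "acl": None},
            },
        },
        "scratch": {                              # hypothetical, deliberately unprotected
            "acl": None,
            "endpoints": {"update": {"operation": "update", "acl": None}},
        },
    },
}


def level_admits(acl, user):
    """One level: no ACL means no restriction; otherwise an authenticated match is needed."""
    if acl is None:
        return True
    if user is None:                      # anonymous request
        return False
    return ANY_AUTHENTICATED in acl or user in acl


def is_allowed(config, service, endpoint, user):
    """A request passes only if the server, service and endpoint levels all admit the user."""
    svc = config["services"][service]
    levels = (config["server_acl"], svc["acl"], svc["endpoints"][endpoint]["acl"])
    return all(level_admits(acl, user) for acl in levels)


def unprotected_writes(config):
    """Audit: write endpoints that an anonymous client can reach."""
    findings = []
    for sname, svc in sorted(config["services"].items()):
        for ename, ep in sorted(svc["endpoints"].items()):
            if ep["operation"] in WRITE_OPERATIONS and is_allowed(config, sname, ename, None):
                findings.append(f"{sname}/{ename}")
    return findings


if __name__ == "__main__":
    for user in ("user1", "user2", "user3", None):
        row = {ep: is_allowed(CONFIG, "db", ep, user) for ep in ("query", "update", "get")}
        print(user, row)
    print("anonymous-writable:", unprotected_writes(CONFIG))
```

| <p>In this model an endpoint list can only narrow what the service list already permits: <em>user3</em> passes the service level but is still refused on the <code>query</code> endpoint.</p> |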
| <h2 id="graph-acl">Graph Access Control Lists</h2> |
| <p>Graph level access control is defined using a specific dataset |
| implementation for the service.</p> |
| <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-turtle" data-lang="turtle"><span style="display:flex;"><span><span style="color:#b8860b"><#access_dataset></span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">rdf:</span><span style="color:#008000;font-weight:bold">type</span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">access:</span><span style="color:#008000;font-weight:bold">AccessControlledDataset</span><span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">access:</span><span style="color:#008000;font-weight:bold">registry</span><span style="color:#bbb"> </span>...<span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">access:</span><span style="color:#008000;font-weight:bold">dataset</span><span style="color:#bbb"> </span>...<span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>.<span style="color:#bbb"> |
| </span></span></span></code></pre></div><p>Graph ACLs are defined in a <a href="#graph-security-registry">Graph Security Registry</a> which lists the users and graph URIs.</p> |
| <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-turtle" data-lang="turtle"><span style="display:flex;"><span><span style="color:#b8860b"><#service_tdb2></span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">rdf:</span><span style="color:#008000;font-weight:bold">type</span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">Service</span><span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">rdfs:</span><span style="color:#008000;font-weight:bold">label</span><span style="color:#bbb"> </span><span style="color:#b44">"Graph-level access controlled dataset"</span><span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">name</span><span style="color:#bbb"> </span><span style="color:#b44">"db-graph-acl"</span><span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#080;font-style:italic">## Read-only operations on the dataset URL.</span><span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">endpoint</span><span style="color:#bbb"> </span>[<span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">operation</span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">query</span><span style="color:#bbb"> </span>]<span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">endpoint</span><span style="color:#bbb"> </span>[<span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">operation</span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">gsp_r</span><span style="color:#bbb"> </span>]<span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">fuseki:</span><span style="color:#008000;font-weight:bold">dataset</span><span style="color:#bbb"> </span><span style="color:#b8860b"><#access_dataset></span><span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>.<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"></span><span style="color:#080;font-style:italic"># Define access on the dataset.</span><span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"></span><span style="color:#b8860b"><#access_dataset></span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">rdf:</span><span style="color:#008000;font-weight:bold">type</span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">access:</span><span style="color:#008000;font-weight:bold">AccessControlledDataset</span><span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">access:</span><span style="color:#008000;font-weight:bold">registry</span><span style="color:#bbb"> </span><span style="color:#b8860b"><#securityRegistry></span><span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">access:</span><span style="color:#008000;font-weight:bold">dataset</span><span style="color:#bbb"> </span><span style="color:#b8860b"><#tdb_dataset_shared></span><span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>.<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"></span><span style="color:#b8860b"><#securityRegistry></span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">rdf:</span><span style="color:#008000;font-weight:bold">type</span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">access:</span><span style="color:#008000;font-weight:bold">SecurityRegistry</span><span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>.<span style="color:#bbb"> </span>.<span style="color:#bbb"> </span>.<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"></span><span style="color:#b8860b"><#tdb_dataset_shared></span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">rdf:</span><span style="color:#008000;font-weight:bold">type</span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">tdb:</span><span style="color:#008000;font-weight:bold">DatasetTDB</span><span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>.<span style="color:#bbb"> </span>.<span style="color:#bbb"> </span>.<span style="color:#bbb"> |
| </span></span></span></code></pre></div><p>All dataset storage types are supported. TDB1 and TDB2 have special implementations for handling graph access control.</p> |
| <h3 id="graph-security-registry">Graph Security Registry</h3> |
| <p>The Graph Security Registry is defined as a number of access entries, written |
| either in a list format “(user graph1 graph2 …)” or as RDF properties |
| <code>access:user</code> and <code>access:graphs</code>. The property <code>access:graphs</code> has a graph URI or a |
| list of URIs as its object.</p> |
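| <p>Added example (not Jena's own code): a Python reader for the two <code>access:entry</code> layouts that merges entries per user and inverts the result to show who is listed for each graph. The sample text is constructed to mirror this section's registry listing; the regular expressions handle only this layout and are not a Turtle parser, and merging repeated entries for one user is an assumption drawn from that listing.</p> |

```python
"""Reader for the access:entry layouts of a Graph Security Registry (added example)."""
import re
from collections import defaultdict

DEFAULT_GRAPH = "urn:x-arq:DefaultGraph"   # Jena's name for the dataset's default graph

# Constructed sample mirroring the registry listing in this section.
REGISTRY_TTL = '''
<#securityRegistry> rdf:type access:SecurityRegistry ;
    access:entry ( "user1" <http://host/graphname1> <http://host/graphname2> ) ;
    access:entry ( "user1" <http://host/graphname3> ) ;
    access:entry ( "user1" <urn:x-arq:DefaultGraph> ) ;
    access:entry ( "user2" <http://host/graphname9> ) ;
    access:entry [ access:user "user3" ; access:graphs ( <http://host/graphname3> <http://host/graphname4> ) ] ;
    access:entry [ access:user "user3" ; access:graphs <http://host/graphname5> ] ;
    access:entry [ access:user "userZ" ; access:graphs <http://host/graphnameZ> ] ;
    .
'''

# Matches either layout: "( user graph ... )" or "[ access:user ... ; access:graphs ... ]".
ENTRY = re.compile(r'access:entry\s*(?:\(([^)]*)\)|\[([^\]]*)\])')
USER = re.compile(r'"([^"]+)"')
IRI = re.compile(r'<([^<>\s]+)>')


def parse_registry(ttl):
    """Return {user: [graph IRIs]}; entries for the same user are merged (assumption)."""
    acl = defaultdict(list)
    for list_body, props_body in ENTRY.findall(ttl):
        body = list_body or props_body
        user = USER.search(body)
        if user is None:
            raise ValueError(f"access:entry without a user name: {body!r}")
        for graph in IRI.findall(body):
            if graph not in acl[user.group(1)]:
                acl[user.group(1)].append(graph)
    return dict(acl)


def readers_by_graph(acl):
    """Invert the registry: which users are listed for each graph."""
    readers = defaultdict(set)
    for user, graphs in acl.items():
        for graph in graphs:
            readers[graph].add(user)
    return {graph: sorted(users) for graph, users in readers.items()}


def default_graph_readers(acl):
    """Users whose entries name the default graph explicitly."""
    return sorted(u for u, graphs in acl.items() if DEFAULT_GRAPH in graphs)


if __name__ == "__main__":
    acl = parse_registry(REGISTRY_TTL)
    for graph, users in sorted(readers_by_graph(acl).items()):
        print(f"{graph}: {', '.join(users)}")
    print("default graph:", default_graph_readers(acl))
```

| <p>The inverted view makes shared graphs visible at a glance: <code>http://host/graphname3</code> is listed for both <em>user1</em> and <em>user3</em>, which is easy to miss when entries are spread across the registry.</p> |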
| <div class="highlight"><pre tabindex="0" style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-turtle" data-lang="turtle"><span style="display:flex;"><span><span style="color:#b8860b"><#securityRegistry></span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">rdf:</span><span style="color:#008000;font-weight:bold">type</span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">access:</span><span style="color:#008000;font-weight:bold">SecurityRegistry</span><span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">access:</span><span style="color:#008000;font-weight:bold">entry</span><span style="color:#bbb"> </span>(<span style="color:#bbb"> </span><span style="color:#b44">"user1"</span><span style="color:#bbb"> </span><span style="color:#b8860b"><http://host/graphname1></span><span style="color:#bbb"> </span><span style="color:#b8860b"><http://host/graphname2></span><span style="color:#bbb"> </span>)<span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">access:</span><span style="color:#008000;font-weight:bold">entry</span><span style="color:#bbb"> </span>(<span style="color:#bbb"> </span><span style="color:#b44">"user1"</span><span style="color:#bbb"> </span><span style="color:#b8860b"><http://host/graphname3></span><span style="color:#bbb"> </span>)<span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">access:</span><span style="color:#008000;font-weight:bold">entry</span><span style="color:#bbb"> </span>(<span style="color:#bbb"> </span><span style="color:#b44">"user1"</span><span style="color:#bbb"> </span><span style="color:#b8860b"><urn:x-arq:DefaultGraph></span><span style="color:#bbb"> </span>)<span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">access:</span><span style="color:#008000;font-weight:bold">entry</span><span style="color:#bbb"> </span>(<span style="color:#bbb"> </span><span style="color:#b44">"user2"</span><span style="color:#bbb"> </span><span style="color:#b8860b"><http://host/graphname9></span><span style="color:#bbb"> </span>)<span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">access:</span><span style="color:#008000;font-weight:bold">entry</span><span style="color:#bbb"> </span>[<span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">access:</span><span style="color:#008000;font-weight:bold">user</span><span style="color:#bbb"> </span><span style="color:#b44">"user3"</span><span style="color:#bbb"> </span>;<span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">access:</span><span style="color:#008000;font-weight:bold">graphs</span><span style="color:#bbb"> </span>(<span style="color:#bbb"> </span><span style="color:#b8860b"><http://host/graphname3></span><span style="color:#bbb"> </span><span style="color:#b8860b"><http://host/graphname4></span><span style="color:#bbb"> </span>)<span style="color:#bbb"> </span>]<span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">access:</span><span style="color:#008000;font-weight:bold">entry</span><span style="color:#bbb"> </span>[<span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">access:</span><span style="color:#008000;font-weight:bold">user</span><span style="color:#bbb"> </span><span style="color:#b44">"user3"</span><span style="color:#bbb"> </span>;<span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">access:</span><span style="color:#008000;font-weight:bold">graphs</span><span style="color:#bbb"> </span><span style="color:#b8860b"><http://host/graphname5></span><span style="color:#bbb"> </span>]<span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">access:</span><span style="color:#008000;font-weight:bold">entry</span><span style="color:#bbb"> </span>[<span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">access:</span><span style="color:#008000;font-weight:bold">user</span><span style="color:#bbb"> </span><span style="color:#b44">"userZ"</span><span style="color:#bbb"> </span>;<span style="color:#bbb"> </span><span style="color:#00f;font-weight:bold">access:</span><span style="color:#008000;font-weight:bold">graphs</span><span style="color:#bbb"> </span><span style="color:#b8860b"><http://host/graphnameZ></span><span style="color:#bbb"> </span>]<span style="color:#bbb"> </span>;<span style="color:#bbb"> |
| </span></span></span><span style="display:flex;"><span><span style="color:#bbb"> </span>.<span style="color:#bbb"> |
| </span></span></span></code></pre></div><h2 id="jetty-configuration">Jetty Configuration</h2> |
| <p>For authentication configuration not covered by Fuseki configuration, |
| the deployed server can be run using a Jetty configuration.</p> |
| <p>Server command line: <code>--jetty=jetty.xml</code>.</p> |
| <p><a href="https://www.eclipse.org/jetty/documentation/current/jetty-xml-config.html">Documentation for <code>jetty.xml</code></a>.</p> |
| |
| </article> |
| |
| </main> |
| |
| </div> |
| </div> |
| </div> |
| |
| <footer class="bd-footer py-4 py-md-5 mt-4 mt-lg-5 bg-body-tertiary"> |
| <div class="container" style="font-size:80%" > |
| <p> |
| Copyright © 2011–2024 The Apache Software Foundation, Licensed under the |
| <a href="https://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>. |
| </p> |
| <p> |
| Apache Jena, Jena, the Apache Jena project logo, Apache and the Apache feather logos are trademarks of |
| The Apache Software Foundation. |
| <br/> |
| <a href="https://privacy.apache.org/policies/privacy-policy-public.html" |
| >Apache Software Foundation Privacy Policy</a>. |
| </p> |
| </div> |
| </footer> |
| |
| <script src="/js/popper.min.js.js" type="text/javascript"></script> |
| <script src="/js/bootstrap.min.js" type="text/javascript"></script> |
| <script src="/js/improve.js" type="text/javascript"></script> |
| |
| |
| </body> |
| </html> |