Permissions on LDP Containers and Resources

markwilkinson · November 7, 2018, 12:13pm

Hi all,

I notice that the permissions on LDP resources and containers that I create using PUT are not the same as their parent “folder”. I would prefer everything to be publicly readable, and i can set that on the top-level folder, but Containers that I create inside of that (and inside of those) not not inherit the ‘r’ permission for all.

Is there a way to force the new containers/resources to carry their parent permissions?

Mark

TallTed · November 7, 2018, 11:21pm

Fastest and easiest way to resolve this, given that your intended parent directory exists now, is to visit the Conductor → Web Application Server → Content Management, and locate your intended top-level container.

Click the properties icon, and locate the menu for Permissions Inheritance (new label) or Default Permissions (old label).

This menu defaults to Off. Select Recursively for your desired effect.

(Direct members would apply this container’s permissions only to resources created directly within this container – not to resources created within sub-containers of this container.)

Please let me know if this is satisfactory.

markwilkinson · November 8, 2018, 8:43am

Yes, that’s what I thought too… but ‘recursively’ isn’t recursive. It only works for the first level of “children”. Not beyond that.

TallTed · November 9, 2018, 4:04pm

When you changed the Permissions Inheritance setting, did you also tick the box for Apply changes to all subfolders and resources to apply it recursively to all existing containers in the container you edited?

What is the full version of the Virtuoso binary you’re running? Please provide the full first stanza (above “Usage”) of output from virtuoso-t -? for VOS, or virtuoso-iodbc-t -? for Enterprise Edition.

Please also provide full output of this SQL query –

vad_list_packages ();

markwilkinson · November 28, 2018, 9:12am

I’m running Virtuoso 7.2.5 Tenforce Docker image (https://hub.docker.com/r/tenforce/virtuoso/).

Just to clarify: When I say “it isn’t recursive”, I don’t mean that it isn’t recursive when I apply it to all existing containers - that does work! What I mean is that it doesn’t “stick”, and when I add new containers or resources those new entities do not have the permissions of the parent container, which is the behaviour I expect/want/need. Should I not be expecting that?

TallTed · November 30, 2018, 10:07pm

Trying to be explicitly clear – Changing the Permissions Inheritance setting on the parent folder to Recursively, and ticking Apply changes to all subfolders and resources before clicking Update should result in all new subfolders (and sub-subfolders, etc.) inheriting their parent’s permissions. It’s not 100% clear to me that these are the steps you’ve taken.

Please ensure that all VADs are up to date. This is why I asked for the vad_list_packages(); output. You can pull the latest VADs for your VOS 7.2 from our distribution site.

You might also try running with our own Docker Image, which brings you Virtuoso 7.2.6-rc1 (most recently built from develop/7), instead of that third-party Image (which gets auto-built from stable/7).

markwilkinson · December 4, 2018, 12:24pm

I have switched to your docker image (tag “latest”). It starts perfectly. I have installed VAL, ODS Framework and ODS Briefcase (Kingsley said these are required for the LDP functionality).

When I browse to the Web Application Server tab, i get the following error:

An error has occurred when processing “/conductor/cont_page.vspx” page.

SQL State	07S01
SQL Message	SR180: Extra arguments to WEBDAV.DBA.ui_size, takes only 2

So I am unable to continue setting-up my LDP server.

Advice?

TallTed · December 4, 2018, 2:27pm

Please provide full output of this SQL query (best run through iSQL or any SQL data connection [ODBC, JDBC, etc.]) –

vad_list_packages ();

markwilkinson · December 4, 2018, 2:29pm

Connected to OpenLink Virtuoso
Driver: 07.20.3230 OpenLink Virtuoso ODBC Driver
name     title    version  build_date  install_date
VARCHAR  VARCHAR  VARCHAR  VARCHAR  VARCHAR
_______________________________________________________________________________

Briefcase  ODS Briefcase  2.2.1_git263  2017-04-28 00:15  2018-12-04 12:16
Framework  ODS Framework  2.2.1_git263  2017-04-28 00:15  2018-12-04 12:16
VAL      Virtuoso Authentication Layer  2.2.2_git127  2018-04-23 14:02  2018-12-04 12:15
conductor  Virtuoso Conductor  1.00.8785  2018-11-02 11:55  2018-12-04 12:03

TallTed · December 4, 2018, 6:00pm

OK, it looks like there have been some misunderstandings, and you’ve somehow managed to install VADs built for Enterprise Edition v8.2 on Open Source Edition v7.2… I’ve raised an issue about that, as these should have simply refused to install.

For best results, please discard this Docker Instance.

Start afresh with the openlink/virtuoso-opensource-7 Image (tag latest). Download the latest VOS 7.2 VAD builds, and install at least ODS-Framework and ODS-Briefcase which are needed for LDP. (VAL is Enterprise only, so is not found in this download repo, and is not needed for LDP.)

Please let me know if this resolves the issue with permission inheritance.

markwilkinson · December 5, 2018, 5:07pm

Significant progress! Thank you!

I can create new folders, and (at least for the first level of depth) they do inherit the parent container permissions.

New problem: When I attempt to HTTP GET those new entities, I get the following error:

$ curl -u dav:XXXXXXXXX -H "Accept: text/turtle" http://evaluations.fairdata.solutions/DAV/home/LDP/evals/ThisIsANewContainer/
Virtuoso 22023 Error HT042: Not valid user id "SPARQL_ADMIN"

SPARQL query:
define sql:select-option "order" define input:storage "" construct { `sql:dynamic_host_name(?s)` ?p `sql:dynamic_host_name(?o)` . `sql:dynamic_host_name(?o)` a ?t } where { ?s ?p ?o option (table_option "index G") . optional { graph ?g { ?o a ?t option (table_option "index primary key") } } } order by ?s ?p ?o limit 10000 offset 0

There is certainly no user called SPARQL_ADMIN, but there is a role SPARQL_ADMIN, that I have added explicitly to both dba and dav users just to check if that would solve the problem (it didn’t).

Suggestions? (This error didn’t appear on the previous docker Virtuoso I was using, if that helps troubleshoot at all…)

Thanks!

markwilkinson · December 9, 2018, 5:06am

(it would be great to have a solution or work-around for this quickly. I am at the Japan BioHackathon this week… 6 clear days of hacking! I’d love to work on the code that requires the Virtuoso LDP functionality while I am here… if possible.)

hwilliams · December 9, 2018, 9:40pm

@markwilkinson: HT042: Not valid user id "SPARQL_ADMIN" is a known error with Virtuoso Open Source builds which are missing the creation of the special SPARQL_ADMIN user, and can be created manually with the commands:

DB.DBA.USER_CREATE ('SPARQL_ADMIN', uuid());
DB.DBA.EXEC_STMT ('grant SPARQL_UPDATE to SPARQL_ADMIN', 0);

Thus for now the above should be executed on Virtuoso Open Source builds seeking to use LDP.

Please let us know if this resolves the problem for you …

markwilkinson · December 10, 2018, 12:41am

Unfortunately not. The first command fails:

DB.DBA.USER_CREATE ('SPARQL_ADMIN', uuid())
Enter password for dba :
Connected to OpenLink Virtuoso
Driver: 07.20.3230 OpenLink Virtuoso ODBC Driver
*** Error 22023: [Virtuoso Driver][Virtuoso Server]U0001: Conflicting type of existing security object.
at line 1 of Top-Level:
DB.DBA.USER_CREATE ('SPARQL_ADMIN', uuid())

The second command executes happily, but I still get the same error when I try to GET my Container.

hwilliams · December 10, 2018, 3:12pm

@markwilkinson: I am not able to recreate the original HT042: Not valid user id "SPARQL_ADMIN" when I setup an LDP folder with the latest Virtuoso docker open source container and install the ODS Framework and Briefacse VADs from the latest VOS 7.2 VAD builds:

De-iMac-1460:~ hwilliams$ curl -u dav:mysecret -H "Accept: text/turtle" http://localhost:8890/DAV/home/dav/Public
De-iMac-1460:~ hwilliams$

I also do not get the U0001: Conflicting type of existing security object. error running the DB.DBA.USER_CREATE ('SPARQL_ADMIN', uuid()) command, which runs successfully for me:

SQL> vad_list_packages ();
name     title    version  build_date  install_date
VARCHAR  VARCHAR  VARCHAR  VARCHAR  VARCHAR
_______________________________________________________________________________

Briefcase  ODS Briefcase  1.21.68  2018-08-16 12:08  2018-12-10 14:54
Framework  ODS Framework  1.89.47  2018-08-16 12:06  2018-12-10 14:53
conductor  Virtuoso Conductor  1.00.8785  2018-11-02 11:55  2018-12-10 14:02

3 Rows. -- 2 msec.
SQL> DB.DBA.USER_CREATE ('SPARQL_ADMIN', uuid());

Done. -- 8 msec.
SQL> DB.DBA.EXEC_STMT ('grant SPARQL_UPDATE to SPARQL_ADMIN', 0);

Done. -- 2 msec.
SQL>

Thus can you confirm the version of Virtuoso being used with the commands below and also if you started with an empty database with just the ODS Framework and Briefcase VADs installed as I did:

SQL> select sys_stat ('git_head');
sys_stat
LONG VARCHAR
_______________________________________________________________________________

4d226f4

1 Rows. -- 1 msec.
SQL> status('');
REPORT
VARCHAR
_______________________________________________________________________________

OpenLink Virtuoso  Server
Version 07.20.3230-pthreads for Linux as of Nov  2 2018 
Started on: 2018-12-10 14:45 GMT+0

as there must be something different in our test cases …

markwilkinson · December 11, 2018, 2:26am

I wiped all of my images/containers and started from scratch. Everything works using the :latest docker image.

Thanks!!

hwilliams · December 11, 2018, 12:05pm

@markwilkinson: Great, glad to hear LDP is now working for you …