Virtuoso user RDF Graph Level access to RDF Quad Store

What

In Virtuoso 08.03.3326 (commercial) and 7.2.8 (open source) and later, a SQL user (existing or newly created) must be given low-level RDF graph security permissions before it can perform SPARQL operations. These permissions determine what access (read, write, sponge) the user has to the RDF Quad Store.

Why

To protect against inadvertent access to the RDF Quad Store, Virtuoso SQL users are not allowed to access it by default. In addition to SQL-level access, a user therefore also needs graph-level access to the Quad Store, which is granted with the DB.DBA.RDF_DEFAULT_USER_PERMS_SET() function.

How

The DB.DBA.RDF_DEFAULT_USER_PERMS_SET() function sets the default permissions a SQL user has on graphs in the RDF Quad Store.

These lower, graph-level permissions are required in addition to the higher-level SQL security roles (SPARQL_SELECT, SPARQL_UPDATE, SPARQL_SPONGE), which must still be granted as before. Neither level alone is sufficient: a user with the SPARQL_UPDATE role but no graph-level write bit is still refused.

Function prototype:

DB.DBA.RDF_DEFAULT_USER_PERMS_SET (in uname varchar,
                                   in perms integer,
                                   in set_private integer (default 0));

Parameters:

uname - User name.

perms - Permission bit-mask (see below). If perms is null, the procedure behaves as DB.DBA.RDF_DEFAULT_USER_PERMS_DEL (uname, set_private) and removes the user's default permission.

If perms is not null (hence an integer), the specified user must be an active SQL user or "nobody" (the fallback entry used for users that have no rule of their own).

Four sorts of access are specified by four bits of an integer “permission bit-mask”, plain old UNIX style:

Bit  Permits                                                  Notes
1    Read access.
2    Update access (write via SPARUL).                        Basically useless without bit 1 set.
4    Sponge access (write via "RDF Network Resource Fetch").  Basically useless without bits 1 and 2 set.
8    Listing the members of a graph group.                    An IRI can be a graph IRI and a graph group IRI at the same time, so bit 8 can be freely combined with any of bits 1, 2 or 4.

set_private - (0|1, default 0). If set_private is 1, the permission is set as the default for "private" graphs (members of the private graph group); otherwise it is set as the default for "world" graphs.

Example:

-- Give the 'demo' user read, update and sponge access to world graphs by default: bit_or (1, 2, 4) = 7
DB.DBA.RDF_DEFAULT_USER_PERMS_SET ('demo', 7, 0);
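The following script is an added example, not part of the original page or of the Virtuoso distribution. It walks the whole procedure end to end for a new account: SQL-level roles, a graph-level default for world graphs, a separate (deny-all) default for private graphs, a per-graph override, and a check of the effective bit-masks. The user name 'analyst', its password and the http://example.com/ graph IRIs are hypothetical; the verification step assumes DB.DBA.RDF_GRAPH_USER_PERMS_GET returns the effective permission bit-mask for a graph and user, as it does in the Virtuoso graph-security API.

```sql
-- Added example (not from the original page): run as dba in isql.
-- Hypothetical values: user 'analyst', password 'ChangeMe!', graphs under http://example.com/.

-- 1. Create the SQL account. On its own it cannot touch the RDF Quad Store.
DB.DBA.USER_CREATE ('analyst', 'ChangeMe!');

-- 2. Higher-level SQL security roles, required as before.
--    SPARQL_SPONGE is deliberately not granted.
GRANT SPARQL_SELECT TO "analyst";
GRANT SPARQL_UPDATE TO "analyst";

-- 3. Lower-level default for "world" graphs (set_private = 0):
--    read (1) + update (2) = bit_or (1, 2) = 3. Bit 4 stays off, so even if the
--    SPARQL_SPONGE role were granted later, remote RDF could not be fetched into the store.
DB.DBA.RDF_DEFAULT_USER_PERMS_SET ('analyst', bit_or (1, 2), 0);

-- 4. Default for "private" graphs (set_private = 1): no access at all.
--    Private graphs are then opted in per graph rather than inherited.
DB.DBA.RDF_DEFAULT_USER_PERMS_SET ('analyst', 0, 1);

-- 5. Make one graph private by adding it to the built-in private graph group,
--    then grant this one account read-only access to that single graph.
DB.DBA.RDF_GRAPH_GROUP_INS ('http://www.openlinksw.com/schemas/virtrdf#PrivateGraphs',
                            'http://example.com/private');
DB.DBA.RDF_GRAPH_USER_PERMS_SET ('http://example.com/private', 'analyst', 1);

-- 6. Make the fallback explicit: users with no rule of their own get nothing,
--    for world graphs and for private graphs alike.
DB.DBA.RDF_DEFAULT_USER_PERMS_SET ('nobody', 0, 0);
DB.DBA.RDF_DEFAULT_USER_PERMS_SET ('nobody', 0, 1);

-- 7. Verify the effective bit-masks before handing out the credentials:
--    world graph for analyst should show read+update, the private graph read only,
--    and 'nobody' should have no access to the private graph.
SELECT DB.DBA.RDF_GRAPH_USER_PERMS_GET ('http://example.com/public',  'analyst');
SELECT DB.DBA.RDF_GRAPH_USER_PERMS_GET ('http://example.com/private', 'analyst');
SELECT DB.DBA.RDF_GRAPH_USER_PERMS_GET ('http://example.com/private', 'nobody');
```

To confirm the result from the user's side, log in with isql as analyst and run a SPARUL INSERT into http://example.com/public (expected to succeed) and into http://example.com/private (expected to fail with an SR619 "no write permission on graph" error, since only bit 1 was granted there). Keeping the private-graph default at 0 means each sensitive graph has to be granted explicitly, which is the least-privilege arrangement to aim for.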

A typical error encountered when the lower, graph-level permissions have not been set is:

Virtuoso RDF02 Error SR619: SPARUL LOAD SERVICE DATA access denied: database user 107 (SPARQL) has no write permission on graph {graph-name}

The message names the SQL account the request ran under. Here it is the SPARQL account, which unauthenticated requests to the /sparql endpoint use; granting that account graph-level write permission would let anonymous clients write to the graph, so the usual fix is to authenticate the request as a user that has been granted the permission rather than to open up the SPARQL account.

Related