Virtuoso Authentication Layer
Package VAL

SPARQL query callback which enforces VAL ACL rules.


Packages: DBA, VAL

Detailed Description

SPARQL query callback which enforces VAL ACL rules.

This is an internal graph security callback which is used for evaluating conditional group conditions.

It is important that the queries are executed under the permissions of the owner of the rule/group. Otherwise (if executed as dba) it would be possible to deduce private information about other users, for example by simply asking whether some triple exists in a private graph and then trying to access it as some other id.

This callback only allows public graphs and those owned by the creator of the rule. It does not take the actual ACL rules into account, as this would lead to an endless loop. Moreover, in theory ACL rules could be stored with another scope and a custom callback; in that case applying the rules here would be wrong.

This function can be used as a SPARQL security callback to enforce ACL rules set up via the VAL ACL API. To use it, two pragmas are required. First, the callback needs to be specified:

define sql:gs-app-callback "VAL_SPARQL_PERMS"

Second, the authenticated user for which to apply the ACL rules needs to be provided:

define sql:gs-app-uid ""

The special uid value "nobody" is supported to represent the fact that no user has logged in. In that case only public rules will be applied, i.e. only graphs that are public according to the ACL rules are accessed.

The application realm can be set via:

connection_set ('val_sparql_rule_realm', 'urn:myrealm');

It is also highly recommended to cache the WebID profile (in the case of WebID authentication) in a temp graph and set that graph via:

connection_set ('val_sparql_webid_graph', tmpWebidGraph);

That way the callback can pick it up and reuse it for all permission checks. Otherwise the profile has to be fetched for every permission check, which results in a considerable performance drop. The simplest way to achieve this is to let VAL.DBA.get_authentication_details_for_connection() fetch the data by providing the tmp graph IRI to it, and to clear the graph after executing the SPARQL query.

Ideally the query should be executed as user VAL_SPARQL_ADMIN.
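One complete iSQL session putting the two pragmas, the realm and the WebID cache graph together, as an added example that is not part of the VAL documentation; the realm 'urn:myrealm', the user id 'https://example.org/alice#me' and the temp graph IRI 'urn:tmp:webid:alice' are constructed placeholders.

```sql
-- Added example (not from the VAL package): wiring the VAL_SPARQL_PERMS
-- callback into a query. Realm, user id and temp graph IRI are placeholders.

-- Scope ACL evaluation to the application realm.
connection_set ('val_sparql_rule_realm', 'urn:myrealm');

-- WebID logins: point the callback at a pre-fetched profile graph so the
-- profile is not refetched on every permission check. The page's
-- VAL.DBA.get_authentication_details_for_connection() can populate it
-- (its signature is not shown here).
connection_set ('val_sparql_webid_graph', 'urn:tmp:webid:alice');

-- Authenticated query: only graphs the ACL rules grant to this user are visible.
sparql
define sql:gs-app-callback "VAL_SPARQL_PERMS"
define sql:gs-app-uid "https://example.org/alice#me"
select ?g (count (*) as ?triples)
where { graph ?g { ?s ?p ?o } }
group by ?g;

-- Same query for a visitor who has not logged in: only public graphs remain.
sparql
define sql:gs-app-callback "VAL_SPARQL_PERMS"
define sql:gs-app-uid "nobody"
select ?g (count (*) as ?triples)
where { graph ?g { ?s ?p ?o } }
group by ?g;

-- Drop the cached profile once the query has run.
sparql clear graph <urn:tmp:webid:alice>;
```

Comparing the two result sets is a quick check that a private graph is not leaking into the "nobody" view.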

Cache table for named graph ACLs. This cache table is only used for read-only queries if the graph query context feature is enabled:

__dbf_set ('enable_g_in_sec', 1);

See also
VAL.DBA.VAL_GRAPH_ACL_CACHE_W, VAL.DBA.update_graph_acl_cache()

Cache table for named graph ACLs. This cache table is only used for write queries if the graph query context feature is enabled:

__dbf_set ('enable_g_in_sec', 1);

See also
VAL.DBA.VAL_GRAPH_ACL_CACHE, VAL.DBA.update_graph_acl_cache()

ACL Cache State table which lists the user/realm combinations for which a cache has been created. The purpose is to avoid re-evaluating the ACLs every time for users who have no permissions at all.

Function which produces a list of graphs the given service id has access to according to the VAL ACLs in the private graph scope. Only read-only access is checked.

Create the URL rewrite rule for the social images pointing to socialimg.vsp.

Create the URL rewrite rules to ensure that /sparql still works in addition to /sparql/. This is required because VAL uses a vsp page.