<div class="metaphacts_help">
<h1> Basic System Configuration </h1>
This page describes how to adjust general system behavior via configuration properties.
<h2> Configuration Properties</h2>
Configuration properties are divided into three so called "configuration groups":
<ul>
<li> Environment Configuration Group </li>
<li> Global Configuration Group </li>
<li> UI Configuration Group </li>
</ul>
<p>
Properties in these groups may be shadowed by JVM runtime parameters; for example, depending on the deployment mode, one may supply environment-specific values via JVM runtime parameters.
This is done by supplying <span class="inline-code">"-Dconfig.{configGroup}.{propertyName}={propertyValue}"</span>,
where "configGroup" is the identifier of the configuration group (either "environment", "global", or "ui" for the three groups, respectively) and "propertyName" is the name of the property in the given group.
Shadowed parameters cannot be overwritten or changed during runtime.
</p>
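<p>The following is an added illustration, not metaphacts code: a constructed model of how a <span class="inline-code">-Dconfig.{configGroup}.{propertyName}</span> JVM parameter shadows the value from the group's .prop file and pins it against later runtime changes, which is how a deployment can lock the authentication filter so that it cannot be relaxed through the configuration UI. The file contents, JVM arguments and the ConfigGroup class are all constructed for the example.</p>

```python
import re

# Constructed sample of config/environment.prop (not a real deployment file).
# Note that the file enables the "anon" filter; the JVM parameter below overrides it.
ENVIRONMENT_PROP = """\
# deployment-specific settings
sparqlEndpoint=http://127.0.0.1:9001/bigdata/sparql
shiroAuthenticationFilter=authcBasic,anon,authc
shiroSessionTimeoutSecs=1800
"""

# Constructed JVM command line; only -Dconfig.{group}.{prop}=value entries matter here.
JVM_ARGS = [
    "-Xmx2g",
    "-Dconfig.environment.shiroAuthenticationFilter=authcBasic,authc",
    "-Dconfig.ui.preferredLanguages=en,de",
]

CONFIG_ARG = re.compile(r"^-Dconfig\.(environment|global|ui)\.([^=]+)=(.*)$")


class ConfigGroup:
    """One configuration group: values from its .prop file, shadowed by JVM parameters."""

    def __init__(self, name, file_text, jvm_args):
        self.name = name
        self.values = {}
        self.shadowed = set()
        for line in file_text.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                self.values[key.strip()] = value.strip()
        for arg in jvm_args:
            m = CONFIG_ARG.match(arg)
            if m and m.group(1) == name:
                # The JVM parameter wins over the file value and pins the property.
                self.values[m.group(2)] = m.group(3)
                self.shadowed.add(m.group(2))

    def get(self, prop):
        return self.values.get(prop)

    def set_at_runtime(self, prop, value):
        """A runtime change, as the configuration UI would attempt it."""
        if self.name == "environment":
            raise PermissionError("environment group is fixed at startup")
        if prop in self.shadowed:
            raise PermissionError(f"{self.name}.{prop} is shadowed by a JVM parameter")
        self.values[prop] = value
```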
<h3>Environment Configuration Group </h3>
The environment group (file "config/environment.prop") contains all deployment-specific configuration options such as server URLs, keys, etc.
These parameters may influence how the platform is initialized and as such they cannot be changed during runtime, for example, through the <semantic-link uri="http://www.metaphacts.com/resource/admin/Configuration" title="Configuration">configuration UI</semantic-link>.
<br><br>
<table class="table table-striped">
<thead>
<tr>
<th>Property</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>sparqlEndpoint</td>
<td>URL</td>
<td>URL of the remote repository, e.g. "http://127.0.0.1:9001/bigdata/sparql" if a Blazegraph instance is running on the same host. <b>If the repository is running on a different machine and is only accessible through HTTPS</b>, it might be required to import its certificate into your JVM's keystore.</td>
</tr>
<tr>
<td>shiroAuthenticationFilter</td>
<td>List of Strings (comma separated)</td>
<td>Authentication filters to apply. Any combination of "anon" (anonymous user), "authc" (form-based authentication) and "authcBasic" (HTTP Basic authentication). Default: "authcBasic, authc"</td>
</tr>
<tr>
<td>shiroSessionTimeoutSecs</td>
<td>Integer</td>
<td>The time in seconds after which a session is closed in case of inactivity. Default: 1800.</td>
</tr>
</tbody>
</table>
<h3>Global Configuration Group </h3>
Global system configuration, affecting system functionality like global redirects etc.
<br><br>
<table class="table table-striped">
<thead>
<tr>
<th>Property</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>homePage</td>
<td>URI</td>
<td>Prefixed or full URI (surrounded by <>) specifying the page the user is redirected to after login or when clicking the home button. Default: "Start"</td>
</tr>
</tbody>
</table>
<h3>UI Configuration Group </h3>
Configuration properties for options that affect how data is displayed in the UI.
<br><br>
<table class="table table-striped">
<thead>
<tr>
<th>Property</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr>
<td>templateIncludeQuery</td>
<td>SPARQL SELECT Query</td>
<td>Specifies the SPARQL SELECT query according to which the template engine selects templates depending on the requested resource / context (i.e. ??). <br/> The query must have at least a "?type" projection variable. Default: "SELECT ?type WHERE{?? a ?type}"</td>
</tr>
<tr>
<td>preferredLabels</td>
<td>Comma separated list of full or prefixed IRIs.</td>
<td>
Prefixed or full predicate IRIs (surrounded by <>) that are typically used as the human-readable label in the application.<br>
If multiple labels exist for an entity, the order of preference is given by the order of the predicates in the list.<br>
Default: rdfs:label
</td>
</tr>
<tr>
<td>preferredLanguages</td>
<td>Comma separated list of language tags</td>
<td>
Language tag filter applied to the candidate values of the preferredLabels predicates. The order of preference is given by the order of the language tags in the list.
Default: null
</td>
</tr>
<tr>
<td>preferredThumbnails</td>
<td>Comma separated list of full or prefixed IRIs.</td>
<td>
Prefixed or full predicate IRIs (surrounded by <>) that are typically used as the URI of the thumbnail depiction in the application.<br>
If multiple thumbnails exist for an entity, the order of preference is given by the order of the predicates in the list.<br>
Default: http://schema.org/thumbnail
</td>
</tr>
</tbody>
</table>
<h2> Security </h2>
The platform relies on the <a href="http://shiro.apache.org" target="_blank">Apache Shiro</a> security framework.
While it is possible to hook in different security providers and realms, the easiest way is to define users, roles and permissions using the "shiro.ini" file. <br/>
New user accounts should be created using the respective <semantic-link uri="http://www.metaphacts.com/resource/admin/Security" title="Security">administration page</semantic-link>. The same widget can be used to modify accounts and to re-assign existing roles to users. However, creating new roles and permissions needs to be done by modifying the shiro.ini manually (cf. the Basic ACLs section at the bottom of the page). <br/>
<bs-alert bs-style="info"><strong>Please Note:</strong><br/>
If no shiro.ini file is configured, the platform will use a pre-bundled shiro.ini file with default logins, and a warning will be printed in the startup logs.
</bs-alert>
<h3> Login Protection </h3>
By default the platform requires authentication for all resources below the root /** URL. <br/>
For security reasons it is not possible to disable authentication entirely;
however, one can grant access to an anonymous/guest user by enabling the special "anon" authentication filter (cf. the shiroAuthenticationFilter property in the Environment Configuration Group section above).
To activate the filter, the following configuration property needs to be set in environment.prop:
<div class="highlight" style="margin-left:2%"><pre>
shiroAuthenticationFilter=authcBasic,anon,authc
</pre></div>
<bs-alert bs-style="info"><strong>Please Note:</strong><br/>
For the special anonymous filter ("anon") a static user with the user principal <b>"anonymous"</b> (and any dummy password) must be configured,
i.e. it must be granted access to the respective resources and operations by assigning the respective roles (cf. the Basic ACLs section below).
</bs-alert>
<h3> Basic ACLs </h3>
For the time being, fine-granular permissions can only be granted for the SPARQL endpoint, the RDF Graph Store, the Account service and the Template service.
Permissions are <b>whitelist based</b>, i.e. one needs to assign permissions explicitly; anything not granted is denied.
Permissions:
<table class="table table-striped">
<thead>
<tr>
<th>#</th>
<th>Package/Pattern</th>
<th>Permission</th>
</tr>
</thead>
<tbody>
<tr>
<th scope="row">1</th>
<td>sparql:query:select</td>
<td>Grants permission to execute SELECT queries.</td>
</tr>
<tr>
<th scope="row">2</th>
<td>sparql:query:ask</td>
<td>Grants permission to execute ASK queries.</td>
</tr>
<tr>
<th scope="row">3</th>
<td>sparql:query:construct</td>
<td>Grants permission to execute CONSTRUCT queries.</td>
</tr>
<tr>
<th scope="row">4</th>
<td>sparql:query:describe</td>
<td>Grants permission to execute DESCRIBE queries.</td>
</tr>
<tr>
<th scope="row">5</th>
<td>sparql:query:*</td>
<td>Grants permission to all SPARQL query operations i.e. SELECT, ASK, CONSTRUCT, DESCRIBE</td>
</tr>
<tr>
<th scope="row">6</th>
<td>sparql:graphstore:get</td>
<td>Grants permission to get any named graph by performing a GET to /rdf-graph-store?graph={URI}.</td>
</tr>
<tr>
<th scope="row">7</th>
<td>sparql:graphstore:create</td>
<td>Grants permission to create any named graph by performing a POST to /rdf-graph-store?graph={URI}.</td>
</tr>
<tr>
<th scope="row">8</th>
<td>sparql:graphstore:modify</td>
<td>Grants permission to modify any named graph by performing a PUT to /rdf-graph-store?graph={URI}.</td>
</tr>
<tr>
<th scope="row">9</th>
<td>sparql:graphstore:delete</td>
<td>Grants permission to delete any named graph by performing a DELETE to /rdf-graph-store?graph={URI}.</td>
</tr>
<tr>
<th scope="row">10</th>
<td>sparql:graphstore:*</td>
<td>Grants permission to perform all graph store operations.</td>
</tr>
<tr>
<th scope="row">11</th>
<td>templates:edit:view</td>
<td>Grants permission to view templates code.</td>
</tr>
<tr>
<th scope="row">12</th>
<td>templates:edit:save</td>
<td>Grants permission to edit and save templates pages.</td>
</tr>
<tr>
<th scope="row">13</th>
<td>templates:edit:*</td>
<td>Grants permission to all templates edit operations.</td>
</tr>
<tr>
<th scope="row">14</th>
<td>accounts:users:query</td>
<td>Grants permission to query user account information (i.e. roles/permissions)</td>
</tr>
<tr>
<th scope="row">15</th>
<td>accounts:users:create</td>
<td>Grants permission to create user accounts.</td>
</tr>
<tr>
<th scope="row">16</th>
<td>accounts:users:delete</td>
<td>Grants permission to delete user accounts.</td>
</tr>
<tr>
<th scope="row">17</th>
<td>api:config:{configGroup}:{propertyName}:{usageMode}</td>
<td>
Grants permission to configuration properties. <br>
<b>Examples:</b><br>
api:config:ui:templateIncludeQuery:read - grants permission to read the templateIncludeQuery parameter <br>
api:config:ui:*:write - grants permission to write all config parameters in the ui configuration group<br>
api:config:environment:*:* - grants permission to read and write all config parameters in the environment configuration group<br>
</td>
</tr>
</tbody>
</table>
<b>Example Configuration:</b><br/>
The example below defines two users with salted password hashes (cf. the <a href="http://shiro.apache.org/command-line-hasher.html" target="_blank">Shiro Command Line Hasher</a>) and assigns roles to them. Permissions are granted to roles in the <i>[roles]</i> section.<br/>
<ul>
<li>The role "rootRole" is granted permission to view, create and modify accounts.</li>
<li>The role "adminRole" is granted permission to execute all SPARQL query and update operations as well as to save template pages.</li>
<li>The role "guestRole" is granted permission to execute all SPARQL query operations, but no update operations. In addition, the "guestRole" cannot save template pages.</li>
</ul>
<div class="highlight" style="margin-left:2%"><pre>
[users]
admin=$shiro1$SHA-256$500000$JWFyxDbrkcdlGl6Xpj02dg==$UYbUG3bHmT8Z4dTeEHToK5WdyvwR9cRefiM/9zRjfr4=,adminRole,rootRole
guest=$shiro1$SHA-256$500000$IbH5irWwZzyQlXHZg33GeA==$n+A1vGbmrIxJBBxGcsNn3cz48wDvhBkMbNPcskfAQy4=,guestRole
[roles]
rootRole = accounts:*:*
adminRole = sparql:update, sparql:query:*, sparql:graphstore:*, templates:*:*
guestRole = sparql:query:*
</pre></div>
It is <b>strongly recommended</b> to change the <i>[roles]</i> section only by hand and not to make such changes during runtime.<br/>
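<p>As an added example (not part of the page or of the platform's code), the following re-implements the wildcard matching rules of Apache Shiro's WildcardPermission in Python and checks the permission strings from the table above against the example <span class="inline-code">[users]</span>/<span class="inline-code">[roles]</span> sections. The "anonymous" user with no roles is a constructed addition to show why the anonymous principal mentioned under Login Protection must be assigned roles before it can access anything.</p>

```python
WILDCARD = "*"


def parse(permission):
    """Split 'sparql:query,update:*' into [{'sparql'}, {'query','update'}, {'*'}].
    Shiro's WildcardPermission is case-insensitive by default, hence lower()."""
    return [
        {token.strip() for token in part.split(",") if token.strip()}
        for part in permission.strip().lower().split(":")
    ]


def implies(granted, requested):
    """Same rules as Shiro's WildcardPermission.implies():
    a granted part matches if it is '*' or contains every requested token;
    a granted string shorter than the request implies the remaining parts;
    a granted string longer than the request matches only if its extra parts are '*'."""
    g, r = parse(granted), parse(requested)
    for i, wanted in enumerate(r):
        if i >= len(g):
            return True
        if WILDCARD not in g[i] and not wanted <= g[i]:
            return False
    return all(WILDCARD in part for part in g[len(r):])


# Role assignments and [roles] section taken from the page's example shiro.ini;
# "anonymous" with no roles is constructed for the example.
USERS = {"admin": ["adminRole", "rootRole"], "guest": ["guestRole"], "anonymous": []}
ROLES = {
    "rootRole": ["accounts:*:*"],
    "adminRole": ["sparql:update", "sparql:query:*", "sparql:graphstore:*", "templates:*:*"],
    "guestRole": ["sparql:query:*"],
}


def is_permitted(user, requested):
    """Whitelist check: permitted only if some role of the user grants the request."""
    return any(
        implies(granted, requested)
        for role in USERS.get(user, [])
        for granted in ROLES.get(role, [])
    )
```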
</div>