Example Performing Sponging on an entirely confidential database using get:private pragma
The following example demonstrates how private sponging with the get:private pragma works on an entirely confidential database.
Note: Keep in mind that the steps below change the security settings of any existing database, so this example scenario should be performed on an empty database.
- Create a few users in alphabetical order:
    DB.DBA.USER_CREATE ('Anna', 'Anna');
    DB.DBA.USER_CREATE ('Brad', 'Brad');
    DB.DBA.USER_CREATE ('Carl', 'Carl');
- Grant Anna, Brad and Carl the SPARQL SELECT, UPDATE and SPONGE permissions:
    grant SPARQL_SELECT to "Anna";
    grant SPARQL_SELECT to "Brad";
    grant SPARQL_SELECT to "Carl";
    grant SPARQL_UPDATE to "Anna";
    grant SPARQL_UPDATE to "Brad";
    grant SPARQL_UPDATE to "Carl";
    grant SPARQL_SPONGE to "Anna";
    grant SPARQL_SPONGE to "Brad";
    grant SPARQL_SPONGE to "Carl";
- Set specific privileges on given graphs for specific users: because some datasets are supposed to be confidential, the whole quad storage is first set to confidential. Specific privileges can then be assigned to specific graphs for specific users:
    DB.DBA.RDF_DEFAULT_USER_PERMS_SET ('nobody', 0);
- Set specific privileges for users Anna, Brad and Carl, assuming that none of these individuals has any kind of global access to graphs:
    DB.DBA.RDF_DEFAULT_USER_PERMS_SET ('Anna', 0);
    DB.DBA.RDF_DEFAULT_USER_PERMS_SET ('Brad', 0);
    DB.DBA.RDF_DEFAULT_USER_PERMS_SET ('Carl', 0);
- Four sorts of access are specified by four bits of an integer "permission bit-mask", following plain old UNIX style:
  - Bit 1 permits read access.
  - Bit 2 permits write access via SPARUL and is basically useless without bit 1 set.
  - Bit 4 permits write access via "RDF Network Resource Fetch" methods and is basically useless without bits 1 and 2 set.
  - Bit 8 allows retrieval of the list of members of a graph group. An IRI can be used as a graph IRI and as a graph group IRI at the same time, so bit 8 can be freely combined with any of bits 1, 2 or 4.
- In the statements below, note that:
  - "15 = 8 + 4 + 2 + 1", i.e. all four sorts of access from above combined.
  - "9 = 8 + 1", i.e. read access plus access to retrieve the list of members of a given graph group.
    -- Create Graph Group for Anna and set privileges:
    DB.DBA.RDF_GRAPH_GROUP_CREATE ('urn:Anna:Sponged:Data', 1);
    DB.DBA.RDF_GRAPH_USER_PERMS_SET ('urn:Anna:Sponged:Data', 'Anna', 15);
    DB.DBA.RDF_GRAPH_USER_PERMS_SET ('urn:Anna:Sponged:Data', 'Brad', 9);
    DB.DBA.RDF_GRAPH_USER_PERMS_SET ('urn:Anna:Sponged:Data', 'Carl', 9);

    -- Create Graph Group for Brad and set privileges:
    DB.DBA.RDF_GRAPH_GROUP_CREATE ('urn:Brad:Sponged:Data', 1);
    DB.DBA.RDF_GRAPH_USER_PERMS_SET ('urn:Brad:Sponged:Data', 'Anna', 9);
    DB.DBA.RDF_GRAPH_USER_PERMS_SET ('urn:Brad:Sponged:Data', 'Brad', 15);
    DB.DBA.RDF_GRAPH_USER_PERMS_SET ('urn:Brad:Sponged:Data', 'Carl', 9);

    -- Create Graph Group for Carl and set privileges:
    DB.DBA.RDF_GRAPH_GROUP_CREATE ('urn:Carl:Sponged:Data', 1);
    DB.DBA.RDF_GRAPH_USER_PERMS_SET ('urn:Carl:Sponged:Data', 'Anna', 9);
    DB.DBA.RDF_GRAPH_USER_PERMS_SET ('urn:Carl:Sponged:Data', 'Brad', 9);
    DB.DBA.RDF_GRAPH_USER_PERMS_SET ('urn:Carl:Sponged:Data', 'Carl', 15);
- Examples with invalid graph group names:
  - Example with a non-existing graph group:
      -- An error for non-existing Graph group <http://nosuch/> will be raised.
      SPARQL
      DEFINE get:soft "replacing"
      DEFINE get:private <http://nosuch/>
      SELECT *
      FROM <http://example.com/>
      WHERE { ?s ?p ?o };
  - Example with the "virtrdf:PrivateGraphs" graph group, which is reserved for system usage:
      -- An error for attempt to add a graph to special graph group <http://www.openlinksw.com/schemas/virtrdf#PrivateGraphs> will be raised.
      SPARQL
      DEFINE get:soft "replacing"
      DEFINE get:private virtrdf:PrivateGraphs
      SELECT *
      FROM <http://example.com/>
      WHERE { ?s ?p ?o };
  - Example with the "virtrdf:rdf_repl_graph_group" graph group, which is reserved for system usage:
      -- An error for attempt to add a graph to special graph group <http://www.openlinksw.com/schemas/virtrdf#rdf_repl_graph_group> will be raised.
      SPARQL
      DEFINE get:soft "replacing"
      DEFINE get:private virtrdf:rdf_repl_graph_group
      SELECT *
      FROM <http://example.com/>
      WHERE { ?s ?p ?o };
- Examples to check Anna's sponging permissions on different graph groups:
  - Example for adding a graph to Anna's graph group <urn:Anna:Sponged:Data>:
      -- No error will be raised as Anna has sufficient rights for graph group <urn:Anna:Sponged:Data>
      reconnect "Anna";
      SPARQL
      DEFINE get:soft "replacing"
      DEFINE get:private <urn:Anna:Sponged:Data>
      SELECT *
      FROM <http://anna-example.com/>
      WHERE { ?s ?p ?o };
  - Example for adding a graph to Brad's graph group <urn:Brad:Sponged:Data>:
      -- An error will be raised because "Anna" does not have enough rights on that group
      reconnect "Anna";
      SPARQL
      DEFINE get:soft "replacing"
      DEFINE get:private <urn:Brad:Sponged:Data>
      SELECT *
      FROM <http://example.com/>
      WHERE { ?s ?p ?o };
  - Example for adding a graph to Carl's graph group <urn:Carl:Sponged:Data>:
      -- An error will be raised because "Anna" does not have enough rights on that group
      reconnect "Anna";
      SPARQL
      DEFINE get:soft "replacing"
      DEFINE get:private <urn:Carl:Sponged:Data>
      SELECT *
      FROM <http://example.com/>
      WHERE { ?s ?p ?o };
- Examples to check Brad's sponging permissions on different graph groups:
  - Example for adding a graph to Anna's graph group <urn:Anna:Sponged:Data>:
      -- An error will be raised because "Brad" does not have enough rights on that group
      reconnect "Brad";
      SPARQL
      DEFINE get:soft "replacing"
      DEFINE get:private <urn:Anna:Sponged:Data>
      SELECT *
      FROM <http://example.com/>
      WHERE { ?s ?p ?o };
  - Example for adding a graph to Brad's graph group <urn:Brad:Sponged:Data>:
      -- No error will be raised as Brad has sufficient rights for graph group <urn:Brad:Sponged:Data>
      reconnect "Brad";
      SPARQL
      DEFINE get:soft "replacing"
      DEFINE get:private <urn:Brad:Sponged:Data>
      SELECT *
      FROM <http://brad-example.com/>
      WHERE { ?s ?p ?o };
  - Example for adding a graph to Carl's graph group <urn:Carl:Sponged:Data>:
      -- An error will be raised because "Brad" does not have enough rights on that group
      reconnect "Brad";
      SPARQL
      DEFINE get:soft "replacing"
      DEFINE get:private <urn:Carl:Sponged:Data>
      SELECT *
      FROM <http://example.com/>
      WHERE { ?s ?p ?o };
- Examples to check Carl's sponging permissions on different graph groups:
  - Example for adding a graph to Anna's graph group <urn:Anna:Sponged:Data>:
      -- An error will be raised because "Carl" does not have enough rights on that group
      reconnect "Carl";
      SPARQL
      DEFINE get:soft "replacing"
      DEFINE get:private <urn:Anna:Sponged:Data>
      SELECT *
      FROM <http://example.com/>
      WHERE { ?s ?p ?o };
  - Example for adding a graph to Brad's graph group <urn:Brad:Sponged:Data>:
      -- An error will be raised because "Carl" does not have enough rights on that group
      reconnect "Carl";
      SPARQL
      DEFINE get:soft "replacing"
      DEFINE get:private <urn:Brad:Sponged:Data>
      SELECT *
      FROM <http://example.com/>
      WHERE { ?s ?p ?o };
  - Example for adding a graph to Carl's graph group <urn:Carl:Sponged:Data>:
      -- No error will be raised as Carl has sufficient rights for graph group <urn:Carl:Sponged:Data>
      reconnect "Carl";
      SPARQL
      DEFINE get:soft "replacing"
      DEFINE get:private <urn:Carl:Sponged:Data>
      SELECT *
      FROM <http://carl-example.com/>
      WHERE { ?s ?p ?o };
- User Carl performs private sponging:
    reconnect "Carl";
    SPARQL
    DEFINE get:soft "replacing"
    DEFINE get:private <urn:Carl:Sponged:Data>
    SELECT *
    FROM <http://www.openlinksw.com/data/turtle/products.ttl>
    WHERE { ?s ?p ?o };

    -- Should return for ex. 365 rows.
    SPARQL
    DEFINE get:soft "replacing"
    DEFINE get:private <urn:Carl:Sponged:Data>
    SELECT COUNT(*)
    FROM <http://www.openlinksw.com/data/turtle/products.ttl>
    WHERE { ?s ?p ?o };

    SPARQL
    DEFINE get:soft "replacing"
    DEFINE get:private <urn:Carl:Sponged:Data>
    SELECT *
    FROM NAMED <http://www.openlinksw.com/data/turtle/software.ttl>
    FROM NAMED <http://www.openlinksw.com/data/turtle/licenses.ttl>
    WHERE { graph ?g { ?s ?p ?o } };

    -- Should return for ex. 1317 rows.
    SPARQL
    DEFINE get:soft "replacing"
    DEFINE get:private <urn:Carl:Sponged:Data>
    SELECT COUNT(*)
    FROM NAMED <http://www.openlinksw.com/data/turtle/software.ttl>
    FROM NAMED <http://www.openlinksw.com/data/turtle/licenses.ttl>
    WHERE { graph ?g { ?s ?p ?o } };
- Viewing the graph groups shows that Carl's graph group <urn:Carl:Sponged:Data> contains a total of 4 graphs:
    SQL> SELECT id_to_iri (RGGM_GROUP_IID), id_to_iri(RGGM_MEMBER_IID)
         FROM DB.DBA.RDF_GRAPH_GROUP_MEMBER
         ORDER BY 1,2;
    id_to_iri              id_to_iri__1
    VARCHAR                VARCHAR
    __________________________________________________________
    ....
    urn:Anna:Sponged:Data  http://anna-example.com/
    urn:Brad:Sponged:Data  http://brad-example.com/
    urn:Carl:Sponged:Data  http://carl-example.com/
    urn:Carl:Sponged:Data  http://www.openlinksw.com/data/turtle/licenses.ttl
    urn:Carl:Sponged:Data  http://www.openlinksw.com/data/turtle/products.ttl
    urn:Carl:Sponged:Data  http://www.openlinksw.com/data/turtle/software.ttl
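The permission matrix built in the steps above can be reviewed offline before the statements are run. The following Python sketch is an added example, not part of the Virtuoso documentation: it models only the bit-mask rules stated on this page, and its function names are hypothetical. It assumes that a get:private sponge into a graph group needs bits 1, 2 and 4 on that group, and that the user's default mask applies when no group-specific mask is set.

```python
# Added illustration: simplified model of the permission bit-mask on this page.
READ, WRITE, SPONGE, LIST = 1, 2, 4, 8
BIT_NAMES = {READ: "read", WRITE: "write", SPONGE: "sponge", LIST: "list-members"}

# Masks copied from the RDF_DEFAULT_USER_PERMS_SET / RDF_GRAPH_USER_PERMS_SET calls above.
DEFAULT_PERMS = {"nobody": 0, "Anna": 0, "Brad": 0, "Carl": 0}
GROUP_PERMS = {
    "urn:Anna:Sponged:Data": {"Anna": 15, "Brad": 9, "Carl": 9},
    "urn:Brad:Sponged:Data": {"Anna": 9, "Brad": 15, "Carl": 9},
    "urn:Carl:Sponged:Data": {"Anna": 9, "Brad": 9, "Carl": 15},
}

def decode(mask):
    """Names of the access bits set in a mask, lowest bit first."""
    return [name for bit, name in BIT_NAMES.items() if mask & bit]

def ineffective_bits(mask):
    """Bits that are set but useless because their prerequisite bits are missing."""
    useless = []
    if (mask & WRITE) and not (mask & READ):
        useless.append("write")            # bit 2 needs bit 1
    if (mask & SPONGE) and (mask & (READ | WRITE)) != (READ | WRITE):
        useless.append("sponge")           # bit 4 needs bits 1 and 2
    return useless

def effective_mask(user, group):
    """Group-specific mask if one is set, else the user's default (simplified)."""
    fallback = DEFAULT_PERMS.get(user, DEFAULT_PERMS["nobody"])
    return GROUP_PERMS.get(group, {}).get(user, fallback)

def can_private_sponge(user, group):
    """Assumption: get:private into a group needs bits 1, 2 and 4 on that group."""
    need = READ | WRITE | SPONGE
    return (effective_mask(user, group) & need) == need

def expected_matrix():
    """Predicted outcome of every user/group attempt in the walkthrough."""
    users = [u for u in DEFAULT_PERMS if u != "nobody"]
    return {(u, g): can_private_sponge(u, g) for u in users for g in GROUP_PERMS}

if __name__ == "__main__":
    for (user, group), ok in expected_matrix().items():
        mask = effective_mask(user, group)
        print(f"{user:5} {group:22} mask={mask:2} {decode(mask)} ->",
              "allowed" if ok else "error expected")
```

The predicted matrix matches the walkthrough: each user can sponge only into their own group, and a mask such as 4 or 6 is flagged as granting a sponge bit that has no effect.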
Sponger Usage Examples
- SPARQL Processor Usage Example
- RDF Proxy Service Example
- Browsing & Exploring RDF View Example Using ODE
- Browsing & Exploring RDF View Example Using iSPARQL
- Basic Sponger Cartridge Example
- HTTP Example for Extracting Metadata using CURL
- RESTFul Interaction Examples
- Flickr Cartridge Example
- MusicBrainz Metadatabase Example
- SPARQL Tutorial -- Magic of SPARUL and Sponger
Related
- Example Performing Sponging with Private Graphs Using get:private pragma
- Sponger's Linked Data Middleware Hooks into SPARQL
- Virtuoso Sponger
- Technical White Paper
- Supported Virtuoso Sponger Cartridges
- SPARQL Sponger
- Interacting with Sponger Middleware via RESTful Patterns
- Interacting with Sponger Meta Cartridge via RESTful Patterns
- Sponger Cartridge RDF Extractor
- Extending SPARQL IRI Dereferencing with RDF Mappers
- Programmer Guide for Virtuoso Linked Data Middleware ("Sponger")
- Create RDF Custom Cartridge Tutorial
- OpenLink-supplied Virtuoso Sponger Cartridges
- Virtuoso Authentication Server
- Virtuoso SPARQL OAuth Tutorial
- Virtuoso Sponger Access Control List (ACL) Setup
- WebID Protocol & SPARQL Endpoint ACLs Tutorial
- Virtuoso Documentation