How to manage Graph Security Level for SQL Clients?


Graph Security Level for ODBC, JDBC, ADO.NET, OLE-DB SQL Clients.


SPARQL-level graph security is sufficient for SPARQL clients operating over HTTP. It is not sufficient for SQL clients, because graph-level security is enforced by the SPARQL compiler, not by the SQL compiler.

The Virtuoso SPARQL compiler analyzes the graph-level permissions of a user (an identity principal named using an identifier such as a WebID or NetID). For each triple pattern or graph group pattern, the compiler adds an implicit FILTER () that ensures the appropriate privileges on the target named graphs have been granted to that user. Ultimately, these FILTERs become part of the generated SQL code executed against the RDF_QUAD table and the related RDF data management system tables.

SQL users accessing Virtuoso via ODBC, JDBC, ADO.NET, and OLE-DB connections can execute arbitrary SQL code via stored procedures, subject only to SQL-level privileges on the target tables and views. Because the SPARQL compiler's implicit FILTERs are never applied to such queries, this is a point of vulnerability for the RDF system tables (RDF_QUAD and others). To close this vulnerability, the SQL compiler restricts access to the RDF system tables over SQL connections to members of the SPARQL_SELECT_RAW group.

Note: the SPARQL_SELECT_RAW group is available in Virtuoso 7.5 or higher.

Usage Example

The following example demonstrates how to grant SPARQL_SELECT_RAW to a Virtuoso SQL user:

SQL> DB.DBA.USER_CREATE ('John', 'John');
Done. -- 0 msec.

Done. -- 0 msec.

Done. -- 0 msec.
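A fuller version of the session above, as an added example (it is not from this page or from OpenLink's own documentation). The login name and password are constructed, and the SELECT grant on RDF_QUAD is assumed to stand for the SQL-level table privilege the text refers to:

```sql
-- Constructed session for a Virtuoso SQL connection (e.g. isql), run as DBA.
-- Create a SQL login that an ODBC/JDBC/ADO.NET/OLE-DB client will use.
DB.DBA.USER_CREATE ('rdf_reader', 'change-me');

-- An ordinary SQL-level table privilege on its own is not enough: the SQL
-- compiler refuses access to the RDF system tables over a SQL connection
-- unless the login is also a member of SPARQL_SELECT_RAW (assumed grant).
GRANT SELECT ON DB.DBA.RDF_QUAD TO "rdf_reader";

-- Grant the group that actually unlocks RDF_QUAD for SQL connections.
GRANT SPARQL_SELECT_RAW TO "rdf_reader";

-- Because graph-level SPARQL security does not apply to SQL connections,
-- revoke the group as soon as raw RDF_QUAD access is no longer needed.
REVOKE SPARQL_SELECT_RAW FROM "rdf_reader";
```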