OSDB - HTTPS Registries

Using an OSDB Service Registry over HTTPS

While OSDB can use an unprotected HTTP SPARQL endpoint for the Registry, some protection of the Registry may be desirable. To this end, OSDB can use SPARQL over HTTPS. The configuration described below limits access to the SPARQL endpoint but does not restrict access to the Registry graphs themselves: any authenticated user granted access to the SPARQL endpoint will have access to these graphs, and the graphs remain public within the Virtuoso quad store.

Protecting a Virtuoso SPARQL Endpoint Using VAL

Controlling access to an HTTPS SPARQL endpoint relies on the Virtuoso Authentication Layer (VAL) and its support for WebID and WTD (WebID + TLS + Delegation). The VAL What Why How Guide discusses VAL and its configuration in detail. The essential requirements from the perspective of OSDB are:

OSDB Configuration File

If, for example, OSDB is started with the command

NODE_ENV=osdb node bin/osdb_server -r https://linkeddata.uriburner.com/sparql

OSDB looks for configuration settings in the file {osdb_root}/config/osdb.json.

In the extract from osdb.json below

{
    "serverURL": "https://osdb.openlinksw.com/",
    "serverKey": "myServerKey.pem",
    "serverCertificate": "myServerCert.pem",
    ...
    "registryHostRdfViewerTemplate" : "/describe/(?url)",
    "registryHostRdfViewerWithLoadTemplate" : "/describe/(?url)&sponger:get=add&sr=clean",
    "registryCredentials": {
        "https://linkeddata.uriburner.com/sparql" : {
            "registryLoginKey" : "config/osdb-key.pem",
            "registryLoginCertificate" : "config/osdb-crt.pem",
            "registryLoginCACertificate" : "",
            "registryLoginOnBehalfOf" : ""
        }
    }
}

the registryCredentials property holds an object with one property for each OSDB Registry that may be used with this OSDB Server. In this example, the server was started using the registry https://linkeddata.uriburner.com/sparql. The corresponding entry points to an object with the following properties:

Because the OSDB Server is the only agent that requires access to the OSDB-related graphs, WebID delegation should not be needed. The directory {osdb_root}/config must contain the PEM files named by these properties.

OSDB WebID

The certificate identified by registryLoginCertificate must carry the WebID of the OSDB Server in the certificate's Subject Alternative Name (SAN) extension. The WebID must identify a WebID profile document containing the OSDB Server's public key, as specified by the WebID specification; VAL compares the key in the presented certificate against the key published in that profile.

A minimal example profile document is listed below:

@prefix foaf: <http://xmlns.com/foaf/0.1/> .
@prefix cert: <http://www.w3.org/ns/auth/cert#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix xml: <http://www.w3.org/2001/XMLSchema#> .

<http://ods-qa.openlinksw.com:8896/DAV/home/nobody/osdb_ex_webid_170727.ttl>
  a foaf:PersonalProfileDocument ;
  foaf:primaryTopic <http://ods-qa.openlinksw.com:8896/DAV/home/nobody/osdb_ex_webid_170727.ttl#identity> .

<http://ods-qa.openlinksw.com:8896/DAV/home/nobody/osdb_ex_webid_170727.ttl#identity>
  a foaf:Agent ;
  foaf:name "OSDB Server" ;
  cert:key <#keyOSDB> .

<#keyOSDB>
  a cert:RSAPublicKey ;
  rdfs:label "A self-signed key" ;
  cert:exponent "65537"^^xml:integer ;
  cert:modulus
    "aeb762c..."^^xml:hexBinary .

OSDB ACL Rule

The last step needed to give the OSDB Server access to the protected registry is to create a suitable VAL ACL rule on the registry server.

SPARQL
PREFIX oplacl: <http://www.openlinksw.com/ontology/acl#>
PREFIX acl: <http://www.w3.org/ns/auth/acl#>
PREFIX foaf: <http://xmlns.com/foaf/0.1/>
WITH <http://linkeddata.uriburner.com/acl/graph/rules/http%3A%2F%2Fwww.openlinksw.com%2Fontology%2Facl%23DefaultRealm>
INSERT
{
  <#OSDBSparql>
    a  acl:Authorization ;
    foaf:maker <http://linkeddata.uriburner.com/dataspace/person/dba#this> ;
    oplacl:hasAccessMode  oplacl:Read , oplacl:Write ;
    acl:accessTo  <urn:virtuoso:access:sparql> ;
    acl:agent <http://ods-qa.openlinksw.com:8896/DAV/home/nobody/osdb_ex_webid_170727.ttl#identity> ;
    oplacl:hasScope  oplacl:Query ;
    oplacl:hasRealm  oplacl:DefaultRealm .
};

The above rule <#OSDBSparql> grants SPARQL UPDATE access to the OSDB Server WebID identified by acl:agent. Assuming the Registry server's VAL configuration has been set up to limit access to http://{OSDB registry host}/sparql to read only, SPARQL UPDATE access is restricted to specific authenticated agents. While public graphs may be readable by all (or not at all, depending on the VAL settings), the ability to create, update or delete public graphs is limited to these agents. These public graphs include the OSDB graphs <http://www.openlinksw.com/osdb/services> and <http://www.openlinksw.com/osdb/services/{service ID}>. An attempt by an unauthenticated user to update these graphs results in the user being forced to authenticate.

For more information on how to control access to SPARQL, refer to the VAL guide SPARQL ACLs in Virtuoso.

Further protection of the Registry graphs is possible by making them private. This would require a Virtuoso service, for use by the OSDB Server, that makes a service description graph private and sets its ownership whenever a new service is registered with OSDB.