This project has retired. For details please refer to its Attic page.
Apache Marmotta - Platform - Security

Apache Marmotta Platform: Security

This module provides the security mechanisms for Apache Marmotta, which implements its own authentication and authorization mechanism.

Users and roles

There are two default users in Marmotta: anonymous and admin. The first one is not an actual user, but the user all anonymous requests use. The second is the user with administration rights on the system.

At the same time, users are grouped into roles to simplify permission management. The system comes with three groups (manager, editor and user) by default, but this can be customized as preferred.

For instance, by default the admin user is part of manager, editor and user groups.

Profiles

There are three pre-defined profiles, simple, standard, and restricted:

  • simple allows read access from everywhere and write access only from localhost or other local interfaces.
  • standard allows read access from everywhere and write access only for authenticated users of the “manager” role.
  • restricted allows access only for authenticated users.

By default, Marmotta will use the simple profile, allowing write access only from localhost. If you want to change the profile, you can set the configuration property security.profile to standard, e.g. via the configuration interface in “Core Services” or “Security”. If your instance is running on a remote server, you can e.g. log in using SSH and run the following command:

curl -X POST -H "Content-Type: application/json" -d '["standard"]' http://<HOST>:<PORT>/marmotta/config/data/security.profile

Afterwards, you can log in with the default admin user and password (“admin” and “pass123”). Needless to say you should change this password.

Rules

The configuration is based on ACL rules such as:

security.{TYPE}.{NAME}.pattern = {PATTERN}
security.{TYPE}.{NAME}.methods = {METHOD}
security.{TYPE}.{NAME}.priority = {PRIORITY}

Where:

  • {TYPE} is the type of control, which can be permission, granting access to the requests matching this rule, or restriction, denying it.
  • {NAME} is an arbitrary label for naming the rule, which should be unique in combination with the type.
  • {PATTERN} is the regular expression pattern which this rule matches.
  • {METHOD} is the HTTP method this rule applies to (HEAD, OPTIONS, GET, POST, PUT or DELETE). If the rule applies to more than one method, you can either list all methods separated by commas or add an additional property line for each method; both options are valid.
  • {PRIORITY} is the priority of this rule in the access control list.

The system evaluates the rules in order of priority and allows or rejects a request whenever a rule matches it. The administration user interface provides an overview page showing the status of the rules currently applied to the system.
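To make the rule format and its evaluation concrete, here is an added example (not Marmotta's own code) that parses property lines of the security.{TYPE}.{NAME}.* form and evaluates requests against them. The sample configuration is constructed for illustration rather than taken from the shipped defaults, and two points the page leaves open are treated as assumptions: a lower priority number is evaluated first, and the first matching rule decides (with a deny fallback when nothing matches).

```python
import re

# Constructed sample configuration in the security.{TYPE}.{NAME}.* form.
# These are illustrative rules, not Marmotta's shipped defaults. Note that
# the restriction lists its methods across two property lines, which the
# page says is equivalent to one comma-separated line.
SAMPLE_CONFIG = """
security.permission.public_read.pattern = /marmotta/.*
security.permission.public_read.methods = GET,HEAD,OPTIONS
security.permission.public_read.priority = 10
security.restriction.no_config_write.pattern = /marmotta/config/.*
security.restriction.no_config_write.methods = POST
security.restriction.no_config_write.methods = PUT,DELETE
security.restriction.no_config_write.priority = 1
"""

LINE_RE = re.compile(
    r"^security\.(permission|restriction)\.([^.]+)\.(pattern|methods|priority)\s*=\s*(.*)$"
)


def parse_rules(text):
    """Group property lines by (type, name); methods accumulate across lines."""
    rules = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank line or a property outside the rule namespace
        rtype, name, key, value = m.groups()
        rule = rules.setdefault((rtype, name), {"type": rtype, "name": name, "methods": set()})
        if key == "methods":
            rule["methods"].update(v.strip().upper() for v in value.split(",") if v.strip())
        elif key == "priority":
            rule["priority"] = int(value)
        else:
            # Assumption: the pattern must match the whole request path.
            rule["pattern"] = re.compile(value.strip())
    # Assumption: a lower priority number is evaluated first.
    return sorted(rules.values(), key=lambda r: r["priority"])


def evaluate(rules, method, path, default=False):
    """Walk the rules in priority order; the first match decides (assumption)."""
    for rule in rules:
        if method.upper() in rule["methods"] and rule["pattern"].fullmatch(path):
            return rule["type"] == "permission"
    return default  # no rule matched: deny unless the caller chooses otherwise
```

With this configuration a GET on /marmotta/config/data/security.profile is permitted by the lower-priority read rule, while a POST to the same path is rejected by the restriction that is evaluated first.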