ONTOTEXT ANSWER:
GraphDB has a fairly versatile suite of authentication and authorization providers. When it comes to authentication, essentially, there are three providers:
- Basic authentication – the username and password are provided plainly in the URL. For example, https://user:password@graphdb.com/. This is a very easy workaround for small tests. However, it does not scale and presents a very big security risk.
- Local authentication with JWT – the REST API for authentication is activated. The user gives their details and a Java Web Token (JWT) is generated for them, if they are present in the local database. This uses the GraphDB API.
- Remote authentication with JWT (Single Sign On) – the REST API for authentication is disabled. The user gives their details and a Java Web Token (JWT) is generated for them, if they are present in the remote security provider. This uses the remote security provider API. There are two options:
- OIDC-compliant providers such as FusionAuth and Keycloak
- Kerberos
However, authentication is only part of the problem. GraphDB employs Role-based access control (RBAC) to determine the access rights of its users. Essentially, it can use one of two authorization providers for this:
- Local security – the default. Users are created locally and their permissions are assigned via the Ontotext API. Their passwords are encrypted and stored at the local filesystem. This is great for development and prototyping, but hard to scale.
- SSO – the users are managed and stored at the remote security provider and the remote security provider is used for this. There are two SSO providers:
- LDAP – in this case, the security configuration is provided by filters within the properties file. Users are managed by your LDAP provider. You can use other providers utilizing the LDAP protocol, e.g., Active Directory.
- Oauth – in this case, access is granted according to the roles of the users. For example, a user must have the role READ_REPO_TEST to have read access over the repository “test”.
Here’s the compatibility matrix for our security providers.
| Provider | Local | LDAP | Oauth |
|---|---|---|---|
| Basic | Yes | Yes | No |
| Local | Yes | Yes | No |
| OIDC | Yes | Yes | Yes |
| Kerberos | Yes | Yes | No |
This means that in order to use Oauth as your single sign on, you are restricted to Open ID connect. However, in this case, the GraphDB Security API is disabled and only the UI access via the Workbench remains. For automated access to the database, this gives you two approaches:
- Log in via the workbench and intercept the JWT from your “Authorization” header by using the developer console, or a more sophisticated automated tool. This is obviously not scalable, but might be the best solution for manual testing and exploration.
- Log in via your SSO of choice’s API and using the JWT it has provided for further authentication requests.
Alternatively, if you really want to use GraphDB’s security API for your scripts, you can switch to using the Local or LDAP authorization providers.
Article's content
GraphDB Users Ask: Where Can We Deploy GraphDB And What Are Some Best Practices?
In this blog, we answer questions from our GraphDB users. This question is about where can one deploy GraphDB and what are some best practices
GraphDB Users Ask: What Isolation Levels Does GraphDB Support?
In this blog, we answer questions from our GraphDB users. This question is about the the isolation levels GraphDB supports..
GraphDB Users Ask: What is the Most Important Hardware Attribute for Optimizing GraphDB Performance?
In this blog, we answer questions from our GraphDB users. This question is about the most important hardware attribute for optimizing GraphDB performance.
GraphDB Users Ask: What is the Best Way to Store the Triples’ History in the Database?
In this blog, we answer questions from our GraphDB users. This question is about the best way to store the triples’ history in the database
GraphDB Users Ask: Can I Use Nested Repositories to Introduce Logical Separation to GraphDB?
In this blog, we answer questions from our GraphDB users. This question is about using nested repositories to introduce logical separation to GraphDB
GraphDB Users Ask: Can I Fine-tune Security on Some of the Endpoints in GraphDB?
In this blog, we answer questions from our GraphDB users. This question is about fine-tuning securing on a GraphDB endpoint.
GraphDB Users Ask: What Are the Different Ways to Deploy GraphDB?
In this blog, we answer questions from our GraphDB users. This question is about the different ways to deploy GraphDB.
GraphDB Users Ask: What is the best way to integrate JSON data in GraphDB?
In this blog, we answer questions from our GraphDB users. This question is about the best ways to integrate JSON data in GraphDB.
GraphDB Users Ask: How Does GraphDB’s Security Work, Especially for Automated APIs?
In this feature, we answer questions from our GraphDB users. This question is about how about GraphDB security workds, especially for Automated APIs
GraphDB Users Ask: Is Kafka Only Used for Exporting Data, or for Importing, or Can We Do Both?
In this feature, we answer questions from our GraphDB users. This question is about if Kafka is used only for exporting or importing data or we can use for both
GraphDB Users Ask: How Do I Change the Configuration of an Existing Connector?
In this feature, we answer questions from our GraphDB users. Today’s question is about how to change the configuration of connector if you’ve made a mistake when creating it
GraphDB Users Ask: Are There Any Administration Differences to Operating a Cluster on GraphDB 10?
In this feature, we answer questions from our GraphDB users. Today’s question is about whether there are administration differences to operating a cluster in GraphDB 10
GraphDB Users Ask: Can I Scale GraphDB?
In this feature, we answer questions from our GraphDB users. Today’s question is if one can scale GraphDB.
GraphDB Users Ask: Can I Change My Inference At Runtime?
In this feature, we answer questions from our GraphDB users. Today’s question is if one can change inference at runtime.
GraphDB Users Ask: How To Mark Statements In A Query As Explicit Or Implicit?
In this feature, we answer questions from our GraphDB users. Today’s question is about how to mark statements in a query as explicit or implicit.
GraphDB Users Ask: Can I Use the Standard Ontop Configurations?
In this feature, we answer questions from our GraphDB users. Today’s question is if one can use the standard Onotp configurations.
GraphDB Users Ask: Should I Use a SPARQL Repository or a HTTP Repository?
In this feature, we answer questions from our GraphDB users. Today’s question us whether to use a SPARQL Repository or a HTTP Repository.
GraphDB Users Ask: Do You Have Any Advice on the Log4j Vulnerability for Different Versions of GraphDB?
In this feature, we answer questions from our GraphDB users. Today’s question is about the Log4j vulnerability for different versions of GraphDB.
GraphDB Users Ask 12 Very Short Questions
In this feature, we answer questions from our GraphDB users. Today, we answer 12 very short question from GraphDB users.
GraphDB Users Ask: Which of the GraphDB Logs Do I Need to Monitor for Problems?
In this feature, we answer questions from our GraphDB users. Today’s question is about GraphDB logs and how to monitor for problems.
GraphDB Users Ask: Can You Help Me Optimize My Queries?
In this feature, we answer questions from our GraphDB users. Today’s question is about how users can optimize their queries.
GraphDB Users Ask: What’s the Difference Between SPARQL and FedX Federation?
In this feature, we answer questions from our GraphDB users. Today’s question is about the difference between SPARQL and FedX federation.
GraphDB Users Ask: What Does The “Insufficient Free Heap Memory” Error Mean?
In this feature, we answer questions from our GraphDB users. Today’s question is about what the “Insufficient Free Heap memory” error means.
GraphDB Users Ask: How To Optimize My Inference?
In this feature, we answer questions from our GraphDB users. Today’s question is about how to optimize inference.
GraphDB Users Ask: Is RDF-Star The Best Choice For Reification?
In this feature, we answer questions from our GraphDB users. Today’s question is about whether RDF-star is the best choice for reification.
GraphDB Users Ask: Can GraphDB Infer Data Based on Values From a Virtualized Repository?
In this feature, we answer questions from our GraphDB users. Today’s question is about if GraphDB’s inference works with virtualized repositories.
GraphDB Users Ask: How Does SHACL Work on GraphDB?
In this feature, we answer questions from our GraphDB users. Today’s question is about how SHACL works on GraphDB.
GraphDB Users Ask: Does GraphDB Support ABAC?
In this feature, we answer questions from our GraphDB users. Today’s question is about if GraphDB supports ABAC.
GraphDB Users Ask: Why Do I Get Errors About GraphDB Being “Unable to Find Valid Certification Path to Requested Target”?
In this feature, we answer questions from our GraphDB users. Today’s question is about getting errors about GraphDB being “unable to find valid certification path to requested target”.
GraphDB Users Ask: How Can I Break Up My Data to Control Access To It?
In this feature on our blog, we answer questions from our GraphDB users. Today’s question is about GraphDB security and access control.
GraphDB Users Ask: Why does My Import Start Really Fast But Then Starts Losing Speed After a While?
In this feature on our blog, we answer questions from our GraphDB users. Today’s question is about GraphDB import speed.
GraphDB Users Ask: Can You Help Me Understand The Built-in GraphDB Security?
In this feature on our blog, we answer questions from our GraphDB users. Today’s question is about GraphDB security.
GraphDB Users Ask: How Many Repositories Can I Have in GraphDB and How Can I Unite the Disparate Data Between Them?
In this feature, we answer questions from our GraphDB users. Today’s question is about the number of repos in GraphDB and accessing the data.
