AllegroGraph Enterprise Security and Management

Franz AllegroGraph v4 represents the first Semantic Technology Database with OLTP, ACID compliance and Enterprise Management functionality. AllegroGraph Enterprise Security and Management (ESM) provides the mission critical functionality that organizations need to support 24/7/365 operations. AllegroGraph has received a Certificate of Networthiness for the product to run on the Department of Defense .mil network.

This document gives an overview of security in AllegroGraph. See Security Implementation for implementation details.

AllegroGraph ESM includes the following:

Transport Layer Security

Access to an AllegroGraph database server can be obtained via AllegroGraph’s RESTful interface (for HTTP and HTTPS clients), through AllegroGraph’s built-in web interface – AGWebView, through a Lisp client application, or with other clients such as Java and Python.

All client network access to AllegroGraph occurs through the product's HTTP and HTTPS RESTful interfaces. The AllegroGraph interface, and RESTful interfaces in general, are remarkable in that they are by definition client-server, stateless, cacheable and provide a uniform interface identifying system resources in the client request.

AllegroGraph clients can connect directly to the server via HTTP, sending and receiving clear text. AllegroGraph clients also have the ability to send and receive encrypted requests.

Connections using SSL

An AllegroGraph session can be established over Secure Sockets Layer (SSL). AllegroGraph supports TLS versions 1.0, 1.1, and 1.2.

Several AllegroGraph configuration options relate to SSL. See the Top-level directives for SSL client certificate authentication section in Server Configuration and Control document. See also the SSL/TLS Quickstart document.

AllegroGraph utilizes FIPS 140-2 compliant encryption for data in transit. Reference http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf.

X.509 Certificates

The server provides an X.509 certificate to the client during the SSL/TLS handshake when the connection is established. Therefore the client can check the contents of the certificate if desired.
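The paragraphs above leave the client side of the handshake to the reader: which TLS version the client will accept, and what it does with the certificate the server presents. The following is an added example, not code from the AllegroGraph product or its documentation. It uses only the Python standard library's ssl module: the client context pins the floor at TLS 1.2 even though the server also offers 1.0 and 1.1, and a checker inspects the certificate dictionary that getpeercert() returns (DNS names, validity window, and optionally the issuing CA). The host name, port, issuer name and the SAMPLE_CERT dictionary are constructed for the example; the port is whatever the server is configured to listen on.

```python
import socket
import ssl
import time
from typing import Dict, List, Optional

# Constructed sample of the dictionary ssl.SSLSocket.getpeercert() returns for
# a hypothetical AllegroGraph server certificate; every value here is made up.
SAMPLE_CERT: Dict = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Org"),),
        (("commonName", "ag.example.internal"),),
    ),
    "issuer": ((("organizationName", "Example Internal CA"),),),
    "subjectAltName": (
        ("DNS", "ag.example.internal"),
        ("DNS", "*.ag.example.internal"),
    ),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2099 GMT",
}


def make_client_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """Client-side TLS settings for the AllegroGraph HTTPS interface.

    The server accepts TLS 1.0 through 1.2; a client that only negotiates
    1.2 or later and requires a trusted, hostname-matching certificate
    never uses the weaker versions, whatever the server allows."""
    ctx = ssl.create_default_context(cafile=ca_file)  # ca_file: private CA bundle, if any
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def _rdn_dict(rdns) -> Dict[str, str]:
    """Flatten the nested RDN tuples of a getpeercert() subject or issuer."""
    return {key: value for rdn in rdns for key, value in rdn}


def dns_names(cert: Dict) -> List[str]:
    """DNS names the certificate claims: SAN entries, else the subject CN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        cn = _rdn_dict(cert.get("subject", ())).get("commonName")
        if cn:
            names.append(cn)
    return names


def name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a single-label wildcard such as *.ag.example.internal."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".ag.example.internal"
        prefix = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
        return bool(prefix) and "." not in prefix  # wildcard covers one label only
    return False


def check_certificate(cert: Dict, hostname: str,
                      expected_issuer: Optional[str] = None,
                      now: Optional[float] = None) -> List[str]:
    """Return the problems found with the presented certificate; empty means OK."""
    problems: List[str] = []
    now = time.time() if now is None else now
    if not any(name_matches(n, hostname) for n in dns_names(cert)):
        problems.append(f"no DNS name in certificate matches {hostname!r}")
    if ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        problems.append("certificate is not yet valid")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("certificate has expired")
    if expected_issuer is not None:  # optional pin to the organization's own CA
        issuer = _rdn_dict(cert.get("issuer", ())).get("organizationName")
        if issuer != expected_issuer:
            problems.append(f"unexpected issuer {issuer!r}")
    return problems


def connect_and_check(host: str, port: int, ca_file: Optional[str] = None,
                      expected_issuer: Optional[str] = None) -> Dict:
    """Open a TLS connection to the server, apply the checks above to the
    peer certificate, and return it. Needs a live server, so not run offline."""
    ctx = make_client_context(ca_file)
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()  # chain and hostname already verified by ctx
            problems = check_certificate(cert, host, expected_issuer)
            if problems:
                raise ssl.SSLCertVerificationError("; ".join(problems))
            return cert
```

The context alone already rejects untrusted chains and mismatched host names during wrap_socket; check_certificate adds the parts the paragraph leaves to the client, such as pinning the expected issuer, and can be run against any getpeercert() result, which is why the constructed SAMPLE_CERT is enough to exercise it without a server.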

Encryption At Rest

To enable data-at-rest encryption with AllegroGraph we recommend using a third party tool such as Linux LUKS disk encryption.

If running AllegroGraph using a cloud service provider, we recommend using the provider's disk encryption mechanism (such as EBS encryption on AWS). Google Cloud Services encrypts storage volumes by default.

External authentication

AllegroGraph supports using LDAP (Lightweight Directory Access Protocol, see this Wikipedia entry) for external authentication. All user data (permissions, etc.) is stored locally, so in order to authenticate a user externally, a user with the same name must already exist on the given AllegroGraph server. See the Managing Users document for information about creating and managing users.

Use of LDAP is enabled with several configuration directives described here in the Server Configuration and Control document.

Note that external authentication refers only to support for an external user password database, so the other AllegroGraph authentication methods (tokens, certificates, etc.) are not affected when the authentication policy is set to external-only.

Management Access Control

AGWebView provides a GUI management and data access interface to AllegroGraph, as we describe in Security Implementation. The web-browser based interface allows the system administrator to manage access control to individual repositories, maintain users and roles, and control the Warm Standby and Replication interfaces.

Configuration of Repositories and Catalogs

Repositories are effectively managed through AGWebView. Control over placement of the catalogs and server settings is managed during initial server configuration.

Management of JavaScript and Lisp Stored Procedures

Both JavaScript and Lisp stored procedures are supported. The user manages stored procedures through AGWebView.

User Management

The system administrator is given fine-grained control over creation and management of users, passwords and roles through the AGWebView interface.

There are several predefined user permissions, including Superuser, Start Sessions, Eval (stored procedures) and (control) Replication.

For each user and role, the administrator can manage these permissions and repository access. Access can be granted to specific repositories in specific catalogs, all repositories in a catalog, or all repositories in the server.

Programmatic System Management

All the management functions of the product are exposed via HTTP, Java, Python, Lisp and others. Organizations can take advantage of AGWebView or provide their own custom interface to AllegroGraph security and management.

Summary:

Manage User Permissions and Access Rights

Administrative Functionality

Triple Level Security

As RDF stores become more entrenched in enterprise applications, increased security and fine-grained data access control is required. To support this, AllegroGraph supports statement-level Security Filters, which are described in the Security Filters section of Security Implementation.

With Security Filters the system administrator is able to grant user access to the entire repository, or restrict access to a limited and filtered view of a repository.

Security Filters can be applied to individual repositories for all add/delete/query operations, per user and per role. You specify which values of the subject, predicate, object, or graph should be allowed or disallowed and then query responses are filtered appropriately, and attempts to add or delete filtered triples fail.
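The description above gives the shape of statement-level filtering: allow or disallow rules on the subject, predicate, object or graph position, attached per user and per role to a repository, applied to queries as well as to adds and deletes. The following is an added toy model of that behaviour written for this page; it is not AllegroGraph's implementation and does not use its API. The combination rule it assumes (a statement matching any disallow rule is hidden; when allow rules exist the statement must match at least one of them) is an assumption of the model, as are the example users, roles, graph names and statements, which are all constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A statement is (subject, predicate, object, graph); a pattern uses None as a wildcard.
Statement = Tuple[str, str, str, str]
Pattern = Tuple[Optional[str], Optional[str], Optional[str], Optional[str]]


def matches_pattern(st: Statement, pattern: Pattern) -> bool:
    return all(want is None or want == actual for want, actual in zip(pattern, st))


class FilterDenied(PermissionError):
    """Raised when an add or delete touches a statement the caller may not see."""


@dataclass(frozen=True)
class SecurityFilter:
    """One allow or disallow rule; a None position matches any value."""
    kind: str  # "allow" or "disallow"
    subject: Optional[str] = None
    predicate: Optional[str] = None
    object: Optional[str] = None
    graph: Optional[str] = None

    def matches(self, st: Statement) -> bool:
        return matches_pattern(st, (self.subject, self.predicate, self.object, self.graph))


@dataclass
class Principal:
    name: str
    roles: List[str] = field(default_factory=list)


class Repository:
    def __init__(self) -> None:
        self._statements: List[Statement] = []
        self._user_filters: Dict[str, List[SecurityFilter]] = {}
        self._role_filters: Dict[str, List[SecurityFilter]] = {}

    # Administration: filters are attached to this repository per user and per role.
    def add_user_filter(self, user: str, f: SecurityFilter) -> None:
        self._user_filters.setdefault(user, []).append(f)

    def add_role_filter(self, role: str, f: SecurityFilter) -> None:
        self._role_filters.setdefault(role, []).append(f)

    def effective_filters(self, p: Principal) -> List[SecurityFilter]:
        filters = list(self._user_filters.get(p.name, []))
        for role in p.roles:
            filters.extend(self._role_filters.get(role, []))
        return filters

    def visible(self, p: Principal, st: Statement) -> bool:
        """Assumed combination rule: any matching disallow hides the statement;
        if any allow rules exist, at least one must match."""
        filters = self.effective_filters(p)
        if any(f.kind == "disallow" and f.matches(st) for f in filters):
            return False
        allows = [f for f in filters if f.kind == "allow"]
        return not allows or any(f.matches(st) for f in allows)

    # Data access: add, delete and query all pass through the same visibility test.
    def add(self, p: Principal, st: Statement) -> None:
        if not self.visible(p, st):
            raise FilterDenied(f"{p.name} may not add {st}")
        if st not in self._statements:
            self._statements.append(st)

    def delete(self, p: Principal, st: Statement) -> None:
        if not self.visible(p, st):
            raise FilterDenied(f"{p.name} may not delete {st}")
        if st in self._statements:
            self._statements.remove(st)

    def query(self, p: Principal, subject: Optional[str] = None, predicate: Optional[str] = None,
              object: Optional[str] = None, graph: Optional[str] = None) -> List[Statement]:
        pattern: Pattern = (subject, predicate, object, graph)
        return [st for st in self._statements
                if matches_pattern(st, pattern) and self.visible(p, st)]


# Constructed sample data: two public statements, one finance, one HR.
DEMO_STATEMENTS: List[Statement] = [
    ("ex:alice", "ex:worksFor", "ex:acme", "ex:public"),
    ("ex:acme", "ex:locatedIn", "ex:berlin", "ex:public"),
    ("ex:acme", "ex:revenue", '"42000000"', "ex:finance"),
    ("ex:bob", "ex:salary", '"90000"', "ex:hr"),
]


def build_demo() -> Tuple[Repository, Principal, Principal]:
    repo = Repository()
    admin = Principal("admin")  # no filters attached: sees the whole repository
    alice = Principal("alice", roles=["analyst"])
    for st in DEMO_STATEMENTS:
        repo.add(admin, st)
    # Role-level rule: analysts never see the HR graph.
    repo.add_role_filter("analyst", SecurityFilter("disallow", graph="ex:hr"))
    # User-level rules: alice is limited to the public and finance graphs.
    repo.add_user_filter("alice", SecurityFilter("allow", graph="ex:public"))
    repo.add_user_filter("alice", SecurityFilter("allow", graph="ex:finance"))
    return repo, admin, alice
```

Running build_demo() and querying as alice returns three statements and never the HR one, even when the query asks for graph "ex:hr" explicitly; an add or delete by alice against the HR graph, or against a graph that none of her allow rules cover, raises FilterDenied while the administrator's view of the repository stays unchanged.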

Key Security Filter Features: