Page History

...

• published---all resource instances and user records visible to the public, and all relevant ontologies and metadata.
• published-resources ---just resource instances visible to the public, and all relevant ontologies and metadata.
• metadata---all named graphs of type Metadata visible to the authenticated user.
• ontology---all named graphs of type Ontology visible to the authenticated user
• metadata+ontology---all named graphs of types Metadata and Ontology visible to the authenticated user
• null---all statements in the internal RDF database regardless of named graph. Administrators only.NOTE: This is the ONLY way to see any statements that do not belong to any named graph, i.e. the "null context" in Sesame. If we are lucky this will be a small or empty set.
• user--- those graphs which that the current user has permission to read.
• user-resources--- the graphs containing or related to eagle-i resources which that the current user has permission to read. Note that the graph containing instances of repository users (i.e. user,s of type foaf:Person) is , ironically, NOT part of this data set, since they are not eagle-i resources.
• public---all graphs which that are visible to the public, i.e. to the anonymous user, plus inferred statements. Note that this is not the same thing same  as 'published'.
• all---all named graphs including the ones internal to the repository; administrators only.

...

See the RDF Semantics page for an overview of the greater body of inference rules (of which we implement only implement a small subset). The repository implements two different kinds of inferencing:

1. "TBox" inferencing:
   • TBox is the terminology source, i.e. the ontology graphs.
   • It consists of named graphs whose type is ontology.
   • Upon * any change to a TBox graph, inferencing is redone on the entire graph, and on all the ABox graphs.
   • All inferred TBox statements are added as inferred statements directly to their TBox graph.
   • Inference is done independently on every TBox graph they are expected to be completely disjointed. Thus, there should only be one or two TBox graphs.
   • Following entailment rule rdfs11, all inferred rdfs:subClassOf relationships are created as direct statements.
   • Following entailment rule rdfs5, all inferred subPropertyOf relationships are created as direct statements.
   • Following entailment rule rdfs9, all inferred rdf:type properties are added.
2. " ABox"   inferencing:
   • ABox is the body of assertions, i.e. the statements about resource instances.
   • All non-TBox named graphs are part of the ABox.
   • All statements created from inference on ABox statements are added to a special named graph, http://eagle-i.org/ont/repo/1.0/NG_Inferred.;
     • This makes it easy to include or exclude the inferred statements in the dataset of SPARQL query
     • You can detect whether or not a statement is inferred by adding a GRAPH keyword to the query and testing its home graph.
   • Any change to a TBox graph only causes re-inferencing of the subject of each statement where a named instance was changed. This is possible because the inferred statements only depend on the asserted rdf:type properties of a a subject and the TBox graphs.
   • Following entailment rule rdfs9, all inferred rdf:type properties are added to the graph for inferred statements.

...

This inferencing scheme ensures very fast performance by assuming the TBox graphs never change under normal operations, which ought to be true. The data model ontology graph is only modified when a new version of the ontology is released. Likewise, the repository's internal ontology graph remains unchanged once the repository is installed. When the TBox graphs are changed, be aware that you will probably see a delay of many seconds or perhaps minutes, as all the TBox and ABox inferencing is re-done.

Inferred statements are not normally written when an entire graph is dumped. See the /graph service for details.

...

The RDBMS description of a user contains:

1. Username---*Present present in RDF as well, this is the common key. Since it is the permanent description of a user this is is  *immutable.
2. Password---Only only in RDBMS.
3. Membership in Superuser role. No other roles.

The RDF description of a user contains:

1. Username of the corresponding RDBMS user.
2. Roles including Superuser if present in RDBMS
3. Various descriptive and provenance metadata.

...

When a user is present in the RDBMS but not in the RDF, they are considered undocumented. Upon loginlogging in, an undocumented user is given the URI corresponding to his/her highest known role:
:Role_Superuser if the RDBMS indicates that role, or :Role_Anonymous otherwise. (Arguably, the default role could also be :Role_Authenticated, but without RDF data for the user they are not fully authenticated, and this is incentive to fix the discrepancy.)

...

Each Role is independent of other Roles. Roles cannot be "nested". \   This is a necessary limitation that simplified the implementation considerably.

The Superuser role is built into the system because its privileges are hardcodedhard coded.

There are a couple of special Roles whose membership is implicit, that is, it never needs to be granted explicitly:

...

All of the servlet URLs in this interface except the public dissemination request (/i) require authentication. The dissemination request makes use of an authenticated user and roles when they are available, to access data that would be invisible to an anonymous request, but it is never required.

...

This is just an outline of the access control system. It is implemented as statements stored in the internal metadata graph. The access controls applying to an instance or other object are not to be directly visible in the repository API, except through administrative UI.

These types of access can be granted:

• Read---in context of named graph, allows the graph to be included in dataset of a query; for workflow transitions and hidden/contact property groups, this is the only relevant access grant.
• Add---add triples to a graph or instance.
• Remove---remove triples from a graph or instance.
• Admin---change the access controls on a resource. (Not really used in practice; only the Superuser role can change access.)

On the following types of * resources*:

• Named Graphs, including workspaces.
  • Read lets people download and run queries against the graph.
  • Add, Remove lets you modify it with /graph Usually reserved for admins.
• Resource Instances (ignores explicit Read access; that comes from it's home named graph.)
  • Add, Remove let you modify it with /update, this is usually granted temporarily to a specific user as part of the workflow process.
  • ignores Read grants, read access reverts to its home graph.
• Property Groups - sets of properties on a resource instance identified by statements in the data model ontology, see the data model configuration manual, particularly datamodel.hideProperty.predicate, datamodel.hideProperty.object.
  • Read lets the Dissemination and Harvest service report on these properties.
  • All other access types are ignored.
• Workflow Transitions
  • Read gives access to take (push) the transition.
  • All other access types are ignored.

...

The resource is the URI of the instance, named graph, or workflow transition of interest. The access-type names one of the four types of access described above: read, add, remove, admin. Finally, the accessor is the URI of the Principal to be granted the access, either a Role or an Agent (user).

...

• dcterms:modified---literal date of last modification, encoded as xsd:dateTime
• dcterms:contributor---the URI of the Agent (authenticated user) who last modified it
• dcterms:source---description of the file or URI last loaded into this NG, if that is how it was created.  This record is used to compare it against the source later to decide whether an update is necessary. It is a node (possibly blank node) with the following properties:
  • dcterms:identifier---the resolvable URI of the resource loaded, most likely a URL in either the file or http scheme.
  • dcterms:modified---last-modification date of the resource, for later comparison when deciding whether to decache the repository copy of an external file, a literal xsd:dateTime.
    Resource Instance:
  • dcterms:created---literal date when resource was created, encoded as xsd:dateTime
    • Set automatically by the Repository.
  • dcterms:creator---the URI of the Agent (should be an authorized user) who created the instance.
    • The true meaning is the user who authored the data in the inital version of this instance.
    • Usually, this is the same as the user directly responsible for creating the instance.
    • However, when a different user uploads, a spreadsheet created by other RNAVs, for example, the Repository user is a mediator. The actual value of dcterms:creator comes from the uploaded data.
  • (optional) dcterms:mediator---ONLY when dcterms:creator does not refer to the authenticated user who created the data, this is the URI of the Agent (authenticated user) who created this instance in the Repository.
    • Set automatically by the Repository.
  • dcterms:modified---literal date when resource was last modified, encoded as xsd:dateTime
    • Set automatically by the Repository.
  • dcterms:contributor---the URI of the Agent (authenticated user) who last modified this instance.
    • Set automatically by the Repository.

...

This section lists the formats that the repo repository can use for output and, in some cases, input, of data. The MIME type is how you describe it in the API, whether through explicit args or HTTP headers.

...

About HTML dissemination:
When the negotiated format is text/html, and unless either of the forceRDF or forceXML args was given, the dissemination process creates an intermediate XML document and transforms it into XHTML with the configured XSLT stylesheet. See description of the eaglei.repository.instance.xslt in the Repoistory Administrator Guide.

If no XSLT stylesheet is configured, the intermediate XML document is delivered instead, with a media content type of application/xml. Note that this means, to obtain correct XHTML output, you MUST configure an XSLT stylesheet.

...

There is also access control on some indivdual individual properties of the resource: those properties identified as hidden and contact properties by the data model ontology (and its configuration, see that separate document). The access controls on the resource URI configured as datamodel.hideProperty.object regulate hidden proertiesproperties, and datamodel.contactProperty.object regulates contact properties.

...

*URL:* {{/repository/update}} \[_/instance-ID_\] (POST only)

Args:
{{ uri---}}optional way to explicitly specify the complete URI, instead of assuming that the URI's namespace matches the hostname, context, and servlet path ("/i") of this webserver.
format---the default expected format for insert and delete graphs. If the args specify a content-type header, that overrides this value. Only recognizes triples even if the format supports quads.
action=(update|create|gettoken)---Update to modify an existing instance, create adds a new one. See below for details about gettoken.
token=uri---When action is update or create, this must be supplied. The value is the URI returned by the last gettoken request.
workspace=uri---choose workspace named graph where new instance is created. Only necessary when action=create. Optional, default is the default workspace. DO NOT specify a workspace when action=update.
delete---graph of statements to remove from the instance; subject must be the instance URI. Deletes are done before inserts. Graph may include wildcard URIs in predicate and/or object to match all values in that part of a statement.
insert---graph of statements to add to instance; subject must be the instance URI.
bypassSanity---(boolean, default false, deprecated) NOTE: It is best if you pretend this option does not exist. When true, it skips some of the sanity tests on the resulting instance graph, mostly the ones checking the integrity of Embedded instances. Requires Administrator privilege. This was added to make the data migration from broken old EI data possible, it should rarely if ever be needed.

...

Request must include either the name argument or all.

URL: /repository/graph (GET)

Args:
format---output serialization format, overrides what HTTP content negotiation would decide.
name=URI---ps Name of graph to dump - mutually exclusive with all.
all---dumps all (accessible) graphs. Format must be one that encodes quads, e.g. TriG or TriX, or an error will occur.
inferred---include inferred statements as well. By default they are left out. This argument does not need a value, it is boolean so just including its name as a query arg will assert it. (SEE WARNING BELOW)

...

 text/rdf+n3; charset="ISO-8859-1"

. The character set defaults to Unicode UTF-8, so if your source data is not in that character set you must declare it. This can be provided in several different places,they are searched in this order of priority, and the first one found is the only one considered:

...

Args:
name=named-graph-URI---Required required name of the affected graph. Mutually excluseive exclusive with all.
all---loads serialized data into all (accessible) graphs. Format must be one that encodes quads, e.g. TriG or TriX.
action=(add|replace|delete)---Requiredrequired, determines whether new statements are added to existing contents of the graph, replace the contents, or are deleted from teh the graph.
format---MIME type input serialization format, overrides the Content-Type in HTTP protocol.
type=(metadata|ontology|workspace|internal|published)---Keyword keyword representing the type of content in this named graph.
label=text---value for rdfs:label property of the named graph, which appears as its title.
content=---The immediate content of serialized RDF to load into the graph. ONLY used when method is POST, but then it is required.
source=string---The file or URL to record as the source of the data being ingested into the graph. Only applies to add and replace actions. Overrides any filename specified with the content, which would otherwise be recorded as the source identifier. It is recorded as the dcterms:identifier property of the dcterms:source node in the metadata.
sourceModified=dateTimeStamp---last-modified time for the source of data being ingested. Value must be parsed as XSD date-time expression. It is recorded as the dcterms:modified property of the dcterms:source node in the metadata.

Result:
HTTP status indicates success.

Access:
If the graph already exists, requires add access (and remove access action is replace or delete). If there is no existing graph by that name, only the administrator can create a new one. For multi-graph (all) load, requires superuser access.

Logout (/logout)

Destroys any lingering session state and credentials for the current user. Users of shared or public computers need a way to positively end a session so that subsequent users do not get their access to the repository.

NOTE: Beware of this if you are using a Web browser to access the repository . The repository uses HTTP Basic Authentication to identify users. Most web browsers cache the last Basic Authentication credentials for a site and don't offer an easy way to clear it.

For Mozilla Firefox 3, try the Web Developer add-on, and select Miscellaneous->Clear > Clear Private Data->HTTP > HTTP Authentication from its menusmenu.

URL: /repository/logout (POST only)

Args: none.

Result:
HTTP status indicates success. Succeeds even if there was no session to destroy.

Access:
Requires a login and established session.

...

Check or Load Data Model Ontology (/

...

model)

...

- Admin Only

This service either

Destroys any lingering session state and credentials for the current user. Users of shared or public computers need a way to positively end a session so that subsequent users do not get their access to the repository.

NOTE: Beware of this if you are using a Web browser to access the repository The repository uses HTTP Basic Authentication to identify users. Most web browsers cache the last Basic Authentication credentials for a site and don't offer an easy way to clear it.

For Mozilla Firefox 3, try the Web Developer add-on, and select Miscellaneous-> Clear Private Data-> HTTP Authentication from its menu.

URL: /repository/logout (POST only)

Args: none.

Result:
HTTP status indicates success. Succeeds even if there was no session to destroy.

Access:
Requires a login and established session.

Check or Load Data Model Ontology (/model) - Admin Only

This service either reports on or loads the Data Model Ontology. The GET request returns a report of the version of the ontology loaded, and the version that is available to be automatically loaded from within the repository's codebase. The POST request give a choice of selective update or forcibly replacing the ontology.

...

This service is intended for repository internal maintenance and testing procedures ONLY. If{ you are planning to use it in a user application, you are very likely making a bad mistake. Its API is unstable and will probably change without any notice.

GET Method:

name=uri - optional, URI of the internal graph to report on, default is to list all known intenral graphs.
  format=mimetype - optional, default is negotiated, must be tuple query result format.

Result is a tabular query response with teh the following columns:

1. name--- URI of the graph
2. loaded---version of initializer that was loaded, if any
3. available---version of initializer that is avaialble and would be loaded.

...

The set of properties returned when detail=full is automatically filtered to remove hidden and contact properties as dictated by the access privileges of the user making the request. The filtering follows the same access-control rules as the Dissemination service.

URL: /harvest; (GET or POST method)

...

URL: /emailContact (POST method only)
Args:
uri=subject-URI---required
client_ip=IP addr---required
from_name=personal name---required
from_email=mailbox---required
{{ subject=text
{{ message=text
test_mode---default false, true if present.

Sends an email message to the designated contacts for the resource identified by URI. The exact rules for determining that contact address have not been formally specified yet. When a contact cannot be determined, the mail is sent to the configured postmaster for the repository. See the Admin Repository Administrator Guide for details about configuring that and the rest of the e-mail service.

...

/repository/workflow/transitions

Method: GET or POST
Args:
workspace=URI---restrict results to transitions applying to given workspace (includes wildcards). Default is to list all.
format=mime---type of result.

...

• self---those claimed by current user
• all---instances claimed by anyone
• none---includes no claimed resources. Default is self. Note that the combination unclaimed=false and owner=none is illegal.
workspace=URI---restrict results to resources in a given workspace; optional, default is all available worksaces.
  format=mime---type of result, one of the SPARQL query formats.
  detail=(brief|full)---columns to include in results, see description below.
  addPattern=SPARQL-text---add this triple pattern to SPARQL query. May refer to variables as described below. Value is a literal hunk of triple pattern ready to be inserted into the patterns of a SELECT query. It may refer to the result variables mentioned below, e.g. ?r_type.
  addResults=query-variable..---add these variables to results columns. value is expected to be a space-separated series of query variables (which must appear in the triple pattern), e.g. "?lab ?labname"
  addModifiers=modifiers..---add a SPARQL modifiers modifier clause to the query. Modifers include ORDER BY, LIMIT, and OFFSET and can be used to implement pagination.

...

/repository/admin/updateUser

Method: POST
Args:
username=text---account name to change, only not required for create
only_password=(boolean)---do not process changes to user metadata, just update password
password---new password
password_confirm---must match new password
old_password---current (old) password, required for non-admin user
first---first name of person (metadata)
last---last name of person (metadata)
mailbox---email address of person
role---URI of role to add to user, may be multiple; when specified, this list of roles replaces the user's current roles.

...

Method: POST
Args:
action= create | update | delete}}---(keyword)
uri = URI---required except for create, identifies the role role
uri=URI--subject to release
{{label=text}}---required to create
comment=text (---description)
initial= URI of initial state (required to create)
final=URI of final state (required to create)
tAction=java class of transition action provider
tActionParameter* = text or URI param to pass to action method
order= sorting key, usually a decimal integer

Update Named Graph

/repository/admin/updateNamedGraph

Method: POST
Args:
uri*=URI names the graph or context
label=text
type=URI of a NamedGraph Type

...

• Interactive SPARQL query workbench (all auththenticated users).
• List Named Graphs with the option to edit their descriptive metadata and ACLs.
  • Note that new Named Graphs are only added with the /graph service.
• List, add, delete, and modify access Roles - edit the metadata of each Role.
• List, add, and modify User login accounts:
  • Display and change membership in roles.
  • Edit user metadata and change password.
  • Disable a user from logging in at all, or reinstate disabled user.
• List, add, delete, and modify Workflow Transitions.
• Report versions of Data Model Ontology: loaded, and available.
• Get a list of Published Resources. This is handy for troubleshooting (all users).

Search Engine Control

• {{/robots.txt}---direct robots to a site map, warn them away from other pages.
• site maps---HTML and XML site maps to direct crawlers to pages we want them to index.