Federated SELECT with nesting leads to write permission error

[holycrab13]

This query gives an error, where no writing should occur:

PREFIX rdfs:   <http://www.w3.org/2000/01/rdf-schema#>
PREFIX rdf:    <http://www.w3.org/1999/02/22-rdf-syntax-ns#>
PREFIX dcat:   <http://www.w3.org/ns/dcat#>
PREFIX dct:    <http://purl.org/dc/terms/>
PREFIX dcv: <https://dataid.dbpedia.org/databus-cv#>
PREFIX databus: <https://dataid.dbpedia.org/databus#>
SELECT DISTINCT * WHERE
{
    SERVICE <https://databus.dbpedia.org/sparql>
    {
        ?distribution databus:file ?file .
        {
            SELECT ?version { 
                ?ds databus:group <https://databus.dbpedia.org/dbpedia/mappings> . 
                ?ds dct:hasVersion ?version . 
            } 
        }
    }
}

Error:
Virtuoso RDF02 Error SR619: SPARUL LOAD SERVICE DATA access denied: database user 107 (SPARQL) has no write permission on graph https://databus.dbpedia.org/sparql

However, omitting the ?distribution databus:file ?file . in the above query makes it work.
I am using the docker image pkleef/virtuoso-opensource-7:latest which includes the fix for #571

[HughWilliams]

Can you confirm the SPARQL_LOAD_SERVICE_DATA role is enabled on the Virtuoso host running the SPARQL query, as detailed in the post?

BTW, the fix for #571 should be in the latest stable/7 and docker release from May 2023 (and more recent) and I would suggest upgrading to the latest release, as anything under the pkleef docker account is liable to be updated or removed without notice.

[holycrab13]

SPARQL user has

• SPARQL_SELECT
• SPARQL_SPONGE
• SPARQL_SELECT_FED
• SPARQL_LOAD_SERVICE_DATA

I will update to latest stable/7 then and check if the issue persists.
EDIT: Still happening on openlink/virtuoso-opensource-7:latest

Most federated queries work fine, e.g.

PREFIX rdfs:   <http://www.w3.org/2000/01/rdf-schema#>
PREFIX rdf:    <http://www.w3.org/1999/02/22-rdf-syntax-ns#>
PREFIX dcat:   <http://www.w3.org/ns/dcat#>
PREFIX dct:    <http://purl.org/dc/terms/>
PREFIX dcv: <https://dataid.dbpedia.org/databus-cv#>
PREFIX databus: <https://dataid.dbpedia.org/databus#>
SELECT DISTINCT * WHERE
{
    SERVICE <https://databus.dbpedia.org/sparql>
    {
        SELECT ?version { 
            ?ds databus:group <https://databus.dbpedia.org/dbpedia/mappings> . 
            ?ds dct:hasVersion ?version . 
        } 
    }
}

The combination of nested select and a triple statement fails.

[pkleef]

Depending on the complexity of the SERVICE query you want to perform, Virtuoso wants to probe the remote endpoint to see if it supports certain SPARQL language constructions which it then uses to optimize running the subquery on the remote endpoint. It stores this fingerprint in its internal metadata so subsequent SERVICE queries can be generated faster.

I suggest you run the following line with the iSQL tool on your existing docker database:

SPARQL LOAD SERVICE <https://databus.dbpedia.org/sparql> DATA
;

I suggest you add these lines to one of the startup scripts you have in your initdb.d directory, which are run when creating a new database.

You can then comment out the line that adds the SPARQL_LOAD_SERVICE_DATA role to your SPARQL user.