Bogdan Roman
@bogdanromanx
with respect to the login, there are quite a few options on the table, but it depends on how you’d like to set it up
are you planning on using LDAP? or something different?
either way, I would recommend using Keycloak to mediate access between Nexus and your Identity Provider of choice (LDAP, FB, Google, Github etc.)
with respect to the Nexus configuration, it’s a matter of creating a realm pointing to the openid config discovery document and then granting the appropriate permissions
@MFSY, do we have any documentation on how to create shacl based schemas?
Bogdan Roman
@bogdanromanx
shacl based validation in Nexus is offered through the use of schemas; a schema is a resource in a project; you can have many schemas and they have the same lifecycle as any other resources
once you’ve created a schema, you can create resources that are constrained by that schema using the normal resource api: https://bluebrainnexus.io/docs/delta/api/current/kg-resources-api.html
validation happens when a resource is created or updated; if validation succeeds, the operation will succeed, otherwise the operation will be rejected by the system
mukul ashok joshi
@mukulajoshi_twitter
@bogdanromanx thanks! Really helpful pointers. Will get started on these and hopefully will be able to create/browse the data as a graph. Also how does the data go from Cassandra (write) to Elastic/Blazegraph (read)? Is that also done when the data is created? Or there is some other process for it? Thanks again
Bogdan Roman
@bogdanromanx
the system does that automatically; we call these processes projections
there’s some information on that here: https://bluebrainnexus.io/docs/delta/architecture.html#anatomy
the processes are controlled (configured) through the use of resources of type View
there are quite a few variations of these resources, explained here: https://bluebrainnexus.io/docs/delta/api/current/views/index.html
happy to be able to help

Is that also done when the data is created?

it’s done for each change in the system through asynchronous processes immediately after data is created, updated or deprecated

mukul ashok joshi
@mukulajoshi_twitter
@bogdanromanx thanks again for the detailed replies. These are really helpful insights!
Bogdan Roman
@bogdanromanx
👍
Paul Pawletta
@PaulPawletta
Hi everyone. Is there a better way to create resources against a schema apart from sending a "POST /v1/resources/{org_label}/{project_label}/{schema_id}"? I couldn't find any functionalities in Nexus Fusion or Nexus Forge. My use case would be e.g. that I have a pandas dataframe and I want to upload or validate it against the uploaded schema in Nexus Delta.
Alejandra Garcia Rojas M
@alegrm
@PaulPawletta you can use the Nexus Forge to convert a data frame to a Resource object in the Forge, and then you can validate the Resource with the Forge too, but notice that you need to configure the Forge Model to have access to the Shacl Model you want to validate that against. Check notebooks 7 and 11 in https://github.com/BlueBrain/nexus-forge/tree/master/examples/notebooks/getting-started, and the doc of the Forge configuration here https://nexus-forge.readthedocs.io/en/latest/interaction.html#forge
Paul Pawletta
@PaulPawletta
@alegrm Thank you! Notebook 11 was exactly what I was looking for.
Paul Pawletta
@PaulPawletta
Hi all. I'm running Nexus and Keycloak using docker swarm and I'm trying to set up ACLs for users. After creating a realm I'm able to create ACL for /org1 (still keeping all the rights for Anonymous at root - / ). Now when I try to modify the ACL at root using PATCH, I'm ending up removing all ACLs including Anonymous and the created ACLs for /org1. So I'm losing all the permissions to do anything inside Nexus. How should I modify the ACLs at root level?
Screenshot 2020-09-21 at 17.52.08.png
Didac
@umbreak
As soon as you replace the ACLs for /, the previous Anonymous ACLs get overridden, yes. So whenever you change the ACLs, make sure you set an identity that you can log in from.
Paul Pawletta
@PaulPawletta
This is the response I'm receiving from http://localhost/v1/acls/org1?ancestors=true&self=false
And I'm not able to create anything now with my users from group1 (AuthorizationFailed -
"reason": "The supplied authentication is not authorized to access this resource."). Can you see anything that is wrong with my created ACLs?
Paul Pawletta
@PaulPawletta
In Nexus-Web I can log in with my users from group1, but I lose all functionalities for reading and writing.
Didac
@umbreak
what do you get as a response from the identities endpoint when using your TOKEN?
curl -s -H "Authorization: Bearer $TOKEN" "https://{host}/v1/identities"
Paul Pawletta
@PaulPawletta
Screenshot 2020-09-22 at 14.53.58.png
Didac
@umbreak
as you can see, there is nothing like group1 in this list, and you set ACLs in / for group1
When you did the first PATCH on / you should have done it for the identity:
"realm": "nexusdev",
"subject": "user1"
Paul Pawletta
@PaulPawletta
Thanks @umbreak that works! I guess my error is then related to how I configure the groups in keycloak
Didac
@umbreak

Yes. I guess the groups are not linked to the users correctly. When dealing with groups you have 2 options:

  • Adding the group information directly into the token. This is the most performant option if you don’t have too many groups in the application. Otherwise don’t use it since the token is gonna get pretty big.
  • Using the /userinfo endpoint to fetch the group information.

I believe Keycloak supports both, but I’m not well aware of the details. If you need some help with keycloak I could probably ask someone else on the team to help you. Let us know.

Paul Pawletta
@PaulPawletta
Exactly. The problem was the missing group information. Now it works with group ACLs. Thanks @umbreak, we probably need help in the future for a proper production setup. For now I'm just playing :)
Paul Pawletta
@PaulPawletta

Hi everyone, we are planning on using BBN as a KG for our metadata at Charite Berlin. We envision a similar version to EBRAINS KG.
Right now, I'm looking for existing SHACL shapes that we could use and extend. I know about Neuroshapes, but it seems to me the metadata model for EBRAINS KG is closer to openMINDS v1. So my questions are:

  1. Are there any other SHACL constraints besides Neuroshapes? e.g. Does anyone know what is used by EBRAINS KG?
  2. How is Neuroshapes related to openMINDS?
  3. Specifically, is there a SHACL shape that resembles a dataset as defined by openMINDS?

Thanks!

Anna
@annakristinkaufmann

Hi Paul!

Thanks a lot for getting in touch!

Regarding your questions:

  1. and 2. Unfortunately, we don't know details about the EBRAINS data model. Maybe best to get in touch with them directly!

  3. Maybe have a look at the neuroshapes dataset schema: https://github.com/INCF/neuroshapes/blob/8f3ce6d1de892990bab4f36179300ba485341d80/shapes/neurosciencegraph/datashapes/core/dataset/schema.json which extends the neuroshapes minds schema: https://github.com/INCF/neuroshapes/blob/8f3ce6d1de892990bab4f36179300ba485341d80/shapes/neurosciencegraph/commons/minds/schema.json

niksub
@niksub
Hello. I'm trying to install nexus on minikube, but got error because file missing - 404 https://bluebrainnexus.io/docs/getting-started/running-nexus/minikube/kg.yaml
niksub
@niksub

@bogdanromanx

Hello. I'm trying to install nexus on minikube, but got error because file missing - 404 https://bluebrainnexus.io/docs/getting-started/running-nexus/minikube/kg.yaml

Bogdan Roman
@bogdanromanx
mukul ashok joshi
@mukulajoshi_twitter
Trying to use Nexus with manual build (outside docker). Using Nexus Release 1.4.2 for Delta and Nexus-Web. Have manually installed and started Cassandra, ElasticSearch, Blazegraph. Trying to use Keycloak both as Broker and Identity Provider with Client set to the Nexus-Web. Have created a Realm in Delta using the Delta API with OpenIDConfig of the Realm created in Keycloak. And then started Nexus-Web with API Endpoint of Delta API. When I access the Nexus-Web page, the login menu drop down does not result in creating the button for the Identity Provider login. Tried setting the Client ID in the command line of Nexus-Web, but that also does not change anything. Is there anything missing or wrong in either the Keycloak setup or starting of Nexus-Web or any other API update for Delta? Any pointers will be much appreciated. Thanks
Didac
@umbreak

@mukulajoshi_twitter what do you get when you perform the following request:

curl -s 'http://{endpoint}/v1/realms'

…where {endpoint} is the address (and port) where your nexus deployment is running.

Nexus Web displays the login options based on the response from that request
Didac
@umbreak
You can also just open nexus web on the browser and through the browser development tools Inspect element -> Network you can see there the requests nexus web is doing to the nexus delta (backend) component and check what’s the response to that realms request.
mukul ashok joshi
@mukulajoshi_twitter
@umbreak thanks. Yes, initially was not passing the API_Endpoint which showed requests failing in the Dev Tools Network tab. Then after passing the API_Endpoint can see this response when the /v1/realms gets invoked: *{"@context":["https://bluebrain.github.io/nexus/contexts/resource.json","https://bluebrain.github.io/nexus/contexts/iam.json","https://bluebrain.github.io/nexus/contexts/search.json"],"_total":1,"_results":[{"@id":"http://127.0.0.1:8080/v1/realms/keycloak","@type":"Realm","name":"Nexus Keycloak","openIdConfig":"http://127.0.0.1:8180/auth/realms/blue-brain-nexus/.well-known/openid-configuration","_label":"keycloak","_grantTypes":["password","clientCredentials","refreshToken","authorizationCode","implicit"],"_issuer":"http://127.0.0.1:8180/auth/realms/blue-brain-nexus","_authorizationEndpoint":"http://127.0.0.1:8180/auth/realms/blue-brain-nexus/protocol/openid-connect/auth","_tokenEndpoint":"http://127.0.0.1:8180/auth/realms/blue-brain-nexus/protocol/openid-connect/token","_userInfoEndpoint":"http://127.0.0.1:8180/auth/realms/blue-brain-nexus/protocol/openid-connect/userinfo","_revocationEndpoint":"http://127.0.0.1:8180/auth/realms/blue-brain-nexus/protocol/openid-connect/revoke","_endSessionEndpoint":"http://127.0.0.1:8180/auth/realms/blue-brain-nexus/protocol/openid-connect/logout","_rev":1,"_deprecated":false,"_createdAt":"2021-01-13T13:51:05.704Z","_createdBy":"http://127.0.0.1:8080/v1/anonymous","_updatedAt":"2021-01-13T13:51:05.704Z","_updatedBy":"http://127.0.0.1:8080/v1/anonymous"}]}*. I kind of tried to compare this with the response seen in the Sandbox environment, but did not see any glaring differences, though I could be wrong. Would be useful if you can give it a look over and see if there is anything patently wrong in the above response. Thanks
Nope. The login drop down in the header does not result in the button for Identity Provider login in the main section. Is it because the Broker and Identity Provider are the same? I can probably have 2 keycloak instances, one acting as Broker and the other as the Identity Provider
Didac
@umbreak
that shouldn’t be necessary
Bogdan Roman
@bogdanromanx
I remember seeing this before because of a browser caching issue
could you try to clear the cache and refresh the web page?