# Apache Shiro configuration for Fuseki security
# This integrates with OpenMetadata's authentication

[main]
# Allow anonymous read access, require auth for writes
anon = org.apache.shiro.web.filter.authc.AnonymousFilter
authcBasic = org.apache.shiro.web.filter.authc.BasicHttpAuthenticationFilter

# Use environment variables for credentials
[users]
# Default admin user - should be overridden in production
admin = ${FUSEKI_ADMIN_PASSWORD:-admin}, admin

# OpenMetadata service account for updates
openmetadata = ${FUSEKI_OPENMETADATA_PASSWORD:-openmetadata-secret}, writer

[roles]
admin = *
writer = update:*, upload:*, data:*

[urls]
/$/ping = anon
/$/stats/* = anon
/openmetadata/sparql = anon
/openmetadata/query = anon
/openmetadata/update = authcBasic, roles[writer]
/openmetadata/upload = authcBasic, roles[writer]
/openmetadata/data = authcBasic, roles[writer]
/** = authcBasic, roles[admin]