Oh right..

After a reboot it was not working anymore.

I forgot to mention that this was triggered by 'MUSTHAVEUPDATE' errors at document 
creation, and 'SEC-PERMDENIED' errors at document updates. I had prepared some test 
statements in CQ, and those revealed that xdmp:default-permissions() was indeed 
returning an empty sequence. I restarted MarkLogic, but that did not seem to make a 
difference. I removed the documents again, did more updates with some other 
user, and now xdmp:default-permissions() does return the expected permissions. 
Note: in the Admin interface the default permissions are always shown 
correctly. It did seem to me that updating them from there (adding and removing 
some unnecessary permission) made the xdmp:default-permissions() work properly 
again as well.

Once xdmp:default-permissions() works properly, and the documents created in 
the meantime have been removed, things work normally again.

I cannot pinpoint what the trigger is, but I will keep monitoring this. Here is my 
test code:

xquery version "1.0-ml";
(: new query 11 :)

(: start clean: remove the test document if it is still there :)
try { xdmp:document-delete('/mydoc.xml') } catch ($e) {};

(: run the checks as user 'test' in a separate transaction; every statement
   inside the eval string that ends with a semicolon is evaluated on its own :)
xdmp:eval('

"
current user:",
xdmp:get-current-user(),

"
current roles:",
xdmp:get-current-roles(),

"
default-permissions:",
for $perm in xdmp:default-permissions()
return
    xdmp:describe((string($perm//*:role-id), string($perm//*:capability))),

"
default-collections:",
xdmp:default-collections();

(: first insert creates the document with the default permissions and collections :)
"
document-insert:",
try {
   xdmp:document-insert("/mydoc.xml", <x/>, xdmp:default-permissions(), xdmp:default-collections())
} catch ($e) { $e };

(: second insert of the same URI is an update of the existing document,
   so it also needs update permission on that document :)
"
document-insert:",
try {
   xdmp:document-insert("/mydoc.xml", <x/>, xdmp:default-permissions(), xdmp:default-collections())
} catch ($e) { $e };

(: what actually got stored on the document :)
"
document-permissions:",
for $perm in xdmp:document-get-permissions("/mydoc.xml")
return
    xdmp:describe((string($perm//*:role-id), string($perm//*:capability)));

"
document-collections:",
xdmp:document-get-collections("/mydoc.xml")

', (),
      <options xmlns="xdmp:eval">
          <isolation>different-transaction</isolation>
          <user-id>{xdmp:user('test')}</user-id>
      </options>)

PS: the user test is associated with a role that provides the default permissions 
(read/update to the role itself) and the default collections (some protected 
collections allowing that role read/update). There is actually also a URI 
privilege applied, so to make the test case complete one needs a URI privilege 
on / assigned to the test role as well.

Kind regards,
Geert

> -----Original Message-----
> From: [email protected] 
> [mailto:[email protected]] On Behalf Of 
> Geert Josten
> Sent: Tuesday 24 February 2009 23:59
> To: General Mark Logic Developer Discussion
> Subject: RE: [MarkLogic Dev General] 
> Xdmp:default-permissions() not working?
> 
> Good news,
> 
> I have deleted all existing documents to make sure there were 
> none with wrong permissions (read: no permissions). I was 
> expecting no documents actually, we are still in development 
> and I am developing with test scripts that have a clean 
> footprint, or at least should have.
> 
> I also restarted MarkLogic Server to make sure latest 
> security config changes were available fully. Now all 
> problems seem to have cleared.
> 
> For your information, we are busy changing security settings 
> on document storage (during development stage) from no 
> security to full security (URI privilege, protected 
> collection, default permissions and default collections). But 
> I now have the impression that things got cluttered during 
> migration. Perhaps the footprint was indeed not as clean as I 
> thought, I'll need to take a closer look..
> 
> Thanks for your patience.
> 
> Best regards,
> Geert
> 
> 
> > -----Original Message-----
> > From: [email protected]
> > [mailto:[email protected]] On Behalf Of Geert 
> > Josten
> > Sent: Tuesday 24 February 2009 21:38
> > To: General Mark Logic Developer Discussion
> > Subject: RE: [MarkLogic Dev General]
> > Xdmp:default-permissions() not working?
> > 
> > Michael,
> > 
> > User-id option:
> > 
> > xdmp:eval('(: some expression.. :)', (), <options 
> > xmlns="xdmp:eval"><user-id>{xdmp:user('someuser')}</user-id></
> > options>)
> > 
> > I tried to create a test case that shows my problems, but it seems 
> > more complicated than I thought. I'll be in touch..
> > 
> > Kind regards,
> > Geert
> > 
> > > -----Original Message-----
> > > From: [email protected]
> > > [mailto:[email protected]] On Behalf Of Michael Blakeley
> > > Sent: Tuesday 24 February 2009 18:17
> > > To: General Mark Logic Developer Discussion
> > > Subject: Re: [MarkLogic Dev General]
> > > Xdmp:default-permissions() not working?
> > > 
> > > Geert,
> > > 
> > > Can you be more explicit about "the user-id option"?
> > > 
> > > The cq window should tell you what user you're logged in as, in the
> > > title bar. For example, my copy of cq (svn HEAD) in firefox 3.0.6 says
> > > "cq - [email protected]:8000", and I get the results I expect from
> > > xdmp:default-permissions():
> > > 
> > > <sec:permission xmlns:sec="http://marklogic.com/xdmp/security">
> > >    <sec:capability>insert</sec:capability>
> > >    <sec:role-id>18086402793777567391</sec:role-id>
> > > </sec:permission>
> > > <sec:permission xmlns:sec="http://marklogic.com/xdmp/security">
> > >    <sec:capability>update</sec:capability>
> > >    <sec:role-id>18086402793777567391</sec:role-id>
> > > </sec:permission>
> > > <sec:permission xmlns:sec="http://marklogic.com/xdmp/security">
> > >    <sec:capability>read</sec:capability>
> > >    <sec:role-id>18086402793777567391</sec:role-id>
> > > </sec:permission>
> > > <sec:permission xmlns:sec="http://marklogic.com/xdmp/security">
> > >    <sec:capability>read</sec:capability>
> > >    <sec:role-id>16214968982484730623</sec:role-id>
> > > </sec:permission>
> > > 
> > > -- Mike
> > > 
> > > On 2009-02-23 23:46, Geert Josten wrote:
> > > > Hi there,
> > > >
> > > > I am running MarkLogic Server 4.0-1 on a WinXP laptop. I have added a
> > > > user to the security database in MarkLogic Server using the Admin
> > > > interface and the describe feature tells me that this user has default
> > > > permissions (inherited from a custom defined role). But an empty
> > > > sequence is returned when calling xdmp:default-permissions() as this
> > > > user. Also, when inserting documents, permissions are not automatically
> > > > assigned because of this, making the document inaccessible for the
> > > > user itself.
> > > >
> > > > (Reproduced with cq using xdmp:eval and the user-id option..)
> > > >
> > > > Is there an obvious reason this goes wrong? Or is it something that
> > > > has been fixed in the latest releases? I failed to find release notes
> > > > on the latest patch versions. Are these available somewhere?
> > > >
> > > > Kind regards,
> > > > Geert
> > > >
> > > >
> > > > Drs. G.P.H. Josten
> > > > Consultant
> > > >
> > > >
> > > > http://www.daidalos.nl/
> > > > Daidalos BV
> > > > Source of Innovation
> > > > Hoekeindsehof 1-4
> > > > 2665 JZ Bleiswijk
> > > > Tel.: +31 (0) 10 850 1200
> > > > Fax: +31 (0) 10 850 1199
> > > > http://www.daidalos.nl/
> > > > KvK 27164984
> > > > The information sent in or with this e-mail message originates from
> > > > Daidalos BV and is intended solely for the addressee. If you have
> > > > received this message unintentionally, we ask you to delete it. No
> > > > rights may be derived from this message.
> > > >
> > > >
> > > >
> > > > _______________________________________________
> > > > General mailing list
> > > > [email protected]
> > > > http://xqzone.com/mailman/listinfo/general
> > > 
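As an added example, not code posted in this thread: the failure mode described above is that xdmp:default-permissions() returns an empty sequence, and passing that straight into xdmp:document-insert creates a document with no permissions at all, which nobody but an admin can read. A practitioner would rather fail closed. The function below refuses the insert unless the default permissions are non-empty and contain a read permission for at least one role of the current user. The role-id cast avoids comparing 64-bit role ids as doubles. The URI "/guarded.xml" and the local:guarded-insert name are assumptions for illustration.

```xquery
xquery version "1.0-ml";
declare namespace sec = "http://marklogic.com/xdmp/security";

(: Added example, not from the thread. Insert a document only when the
   default permissions would actually leave it readable by the caller. :)
declare function local:guarded-insert($uri as xs:string, $doc as node())
  as empty-sequence()
{
  let $perms := xdmp:default-permissions()
  let $my-roles := xdmp:get-current-roles()
  (: cast the role-id text to xs:unsignedLong so the comparison is exact;
     an untyped/numeric general comparison would go through xs:double :)
  let $readable :=
    $perms[sec:capability = "read"][xs:unsignedLong(sec:role-id) = $my-roles]
  return
    if (empty($perms)) then
      fn:error(xs:QName("local:NO-DEFAULT-PERMS"),
        concat("refusing to insert ", $uri,
               ": xdmp:default-permissions() is empty for user ",
               xdmp:get-current-user()))
    else if (empty($readable)) then
      fn:error(xs:QName("local:NOT-READABLE"),
        concat("refusing to insert ", $uri,
               ": default permissions carry no read capability for any role of ",
               xdmp:get-current-user()))
    else
      xdmp:document-insert($uri, $doc, $perms, xdmp:default-collections())
};

(: usage: the URI is an assumed test value :)
local:guarded-insert("/guarded.xml", <x/>)
```

Run this the same way as the test code above, through xdmp:eval with the user-id option, to exercise it as the user whose defaults look suspect; an error here means the security configuration should be repaired before any document is created, rather than after.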
