I was able to make some progress here but tripped on the last hurdle: user-a is able to grant an executive privilege to a role that user-a does not have.

This hole will not allow me to restrict a role to user management. Below are the executive privileges I am providing to user-a. When user-a has the grant-my-roles privilege, user-a is able to grant any executive permission that user-a has or does not have (which is what I would only expect with grant-all-roles). When user-a does not have the grant-my-roles privilege, user-a is unable to grant any executive privilege. This is in 4.1-4. I'll create a support ticket.

(: Grants the listed execute privileges to the two application roles,
   "non-admin" and "security-user-management". Written in the MarkLogic
   0.9-ml dialect ("define function"); run against the security database. :)
import module "http://marklogic.com/xdmp/security" at "/MarkLogic/security.xqy"

define function add-privileges-to-roles()
{
  let $add := (
    (: non-admin :)
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/any-collection", "execute", "non-admin"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/any-uri", "execute", "non-admin"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/status", "execute", "non-admin"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/unprotected-collections", "execute", "non-admin"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/unprotected-uri", "execute", "non-admin"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdbc-eval", "execute", "non-admin"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdbc-insert", "execute", "non-admin"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdbc-invoke", "execute", "non-admin"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdbc-spawn", "execute", "non-admin"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-data-directory", "execute", "non-admin"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-document-get", "execute", "non-admin"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-document-load", "execute", "non-admin"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-eval", "execute", "non-admin"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-get", "execute", "non-admin"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-invoke", "execute", "non-admin"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-load", "execute", "non-admin"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-save", "execute", "non-admin"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-spawn", "execute", "non-admin"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-timestamp", "execute", "non-admin"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-username", "execute", "non-admin"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/debug-my-requests", "execute", "non-admin"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/profile-my-requests", "execute", "non-admin"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/cancel-my-requests", "execute", "non-admin"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-set-request-time-limit-my", "execute", "non-admin"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-add-response-header", "execute", "non-admin"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-email", "execute", "non-admin"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-value", "execute", "non-admin"),

    (: security-user-management, safe to provide to app when providing a dedicated security database :)
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/admin-module-read", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/create-user", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-set-name", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-set-password", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-set-description", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/get-user-names", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/get-role-ids", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/get-role-names", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-set-roles", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-add-roles", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-remove-roles", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-get-roles", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-get-description", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-get-description", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/remove-user", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/create-role", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-get-roles", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-set-name", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-set-description", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-set-roles", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-add-roles", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/remove-role", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/remove-role-from-users", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/remove-role-from-roles", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-remove-roles", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/remove-role-from-privileges", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/create-privilege", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/privilege-set-name", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/remove-privilege", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/privilege-get-roles", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/privilege-set-roles", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/privilege-add-roles", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/privilege-remove-roles", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/get-privilege", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/grant-my-roles", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-set-default-permissions", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-set-default-permissions", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-get-default-permissions", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-get-default-permissions", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-get-default-collections", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-get-default-collections", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-set-default-collections", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-set-default-collections", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/protect-collection", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/unprotect-collection", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/collection-set-permissions", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/collection-add-permissions", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/collection-remove-permissions", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/collection-get-permissions", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-privileges", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-privileges", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-user-roles", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-role-roles", "execute", "security-user-management"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-privilege-roles", "execute", "security-user-management")
  )
  return ()
}

add-privileges-to-roles();

-Brent

-----Original Message-----
From: Hartwig, Brent (CL Tech Sv)
Sent: Monday, February 01, 2010 10:47 AM
To: General Mark Logic Developer Discussion
Subject: RE: Multiple Security Databases

Hi, Geert,

Thank you for the response. The custom webapp is an excellent idea I will pursue should an out-of-the-box configuration not be secure. Below are more details on how I believe MarkLogic will allow an application to self-administer its users but not that of another application. I hope to replace theory with practice later today, sharing results soon thereafter.

1. Define the execute privileges and amps required to create and maintain roles and users; grant these to an "application admin" ML user. This is not to include the ability to access the admin console or any database not configured to the entry point app server (*-in privileges will be excluded). This may be achieved with custom executive privileges required on each app server. Some will be application specific; others, like the admin console, will require an executive privilege not granted to application admins.
2. Create a second security database.
3. Create an HTTP or XDBC app server providing the application admin the means to self-administer their security database.
4. Change the security database of the application's main app server(s) to the new security database.

Thanks again.

-Brent

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Geert Josten
Sent: Saturday, January 30, 2010 6:47 AM
To: General Mark Logic Developer Discussion
Subject: [MarkLogic Dev General] RE: Multiple Security Databases

Hi Brent,

Providing access to a Security database means that they can muck about any way they like, giving themselves admin rights as well. Once you have admin rights, you can do anything everywhere, throughout the whole cluster. I don't think that is what you want. Or at least the risk for something like this to happen is too large, I would say.

I think you would be better off with a custom webapp interface of your own, providing only the necessary functionality, backed by a user that has just enough Amps to do what it needs, and only through functions you provide yourself. No direct access to the security API, for instance.

HTH!

Kind regards,
Geert

Drs. G.P.H. Josten
Consultant
http://www.daidalos.nl/

Daidalos BV
Source of Innovation
Hoekeindsehof 1-4
2665 JZ Bleiswijk
Tel.: +31 (0) 10 850 1200
Fax: +31 (0) 10 850 1199
http://www.daidalos.nl/
KvK 27164984

The information sent in or with this e-mail message originates from Daidalos BV and is intended solely for the addressee. If you have received this message unintentionally, we ask you to delete it. No rights can be derived from this message.

> From: [email protected]
> [mailto:[email protected]] On Behalf Of
> Hartwig, Brent (CL Tech Sv)
> Sent: Friday, 29 January 2010 21:51
> To: General Mark Logic Developer Discussion
> Subject: [MarkLogic Dev General] Multiple Security Databases
>
> Hello,
>
> In our MarkLogic 4.1-3 instance, we host various app servers
> and databases for multiple applications. We do so in a
> manner where each application is only able to access their
> data. For most of these, we create one ML user that serves
> as the application user. We were recently asked to support
> multiple roles and users for a single application, at which
> point we began researching how an application could
> self-administer their HTTP app server's security without
> gaining control over another application's data or configuration.
>
> Hence the idea to provide a second security database,
> dedicated to an application.
>
> I am interested in this group's experience and thoughts, including:
>
> 1. If there is a preferred alternative
> 2. If one should start with a new database or modify a
> copy of the first
> 3. If there are concerns with temporarily rewiring the
> admin console to initially reconfigure a copy of the first database
>
> I found a multiple security database warning
> <http://markmail.org/message/yrtchp7iuva3zxxj?q=%22create%22+%22security+database%22+list:com%2Emarklogic%2Edeveloper%2Egeneral>
> posted by the highly revered Michael Blakeley a year
> ago. We do not presently use XQSync and all of our shared
> environments have the same OS. Nonetheless, I'd like to
> confirm if multiple security databases would preclude us from
> using XQSync.
>
> Many thanks for your thoughts and time.
>
> -Brent

_______________________________________________
General mailing list
[email protected]
http://xqzone.com/mailman/listinfo/general
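Added example, not code from any message in this thread: a guarded grant function in the spirit of Geert's "only through functions you provide yourself" suggestion. It enforces what Brent expected grant-my-roles to mean, namely that a caller can only hand out an execute privilege it already holds, and it additionally confines grants to the application's own roles. The role-name prefix, the error QNames and the function name are assumptions; the module is written in the 1.0-ml dialect and must be evaluated against the application's security database.

```xquery
xquery version "1.0-ml";

(: Added example (not from the thread): a guarded wrapper around
   sec:privilege-add-roles for an application self-service interface.
   Assumptions: roles owned by the application start with $app-role-prefix,
   and this module is evaluated against the application's security database. :)

import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";

(: assumed naming convention for the application's own roles :)
declare variable $app-role-prefix as xs:string := "appA-";

(: Grant execute privilege $action to $role-names, but only if the current
   user already holds $action itself, and only to application roles.
   Both checks run before any change is made to the security database. :)
declare function local:guarded-privilege-add-roles(
  $action as xs:string,
  $role-names as xs:string*
) as empty-sequence()
{
  let $foreign := $role-names[fn:not(fn:starts-with(., $app-role-prefix))]
  return
    if (fn:not(xdmp:has-privilege($action, "execute"))) then
      (: the caller must not be able to escalate via privileges it lacks :)
      fn:error(xs:QName("GUARD-NOTHELD"),
        fn:concat(xdmp:get-current-user(), " does not hold ", $action))
    else if (fn:exists($foreign)) then
      (: keep the application inside its own role namespace :)
      fn:error(xs:QName("GUARD-FOREIGNROLE"),
        fn:concat("not an application role: ", fn:string-join($foreign, ", ")))
    else
      sec:privilege-add-roles($action, "execute", $role-names)
};

(: Example call: succeeds only if the caller itself holds xdmp-eval
   and "appA-reporting" is an existing application role (assumed). :)
local:guarded-privilege-add-roles(
  "http://marklogic.com/xdmp/privileges/xdmp-eval",
  "appA-reporting")
```

The wrapper narrows rather than replaces MarkLogic's own checks: the underlying sec: call still requires the caller to hold privilege-add-roles and one of grant-my-roles or grant-all-roles.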
