Hi Brent,

sec:privilege-add-roles uses the xdmp:can-grant-roles function underneath (you can 
see this for yourself by looking up the function in the security.xqy module). That 
function seems to work properly for me (using 4.1-3). Did you make sure your 
user hasn't got admin rights?

(: executed as admin user against security database using CQ :)

import module namespace sec="http://marklogic.com/xdmp/security" at
    "/MarkLogic/security.xqy";

(: roles held by test2: get the role ids as that user, then map them to names :)
"Test2 roles:",
sec:get-role-names(
  xdmp:eval('
      xdmp:get-current-roles()
    ', (),
    <options xmlns="xdmp:eval"><user-id>{xdmp:user("test2")}</user-id></options>
  )
)/string(),

(: roles that have been given the grant-my-roles execute privilege :)
"
Grant-my-roles roles:",
sec:privilege-get-roles(
    "http://marklogic.com/xdmp/privileges/grant-my-roles",
    "execute"),

(: xdmp:can-grant-roles throws if the user may not grant the role :)
"
Test granting admin role:",
try {
  xdmp:eval('
      xdmp:can-grant-roles("admin")
    ', (),
    <options xmlns="xdmp:eval"><user-id>{xdmp:user("test2")}</user-id></options>),
  "successful"
} catch ($e) {
  "fail"
}

Kind regards,
Geert
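The narrow, amped interface Geert recommended earlier in the thread (no direct access to the security API for the application admin), written here as an added example rather than code from the thread; the module namespace, the "app-reader"/"app-writer" role names and the amp arrangement are assumptions:

```xquery
xquery version "1.0-ml";

(: Added example (not code from this thread). A small library module that
   lets an application administrator manage users of its own application
   without touching the security API directly. Module namespace, the role
   names "app-reader"/"app-writer" and the amp arrangement are assumptions. :)
module namespace appsec = "http://example.com/app-security";

import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";

(: The only roles this interface will ever hand out. "admin" and every
   other role are rejected here, independent of what grant-my-roles
   would allow the caller to grant. :)
declare variable $appsec:ALLOWED-ROLES as xs:string+ :=
  ("app-reader", "app-writer");

(: Fail closed on any role outside the allowlist. :)
declare function appsec:assert-allowed($roles as xs:string*)
  as empty-sequence()
{
  let $bad := $roles[not(. = $appsec:ALLOWED-ROLES)]
  return
    if (fn:exists($bad)) then
      fn:error(xs:QName("APPSEC-ROLENOTALLOWED"),
        fn:concat("Not grantable through this interface: ",
                  fn:string-join($bad, ", ")))
    else ()
};

(: Create an application user holding only allowlisted roles.
   Amp this function to a role that has the create-user privilege;
   the application admin role itself gets no security privileges. :)
declare function appsec:create-app-user(
  $name as xs:string, $password as xs:string, $roles as xs:string*)
  as xs:unsignedLong
{
  appsec:assert-allowed($roles),
  sec:create-user($name, "application user", $password, $roles, (), ())
};

(: Add roles to an existing application user through the same gate.
   Amp this function to a role that has the user-add-roles privilege. :)
declare function appsec:add-app-roles(
  $name as xs:string, $roles as xs:string*)
  as empty-sequence()
{
  appsec:assert-allowed($roles),
  sec:user-add-roles($name, $roles)
};
```

The sec: functions act on the security database of the app server that runs them, so either attach the module to the app server whose security database is the application's own one, or call it through xdmp:eval/xdmp:invoke with the database option pointing at that security database.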

> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of
> Hartwig, Brent (CL Tech Sv)
> Sent: Thursday 4 February 2010 21:53
> To: General Mark Logic Developer Discussion
> Subject: [MarkLogic Dev General] RE: Multiple Security Databases
>
> I was able to make some progress here but tripped on the last
> hurdle: user-a is able to grant an executive privilege to a
> role that user-a does not have.
>
> This hole will not allow me to restrict a role to user management.
>
> Below are the executive privileges I am providing to user-a.
> When user-a has the grant-my-roles privilege, user-a is able
> to grant any executive permission that user-a has or does not
> have (which is what I would only expect with
> grant-all-roles).  When user-a does not have the
> grant-my-roles privilege, user-a is unable to grant any
> executive privilege.
>
> This is in 4.1-4.  I'll create a support ticket.
>
> import module "http://marklogic.com/xdmp/security" at
> "/MarkLogic/security.xqy"
> define function add-privileges-to-roles() {
>   let $add := (
>     (: non-admin :)
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/any-collection","execute","non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/any-uri","execute","non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/status","execute","non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/unprotected-collections","execute","non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/unprotected-uri","execute","non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdbc-eval","execute","non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdbc-insert","execute","non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdbc-invoke","execute","non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdbc-spawn","execute","non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-data-directory","execute","non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-document-get","execute","non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-document-load","execute","non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-eval","execute","non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-get","execute","non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-invoke","execute","non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-load","execute","non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-save","execute","non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-spawn","execute","non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-timestamp","execute","non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-username","execute","non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/debug-my-requests","execute","non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/profile-my-requests","execute","non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/cancel-my-requests","execute","non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-set-request-time-limit-my","execute","non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-add-response-header","execute","non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-email","execute","non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-value","execute","non-admin"),
>     (: security-user-management, safe to provide to app when
>        providing a dedicated security database :)
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/admin-module-read","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/create-user","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-set-name","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-set-password","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-set-description","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/get-user-names","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/get-role-ids","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/get-role-names","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-set-roles","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-add-roles","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-remove-roles","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-get-roles","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-get-description","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-get-description","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/remove-user","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/create-role","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-get-roles","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-set-name","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-set-description","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-set-roles","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-add-roles","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/remove-role","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/remove-role-from-users","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/remove-role-from-roles","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-remove-roles","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/remove-role-from-privileges","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/create-privilege","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/privilege-set-name","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/remove-privilege","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/privilege-get-roles","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/privilege-set-roles","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/privilege-add-roles","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/privilege-remove-roles","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/get-privilege","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/grant-my-roles","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-set-default-permissions","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-set-default-permissions","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-get-default-permissions","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-get-default-permissions","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-get-default-collections","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-get-default-collections","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-set-default-collections","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-set-default-collections","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/protect-collection","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/unprotect-collection","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/collection-set-permissions","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/collection-add-permissions","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/collection-remove-permissions","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/collection-get-permissions","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-privileges","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-privileges","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-user-roles","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-role-roles","execute","security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-privilege-roles","execute","security-user-management")
>   )
>   return ()
> }
> add-privileges-to-roles();
>
> -Brent
>
> -----Original Message-----
> From: Hartwig, Brent (CL Tech Sv)
> Sent: Monday, February 01, 2010 10:47 AM
> To: General Mark Logic Developer Discussion
> Subject: RE: Multiple Security Databases
>
> Hi, Geert,
>
> Thank you for the response.  The custom webapp is an
> excellent idea I will pursue should an out-of-the-box
> configuration not be secure.  Below are more details on how I
> believe MarkLogic will allow an application to
> self-administer its users but not that of another
> application.  I hope to replace theory with practice later
> today, sharing results soon thereafter.
>
> 1.  Define the execute privileges and amps required to create
> and maintain roles and users; grant these to an "application
> admin" ML user.  This is not to include the ability to access
> the admin console or any database not configured to the entry
> point app server (*-in privileges will be excluded).  This
> may be achieved with custom executive privileges required on
> each app server.  Some will be application specific; others,
> like the admin console, will require an executive privilege
> not granted to application admins.
>
> 2.  Create a second security database.
>
> 3.  Create an HTTP or XDBC app server providing the
> application admin the means to self-administer their security database
>
> 4.  Change the security database of the application's main
> app server(s) to the new security database.
>
> Thanks again.
>
> -Brent
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of
> Geert Josten
> Sent: Saturday, January 30, 2010 6:47 AM
> To: General Mark Logic Developer Discussion
> Subject: [MarkLogic Dev General] RE: Multiple Security Databases
>
> Hi Brent,
>
> Providing access to a Security database means that they can
> muck about any way they like, giving themselves admin rights
> as well. Once you have admin rights, you can do anything
> everywhere, throughout the whole cluster. I don't think that
> is what you want. Or at least the risk for something like
> this to happen is too large, I would say.
>
> I think you would be better off with a custom webapp
> interface of your own, providing only the necessary
> functionality, backed by a user that has just enough Amps to
> do what it needs, and only through functions you provide
> yourself. No direct access to the security API, for instance.
>
> HTH!
>
> Kind regards,
> Geert
>
> > From: [email protected]
> > [mailto:[email protected]] On Behalf Of Hartwig, Brent (CL Tech Sv)
> > Sent: Friday 29 January 2010 21:51
> > To: General Mark Logic Developer Discussion
> > Subject: [MarkLogic Dev General] Multiple Security Databases
> >
> > Hello,
> >
> > In our MarkLogic 4.1-3 instance, we host various app servers and
> > databases for multiple applications.  We do so in a manner where each
> > application is only able to access their data.  For most of these, we
> > create one ML user that serves as the application user.  We were
> > recently asked to support multiple roles and users for a single
> > application, at which point we began researching how an application
> > could self-administer their HTTP app server's security without gaining
> > control over another application's data or configuration.
> >
> > Hence the idea to provide a second security database, dedicated to an
> > application.
> >
> > I am interested in this group's experience and thoughts, including:
> >
> > 1.    If there is a preferred alternative
> > 2.    If one should start with a new database or modify a
> > copy of the first
> > 3.    If there are concerns with temporarily rewiring the
> > admin console to initially reconfigure a copy of the first database
> >
> > I found a multiple security database warning
> > <http://markmail.org/message/yrtchp7iuva3zxxj?q=%22create%22+%22security+database%22+list:com%2Emarklogic%2Edeveloper%2Egeneral>
> > posted by the highly revered Michael Blakeley a year
> > ago.  We do not presently use XQSync and all of our shared
> > environments have the same OS.  Nonetheless, I'd like to confirm if
> > multiple security databases would preclude us from using XQSync.
> >
> > Many thanks for your thoughts and time.
> >
> > -Brent
> >
>
> _______________________________________________
> General mailing list
> [email protected]
> http://xqzone.com/mailman/listinfo/general