Hi, Geert,

Below are the results from the XQuery you provided. The application admin is correctly not able to grant the admin role. Coupled with a response from support, I understand users can be prevented from granting roles they do not have but, if able to grant one execute privilege, they are able to grant any executive privilege, whether they have the privilege being granted or not. I don't understand why this is not considered a security bug.

I'm being encouraged to abandon the second security database and proceed with your original idea of providing an API that allows an application admin to maintain its users (but no more). I'm not sure what will be my next step. I could modify sec:privilege-add-roles to require the current user have the privilege they are requesting to give to a role. This might make sense if this is really the last hurdle.

Thank you much.
my-app-admin roles: non-admin my-app-admin security-user-management
Grant-my-roles roles: security
Test granting admin role: Fail

-Brent

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Geert Josten
Sent: Friday, February 05, 2010 2:45 AM
To: General Mark Logic Developer Discussion
Subject: [MarkLogic Dev General] RE: Multiple Security Databases

Hi Brent,

sec:privilege-add-roles uses the xdmp:can-grant-roles function underneath (you can see it yourself by looking up the function in the security.xqy module). That function seems to work properly for me (using 4.1-3). Did you make sure your user hasn't got admin rights?

(: executed as admin user against security database using CQ :)
import module namespace sec="http://marklogic.com/xdmp/security" at "/MarkLogic/security.xqy";

"Test2 roles:",
sec:get-role-names(
  xdmp:eval('xdmp:get-current-roles()', (),
    <options xmlns="xdmp:eval"><user-id>{xdmp:user("test2")}</user-id></options>)
)/string(),

"Grant-my-roles roles:",
sec:privilege-get-roles("http://marklogic.com/xdmp/privileges/grant-my-roles", "execute"),

"Test granting admin role:",
try {
  xdmp:eval('xdmp:can-grant-roles("admin")', (),
    <options xmlns="xdmp:eval"><user-id>{xdmp:user("test2")}</user-id></options>),
  "successful"
} catch ($e) {
  "fail"
}

Kind regards,
Geert

> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Hartwig, Brent (CL Tech Sv)
> Sent: Thursday, 4 February 2010 21:53
> To: General Mark Logic Developer Discussion
> Subject: [MarkLogic Dev General] RE: Multiple Security Databases
>
> I was able to make some progress here but tripped on the last hurdle: user-a is able to grant an executive privilege to a role that user-a does not have.
>
> This hole will not allow me to restrict a role to user management.
>
> Below are the executive privileges I am providing to user-a.
> When user-a has the grant-my-roles privilege, user-a is able to grant any executive permission that user-a has or does not have (which is what I would only expect with grant-all-roles). When user-a does not have the grant-my-roles privilege, user-a is unable to grant any executive privilege.
>
> This is in 4.1-4. I'll create a support ticket.
>
> import module "http://marklogic.com/xdmp/security" at "/MarkLogic/security.xqy"
>
> define function add-privileges-to-roles() {
>   let $add := (
>     (: non-admin :)
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/any-collection", "execute", "non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/any-uri", "execute", "non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/status", "execute", "non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/unprotected-collections", "execute", "non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/unprotected-uri", "execute", "non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdbc-eval", "execute", "non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdbc-insert", "execute", "non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdbc-invoke", "execute", "non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdbc-spawn", "execute", "non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-data-directory", "execute", "non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-document-get", "execute", "non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-document-load", "execute", "non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-eval", "execute", "non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-get", "execute", "non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-invoke", "execute", "non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-load", "execute", "non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-save", "execute", "non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-spawn", "execute", "non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-timestamp", "execute", "non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-username", "execute", "non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/debug-my-requests", "execute", "non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/profile-my-requests", "execute", "non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/cancel-my-requests", "execute", "non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-set-request-time-limit-my", "execute", "non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-add-response-header", "execute", "non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-email", "execute", "non-admin"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-value", "execute", "non-admin"),
>
>     (: security-user-management, safe to provide to app when providing a dedicated security database :)
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/admin-module-read", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/create-user", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-set-name", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-set-password", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-set-description", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/get-user-names", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/get-role-ids", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/get-role-names", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-set-roles", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-add-roles", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-remove-roles", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-get-roles", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-get-description", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-get-description", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/remove-user", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/create-role", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-get-roles", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-set-name", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-set-description", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-set-roles", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-add-roles", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/remove-role", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/remove-role-from-users", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/remove-role-from-roles", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-remove-roles", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/remove-role-from-privileges", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/create-privilege", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/privilege-set-name", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/remove-privilege", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/privilege-get-roles", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/privilege-set-roles", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/privilege-add-roles", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/privilege-remove-roles", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/get-privilege", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/grant-my-roles", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-set-default-permissions", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-set-default-permissions", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-get-default-permissions", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-get-default-permissions", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-get-default-collections", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-get-default-collections", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-set-default-collections", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-set-default-collections", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/protect-collection", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/unprotect-collection", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/collection-set-permissions", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/collection-add-permissions", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/collection-remove-permissions", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/collection-get-permissions", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-privileges", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-privileges", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-user-roles", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-role-roles", "execute", "security-user-management"),
>     sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-privilege-roles", "execute", "security-user-management")
>   )
>   return ()
> }
>
> add-privileges-to-roles();
>
> -Brent
>
> -----Original Message-----
> From: Hartwig, Brent (CL Tech Sv)
> Sent: Monday, February 01, 2010 10:47 AM
> To: General Mark Logic Developer Discussion
> Subject: RE: Multiple Security Databases
>
> Hi, Geert,
>
> Thank you for the response. The custom webapp is an excellent idea I will pursue should an out-of-the-box configuration not be secure. Below are more details on how I believe MarkLogic will allow an application to self-administer its users but not those of another application. I hope to replace theory with practice later today, sharing results soon thereafter.
>
> 1. Define the execute privileges and amps required to create and maintain roles and users; grant these to an "application admin" ML user. This is not to include the ability to access the admin console or any database not configured to the entry point app server (*-in privileges will be excluded). This may be achieved with custom executive privileges required on each app server. Some will be application specific; others, like the admin console, will require an executive privilege not granted to application admins.
>
> 2. Create a second security database.
>
> 3. Create an HTTP or XDBC app server providing the application admin the means to self-administer their security database.
>
> 4. Change the security database of the application's main app server(s) to the new security database.
>
> Thanks again.
>
> -Brent
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On Behalf Of Geert Josten
> Sent: Saturday, January 30, 2010 6:47 AM
> To: General Mark Logic Developer Discussion
> Subject: [MarkLogic Dev General] RE: Multiple Security Databases
>
> Hi Brent,
>
> Providing access to a Security database means that they can muck about any way they like, giving themselves admin rights as well. Once you have admin rights, you can do anything everywhere, throughout the whole cluster. I don't think that is what you want. Or at least the risk of something like this happening is too large, I would say..
>
> I think you would be better off with a custom webapp interface of your own, providing only the necessary functionality, backed by a user that has just enough Amps to do what it needs, and only through functions you provide yourself. No direct access to the security API for instance..
>
> HTH!
>
> Kind regards,
> Geert
>
> Drs. G.P.H. Josten
> Consultant
> http://www.daidalos.nl/
> Daidalos BV
> Source of Innovation
> Hoekeindsehof 1-4
> 2665 JZ Bleiswijk
> Tel.: +31 (0) 10 850 1200
> Fax: +31 (0) 10 850 1199
> http://www.daidalos.nl/
> KvK 27164984
> The information sent in or with this e-mail message originates from Daidalos BV and is intended solely for the addressee. If you have received this message unintentionally, we ask you to delete it. No rights can be derived from this message.
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf Of Hartwig, Brent (CL Tech Sv)
> > Sent: Friday, 29 January 2010 21:51
> > To: General Mark Logic Developer Discussion
> > Subject: [MarkLogic Dev General] Multiple Security Databases
> >
> > Hello,
> >
> > In our MarkLogic 4.1-3 instance, we host various app servers and databases for multiple applications. We do so in a manner where each application is only able to access its own data. For most of these, we create one ML user that serves as the application user. We were recently asked to support multiple roles and users for a single application, at which point we began researching how an application could self-administer its HTTP app server's security without gaining control over another application's data or configuration.
> >
> > Hence the idea to provide a second security database, dedicated to an application.
> >
> > I am interested in this group's experience and thoughts, including:
> >
> > 1. If there is a preferred alternative
> > 2. If one should start with a new database or modify a copy of the first
> > 3. If there are concerns with temporarily rewiring the admin console to initially reconfigure a copy of the first database
> >
> > I found a multiple security database warning <http://markmail.org/message/yrtchp7iuva3zxxj?q=%22create%22+%22security+database%22+list:com%2Emarklogic%2Edeveloper%2Egeneral> posted by the highly revered Michael Blakeley a year ago. We do not presently use XQSync and all of our shared environments have the same OS. Nonetheless, I'd like to confirm if multiple security databases would preclude us from using XQSync.
> >
> > Many thanks for your thoughts and time.
> >
> > -Brent

_______________________________________________
General mailing list
[email protected]
http://xqzone.com/mailman/listinfo/general
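The top message of this thread proposes tightening sec:privilege-add-roles so that a caller can only hand out an execute privilege it already holds. The block below is an added example of that check, not code from this thread or from MarkLogic's security.xqy: it wraps sec:privilege-add-roles in a local function that refuses the grant unless the current user can execute the privilege being granted. It assumes xdmp:has-privilege() is available in the reader's server version (it was not mentioned in the thread), and the function name local:guarded-privilege-add-roles, the error code APP-PRIVNOTHELD and the usage call at the bottom are constructed for illustration; the "non-admin" role name is taken from Brent's script above.

```xquery
xquery version "1.0-ml";

(: Added example, not code from the thread. Wraps sec:privilege-add-roles so the
   caller must itself hold each execute privilege it tries to grant to a role.
   Assumes xdmp:has-privilege() exists in the reader's MarkLogic version and that
   this runs against the application's dedicated security database. :)
import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";

(: Hypothetical function name; APP-PRIVNOTHELD is a constructed error code. :)
declare function local:guarded-privilege-add-roles(
  $privilege-uri as xs:string,
  $role-names as xs:string*
) as empty-sequence()
{
  (: Refuse unless the current user can execute the privilege being handed out.
     sec:privilege-add-roles already checks (via xdmp:can-grant-roles) that the
     caller may grant the target roles; this adds the missing check on the
     privilege itself. :)
  if (fn:not(xdmp:has-privilege($privilege-uri, "execute"))) then
    fn:error(xs:QName("APP-PRIVNOTHELD"),
      fn:concat("Current user does not hold execute privilege ", $privilege-uri))
  else
    sec:privilege-add-roles($privilege-uri, "execute", $role-names)
};

(: Constructed usage, run as the application admin user: succeeds only if that
   user holds xdmp-eval, otherwise raises APP-PRIVNOTHELD before any change is
   made to the security database. :)
local:guarded-privilege-add-roles(
  "http://marklogic.com/xdmp/privileges/xdmp-eval", "non-admin")
```

The check only closes the gap if this wrapper is the sole route by which the application admin can add roles to privileges: if that user can still call sec:privilege-add-roles directly (or has the privilege-add-roles execute privilege on an app server that reaches the security module), the wrapper is bypassed. That is the point of Geert's earlier suggestion of an API of your own with no direct access to the security API, backed by an amped user whose own privileges are assigned by the cluster administrator.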
