Hi Brent,

I might have misunderstood your explanation. I thought you said that as soon as 
one could add privileges to any of its own roles, one could add privileges to 
any other role as well. But now I understand you meant that though it can be 
limited to a certain set of roles (my roles), there are no further restrictions 
on which privileges are actually granted.

You could see that as a security leak, but it is a security function after all, 
to which access should be very limited at all times.

It should be possible though to wrap the mentioned function in a function of 
your own, with its own exec priv, replacing the exec priv for 
sec:privilege-add-roles. To my knowledge amping your function should allow it 
to call sec:privilege-add-roles without the need for the exec priv. That way 
the sec function can only be accessed through your wrapper function.

After all this effort, I expect you still need to provide means to access the 
function I mentioned. So yes, you might find a dedicated web app for that 
purpose easier. ;-) (though your custom function could still be useful there 
as well)

Kind regards,
Geert
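One way to build the wrapper Geert describes, as an added example that is not code from the thread or from MarkLogic itself: an un-amped entry point does all the checks with the caller's own roles (including the check Brent found missing, that the caller must already hold the privilege it hands out), then calls an inner function that carries the amp. Module path, namespace, privilege URI, role names and the amp settings are assumptions, and the module is assumed to run against the security database, as Geert's query does.

```xquery
xquery version "1.0-ml";
(: Hypothetical library module, assumed to live at /app/app-sec.xqy :)
module namespace app-sec = "http://example.com/app-sec";

import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";

(: Execute privilege that guards the wrapper itself (assumed URI);
   grant it to the application admin role instead of the sec exec priv. :)
declare variable $app-sec:GRANT-PRIV :=
  "http://example.com/privileges/app-grant-privilege";

(: Roles this application's admin is allowed to administer (constructed). :)
declare variable $app-sec:MANAGED-ROLES := ("my-app-reader", "my-app-editor");

(: Public entry point, deliberately NOT amped: every check runs with the
   caller's real roles, before any extra rights are added. :)
declare function app-sec:grant-privilege-to-roles(
  $action as xs:string, $kind as xs:string, $role-names as xs:string*
) as empty-sequence()
{
  (: 1. The caller must hold the wrapper's own execute privilege. :)
  xdmp:security-assert($app-sec:GRANT-PRIV, "execute"),

  (: 2. Only privileges the caller already holds may be granted; this is
        the restriction sec:privilege-add-roles does not enforce. :)
  if (xdmp:has-privilege($action, $kind)) then ()
  else fn:error(xs:QName("APP-SEC-NOPRIV"),
    "Caller does not hold the privilege it is trying to grant",
    ($action, $kind)),

  (: 3. Target roles must be on the application's own allow-list ... :)
  for $r in $role-names
  where fn:not($r = $app-sec:MANAGED-ROLES)
  return fn:error(xs:QName("APP-SEC-ROLE"),
    "Role is not managed by this application", $r),

  (: 4. ... and grantable by the caller; xdmp:can-grant-roles raises an
        error if the caller lacks the role or grant-my-roles. :)
  xdmp:can-grant-roles($role-names),

  (: Audit trail: who granted what to which roles. :)
  xdmp:log(fn:concat("app-sec: ", xdmp:get-current-user(), " granted ",
    $kind, " privilege ", $action, " to ",
    fn:string-join($role-names, ","))),

  app-sec:amped-privilege-add-roles($action, $kind, $role-names)
};

(: Inner function that carries the amp. Create the amp once, as admin,
   against the security database (assumed module URI and database):

     sec:create-amp("http://example.com/app-sec", "amped-privilege-add-roles",
                    "/app/app-sec.xqy", xdmp:modules-database(), "security")

   While this function runs the caller temporarily has the "security" role,
   so the execute privilege for sec:privilege-add-roles is granted to no one. :)
declare function app-sec:amped-privilege-add-roles(
  $action as xs:string, $kind as xs:string, $role-names as xs:string*
) as empty-sequence()
{
  sec:privilege-add-roles($action, $kind, $role-names)
};
```

Because the checks in step 2 and 4 run outside the amp, xdmp:has-privilege and xdmp:can-grant-roles see only the roles the caller really has, not the roles added by the amp.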

> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of
> Hartwig, Brent (CL Tech Sv)
> Sent: Friday, 5 February 2010 14:58
> To: General Mark Logic Developer Discussion
> Subject: [MarkLogic Dev General] RE: Multiple Security Databases
>
> Hi, Geert,
>
> Below are the results from the XQuery you provided.  The
> application admin is correctly not able to grant the admin
> role.  Coupled with a response from support, I understand
> users can be prevented from granting roles they do not have
> but, if able to grant one execute privilege, they are able to
> grant any executive privilege, whether they have the
> privilege being granted or not.  I don't understand why this
> is not considered a security bug.  I'm being encouraged to
> abandon the second security database and proceed with your
> original idea of providing an API that allows an application
> admin to maintain its users (but no more).  I'm not sure what
> will be my next step.  I could modify sec:privilege-add-roles
> to require the current user have the privilege they are
> requesting to give to a role.  This might make sense if this
> is really the last hurdle.  Thank you much.
>
> my-app-admin roles:
> non-admin
> my-app-admin
> security-user-management
>
> Grant-my-roles roles:
> security
>
> Test granting admin role:
> Fail
>
> -Brent
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of
> Geert Josten
> Sent: Friday, February 05, 2010 2:45 AM
> To: General Mark Logic Developer Discussion
> Subject: [MarkLogic Dev General] RE: Multiple Security Databases
>
> Hi Brent,
>
> sec:privilege-add-roles uses xdmp:can-grant-roles function
> underneath (you can see yourself when looking up the function
> in security.xqy module). That function seems to work properly
> for me (using 4.1-3). Did you make sure your user hasn't got
> admin rights?
>
> (: executed as admin user against security database using CQ :)
>
> import module namespace sec="http://marklogic.com/xdmp/security" at
>     "/MarkLogic/security.xqy";
>
> "Test2 roles:",
> sec:get-role-names(
>   xdmp:eval('
>       xdmp:get-current-roles()
>     ', (),
>     <options xmlns="xdmp:eval"><user-id>{xdmp:user("test2")}</user-id></options>
>   )
> )/string(),
>
> "
> Grant-my-roles roles:",
> sec:privilege-get-roles(
>     "http://marklogic.com/xdmp/privileges/grant-my-roles",
>      "execute"),
>
> "
> Test granting admin role:",
> try {
>   xdmp:eval('
>     xdmp:can-grant-roles("admin")
>   ', (),
>   <options xmlns="xdmp:eval"><user-id>{xdmp:user("test2")}</user-id></options>),
>   "successful"
> } catch ($e) {
>   "fail"
> }
>
> Kind regards,
> Geert
>
> > -----Original Message-----
> > From: [email protected]
> > [mailto:[email protected]] On Behalf Of Hartwig,
> > Brent (CL Tech Sv)
> > Sent: Thursday, 4 February 2010 21:53
> > To: General Mark Logic Developer Discussion
> > Subject: [MarkLogic Dev General] RE: Multiple Security Databases
> >
> > I was able to make some progress here but tripped on the last
> > hurdle: user-a is able to grant an executive privilege to a role that
> > user-a does not have.
> >
> > This hole will not allow me to restrict a role to user management.
> >
> > Below are the executive privileges I am providing to user-a.
> > When user-a has the grant-my-roles privilege, user-a is able to grant
> > any executive permission that user-a has or does not have (which is
> > what I would only expect with grant-all-roles).  When user-a does not
> > have the grant-my-roles privilege, user-a is unable to grant any
> > executive privilege.
> >
> > This is in 4.1-4.  I'll create a support ticket.
> >
> > import module "http://marklogic.com/xdmp/security" at
> > "/MarkLogic/security.xqy"
> >
> > define function add-privileges-to-roles() {
> >   let $add := (
> >    (: non-admin :)
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/any-collection","execute","non-admin"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/any-uri","execute","non-admin"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/status","execute","non-admin"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/unprotected-collections","execute","non-admin"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/unprotected-uri","execute","non-admin"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdbc-eval","execute","non-admin"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdbc-insert","execute","non-admin"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdbc-invoke","execute","non-admin"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdbc-spawn","execute","non-admin"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-data-directory","execute","non-admin"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-document-get","execute","non-admin"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-document-load","execute","non-admin"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-eval","execute","non-admin"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-get","execute","non-admin"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-invoke","execute","non-admin"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-load","execute","non-admin"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-save","execute","non-admin"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-spawn","execute","non-admin"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-timestamp","execute","non-admin"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-username","execute","non-admin"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/debug-my-requests","execute","non-admin"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/profile-my-requests","execute","non-admin"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/cancel-my-requests","execute","non-admin"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-set-request-time-limit-my","execute","non-admin"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-add-response-header","execute","non-admin"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-email","execute","non-admin"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-value","execute","non-admin"),
> >    (: security-user-management, safe to provide to app when providing
> >       a dedicated security database :)
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/admin-module-read","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/create-user","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-set-name","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-set-password","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-set-description","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/get-user-names","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/get-role-ids","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/get-role-names","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-set-roles","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-add-roles","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-remove-roles","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-get-roles","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-get-description","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-get-description","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/remove-user","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/create-role","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-get-roles","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-set-name","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-set-description","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-set-roles","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-add-roles","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/remove-role","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/remove-role-from-users","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/remove-role-from-roles","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-remove-roles","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/remove-role-from-privileges","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/create-privilege","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/privilege-set-name","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/remove-privilege","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/privilege-get-roles","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/privilege-set-roles","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/privilege-add-roles","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/privilege-remove-roles","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/get-privilege","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/grant-my-roles","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-set-default-permissions","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-set-default-permissions","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-get-default-permissions","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-get-default-permissions","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-get-default-collections","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-get-default-collections","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-set-default-collections","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-set-default-collections","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/protect-collection","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/unprotect-collection","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/collection-set-permissions","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/collection-add-permissions","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/collection-remove-permissions","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/collection-get-permissions","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/user-privileges","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/role-privileges","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-user-roles","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-role-roles","execute","security-user-management"),
> >    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-privilege-roles","execute","security-user-management")
> >   )
> >   return ()
> > }
> > add-privileges-to-roles();
> >
> > -Brent
> >
> > -----Original Message-----
> > From: Hartwig, Brent (CL Tech Sv)
> > Sent: Monday, February 01, 2010 10:47 AM
> > To: General Mark Logic Developer Discussion
> > Subject: RE: Multiple Security Databases
> >
> > Hi, Geert,
> >
> > Thank you for the response.  The custom webapp is an excellent idea I
> > will pursue should an out-of-the-box configuration not be secure.
> > Below are more details on how I believe MarkLogic will allow an
> > application to self-administer its users but not that of another
> > application.  I hope to replace theory with practice later today,
> > sharing results soon thereafter.
> >
> > 1.  Define the execute privileges and amps required to create and
> > maintain roles and users; grant these to an "application admin" ML
> > user.  This is not to include the ability to access the admin console
> > or any database not configured to the entry point app server (*-in
> > privileges will be excluded).  This may be achieved with custom
> > executive privileges required on each app server.  Some will be
> > application specific; others, like the admin console, will require an
> > executive privilege not granted to application admins.
> >
> > 2.  Create a second security database
> >
> > 3.  Create an HTTP or XDBC app server providing the application admin
> > the means to self-administer their security database
> >
> > 4.  Change the security database of the application's main app
> > server(s) to the new security database.
> >
> > Thanks again.
> >
> > -Brent
> >
> > -----Original Message-----
> > From: [email protected]
> > [mailto:[email protected]] On Behalf Of Geert
> > Josten
> > Sent: Saturday, January 30, 2010 6:47 AM
> > To: General Mark Logic Developer Discussion
> > Subject: [MarkLogic Dev General] RE: Multiple Security Databases
> >
> > Hi Brent,
> >
> > Providing access to a Security database means that they can muck
> > about any way they like, giving themselves admin rights as well. Once
> > you have admin rights, you can do anything everywhere, throughout the
> > whole cluster. I don't think that is what you want. Or at least the
> > risk for something like this to happen is too large I would say.
> >
> > I think you would be better off with a custom webapp interface of your
> > own, providing only the necessary functionality, backed by a user that
> > has just enough Amps to do what it needs, and only through functions
> > you provide yourself. No direct access to the security API for
> > instance.
> >
> > HTH!
> >
> > Kind regards,
> > Geert
> >
> >
> > Drs. G.P.H. Josten
> > Consultant
> >
> >
> > http://www.daidalos.nl/
> > Daidalos BV
> > Source of Innovation
> > Hoekeindsehof 1-4
> > 2665 JZ Bleiswijk
> > Tel.: +31 (0) 10 850 1200
> > Fax: +31 (0) 10 850 1199
> > http://www.daidalos.nl/
> > KvK 27164984
> > The information sent in or with this e-mail message originates
> > from Daidalos BV and is intended solely for the addressee.
> > If you have received this message unintentionally, we ask you to
> > delete it. No rights can be derived from this message.
> >
> >
> > > From: [email protected]
> > > [mailto:[email protected]] On Behalf Of Hartwig,
> > > Brent (CL Tech Sv)
> > > Sent: Friday, 29 January 2010 21:51
> > > To: General Mark Logic Developer Discussion
> > > Subject: [MarkLogic Dev General] Multiple Security Databases
> > >
> > > Hello,
> > >
> > > In our MarkLogic 4.1-3 instance, we host various app servers and
> > > databases for multiple applications.  We do so in a manner where each
> > > application is only able to access their data.  For most of these, we
> > > create one ML user that serves as the application user.  We were
> > > recently asked to support multiple roles and users for a single
> > > application, at which point we began researching how an application
> > > could self-administer their HTTP app server's security without gaining
> > > control over another application's data or configuration.
> > >
> > > Hence the idea to provide a second security database, dedicated to an
> > > application.
> > >
> > > I am interested in this group's experience and thoughts, including:
> > >
> > > 1.    If there is a preferred alternative
> > > 2.    If one should start with a new database or modify a copy of the first
> > > 3.    If there are concerns with temporarily rewiring the admin console
> > >       to initially reconfigure a copy of the first database
> > >
> > > I found a multiple security database warning
> > > <http://markmail.org/message/yrtchp7iuva3zxxj?q=%22create%22+%22security+database%22+list:com%2Emarklogic%2Edeveloper%2Egeneral>
> > > posted by the highly revered Michael Blakeley a year ago.  We do not
> > > presently use XQSync and all of our shared environments have the same
> > > OS.  Nonetheless, I'd like to confirm if multiple security databases
> > > would preclude us from using XQSync.
> > >
> > > Many thanks for your thoughts and time.
> > >
> > > -Brent
> > >
> >
> > _______________________________________________
> > General mailing list
> > [email protected]
> > http://xqzone.com/mailman/listinfo/general
> >