I usually default to admin user. I have a suspicion that admin user may ignore locks (similar to how admin user sees deleted fragments)?
P.S. When a trigger fires, what role and permission does the trigger use?

--- On Fri, 4/9/10, [email protected] <[email protected]> wrote:

From: [email protected] <[email protected]>
Subject: General Digest, Vol 70, Issue 24
To: [email protected]
Date: Friday, April 9, 2010, 2:13 PM

Send General mailing list submissions to
    [email protected]

To subscribe or unsubscribe via the World Wide Web, visit
    http://xqzone.com/mailman/listinfo/general
or, via email, send a message with subject or body 'help' to
    [email protected]

You can reach the person managing the list at
    [email protected]

When replying, please edit your Subject line so it is more specific than "Re: Contents of General digest..."

Today's Topics:

   1. RE: Re: Missing "Mimetypes Functions" documentation -- never mind! (Danny Sokolsky)
   2. updates and locks (Paul M)
   3. RE: RE: Creating a "Simple" user (Lee, David)
   4. +Hi+ (Stylus Studio)
   5. RE: RE: Creating a "Simple" user (Danny Sokolsky)

----------------------------------------------------------------------

Message: 1
Date: Fri, 9 Apr 2010 12:03:12 -0700
From: Danny Sokolsky <[email protected]>
Subject: RE: [MarkLogic Dev General] Re: Missing "Mimetypes Functions" documentation -- never mind!
To: General Mark Logic Developer Discussion <[email protected]>
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"

And thanks for the report, the 4.0 doc links are now fixed and go to:

http://developer.marklogic.com/pubs/4.0/apidocs/AdminLibraryMimetype.html

-Danny

From: [email protected] [mailto:[email protected]] On Behalf Of Chris Maloney
Sent: Friday, April 09, 2010 7:56 AM
To: [email protected]
Subject: [MarkLogic Dev General] Re: Missing "Mimetypes Functions" documentation -- never mind!

I see that I was looking at the 4.0 documentation instead of 4.1. Sorry for the noise.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://xqzone.marklogic.com/pipermail/general/attachments/20100409/602de3c7/attachment-0001.html

------------------------------

Message: 2
Date: Fri, 9 Apr 2010 12:26:51 -0700 (PDT)
From: Paul M <[email protected]>
Subject: [MarkLogic Dev General] updates and locks
To: [email protected]
Message-ID: <[email protected]>
Content-Type: text/plain; charset="us-ascii"

I have the following query:

    (: the loop only burns time so the transaction stays open for several seconds :)
    let $x := for $d in (1 to 10000000) return 1
    let $d := fn:doc("/testlocking.xml")/val
    return (
      xdmp:request-timestamp(),
      fn:current-dateTime(),
      $d,
      xdmp:document-insert("/testlocking.xml", <val>{$d+1}</val>)
    )

I verified that this is treated as an update query because xdmp:request-timestamp() returns empty. This is a somewhat long-running query (6-15 sec).

When I execute the above query from a cq session, I execute the following from a different cq session:

    let $d := fn:doc("/testlocking.xml")/val
    return (
      xdmp:request-timestamp(),
      fn:current-dateTime(),
      $d,
      xdmp:document-insert("/testlocking.xml", <val>{$d -2}</val>)
    )

The second query finishes first, as well as updates the document first. If the first query has a lock, how can the second update query finish first and touch the document first?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://xqzone.marklogic.com/pipermail/general/attachments/20100409/7c2d7540/attachment-0001.html

------------------------------

Message: 3
Date: Fri, 9 Apr 2010 13:01:12 -0700
From: "Lee, David" <[email protected]>
Subject: RE: [MarkLogic Dev General] RE: Creating a "Simple" user
To: "General Mark Logic Developer Discussion" <[email protected]>
Message-ID: <dd37f70d78609d4e9587d473fc61e0a717d58...@postoffice>
Content-Type: text/plain; charset="iso-8859-1"

OK, I will start from scratch (or nearly so because I have 20GB of documents I don't want to reload ...)
I think I can use xdmp:document-set-properties( ... )

What happens if documents have no permissions (like mine do, I just checked).
Can you make a non-admin user that can read them? Or do permissions *must* exist for any role but admin?

Also where would I look for errors? I'm getting no errors in the ErrorLog but no output either.

Thanks!
-David

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Danny Sokolsky
Sent: Friday, April 09, 2010 2:35 PM
To: General Mark Logic Developer Discussion
Subject: [MarkLogic Dev General] RE: Creating a "Simple" user

Hi David,

If it was *simple*, it would not be secure :)

Remember that users do not have permissions, documents have permissions, and permissions are tied to roles via a capability (read, update, insert, or execute). Privileges protect code access (and URI privileges protect creating documents in a URI space).

So here is what I would recommend as a starting point:

* create a role called "ReadsStuff"
* create a user called "ReadsStuff" and grant that user the "ReadsStuff" role
* create a role called "WritesStuff"
* grant "WritesStuff" the "ReadsStuff" role
* grant "WritesStuff" the any-uri privilege (allowing the creation of a URI in any space) as well as any execute privileges needed (for example, xdmp:invoke, etc). If you want to cheat here, just grant "WritesStuff" the admin role (but if you do this, remember that it is an admin user and can do anything)
* create a user called "WritesStuff" and grant that user the "WritesStuff" role
* when you load documents, load them as the "WritesStuff" user and give each document an update and insert permission for "WritesStuff" and a read permission for "ReadsStuff".
  For example, here is code to create a set of permissions to do this (as an option to xdmp:document-insert or xdmp:document-load):

    ( xdmp:permission("ReadsStuff", "read"),
      xdmp:permission("WritesStuff", "insert"),
      xdmp:permission("WritesStuff", "update") )

* for extra credit, make the above permissions default permissions for the WritesStuff user (then you do not need to explicitly type them when you create documents as this user).

Now the "ReadsStuff" user can read those documents, and the "WritesStuff" user can both read and update the documents.

You will probably also need to grant the "ReadsStuff" role some other execute permissions, depending on how your code is written. However if your code does not use any protected functions, this will not be needed (for example, if the page you were executing was simple fn:doc("/my-uri.xml") )

Sound simple? It actually is pretty simple, once you understand a few key concepts....

Let us know how it goes.

-Danny

From: [email protected] [mailto:[email protected]] On Behalf Of Lee, David
Sent: Friday, April 09, 2010 4:41 AM
To: General Mark Logic Developer Discussion
Subject: [MarkLogic Dev General] Creating a "Simple" user

I'm struggling on creating a user with the right roles and permissions to run a simple app. I read over the security and Admin documentation and still don't get it. I think my problem is that ML security is *too flexible*! (no I'm not asking to change that :)

I was sorta hoping for a default builtin role that would allow

* Run any xquery script in the Modules DB for this App server
* Read only on all documents
* Don't allow "admin stuff" (like add users etc).

That's all, is that so hard? I can't figure it out though ... There's just so many options, custom roles with permissions ... I won't enumerate them, it's hurting my brain just thinking about it.

Could anyone suggest a *simple* way to just create a user that can execute anything not admin-ish and read-only all documents?
I was able to create a user and use digest authentication but so far have had to add the admin role or my web app doesn't even show up. (I get a 404) Nothing in the access or error logs to tell me what the reason was.

Thanks for any suggestions ... (besides RTFM .. I've done that, unless there is a FM that says *simply* what to do).

----------------------------------------
David A. Lee
Senior Principal Software Engineer
Epocrates, Inc.
[email protected]
812-482-5224

_______________________________________________
General mailing list
[email protected]
http://xqzone.com/mailman/listinfo/general

------------------------------

Message: 4
Date: Fri, 9 Apr 2010 21:51:59 +0100
From: Stylus Studio <[email protected]>
Subject: [MarkLogic Dev General] +Hi+
To: [email protected]
Message-ID: <[email protected]>
Content-Type: text/plain; charset=ISO-8859-1

http://www.kogensor.fewq.com/ijBQPl2Wsz.htm

------------------------------

Message: 5
Date: Fri, 9 Apr 2010 14:13:22 -0700
From: Danny Sokolsky <[email protected]>
Subject: RE: [MarkLogic Dev General] RE: Creating a "Simple" user
To: General Mark Logic Developer Discussion <[email protected]>
Message-ID: <[email protected]>
Content-Type: text/plain; charset="iso-8859-1"

Yes, you can update your documents, but not setting properties, setting permissions (xdmp:document-set-permissions). Nevertheless, you will have to update every document if you want a non-admin user to see them.

If a document has no permissions, only a user with the admin role can see the document.

If you do a doc on a document that does not exist, it returns the empty sequence, so there would be no errors trying to access a document for which you do not have access (it is as if it does not exist).

As a good practice, you should create all documents with at least one read permission and one update permission.

xdmp:document-get-permissions will return the permissions on a document.
-Danny

End of General Digest, Vol 70, Issue 24
***************************************
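
The retrofit described in Message 5, for documents that were loaded with no permissions, can be scripted with the functions named there. This is an added example, not code from the thread; it assumes the "ReadsStuff" and "WritesStuff" roles from Message 3 already exist, that it is run by a user with the admin role (the only role that can see documents without permissions), and the batch size of 500 is an arbitrary choice.

```xquery
xquery version "1.0-ml";

(: Added example, not from the thread. Run as a user with the admin role.
   Assumes the ReadsStuff and WritesStuff roles already exist;
   $batch-size is an illustrative value. :)
declare variable $batch-size as xs:integer := 500;

(: the permission set from Message 3 :)
let $perms := (
  xdmp:permission("ReadsStuff", "read"),
  xdmp:permission("WritesStuff", "insert"),
  xdmp:permission("WritesStuff", "update")
)
(: URIs of documents that currently carry no permissions at all,
   limited to one batch per run :)
let $unprotected := (
  for $doc in fn:doc()
  let $uri := xdmp:node-uri($doc)
  where fn:empty(xdmp:document-get-permissions($uri))
  return $uri
)[1 to $batch-size]
return (
  for $uri in $unprotected
  return xdmp:document-set-permissions($uri, $perms),
  (: number of documents fixed by this run; rerun until it returns 0 :)
  fn:count($unprotected)
)
```

To confirm the result, request one of the fixed URIs with fn:doc as the "ReadsStuff" user: a document that user still cannot read comes back as the empty sequence rather than as an error.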
