Hi All,

I am trying to configure security for my application and facing similar issues. 

I am using the xqmvc framework in my application, and have given read and execute to the 
default-role on the URL rewriter, default error page and the xqmvc framework code.

1) When it tries to load the login controller, i.e. the first/default URL of the 
application, it gives an XDMP-MODNOTFOUND exception, so it is unable to find the 
login controller. 

2) Then I gave read and execute on the login controller to default-role, but 
now it is giving XDMP-MODNOTFOUND on other library modules which are imported 
in the login controller. 

3) Then I gave read and execute on this library module to default-role, but now 
it is giving XDMP-MODNOTFOUND on the library modules which are imported in the 
library module in step 2 above.

In this email chain Danny mentioned that "When your code is in a database, 
that document needs execute perms for everyone too..." 

This means all the modules in the database should have read and execute 
permission granted to the default-role. Can someone please explain why?

Regards,
Balvinder
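
One way to see why each imported module needs execute permission, and to grant it without opening every module in the database to the default user, is to walk the import chain from the modules that run before authentication (the URL rewriter and error handler Danny describes) and grant execute on exactly that set. The following is an added example written for this thread; it is not code from Balvinder, Danny, David or the xqmvc project. It assumes an app server whose modules root is "/", a role named app-user that already exists, nobody as the app server's default user, and the three entry-point URIs listed in the code; all of these are placeholders. Run it as an admin user with the Modules database as the content database.

```xquery
xquery version "1.0-ml";

(: Added example, not code from the thread. Placeholders (assumptions): the
   role, the default user, the entry-point URIs, and a modules root of "/".
   The role must already exist; xdmp:document-add-permissions and
   sec:user-add-roles both fail on an unknown role. :)
declare variable $role := "app-user";
declare variable $default-user := "nobody";

(: The modules the app server evaluates before the request is authenticated,
   so they run as the default user: the URL rewriter, the error handler, and
   the controller the rewriter sends the first request to. :)
declare variable $entry-points := (
  "/rewriter.xqy",
  "/error-handler.xqy",
  "/xqmvc/controllers/login.xqy"
);

(: Resolve a location hint the way the server does: absolute hints against
   the modules root, relative hints against the importing module's directory.
   ".." segments are not normalised (simplification). :)
declare function local:resolve($hint as xs:string, $importer as xs:string) as xs:string
{
  if (fn:starts-with($hint, "/")) then $hint
  else fn:concat(fn:replace($importer, "[^/]*$", ""), $hint)
};

(: Location hints of the library modules $uri imports. This is a textual scan:
   strip (: :) comments, split the prolog on ";", keep the "import module ...
   at" statements, take the double-quoted hints after "at". Nested comments,
   single-quoted hints and a ";" inside a string literal are not handled. :)
declare function local:direct-imports($uri as xs:string) as xs:string*
{
  let $text := fn:replace(fn:string(fn:doc($uri)), "\(:.*?:\)", "", "s")
  for $stmt in fn:tokenize($text, ";")
               [fn:matches(., "import\s+module\s") and fn:matches(., "\sat\s")]
  let $hints := fn:replace($stmt, "^.*\sat\s+", "", "s")
  for $hint in fn:tokenize($hints, '"')[position() mod 2 = 0]
  return local:resolve($hint, $uri)
};

(: Depth-first walk of the import graph. A URI whose document is missing is
   kept in the result so it can be reported: that is the module the server
   would fail on with XDMP-MODNOTFOUND when the import is reached. :)
declare function local:closure($todo as xs:string*, $seen as xs:string*) as xs:string*
{
  if (fn:empty($todo)) then $seen
  else
    let $uri  := $todo[1]
    let $rest := fn:subsequence($todo, 2)
    return
      if ($uri = $seen) then local:closure($rest, $seen)
      else if (fn:empty(fn:doc($uri))) then local:closure($rest, ($seen, $uri))
      else local:closure(($rest, local:direct-imports($uri)), ($seen, $uri))
};

let $modules := local:closure($entry-points, ())
let $missing := $modules[fn:empty(fn:doc(.))]
let $found   := $modules[fn:exists(fn:doc(.))]
return (
  (: Execute on exactly the reachable modules, nothing else in the database.
     add-permissions keeps whatever permissions are already set. :)
  for $uri in $found
  return xdmp:document-add-permissions($uri, xdmp:permission($role, "execute")),

  (: Give the role to the default user so the unauthenticated rewriter and
     error-handler runs can execute those modules. sec:* functions must run
     against the Security database, hence the xdmp:eval. :)
  xdmp:eval(
    'xquery version "1.0-ml";
     import module namespace sec = "http://marklogic.com/xdmp/security"
       at "/MarkLogic/security.xqy";
     declare variable $user external;
     declare variable $role external;
     sec:user-add-roles($user, $role)',
    (xs:QName("user"), $default-user, xs:QName("role"), $role),
    <options xmlns="xdmp:eval">
      <database>{ xdmp:security-database() }</database>
    </options>),

  fn:concat("execute granted to ", $role, " on: ", fn:string-join($found, ", ")),
  if (fn:exists($missing)) then
    fn:concat("not found in this database (XDMP-MODNOTFOUND at runtime): ",
              fn:string-join($missing, ", "))
  else ()
)
```

Every URI the script reports as missing is one the server would raise XDMP-MODNOTFOUND on when that import is reached, which is the sequence described above: the rewriter runs as the default user, it loads the login controller, the controller's imports are loaded in turn, and each one is permission-checked against that same user. Execute is the capability checked when a module is loaded from a database; add read as well only if your own code reads the module text with fn:doc. If your modules use single-quoted location hints or ".." segments, extend local:direct-imports and local:resolve before trusting the list.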

-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of Danny Sokolsky
Sent: Thursday, April 15, 2010 7:57 PM
To: General Mark Logic Developer Discussion
Subject: RE: [MarkLogic Dev General] RE: Creating a "Simple" user 

And if you do not want to give the nobody user the spl-read role, create 
another role: you can just add an execute permission for the error handler and 
rewriter for the app-user role.

This is a better way to do it, because you do not want nobody to have access to 
your database.

-Danny

-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of Danny Sokolsky
Sent: Thursday, April 15, 2010 11:53 AM
To: General Mark Logic Developer Discussion
Subject: RE: [MarkLogic Dev General] RE: Creating a "Simple" user 

Ah, this is the tricky part.

You need to give the spl-read role to the nobody user (or whoever is the 
default user for the app server).

Here is why: when the redirector runs, the request has not yet been 
authenticated, and so it runs as the default user (nobody by default).

Try that and let us know.

-Danny

-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of Lee, David
Sent: Thursday, April 15, 2010 11:49 AM
To: General Mark Logic Developer Discussion
Subject: RE: [MarkLogic Dev General] RE: Creating a "Simple" user 

Yes, it's using a URL rewriter, and ALL documents in the Modules database have 
execute permission to the reader.
I used this code:


(: run against the Modules database :)
for $d in doc()
return
  xdmp:document-set-permissions(base-uri($d), (
    xdmp:permission("spl-read", "read"),
    xdmp:permission("spl-read", "execute"),
    xdmp:permission("spl-write", "insert"),
    xdmp:permission("spl-write", "update")))


Anyplace to look ? Thanks for the help !




-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of Danny Sokolsky
Sent: Thursday, April 15, 2010 2:44 PM
To: General Mark Logic Developer Discussion
Subject: RE: [MarkLogic Dev General] RE: Creating a "Simple" user 

Are you using a redirector (URL rewriter)?  When your code is in a database, 
that document needs execute perms for everyone too...  Ditto for an error 
handler.

-Danny

-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of Lee, David
Sent: Thursday, April 15, 2010 11:40 AM
To: General Mark Logic Developer Discussion
Subject: RE: [MarkLogic Dev General] RE: Creating a "Simple" user 

Replying to the right thread this time !!! 
Sorry for the confusion/spam

--------------

Still not working very well.
I followed these directions and still can't get any user not assigned to the 
"admin" role to execute an xquery in the App server.

Where would I find an error, warning or even  fricken *clue* about what 
permissions or roles I'm missing ?
The failure case is I get a 404 error if the user doesn't have admin role. So 
it appears to not even be attempting to execute the xquery, let alone getting 
at documents.

The code is in the Modules database and I've added "execute" permission to the 
reader role.
I tried checking all the boxes on the Roles page that seem to have anything to 
do with execution but no avail.

I'm sure it's something "simple" but no idea what ...




-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of Danny Sokolsky
Sent: Friday, April 09, 2010 2:35 PM
To: General Mark Logic Developer Discussion
Subject: [MarkLogic Dev General] RE: Creating a "Simple" user 

Hi David,

If it was *simple*, it would not be secure :)

Remember that users do not have permissions, documents have permissions, and 
permissions are tied to roles via a capability (read, update, insert, or 
execute). 

Privileges protect code access (and URI privileges protect creating documents 
in a URI space). 

So here is what I would recommend as a starting point:

* create a role called "ReadsStuff"
* create a user called "ReadsStuff" and grant that user the "ReadsStuff" role
* create a role called "WritesStuff"
* grant "WritesStuff" the "ReadsStuff" role
* grant "WritesStuff" the any-uri privilege (allowing the creation of a URI in 
any space) as well as any execute privileges needed (for example, xdmp:invoke, 
etc).  If you want to cheat here, just grant "WritesStuff" the admin role (but 
if you do this, remember that it is an admin user and can do anything)
* create a user called "WritesStuff" and grant that user the "WritesStuff" role
* when you load documents, load them as the "WritesStuff" user and give each 
document an update and insert permission for "WritesStuff" and a read 
permission for "ReadsStuff".  For example, here is code to create a set of 
permissions to do this (as an option to xdmp:document-insert or 
xdmp:document-load):

( xdmp:permission("ReadsStuff", "read"),
  xdmp:permission("WritesStuff", "insert"),
  xdmp:permission("WritesStuff", "update") )

* for extra credit, make the above permissions default permissions for the 
WritesStuff user (then you do not need to explicitly type them when you create 
documents as this user).

Now the "ReadsStuff" user can read those documents, and the "WritesStuff" user 
can both read and update the documents.

You will probably also need to grant the "ReadsStuff" role some other execute 
permissions, depending on how your code is written.  However if your code does 
not use any protected functions, this will not be needed (for example, if the 
page you were executing was simple fn:doc("/my-uri.xml")  )

Sound simple?  It actually is pretty simple, once you understand a few key 
concepts....  Let us know how it goes.

-Danny
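
The steps above, scripted against the MarkLogic security API, as an added example for this thread (it is not Danny's or David's code). It assumes it is run by an admin user, placeholder passwords, and that the writer needs the any-uri and xdmp-invoke execute privileges; the privilege action URIs are the ones MarkLogic uses for those two privileges. Each step runs in its own transaction against the Security database, because a MarkLogic transaction does not see its own updates: creating a role and then granting it to a user in the same transaction fails on the role lookup.

```xquery
xquery version "1.0-ml";

(: Added example, not code from the thread. Passwords are placeholders
   (assumption); change them before running. :)
declare variable $reads-pw  := "change-me-reads";
declare variable $writes-pw := "change-me-writes";

(: Run one security-API statement in its own transaction against the Security
   database. Every step goes through this because a transaction does not see
   its own updates, so chaining the steps in one transaction would fail. :)
declare function local:sec($body as xs:string, $vars as item()*) as item()*
{
  let $prolog :=
    'xquery version "1.0-ml";
     import module namespace sec = "http://marklogic.com/xdmp/security"
       at "/MarkLogic/security.xqy"; '
  return
    xdmp:eval(fn:concat($prolog, $body), $vars,
      <options xmlns="xdmp:eval">
        <database>{ xdmp:security-database() }</database>
        <isolation>different-transaction</isolation>
      </options>)
};

(: 1. Read-only role: no inherited roles, no default permissions. :)
local:sec('sec:create-role("ReadsStuff", "Reads application documents",
                           (), (), ())', ()),

(: 2. Writer role that inherits ReadsStuff, so it can read what it writes. :)
local:sec('sec:create-role("WritesStuff", "Creates and updates application documents",
                           "ReadsStuff", (), ())', ()),

(: 3. Execute privileges the writer needs: any-uri lets it create documents at
      any URI; xdmp-invoke is one example of a protected function. Grant only
      what the code actually calls (assumption here: both). :)
local:sec('sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/any-uri",
                                   "execute", "WritesStuff")', ()),
local:sec('sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/xdmp-invoke",
                                   "execute", "WritesStuff")', ()),

(: 4. One user per role. The password is passed as an external variable so it
      is never spliced into the query text. :)
local:sec('declare variable $pw external;
           sec:create-user("ReadsStuff", "Read-only application user", $pw,
                           "ReadsStuff", (), ())',
          (xs:QName("pw"), $reads-pw)),
local:sec('declare variable $pw external;
           sec:create-user("WritesStuff", "Content-loading application user", $pw,
                           "WritesStuff", (), ())',
          (xs:QName("pw"), $writes-pw)),

(: 5. "Extra credit": default permissions for the WritesStuff user, applied to
      every document it inserts or loads without listing them each time. :)
local:sec('sec:user-set-default-permissions("WritesStuff",
            (xdmp:permission("ReadsStuff", "read"),
             xdmp:permission("WritesStuff", "insert"),
             xdmp:permission("WritesStuff", "update")))', ())
```

To check the result, load a document as WritesStuff without an explicit permission list, then call xdmp:document-get-permissions on it as the admin user: it should show read for ReadsStuff and insert/update for WritesStuff and nothing else. Note that ReadsStuff has no execute privileges at all; as Danny says, it only needs them if the code it runs calls protected functions.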




From: [email protected] 
[mailto:[email protected]] On Behalf Of Lee, David
Sent: Friday, April 09, 2010 4:41 AM
To: General Mark Logic Developer Discussion
Subject: [MarkLogic Dev General] Creating a "Simple" user 


I'm struggling on creating a user with the right roles and permissions to run a 
simple app.
I read over the security and Admin documentation and still don't get it.
I think my problem is that ML security is *too flexible*! (no I'm not asking 
to change that :) 
 
I was sorta hoping for a default builtin role that would allow
* Run any xquery script in the Modules DB for this App server
* Read only on all documents
* Don't allow "admin stuff" (like add users etc).

That's all, is that so hard? 

I can't figure it out though ... There's just so many options, custom roles 
with permissions ... I won't enumerate them, it's hurting my brain just thinking 
about it.

 

Could anyone suggest a *simple* way to just create a user that can execute 
anything not admin-ish and read-only all documents ?

I was able to create a user and use digest authentication but so far have had 
to add the admin role or my web app doesn't even show up. ( I get a 404 ) 

Nothing in the access or error logs to tell me what the reason was.
Thanks for any suggestions ... (besides RTFM .. I've done that, unless there is 
a FM that says *simply* what to do).

 



----------------------------------------
David A. Lee
Senior Principal Software Engineer
Epocrates, Inc.
[email protected]
812-482-5224

_______________________________________________
General mailing list
[email protected]
http://xqzone.com/mailman/listinfo/general
Elsevier Limited. Registered Office: The Boulevard, Langford Lane, Kidlington, 
Oxford, OX5 1GB, United Kingdom, Registration No. 1982084 (England and Wales).
