Great, so make sure those role names map to those held in MarkLogic and then you can use xdmp:login. Notice how xdmp:login accepts a $role-names sequence of roles you want the user to have after logging in. It was added for just this use case. You just need a single weak user that everybody can login as, with the user's power coming from the roles passed in there.
The code checking the JWT and doing the login needs to have the xdmp:login privilege. You may or may not want to set the session. With JWT probably not. I'd check the token on each go so you can use the JWT's precise time of expiration.

-jh-

On Sep 18, 2017, at 21:12, Andreas Hubmer <[email protected]> wrote:

It is possible to add authorization information (roles) to the JWT. Example:

{
  "iss": "...",
  "sub": "...",
  "exp": ...,
  "iat": ...,
  "jti": "...",
  "ver": "0.1",
  "idp": "..",
  "name": "Doe",
  "firstName": "John",
  "email": "[email protected]",
  "roles": ["role1", "role2"]
}

2017-09-18 14:59 GMT+02:00 Jason Hunter <[email protected]>:

I understand that JWT will provide for authentication. How do you intend to do authorization? Meaning, how do you intend to know what roles the username given in the JWT should have within MarkLogic? Or do all authenticated users get the same roles, or something?

-jh-

On Sep 18, 2017, at 15:07, Andreas Hubmer <[email protected]> wrote:

Justin, I'll answer for my colleague.

We'd like to use JSON Web Tokens (JWT) and extract the user roles from the token. The users are managed in an external system and, similar to the LDAP connection, we want to avoid that every user has to be created/updated in MarkLogic too. Amps do not give the same flexibility as a temporary user with an arbitrary combination of roles.

Thanks,
Andreas

2017-09-15 17:50 GMT+02:00 Justin Makeig <[email protected]>:

Andreas,

Rather than describe your solution, can you explain the problem you're trying to solve? Why do you think you need a temporary user? What permission/privilege challenge are you trying to address? You might also take a look at amps <https://docs.marklogic.com/guide/admin/security#id_81246>. An amp allows a security administrator to elevate the privileges of a specific function. This is beneficial in that the security is defined in configuration, not code.

Justin

--
Justin Makeig
Senior Director, Product Management
MarkLogic
[email protected]

> On Sep 15, 2017, at 4:29 AM, Andreas Holzgethan <[email protected]> wrote:
>
> Hi @all,
>
> I need the possibility to create a temporary user for a transaction.
> I just found in the documentation that such a functionality is used when, for
> example, LDAP is configured as an external security.
>
> Could you please explain to me how this is done there?
>
> My first thought was to create a user with the function
> "sec:create-user-with-role". At the end of the transaction I would just call
> the function "sec:remove-user".
> Could you please give me feedback about this implementation?
> Is such an implementation a big influence on the performance?
>
> Thanks!
>
> Best regards
> Andreas Holzgethan
>

--
Andreas Hubmer
Senior IT Consultant
EBCONT enterprise technologies GmbH

_______________________________________________
General mailing list
[email protected]
Manage your subscription at:
http://developer.marklogic.com/mailman/listinfo/general
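The pattern the thread converges on (one shared low-privilege account, roles taken from a verified JWT, xdmp:login with $role-names and no session) looks like the following in XQuery. This is an added example, not code from the thread, from MarkLogic, or from either poster. It assumes an HS256-signed token, a shared secret in $SECRET, a "roles" claim shaped like Andreas's sample, a pre-created MarkLogic user named "jwt-user", and an allow-list $ALLOWED-ROLES of role names that also exist in MarkLogic; all of those names and values are placeholders. The function names local:b64url-decode, local:verify-jwt and local:login-with-roles are invented for this example. As Jason notes, the module that calls xdmp:login must itself hold the xdmp:login privilege.

```xquery
xquery version "1.0-ml";

(: Assumed configuration (placeholders, not from the thread). :)
declare variable $SECRET as xs:string := "replace-with-your-shared-secret";
declare variable $SHARED-USER as xs:string := "jwt-user";
(: Only roles on this allow-list are ever granted, so a token issuer cannot
   hand out a role such as "admin" simply by naming it in the claim. :)
declare variable $ALLOWED-ROLES as xs:string* := ("role1", "role2");

(: JWT segments are base64url without padding; xdmp:base64-decode expects
   standard base64, so translate the alphabet and restore the padding. :)
declare function local:b64url-decode($s as xs:string) as xs:string {
  let $std := translate($s, "-_", "+/")
  let $pad := (4 - string-length($std) mod 4) mod 4
  let $padding := string-join(for $i in 1 to $pad return "=", "")
  return xdmp:base64-decode(concat($std, $padding))
};

(: Verify signature and expiry before trusting any claim. Returns the claims
   object on success and raises an error otherwise. :)
declare function local:verify-jwt($token as xs:string) as map:map {
  let $parts := tokenize($token, "\.")
  let $_ := if (count($parts) ne 3) then error((), "JWT-MALFORMED") else ()
  let $header := xdmp:from-json-string(local:b64url-decode($parts[1]))
  (: Pin the algorithm: "none" or any algorithm other than HS256 is rejected. :)
  let $_ := if (map:get($header, "alg") ne "HS256") then error((), "JWT-BAD-ALG") else ()
  (: Recompute HMAC-SHA256 over header.payload and compare in base64url form. :)
  let $expected := xdmp:hmac-sha256($SECRET, concat($parts[1], ".", $parts[2]), "base64")
  let $expected-url := translate(replace($expected, "=+$", ""), "+/", "-_")
  let $_ := if ($expected-url ne $parts[3]) then error((), "JWT-BAD-SIGNATURE") else ()
  let $claims := xdmp:from-json-string(local:b64url-decode($parts[2]))
  (: "exp" is seconds since the Unix epoch; checking it on every request is what
     lets the token's own expiry time govern access instead of a server session. :)
  let $exp := xs:dateTime("1970-01-01T00:00:00Z")
              + xs:dayTimeDuration("PT1S") * xs:double(map:get($claims, "exp"))
  let $_ := if (current-dateTime() ge $exp) then error((), "JWT-EXPIRED") else ()
  return $claims
};

(: Log in as the shared user with only the allow-listed roles from the token.
   Returns the roles that were granted. :)
declare function local:login-with-roles($token as xs:string) as xs:string* {
  let $claims := local:verify-jwt($token)
  let $requested := json:array-values(map:get($claims, "roles"))
  let $granted := $requested[. = $ALLOWED-ROLES]
  let $_ := if (empty($granted)) then error((), "JWT-NO-ROLES") else ()
  (: No password (the signature already authenticated the caller), no session
     (third argument false), and the roles for this request only. :)
  let $_ := xdmp:login($SHARED-USER, (), fn:false(), $granted)
  return $granted
};

(: Usage: call once per request with the bearer token from the Authorization
   header, then run the rest of the request under the granted roles. :)
local:login-with-roles(xdmp:get-request-header("Authorization") ! replace(., "^Bearer\s+", ""))
```

Two design points worth keeping: the allow-list means the external identity provider can only select among roles the MarkLogic administrator has pre-approved, and because set-session is false there is no server-side session to outlive the token, so revocation is simply the token reaching its "exp".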
