
I'm trying to specify permissions on documents in a MarkLogic 6 database using the rest api.

This is the permissions metadata I'm sending in (permissions.xml):

<rapi:metadata xmlns:rapi="http://marklogic.com/rest-api"
     xmlns:prop="http://marklogic.com/xdmp/property">
    <rapi:permissions>
        <rapi:permission>
            <rapi:role-name>arole</rapi:role-name>
            <rapi:capability>update</rapi:capability>
        </rapi:permission>
        <rapi:permission>
            <rapi:role-name>brole</rapi:role-name>
            <rapi:capability>read</rapi:capability>
        </rapi:permission>
    </rapi:permissions>
</rapi:metadata>

using this command:

curl --anyauth --user user:pass -X PUT -T permissions.xml \
    -H "Content-type: application/xml" \
    "http://localhost:8003/v1/documents?uri=/test/test.xml&category=permissions"

When I look at the permissions afterwards, I see:

arole (update)
brole (read)
rest-reader (read)
rest-writer (update)

I expect it to only have the permissions for arole and brole.

The documentation says, "If no permissions are explicitly set, documents you create with the MarkLogic REST API have a read permission for the rest-reader role and an update permission for the rest-writer role." (And yes, I know, this example doesn't create a new document. But it does the same thing if I add a new document and set permissions at the same time using a multipart content+metadata message through the rest api).

Setting permissions via the direct xquery calls (ex. xdmp:document-insert with permissions) using the same user and database works as expected.

How can I keep the rest api from adding these extra permissions?

EDIT:

There's a ticket in with MarkLogic, no target date or version that I know of yet.

In case someone else runs into this, they did give me a workaround: Create new roles (or change existing ones), and give them rest-reader and/or rest-writer 'execute' privileges instead of having them inherit the rest-reader/rest-writer roles, or having a user directly assigned the rest-reader/rest-writer roles.

Sofia
paloma
2 Answers


The internal function docmodupd:write-permissions always combines the input permissions with the output from xdmp:default-permissions. It does that to ensure that rest-reader can read the document, and rest-writer can update it. As far as I can tell there is no API to control this behavior.

If you have a strong use-case for omitting those extra permissions, contact support.

mblakele
  • Just to make sure I'm understanding how the rest-reader role works with document permissions... this means that _all_ users who can access the rest api can see this document, right? – paloma Dec 04 '13 at 20:16

The easiest way to accomplish access via REST but NOT universal access to documents is to create custom roles that you can assign to users in place of the built-in roles. Add default read/write permissions to that role if desired (so that you don't have to specify the permissions on every document insert), along with the REST execute privilege(s) that you want the role to have (http://marklogic.com/xdmp/privileges/rest-writer, http://marklogic.com/xdmp/privileges/rest-reader). Don't assign the rest-reader or rest-writer built-in role to the custom role, just the execute privilege(s).

The custom roles will then be able to use all of the REST endpoints, but will NOT have universal access to all documents created via the REST interface. Searches and document GET requests will return only documents that the custom role has access to, and they won't be able to modify documents that their role does not have update permissions on.

cwhit
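The role setup described in this answer, written out with the MarkLogic XQuery Security API. This is an added example, not code from either answer or from MarkLogic's own documentation; the role names (app-reader, app-writer), user names, password placeholder and the content database name "Documents" are assumptions, while the two privilege URIs and the document URI /test/test.xml come from the page. Run it in Query Console as an admin user with the Security database selected; each statement separated by ";" runs in its own transaction so that later statements can see the roles created earlier.

```xquery
xquery version "1.0-ml";
(: Added example: custom roles that hold the REST execute privileges but do
   NOT inherit the built-in rest-reader / rest-writer roles. Names assumed. :)
import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";

(: Step 1: create the roles with no inherited roles, no default permissions
   and no default collections, then grant only the execute privileges. :)
sec:create-role("app-reader",
  "REST read access without universal document read", (), (), ()),
sec:create-role("app-writer",
  "REST write access without universal document update", (), (), ()),
sec:privilege-add-roles(
  "http://marklogic.com/xdmp/privileges/rest-reader", "execute", "app-reader"),
sec:privilege-add-roles(
  "http://marklogic.com/xdmp/privileges/rest-writer", "execute", "app-writer");

xquery version "1.0-ml";
import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";

(: Step 2 (separate transaction, so the new roles are visible): default
   permissions for app-writer. These are what xdmp:default-permissions()
   returns for a user holding that role, and therefore what the REST layer
   merges into each document it writes, so every document created through
   /v1/documents is readable by app-reader and updatable by app-writer. :)
sec:role-set-default-permissions("app-writer",
  (xdmp:permission("app-reader", "read"),
   xdmp:permission("app-writer", "update"))),
(: Test users that hold only the custom roles; "CHANGE-ME" is a placeholder. :)
sec:create-user("app-writer-user", "REST writer test user", "CHANGE-ME",
  "app-writer", (), ()),
sec:create-user("app-reader-user", "REST reader test user", "CHANGE-ME",
  "app-reader", (), ());

xquery version "1.0-ml";
(: Step 3 (check): after app-writer-user has PUT /test/test.xml through the
   REST API, list the document's permissions from the content database
   (assumed to be named "Documents"). No rest-reader or rest-writer entry
   should appear; only the roles you sent plus app-writer's defaults. :)
xdmp:eval('
  xquery version "1.0-ml";
  declare namespace sec = "http://marklogic.com/xdmp/security";
  for $p in xdmp:document-get-permissions("/test/test.xml")
  return fn:concat(xdmp:role-name($p/sec:role-id), " (", $p/sec:capability, ")")',
  (),
  <options xmlns="xdmp:eval">
    <database>{xdmp:database("Documents")}</database>
  </options>)
```

After step 2, repeat the question's curl PUT as app-writer-user. Because the REST layer merges the supplied permissions with xdmp:default-permissions() (as the first answer explains), and that set no longer contains rest-reader or rest-writer for this user, step 3 should list only arole, brole, app-reader and app-writer. A user holding only app-reader can still call the search and GET endpoints, but sees just the documents that carry an app-reader read permission.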