I have a configuration file in Marklogic modules database and what is the privilege needed for doing this

xdmp:invoke-function(function(){fn:doc('/config/context.xml')},<options xmlns="xdmp:eval"><database>{xdmp:modules-database()}</database></options>)

I am setting the following privileges

  • unprotected-collections
  • unprotected-uri
  • unprotected-collections
  • unprotected-uri
  • xdmp:spawn
  • xdmp:spawn-in
  • xdmp:spawn-transaction
  • xdmp:http-get
  • xdmp:http-head
  • xdmp:http-options
  • xdmp:http-delete
  • xdmp:http-post
  • xdmp:http-put
  • xdmp:eval
  • xdmp:eval-in
  • xdmp:spawn-transaction
  • xdmp:invoke
  • xdmp:invoke-in
  • xdmp:invoke-modules-change
  • xdmp:invoke-modules-change-file
  • xdmp:invoke-transaction
  • xdmp:xslt-eval
  • xdmp:xslt-eval-in
  • xdmp:xslt-eval-transaction
  • xdmp:load
  • xdmp:xslt-invoke
  • xdmp:xslt-invoke-in
  • xdmp:xslt-invoke-transaction

What other privileges am I missing? If I log in as rest-admin or admin, everything works.

Ravi
  • Are you sure you're executing that statement as the user with those privileges? What error are you getting? – wst Jul 01 '16 at 14:46
  • I am getting no error; all I get is empty. But when I give the user the "rest-admin" role, I can read it, so I was assuming I am missing some privilege that I am not assigning – Ravi Jul 01 '16 at 14:53
  • Ah, okay...are you sure that `/config/context.xml` is assigned a role with read permission that the user reading the document also has? – wst Jul 01 '16 at 14:56
  • The `/config/context.xml` is in the modules database, and I loaded it using ml-gradle. I loaded other library files as well into the modules database, and the user was able to execute the library calls. Do I need to give 'read' as well to the privilege? For the `kind` I gave only `execute`. Could this be the reason for not being able to read the file? – Ravi Jul 01 '16 at 15:05
  • Yes. Unless the user is admin, the document must have `read` permission for a role that the user also has. – wst Jul 01 '16 at 15:58
  • Yeah, once I gave the rest-reader permission in my gradle configuration it worked. Thanks, I will update with an answer for the specific gradle configuration – Ravi Jul 01 '16 at 16:10

2 Answers


I was loading all the modules (which included /config/context.xml) into the modules database using ml-gradle. By default ml-gradle loads all modules with the permissions rest-admin,read,rest-admin,update,rest-extension-user,execute

But it turns out we can override it (see the ml-gradle issue "Make it easy to override module permissions") using mlModulePermissions.

Following is what I did in my gradle.properties file

mlModulePermissions=rest-admin,read,rest-admin,update,rest-extension-user,execute,rest-reader
Ravi

I think Ravi found the missing link himself, but for the sake of completeness:

That list of privileges is far too long. To be allowed to run xdmp:invoke-function with a non-admin user (also sometimes referenced as a least-privs user) the user only needs the xdmp:invoke privilege. To be allowed to use the <database> option of that function, you need the additional xdmp:eval-in privilege. The required privileges are usually very well documented on DMC. See for instance: http://docs.marklogic.com/xdmp:eval

But regardless of the privileges you grant a user, it still needs to have a role that has read access to the documents it is trying to read. Otherwise it will simply not see them. Assigning rest-admin role to a user just for the purpose of reading a config file is probably a bit too much. Assigning rest-reader role, and adding a document permission that grants read access for that role is better. Best though is probably to create an application-specific role, assign that to the user, and add a read document permission for that role.

HTH!

grtjn
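The least-privilege setup grtjn describes above (a dedicated role carrying only xdmp:invoke and xdmp:eval-in, plus a read document permission for that role), written out as an added XQuery example. This is not code from either answer or from ml-gradle; the role name "config-reader" and the user name "app-user" are hypothetical, and the script assumes "app-user" already exists and that it is run by an admin user (security changes require the Security database and admin rights).

```xquery
xquery version "1.0-ml";

(: Added example, not part of the original answers. Role "config-reader" and
   user "app-user" are hypothetical names; run this script as admin. :)

import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";

(: Step 1: create an application-specific role with only the two execute
   privileges that xdmp:invoke-function with a <database> option needs,
   and give it to the user. Security objects live in the Security database,
   so the changes are made there in their own update transaction. :)
xdmp:invoke-function(
  function() {
    sec:create-role("config-reader",
      "Reads /config/context.xml from the modules database", (), (), ()),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/invoke",
      "execute", "config-reader"),
    sec:privilege-add-roles("http://marklogic.com/xdmp/privileges/eval-in",
      "execute", "config-reader"),
    sec:user-add-roles("app-user", "config-reader")
  },
  <options xmlns="xdmp:eval">
    <database>{xdmp:security-database()}</database>
    <isolation>different-transaction</isolation>
    <transaction-mode>update</transaction-mode>
  </options>
),

(: Step 2: grant read permission on the config document to that role.
   Privileges alone never make a document visible; the document permission
   is what does that. This runs against the modules database. :)
xdmp:invoke-function(
  function() {
    xdmp:document-add-permissions("/config/context.xml",
      xdmp:permission("config-reader", "read"))
  },
  <options xmlns="xdmp:eval">
    <database>{xdmp:modules-database()}</database>
    <isolation>different-transaction</isolation>
    <transaction-mode>update</transaction-mode>
  </options>
),

(: Step 3: check the resulting permissions on the document (read in a
   separate query transaction so the commit above is visible). :)
xdmp:invoke-function(
  function() {
    xdmp:document-get-permissions("/config/context.xml")
  },
  <options xmlns="xdmp:eval">
    <database>{xdmp:modules-database()}</database>
    <isolation>different-transaction</isolation>
  </options>
)
```

After this runs, the exact xdmp:invoke-function call from the question, executed as app-user, returns the document instead of an empty sequence. Nothing in the long privilege list from the question (spawn, http-*, xslt-*, load) is needed for that read, and leaving them off keeps the user from doing anything beyond reading that one document. If you manage modules with ml-gradle, the equivalent is to add config-reader,read to mlModulePermissions so the permission is applied on every deploy rather than by hand.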