Running REST extensions with least privs when using modules from src #300

grtjn · 2014-11-06T10:37:48Z

I had deployed a REST extension using admin, which was relying on a modules loaded from src/. I then tried accessing that REST extension using a least-privs user. That resulted in this misleading message:

<rapi:error xmlns:rapi="http://marklogic.com/rest-api"><rapi:status-code>400</rapi:status-code><rapi:status>Bad Request</rapi:status><rapi:message-code>XDMP-MODNOTFOUND</rapi:message-code><rapi:message>XDMP-MODNOTFOUND: (err:XQST0059) logger:dump-request-environment(), let $params := rest:process-request(conf:get-rsrc-exec-query-rule()) let $headers := eput:get-request-headers() let $method := eput:get-request-method($headers) let $body := if (fn:not($method = "POST")) then () else xdmp:get-request-body() return switch ($method) case "GET" return (xdmp:security-assert("http://marklogic.com/xdmp/privileges/rest-reader", "execute"), rsrcmodqry:exec-get($headers, $params, local:rsrcmod-callback#4)) case "POST" return (xdmp:security-assert("http://marklogic.com/xdmp/privileges/rest-writer", "execute"), rsrcmodqry:exec-post($headers, $params, $body, local:rsrcmod-callback#4)[fn:not(xdmp:get-response-code()[1] eq 204)]) default return fn:error((), "RESTAPI-INVALIDREQ", fn:concat("unsupported method ", $method, " for ", map:get($params, "name"))) -- Module /Users/gjosten/Library/MarkLogic/Modules/MarkLogic/rest-api/lib/endpoint-util.xqy not found</rapi:message></rapi:error>

I was able to get round this by running the following against the modules database:

for $uri in cts:uris()
where ends-with($uri, ".xqy")
return (
  $uri,
  xdmp:document-add-permissions($uri, (
    xdmp:permission("rest-extension-user", "execute"),
    xdmp:permission("rest-admin", "update"),
    xdmp:permission("rest-admin", "read")
  ))
)

Apparently we need to apply more permissions to modules by default in REST and Hybrid type applications..

Next to this, a 'permissions' properties, that lets you specify extra permissions for content and/or modules would be great..

grtjn · 2014-11-06T10:47:30Z

Temporary workaround, add this to deploy/app_specific.rb:

  # fix a deployment issue with modules not getting correct permissions
  alias_method :original_deploy_modules, :deploy_modules
  def deploy_modules()
    original_deploy_modules
    r = execute_query %Q{
      xquery version "1.0-ml";

      for $uri in cts:uris()
      where ends-with($uri, ".xqy")
      return (
        $uri,
        xdmp:document-add-permissions($uri, (
          xdmp:permission("rest-extension-user", "execute"),
          xdmp:permission("rest-admin", "update"),
          xdmp:permission("rest-admin", "read")
        ))
      )
    },
    { :db_name => @properties["ml.modules-db"] }
  end

dmcassel · 2014-11-06T12:29:49Z

Roxy gives permissions to the app-role in deploy_src() (server_config.rb).
I think the long-term fix is for that function to check for app-type =
hybrid or rest and add those permissions. Shouldn't be complicated, I'll
try to get to a PR sometime soon.

On Thu, Nov 6, 2014 at 5:47 AM, Geert notifications@github.com wrote:

Temporary workaround:

fix a deployment issue with modules not getting correct permissions

alias_method :original_deploy_modules, :deploy_modules
def deploy_modules()
original_deploy_modules
r = execute_query %Q{ xquery version "1.0-ml"; for $uri in cts:uris() where ends-with($uri, ".xqy") return ( $uri, xdmp:document-add-permissions($uri, ( xdmp:permission("rest-extension-user", "execute"), xdmp:permission("rest-admin", "update"), xdmp:permission("rest-admin", "read") )) ) },
{ :db_name => @properties["ml.modules-db"] }
end

—
Reply to this email directly or view it on GitHub
#300 (comment).

http://blog.davidcassel.net
http://www.linkedin.com/in/davidcassel

#300 adding REST-role permissions to normal code

paxtonhare · 2014-11-07T15:43:29Z

fixed in dev. thanks!

dmcassel self-assigned this Nov 6, 2014

dmcassel added a commit to dmcassel/roxy that referenced this issue Nov 6, 2014

marklogic-community#300 adding REST-role permissions to normal code

ae374fe

dmcassel mentioned this issue Nov 6, 2014

#300 adding REST-role permissions to normal code #301

Merged

paxtonhare added a commit that referenced this issue Nov 7, 2014

Merge pull request #301 from dmcassel/dev

70416a7

#300 adding REST-role permissions to normal code

paxtonhare closed this as completed Nov 7, 2014

paxtonhare added this to the 1.7.1 milestone Nov 7, 2014

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Running REST extensions with least privs when using modules from src #300

Running REST extensions with least privs when using modules from src #300

grtjn commented Nov 6, 2014

grtjn commented Nov 6, 2014

dmcassel commented Nov 6, 2014

fix a deployment issue with modules not getting correct permissions

paxtonhare commented Nov 7, 2014

Running REST extensions with least privs when using modules from src #300

Running REST extensions with least privs when using modules from src #300

Comments

grtjn commented Nov 6, 2014

grtjn commented Nov 6, 2014

dmcassel commented Nov 6, 2014

fix a deployment issue with modules not getting correct permissions

paxtonhare commented Nov 7, 2014