XDMP-MUSTHAVEUPDATE when deploying modules with account that doesnt have admin role

[RobertSzkutak]

Hi,

Whenever I try to deploy modules with an account that's not admin I get the error XDMP-MUSTHAVEUPDATE

bobby@lionsden ~/projects/twitter
$ ./ml local deploy modules -v
source permissions: [{:capability=>"E", :role=>"twitter-role"}, {:capability=>"R", :role=>"twitter-role"}, {:capability=>"R", :role=>"rest-admin"}, {:capability=>"U", :role=>"rest-admin"}, {:capability=>"E", :role=>"rest-extension-user"}]
Using Batch commit: false
loading: /home/bobby/projects/twitter/src/lib/twitter.xqy => /lib/twitter.xqy
[PUT]   http://localhost:8044/insert?uri=%2Flib%2Ftwitter.xqy&perm=Etwitter-role&perm=Rtwitter-role&perm=Rrest-admin&perm=Urest-admin&perm=Erest-extension-user&tzoffset=-18000&dbname=twitter-modules
[GET]   http://localhost:8002/manage/LATEST/databases?format=xml
[POST]  http://localhost:8000/qconsole/endpoints/workspaces.xqy
Closing HTTP connection to localhost:8002
[POST]  http://localhost:8000/qconsole/endpoints/evaler.xqy?wsid=8992296078432323301&qid=5563066314083214850&action=eval&querytype=xquery&dirty=true&dbid=13208991071066605692
[DELETE]        http://localhost:8000/qconsole/endpoints/workspaces.xqy?wsid=8992296078432323301

Loaded 1 document from /home/bobby/projects/twitter/src to localhost:8044/twitter-modules at 09/17/2015 04:13:28 pm

[PUT]   http://localhost:8043/v1/config/properties
Using Batch commit: false
loading: /home/bobby/projects/twitter/rest-api/config/options/all.xml => /Default/twitter/rest-api/options/all.xml
[PUT]   http://localhost:8044/insert?uri=%2FDefault%2Ftwitter%2Frest-api%2Foptions%2Fall.xml&perm=Etwitter-role&perm=Rtwitter-role&tzoffset=-18000&dbname=twitter-modules
ERROR: 500 "Internal Server Error"
ERROR: 
    <html xmlns="http://www.w3.org/1999/xhtml">
      <head>
        <title>500 Internal Server Error</title>
          <meta name="robots" content="noindex,nofollow"/>
          <link rel="stylesheet" href="/error.css"/>
        </head>
      <body>
        <span class="error">
      <h1>500 Internal Server Error</h1>
      <dl>
        <dt>XDMP-MUSTHAVEUPDATE: Document must have at least one update permission. Assigned permissions: %1</dt>
        <dd></dd>
        <dt> [1.0-ml]</dt>
        <dd></dd>
      </dl>
    </span>
  </body>
</html>

I added this to line 231 of xcc.rb to make the error go away:

url << "&perm=Utwitter-role"

I have never written a single line of Ruby in my life before today so I apologize for not writing a proper fix as I was in a pinch to get this working for a customer. I've also tested this on a completely brand new roxy project to make sure that I didn't have any settings that were not default.

[grtjn]

I would probably have run into this when working on #438, but I think you are right. Non-admins must always add an update permission. Whether that should be for the app-role, not sure.

And no worries, thanks for the suggested fix. That makes looking for the root cause much easier..

[RobertSzkutak]

Hi Geert, I got a "proper" fix and I will submit a pull request shortly...

[RobertSzkutak]

Pull request submitted with a proper fix: #517

[grtjn]

Hi, ran a test with your code fix, but a) don't know what kind of roles/privs you assigned to that twitter-role, b) could it be that you are running a non-rest project? Otherwise I am pretty sure that line will get skipped because permissions are passed in from elsewhere..

[RobertSzkutak]

Just checked: app-type is set to rest in my build.properties file. That doesn't appear to be overwritten anywhere. (Are there other conditions that could cause it to be deployed differently?) twitter-role is app-name-role . Only unprotected-collections privilege has been added to Roxy default privs for it.

While this is from my local test case, my client was experiencing the exact same issue using app-type rest with a fresh pull from the latest dev branch. My fix also worked for him.

We created a new user and assign them only app-name-role and then attempt to deploy as that user. We then added rest-admin role to that user. We then added unprotected-collections to the app-name-role.

Happy to provide any other info that could be helpful.

[jmeekhof]

I can help test as well, as I'm the client experiencing the issue.

[grtjn]

Thnx, this helps. I was trying to reproduce without adding roles. But looks like deploy of rest artifacts doesnt work well without the rest-admin role..

[grtjn]

Debugged the issue. Deploy user indeed has to have rest-admin role to be able to successfully deploy rest artifacts. That makes kind of sense, but we prefer using privileges instead of roles, and therefore assign app-role permissions only to modules. Installation of rest artifacts however is done through the rest api, and get rest-style permissions. We typically overwrite those permissions afterwards.

[dmcassel]

@grtjn what's the status of this one?

[grtjn]

Not sure. @jmeekhof referenced this ticket in a commit, but not sure how it relates to the PR (#518) associated with this ticket.

[jmeekhof]

@grtjn You're correct, I should have referenced #518. I saw the error XDMP-MUSTHAVEUPDATE and associated with the wrong issue.

[bluetorch]

I ran into this problem today. Making the changes suggested in pull request #518 and @jmeekhof's commit fixed the problem.

[RobertSzkutak]

Closing as multiple PRs have been accepted to fix this