search

joemfb / mlpm

a MarkLogic package manager
5 stars 2 forks source link

Provide permissions on deploy #10

Open grtjn opened 8 years ago

grtjn commented 8 years ago

Would be nice if we could deploy mlpm packages with specific doc permissions. I'm thinking though it uses REST api, which doesn't support that (yet). I filed an RFE for that. In meantime one could do something like:

  alias_method :original_deploy_modules, :deploy_modules

  def deploy_modules
    deploy_packages
    original_deploy_modules
    fix_permissions
  end

  def deploy_packages
    password_prompt
    system %Q!mlpm deploy -u #{ @ml_username } \
                          -p #{ @ml_password } \
                          -H #{ @properties['ml.server'] } \
                          -P #{ @properties['ml.app-port'] }!
  end

  def fix_permissions
    # and apply correct permissions
    r = execute_query %Q{
      xquery version "1.0-ml";

      for $uri in cts:uris()
      return (
        $uri,
        xdmp:document-set-permissions($uri, (
          xdmp:permission("#{@properties["ml.app-name"]}-role", "read"),
          xdmp:permission("#{@properties["ml.app-name"]}-role", "execute")
        ))
      )
    },
    { :db_name => @properties["ml.modules-db"] }
  end
joemfb commented 8 years ago

The defaults should work fine, since mlpm deploy uses the REST API directly, and ml,app-role should inherit from rest-reader. Do you want to further restrict access via the app-role permissions?

grtjn commented 8 years ago

App-role doesn't inherit rest roles by default. And it allows for  stricter security to use rest privs instead..

joemfb commented 8 years ago

You're right, but it should ;)

If you're assigning either a REST role or some set of REST privileges to your app-user, what's the use-case for installing your modules with permissions other than the REST API defaults?

grtjn commented 8 years ago

True, that would be a sensible default.. for rest type roxy apps..

If not inheriting a rest role (but just privs), you still need a role with exec permissions applied to mods and rest extensions. And if you replace rest role permissions at the same time, you make sure no other rest role user can abuse the app. Especially when combined with uri privs and protected collections only assigned to app-role and not to rest roles..

Sent from Samsung Mobile