project-lux / lux-marklogic

Code, issues, and resources related to LUX MarkLogic
Other
3 stars 2 forks source link

Enable the tenant deployer role to run copyRestApiOptions #243

Closed brent-hartwig closed 2 months ago

brent-hartwig commented 3 months ago

[!NOTE] Deployment task only. UAT is not necessary.

At present, /Default/lux-request-group-1/rest-api/options/lux-options.xml's document permissions prevent non-admins from executing the copyRestApiOptions Gradle task, which is wired to mlLoadModules. The scope of this ticket is to enable the tenant deployer role to successfully run the copyRestApiOptions task.

Ideally, we will find ML Gradle provides a way to specify the document permissions of https://github.com/project-lux/lux-marklogic/blob/main/src/main/ml-modules/options/lux-options.xml.

This issue is only an issue because of trying to do the right thing: #212

brent-hartwig commented 3 months ago

From https://github.com/marklogic/ml-gradle/wiki/How-modules-are-loaded#specifying-collections-and-permissions-for-modules:

As of 3.0.0, custom collections and permissions can be specified for each directory of modules under src/main/ml-modules/root (this does not apply to options, services, or transforms, as the MarkLogic REST API applies specific collections and permissions to those modules).

Given lux-options.xml is in the options directory, the above won't work for us.

brent-hartwig commented 3 months ago

A colleague suggested creating a Gradle task of type CopySearchOptionsTask per these instructions; however, it doesn't get around the document permissions issue. If the tenant role was granted one that inherits the rest-reader-internal role, it would have worked.

Instead, went with his second suggestion: an MLCP task. Works like a charm. The tenant's deployer role has sufficient privileges to run the task that replaces copyRestApiOptions: importRestApiOptions. Implemented in PR https://github.com/project-lux/lux-marklogic/pull/246 and https://github.com/project-lux/lux-marklogic/pull/247, both of which were merged into release1.22.

roamye commented 2 months ago

Approved by UAT 8/7

cc: @prowns

brent-hartwig commented 2 months ago

OK to close. No additional validation required.