I'm trying to specify permissions on documents in a MarkLogic 6 database using the REST API.
This is the permissions metadata I'm sending in (permissions.xml):
<rapi:metadata xmlns:rapi="http://marklogic.com/rest-api"
               xmlns:prop="http://marklogic.com/xdmp/property">
  <rapi:permissions>
    <rapi:permission>
      <rapi:role-name>arole</rapi:role-name>
      <rapi:capability>update</rapi:capability>
    </rapi:permission>
    <rapi:permission>
      <rapi:role-name>brole</rapi:role-name>
      <rapi:capability>read</rapi:capability>
    </rapi:permission>
  </rapi:permissions>
</rapi:metadata>
using this command:
curl --anyauth --user user:pass -X PUT -T permissions.xml \
     -H "Content-type: application/xml" \
     "http://localhost:8003/v1/documents?uri=/test/test.xml&category=permissions"
When I look at the permissions afterwards, I see:
arole (update)
brole (read)
rest-reader (read)
rest-writer (update)
I expect it to only have the permissions for arole and brole.
The documentation says, "If no permissions are explicitly set, documents you create with the MarkLogic REST API have a read permission for the rest-reader role and an update permission for the rest-writer role." (And yes, I know, this example doesn't create a new document. But it does the same thing if I add a new document and set permissions at the same time using a multipart content+metadata message through the rest api).
Setting permissions via the direct xquery calls (ex. xdmp:document-insert with permissions) using the same user and database works as expected.
How can I keep the rest api from adding these extra permissions?
EDIT:
There's a ticket in with MarkLogic, no target date or version that I know of yet.
In case someone else runs into this, they did give me a workaround: Create new roles (or change existing ones), and give them rest-reader and/or rest-writer 'execute' privileges instead of having them inherit the rest-reader/rest-writer roles, or having a user directly assigned the rest-reader/rest-writer roles.
The internal function docmodupd:write-permissions always combines the input permissions with the output from xdmp:default-permissions. It does that to ensure that rest-reader can read the document, and rest-writer can update it. As far as I can tell there is no API to control this behavior.
If you have a strong use-case for omitting those extra permissions, contact support.
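An added example, not part of the original answer or MarkLogic's own code: a small Python check that compares the permissions you submitted with the ones the document ends up with, and reports implicit grants such as the rest-reader/rest-writer ones described above. It assumes the effective permissions are available in the same rapi:metadata XML shape as permissions.xml; the function names are hypothetical and the sample documents are constructed from the values in the question.

```python
import xml.etree.ElementTree as ET

NS = {"rapi": "http://marklogic.com/rest-api"}


def parse_permissions(metadata_xml):
    """Return the set of (role, capability) pairs in a rapi:metadata document."""
    root = ET.fromstring(metadata_xml)
    pairs = set()
    for perm in root.iterfind(".//rapi:permission", NS):
        role = (perm.findtext("rapi:role-name", default="", namespaces=NS) or "").strip()
        if not role:
            raise ValueError("rapi:permission without rapi:role-name")
        # A permission element may carry more than one capability.
        for cap in perm.iterfind("rapi:capability", NS):
            pairs.add((role, (cap.text or "").strip()))
    return pairs


def audit_permissions(requested_xml, effective_xml):
    """Diff what was sent against what the document actually has."""
    requested = parse_permissions(requested_xml)
    effective = parse_permissions(effective_xml)
    return {
        "unexpected": sorted(effective - requested),  # grants nobody asked for
        "missing": sorted(requested - effective),     # grants that were dropped
    }


def _metadata(*perms):
    """Build a constructed rapi:metadata sample from (role, capability) pairs."""
    body = "".join(
        f"<rapi:permission><rapi:role-name>{role}</rapi:role-name>"
        f"<rapi:capability>{cap}</rapi:capability></rapi:permission>"
        for role, cap in perms
    )
    return ('<rapi:metadata xmlns:rapi="http://marklogic.com/rest-api">'
            f"<rapi:permissions>{body}</rapi:permissions></rapi:metadata>")


# Constructed samples mirroring the question: what was PUT vs. what was observed.
REQUESTED = _metadata(("arole", "update"), ("brole", "read"))
EFFECTIVE = _metadata(("arole", "update"), ("brole", "read"),
                      ("rest-reader", "read"), ("rest-writer", "update"))

if __name__ == "__main__":
    report = audit_permissions(REQUESTED, EFFECTIVE)
    for role, cap in report["unexpected"]:
        print(f"unexpected grant: {role} ({cap})")
    for role, cap in report["missing"]:
        print(f"missing grant: {role} ({cap})")
```

Run against real documents, a non-empty "unexpected" list shows which roles can reach content beyond the ones you intended.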