I'm seeking guidance on configuring granular privileges in MarkLogic to allow updates to database configurations for a specific database only, excluding others.

For example, I have a user named 'custom-rest-admin' with the roles rest-writer, rest-admin, and manage-admin assigned for a specific REST API. The database in question is named MY_DATABASE_NAME. Using the following command, I successfully updated the database properties:

curl --anyauth --user custom-rest-admin:pass -X PUT -d@"./database-config.json" -i -H "Content-type: application/json" "http://localhost:8002/manage/v2/databases/MY_DATABASE_NAME/properties"

However, due to the broad scope of the manage-admin role, I found that I could also update properties for other databases, as demonstrated here:

curl --anyauth --user custom-rest-admin:pass -X PUT -d@"./database-config.json" -i -H "Content-type: application/json" "http://localhost:8002/manage/v2/databases/OTHER_DATABASE_NAME/properties"

I've reviewed the section on Granular Privileges in MarkLogic's documentation (MarkLogic Granular Privileges) but haven't found specific guidance on this scenario.

Could someone provide instructions or code examples on how to achieve this level of granularity?

Mads Hansen On BEST ANSWER

Instead of granting the manage-admin role, you can create an appropriate fine-grained privilege, assign it to a role, and then assign that role to the user.

Find the ID of the MY_DATABASE_NAME database that you want to grant privileges for, and use it to grant a privilege with that ID.

For example, if the MY_DATABASE_NAME ID was 123456, then grant:

http://marklogic.com/xdmp/privileges/admin/database/123456

https://docs.marklogic.com/11.0/guide/security-guide/en/granular-privileges/categories-of-granularity/privileges-to-administer-a-specific-resource.html

A privilege of this category grants a user an ability to administer a specific resource (for example, a database with the specified identifier). This privilege is granted by suffixing the administrator privilege for that kind of resource (for example, "database") with the specific identifier (for example, database-ID ), which results in the specific privilege (for example, http://marklogic.com/xdmp/privileges/admin/database/database-ID). This privilege may imply the privilege to read and write a portion of a configuration file. It also grants the ability to call various built-in functions for specific resources (for example, http://marklogic.com/xdmp/privileges/xdmp-forest-clear/forest/forest-ID privilege allows calls to xdmp:forest-clear() for that forest identifier).

Sunny On

Updated: Access to the /manage/v2 endpoint is not permitted without the manage-admin role. Instead, the XQuery code examples found on this MarkLogic documentation page were helpful. When setting the privilege, specifying the database name also worked.

{
  "privilege-name": "my-database-updater",
  "action": "http://marklogic.com/xdmp/privileges/admin/database/MY_DATABASE_NAME",
  "kind": "execute"
}

Thanks Mads. I already tried that but it doesn't seem to work for me.

Is the update endpoint still the same or is there a rest-api endpoint instead?

curl --anyauth --user custom-rest-admin:pass -X PUT -d@"./database-config.json" -i -H "Content-type: application/json" "http://localhost:8002/manage/v2/databases/MY_DATABASE_NAME/properties"

I found my database ID using this command:

curl --anyauth --user admin:pass -X GET -i -H "Content-type: application/json" "http://localhost:8002/manage/v2/databases/MY_DATABASE_NAME?view=status&format=json"

Defined my custom privilege using the database ID and I've assigned the privilege to the user's role:

{
  "privilege-name": "my-database-updater",
  "action": "http://marklogic.com/xdmp/privileges/admin/database/2415296184985150668",
  "kind": "execute"
}

The database-config.json I tested is this simple one:

{
  "trailing-wildcard-searches": true,
  "range-element-index": [
    {
      "scalar-type": "string",
      "namespace-uri": "",
      "localname": "type",
      "collation": "http://marklogic.com/collation/",
      "range-value-positions": false,
      "invalid-values": "reject"
    }
  ]
}
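To tie the two answers together, here is an added example (not MarkLogic's code and not either poster's) that follows Mads Hansen's recipe end to end: extract the database ID from the status view Sunny queried, build the privilege payload with the ID-suffixed action, and then probe which databases the restricted user can actually modify so an over-broad grant is caught rather than assumed. The host, the admin and restricted credentials, the role name `custom-rest-admin-role`, and the `role` list in the privilege payload are assumptions; the other key names come from the JSON in the thread.

```python
"""Build and verify a resource-scoped MarkLogic database privilege.

Added example for this thread, not MarkLogic's or the posters' code.
Host, credentials, the role name and the "role" list are assumptions.
"""
import json
import urllib.error
import urllib.request

ADMIN_DB_PRIV = "http://marklogic.com/xdmp/privileges/admin/database/"


def database_privilege_action(identifier):
    """Mads's rule: suffix the database admin privilege with the database ID.
    Sunny reports the database name works in place of the ID, so both pass."""
    return ADMIN_DB_PRIV + str(identifier).strip()


def extract_database_id(status_json):
    """Pull the ID out of /manage/v2/databases/<name>?view=status&format=json.
    Assumption: the fields sit under one top-level object (e.g. "database-status")
    that carries an "id" member."""
    doc = json.loads(status_json) if isinstance(status_json, str) else status_json
    for value in doc.values():
        if isinstance(value, dict) and "id" in value:
            return str(value["id"])
    raise KeyError("no database id found in status document")


def privilege_payload(name, identifier, role_names):
    """Payload for POST /manage/v2/privileges (the "role" list is an assumption)."""
    return {
        "privilege-name": name,
        "action": database_privilege_action(identifier),
        "kind": "execute",
        "role": list(role_names),
    }


def classify_scope(target_db, probe_results):
    """Judge PUT-properties probes given as {db_name: http_status}.

    Returns (ok, findings). Any 2xx on a database other than target_db means
    the grant is broader than intended. A denied target is reported but is
    not a scoping failure: Sunny notes /manage/v2 still needs manage-admin,
    so the granular privilege may have to be exercised from XQuery instead.
    """
    ok, findings = True, []
    for db, status in sorted(probe_results.items()):
        allowed = 200 <= status < 300
        if db == target_db:
            findings.append("%s: %s" % (db, "writable" if allowed else "denied (HTTP %d)" % status))
        elif allowed:
            ok = False
            findings.append("%s: WRITABLE, privilege is broader than intended" % db)
        else:
            findings.append("%s: denied (HTTP %d)" % (db, status))
    return ok, findings


def _opener(host, user, password):
    # The Manage API server on 8002 defaults to digest auth (what curl --anyauth picks).
    pm = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    pm.add_password(None, host, user, password)
    return urllib.request.build_opener(urllib.request.HTTPDigestAuthHandler(pm))


def _call(opener, method, url, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method,
                                 headers={"Content-type": "application/json"})
    try:
        with opener.open(req) as resp:
            return resp.getcode(), resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


def main():
    host = "http://localhost:8002"          # assumption: local Manage API
    admin = _opener(host, "admin", "pass")  # admin creates the privilege
    _, body = _call(admin, "GET",
        host + "/manage/v2/databases/MY_DATABASE_NAME?view=status&format=json")
    db_id = extract_database_id(body)
    _call(admin, "POST", host + "/manage/v2/privileges",
          privilege_payload("my-database-updater", db_id, ["custom-rest-admin-role"]))
    # Probe as the restricted user with a small config like the one in the thread.
    user = _opener(host, "custom-rest-admin", "pass")
    config = {"trailing-wildcard-searches": True}
    results = {}
    for name in ("MY_DATABASE_NAME", "OTHER_DATABASE_NAME"):
        results[name] = _call(user, "PUT",
            host + "/manage/v2/databases/%s/properties" % name, config)[0]
    ok, findings = classify_scope("MY_DATABASE_NAME", results)
    print("\n".join(findings))
    print("scope ok" if ok else "scope too broad")


if __name__ == "__main__":
    main()
```

The probe loop is the part worth keeping in any role-hardening workflow: after swapping manage-admin for the ID-suffixed privilege, re-run the PUT against a database the user should not touch and treat any 2xx there as a failed change, not a convenience.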