I have a strange situation here. I am trying to build an application that sends http get request to the MarkLogic server. It hits the XQuery code that perform search:search("")
. I am passing empty query to the search so the default relevant results are returned.
And I am using Roxy for deployment.
When I call the typical Roxy deployment function by the command -
ml local deploy content.
It loads all the document and later when I hit localhost:7040, I get the results as expected. So far so good.
Now, I override Roxy's existing method deploy_content and define my new method that calls an XQuery function, which performs xdmp:document-load()
to load all the data to the content database. Here is the code snippet -
declare function loadTS:load($path) {
let $result :=
for $d in xdmp:filesystem-directory($path)//dir:entry
let $log := xdmp:log(fn:concat("$d-->",xdmp:describe($d)))
return xdmp:document-load($d//dir:pathname,
<options xmlns="xdmp:document-load">
<uri>{fn:concat("/",$d//dir:filename)}</uri>
<permissions>{xdmp:default-permissions()}</permissions>
<format>xml</format>
<collections>
<collection>all</collection>
</collections>
</options>)
return $result
};
Now, when I hit the application I get 0 result, while the same code works fine from query console. I think this is related to roles and privileges concept because when I provide the admin role to the newly created user from roxy I get the result as expected. I do not want to provide admin role to the default users that will be using my application later on. So what modification I need to do in terms of roles, privileges and authentication that will solve my problem?
Note: when I hit localhost:7040 it doesn't ask for authentication.
ml.app-role:xyz-role
Is there a function to get all the default permissions under this user's role.
This is the user used for app server as it's more a vanilla install.
The user used for query console is admin.
I ran the command xdmp:document-get-permissions()
to one of the load document but it returned empty sequence.
xdmp:document-get-permissions("/a-ha+Take-on-Me.xml")
.
authentication-method=application-level
David has made good points, but I think I know what is happening..
When you run
ml local deploy content
with an out of the box Roxy app, it uploads files to your content-db while explicitly setting document permissions for app-role. It applies at least read and update permissions, maybe also execute.If you override the built-in deploy content with custom code, and don't use Roxy internal methods like load_data, you have to apply those permissions yourself. Using
xdmp:default-permissions()
is probably not good enough, as by default Roxy deploys using admin, and that usually doesn't have default permissions defined, nor would it be likely that they would be read/update permissions for the app-role of the app you happen to be working with.Most elegant way out would be to use an app-specific upload user, with the correct default permissions. You would have to configure that yourself, and then somehow make sure Roxy uses it.
An easier way out is to replace
xdmp:default-permissions()
in yourloadTS:load
function with explicitxdmp:permission
calls, for either a hardcodedxyz-role
, or better$app-name || "-role"
where$app-name
would be loaded viasrc/app/config/config.xqy
, or you pass$app-name
through from your customdeploy_content
.HTH!