Date: Sun, 3 Dec 2017 20:19:00 +0000 (UTC)
From: "Phillip Rhodes (JIRA)"
To: dev@manifoldcf.apache.org
Subject: [jira] [Comment Edited] (CONNECTORS-1473) Authority Service doesn't return same set of tokens for user at query time as the set used for ingestion, when using Alfresco

[ https://issues.apache.org/jira/browse/CONNECTORS-1473?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16276072#comment-16276072 ]

Phillip Rhodes edited comment on CONNECTORS-1473 at 12/3/17 8:18 PM:
---------------------------------------------------------------------

I'm talking about the allow_token_document field. In Alfresco I have granted permissions to a folder for individual discrete users (as opposed to a group), and at ingestion time I see (correctly, as I understand it) tokens for those individual users.

"allow_token_document":["Alfresco:testuser1", "Alfresco:testuser2", "Alfresco:testuser3", "Alfresco:testuser4"],

But at query time, when sending, say, testuser1, to the authority service, you don't get back an access token for the *user*, only the groups that user is in. That is, I get this:

AUTHORIZED:Alfresco+Authority+Connection
TOKEN:Alfresco:GROUP_EVERYONE

where I think the result should be:

AUTHORIZED:Alfresco+Authority+Connection
TOKEN:Alfresco:GROUP_EVERYONE
TOKEN:Alfresco:testuser1

And so you don't get any search results even though the user actually has permission to that content.

was (Author: sprhodes):

I'm talking about the allow_token_document field. In Alfresco I have granted permissions to a folder for individual discrete users (as opposed to a group), and at ingestion time I see (correctly, as I understand it) tokens for those individual users.

"allow_token_document":["Alfresco:testuser1", "Alfresco:testuser2", "Alfresco:testuser3", "Alfresco:testuser4"],

But at query time, when sending, say, testuser1, to the authority service, you don't get back an access token for the *user*, only the groups that user is in. And so you don't get any search results even though the user actually has permission to that content.

> Authority Service doesn't return same set of tokens for user at query time as the set used for ingestion, when using Alfresco
> -----------------------------------------------------------------------------------------------------------------------------
>
>                 Key: CONNECTORS-1473
>                 URL: https://issues.apache.org/jira/browse/CONNECTORS-1473
>             Project: ManifoldCF
>          Issue Type: Bug
>          Components: Alfresco webscript connector
>         Environment: Alfresco:
> Installed Schema 6022
> Installed Version 4.2.0 (4576)
> Server Schema 6022
> Server Version 4.2.0 (4576)
> ManifoldCF - built from source using the latest sources about a month ago
> Solr - 6.6.0
>            Reporter: Phillip Rhodes
>            Assignee: Karl Wright
>             Fix For: ManifoldCF 2.9
>
>         Attachments: CONNECTORS-1473.patch
>
>
> Using ManifoldCF to index content from Alfresco into Solr, and using the MCF SearchComponent to restrict access on the Solr side, I'm seeing the following unusual behavior:
>
> 1. I have an Alfresco server storing documents. There are 65 docs in the built-in "sample" space, which defaults to allowing access to everyone.
> 2. With the MCF SearchComponent installed into Solr, if I pass the AuthenticatedUserName parameter with any value, I get back all 65 documents as expected.
> 3. I added another space in Alfresco that only allows access for 4 specific users... testuser1, testuser2, testuser3, and testuser4. If I log into Alfresco as any of those users I can view and/or upload content to the space.
> 4. I put 7 documents in that space, and re-indexed with MCF.
> 5. Solr now shows a total of 72 documents for the core in question.
> 6. But, if I pass AuthenticatedUserName=testuser1 with my query, I still only see the 65 docs from the other space.
> 7. If I temporarily turn off the MCF SearchComponent in Solr, I can see the docs from the "locked down" space.
>
> I set the various token fields to stored="true" so I can see what is getting stored, and here's what I see for one sample document (one that isn't being returned with the SearchComponent enabled, but which should be).
>
> "allow_token_document":["Alfresco:testuser1", "Alfresco:testuser2", "Alfresco:testuser3", "Alfresco:testuser4"],
> "deny_token_document":["__nosecurity__"],
> "deny_token_parent":["__nosecurity__"],
> "allow_token_share":["__nosecurity__"],
> "allow_token_parent":["__nosecurity__"],
> "deny_token_share":["__nosecurity__"],
>
> Note that at ingestion time, tokens were created of the form Alfresco:username for the specific individual users which were granted access to the "secure" folder.
>
> However, if I make a direct request to the MCF UserACLs endpoint for, say, testuser1, like this:
>
> http://manifoldcf.fogbeam.link:8345/mcf-authority-service/UserACLs?username=testuser1
>
> I get back:
>
> AUTHORIZED:Alfresco+Authority+Connection
> TOKEN:Alfresco:GROUP_EVERYONE
>
> which explains why I can see the documents from the public folder, because they all have an allow_token_document for Alfresco:GROUP_EVERYONE. But note that what I don't get back here is the token for the specific user testuser1, which would match what was stored during ingestion.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
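The mismatch the report describes is between two token sets: the per-document allow/deny tokens written at ingestion, and the tokens the authority service hands back for a user at query time. The added example below, which is not ManifoldCF's own code, models that comparison so the effect of the missing user token can be seen end to end. The token strings and the `__nosecurity__` sentinel are taken from the issue; the matching rule in `document_visible`, the two resolver functions, the sample documents and the `missing_user_tokens` consistency check are assumptions made for the example, not the SearchComponent's real filter logic.

```python
# Added example (not ManifoldCF code): model of ingestion-time document tokens
# versus query-time authority tokens, and a check that flags the gap.

NOSECURITY = "__nosecurity__"            # sentinel seen in the stored fields
LEVELS = ("share", "parent", "document") # the three token levels stored per doc
PREFIX = "Alfresco:"                     # authority prefix seen in the issue


def authority_tokens_buggy(username):
    """Behaviour reported in the issue: only group tokens are returned.
    Assumption for the example: every user is in GROUP_EVERYONE."""
    return {PREFIX + "GROUP_EVERYONE"}


def authority_tokens_expected(username):
    """What the reporter expects: group tokens plus the user's own token."""
    return authority_tokens_buggy(username) | {PREFIX + username}


def document_visible(doc, user_tokens):
    """Assumed matching rule, modelled on the stored field values:
    at each level an allow list of [__nosecurity__] imposes no restriction,
    otherwise at least one allow token must match; a deny list of
    [__nosecurity__] denies nothing, otherwise any matching deny token blocks."""
    for level in LEVELS:
        allow = set(doc["allow_token_" + level])
        deny = set(doc["deny_token_" + level])
        if NOSECURITY not in allow and not (allow & user_tokens):
            return False
        if NOSECURITY not in deny and (deny & user_tokens):
            return False
    return True


# Constructed sample documents, with the field layout shown in the issue.
PUBLIC_DOC = {
    "id": "sample-1",
    "allow_token_document": [PREFIX + "GROUP_EVERYONE"],
    "deny_token_document": [NOSECURITY],
    "allow_token_parent": [NOSECURITY],
    "deny_token_parent": [NOSECURITY],
    "allow_token_share": [NOSECURITY],
    "deny_token_share": [NOSECURITY],
}
SECURE_DOC = {
    "id": "secure-1",
    "allow_token_document": [PREFIX + "testuser1", PREFIX + "testuser2",
                             PREFIX + "testuser3", PREFIX + "testuser4"],
    "deny_token_document": [NOSECURITY],
    "allow_token_parent": [NOSECURITY],
    "deny_token_parent": [NOSECURITY],
    "allow_token_share": [NOSECURITY],
    "deny_token_share": [NOSECURITY],
}
DOCS = (PUBLIC_DOC, SECURE_DOC)


def search(username, resolver, docs=DOCS):
    """Ids of the documents a user may see, given a token resolver."""
    tokens = resolver(username)
    return [d["id"] for d in docs if document_visible(d, tokens)]


def missing_user_tokens(doc, resolver):
    """Consistency check (assumed helper): for each individual user named in
    the document's allow tokens, ask the resolver and report those whose own
    token never comes back. A non-empty result means the document can never
    be matched for those users at query time."""
    missing = []
    for tok in doc["allow_token_document"]:
        if tok == NOSECURITY:
            continue
        name = tok[len(PREFIX):]
        if name.startswith("GROUP_"):
            continue                      # group tokens are not user tokens
        if tok not in resolver(name):
            missing.append(name)
    return missing


if __name__ == "__main__":
    print("buggy:   ", search("testuser1", authority_tokens_buggy))
    print("expected:", search("testuser1", authority_tokens_expected))
    print("gap:     ", missing_user_tokens(SECURE_DOC, authority_tokens_buggy))
```

Run against the buggy resolver, `search("testuser1", ...)` returns only the public document, which is the 65-of-72 symptom in the report; with the user's own token added it returns both, while a user who is not on the allow list still sees only the public one. The `missing_user_tokens` check is the kind of comparison worth running after any connector upgrade: it lists every user whose ingestion-time token the authority cannot reproduce, before search results go quietly missing.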