manifoldcf-user mailing list archives

From Karl Wright <daddy...@gmail.com>
Subject Re: How to check Sharepoint ACLs into Solr using MCF 1.5.1.
Date Wed, 11 Jun 2014 14:34:17 GMT
Hi Lalit,

Looking at more up-to-date documentation here:
http://docs.alfresco.com/4.2/references/RESTful-PersonPersonGet.html

It would be great if you could try this operation with a known user against
an Alfresco implementation, and see what you get back in the user JSON.  I
think you could take these steps:

(1) Use a browser session to log into your alfresco instance UI
(2) Construct the described URL above in the same browser's URL field, and
fire it off
(3) Send me the resulting JSON

Thanks!
Karl



On Wed, Jun 11, 2014 at 6:22 AM, Karl Wright <daddywri@gmail.com> wrote:

> Looking at the REST api, it seems like it is not a true stateless REST
> api.  Apparently, there is a session cookie required (?).  For example, see:
>
>
> http://docs.alfresco.com/4.0/references/RESTful-RepositoryLoginticketGet.html
>
> That will (somewhat) complicate things; it's decidedly non-standard.
> Also, I don't see any way still to get access tokens given a user:
>
> http://docs.alfresco.com/4.0/references/RESTful-Person.html
>
> Do you see any way to do this?
>
> Karl
>
>
>
> On Wed, Jun 11, 2014 at 5:24 AM, lalit jangra <lalit.j.jangra@gmail.com>
> wrote:
>
>> Thanks Karl,
>>
>> Sadly this confirms that neither CMIS nor Alfresco connectors support ACL
>> indexing and storage. I checked into Alfresco connector code but nothing
>> has been mentioned about ACL indexing & storage.
>>
>> Next, Alfresco does support REST based API very well and in fact REST is
>> used in Alfresco all over the place. So we can definitely write some better
>> stuff here. For documentation around REST usage in Alfresco, please refer
>> to below URLs. Latest version of Alfresco is 4.2 and a lot has been changed
>> in it for almost everything to make things simpler and efficient.
>>
>> http://docs.alfresco.com/4.0/concepts/API-intro-4.html
>> http://wiki.alfresco.com/wiki/Repository_RESTful_API_Reference
>>
>> These pretty much cover features provided by REST in Alfresco and we
>> can definitely start from here & do let me know for any more documentation.
>> Every Alfresco instance supports REST based processing so testing REST is
>> not a tedious task.
>>
>> In the meantime I am checking GitHub to find if something is already
>> available.
>>
>> Regards.
>>
>>
>> On Wed, Jun 11, 2014 at 9:50 AM, Karl Wright <daddywri@gmail.com> wrote:
>>
>>> Hi Lalit,
>>>
>>> The best way to start is to describe the Alfresco server you are trying
>>> to crawl.  What version?  It matters a lot, as you will read below.
>>>
>>> The Alfresco connector was originally submitted by Piergiorgio Lucidi
>>> under the direction of SourceSense.  My understanding is that he had no
>>> trouble getting access tokens with the connector, but unfortunately on the
>>> other end (mapping users to access tokens) the original Alfresco API's
>>> didn't do this.  Since then, I believe, Alfresco has completely revamped
>>> their API's, and they have a REST-style API available to do the job (or so
>>> I am told).  A company called Zaizi did some work on it and was supposed to
>>> contribute the updated connector, but for two releases that hasn't
>>> happened.  But it is possible that the connector is in GitHub somewhere?
>>>
>>> In short, Alfresco is a bit of a mess, and I would very much like to get
>>> it repaired to a point where it is usable fully.
>>>
>>> If your instance has the REST API, and you can provide me with the REST
>>> API documentation for your Alfresco instance, I am happy to set up a branch
>>> to build an Alfresco REST connector from scratch (provided it looks like
>>> everything works the way it is supposed to).  Building a connector in this
>>> way will take usually a couple of weeks, and you MUST have access to the
>>> instance you are trying to crawl, and be willing to test the connector
>>> against it and reiterate.  There is a chance we'd fail, but with the
>>> documentation available in advance, the chances of that would be low.
>>>
>>> Thoughts?
>>> Karl
>>>
>>>
>>> On Wed, Jun 11, 2014 at 1:58 AM, lalit jangra <lalit.j.jangra@gmail.com>
>>> wrote:
>>>
>>>> Thanks Karl,
>>>>
>>>> So it's a show stopper now.
>>>>
>>>> As a fallback mechanism, I am looking for Alfresco only connector for
>>>> ACL storing mechanism but can you confirm if Alfresco specific connector
>>>> supports this feature or not.
>>>>
>>>> And finally if no all the ways, what would be the optimum way to start
>>>> implementing the same.
>>>>
>>>> Regards.
>>>>
>>>>
>>>> On Wed, Jun 11, 2014 at 12:47 AM, Karl Wright <daddywri@gmail.com>
>>>> wrote:
>>>>
>>>>> Hi Lalit,
>>>>>
>>>>> CMIS does not give a way for a user to query for ACLs, so repository
>>>>> document security is not supported for that connector.  Documents indexed
>>>>> by CMIS are thus "wide open" and will not be restricted from being
>>>>> searchable by anybody.
>>>>>
>>>>> This is, unfortunately, a limitation of CMIS -- at least, CMIS at the
>>>>> time the connector was implemented.  Feel free to submit patches to add
>>>>> security to the connector if the spec has evolved to the point where it is
>>>>> possible.
>>>>>
>>>>> Thanks,
>>>>> Karl
>>>>>
>>>>>
>>>>>
>>>>> On Tue, Jun 10, 2014 at 6:38 PM, lalit jangra <
>>>>> lalit.j.jangra@gmail.com> wrote:
>>>>>
>>>>>> Thanks Karl,
>>>>>>
>>>>>> As per your suggestions, I am able to see ACLs in the Solr index (I
>>>>>> made stored="true" for ACLs in schema.xml) as below. I can see permissions
>>>>>> for SharePoint as well as shared drive but for CMIS, I am not able to see
>>>>>> any permissions apart from default stored. Am I missing anything in CMIS?
>>>>>>
>>>>>> *Sharepoint*:
>>>>>>
>>>>>>         "allow_token_share": [
>>>>>>           "__nosecurity__"
>>>>>>         ],
>>>>>>         "deny_token_share": [
>>>>>>           "__nosecurity__"
>>>>>>         ]
>>>>>>       },
>>>>>>       {
>>>>>>         "content_name": "Alfresco-in-an-Hour.pdf"
>>>>>>         "deny_token_document": [
>>>>>>           "SP+Group:DEAD_AUTHORITY"
>>>>>>         ],
>>>>>>         "allow_token_document": [
>>>>>>           "SP+Group:GTest+lalit+Portal+Visitors",
>>>>>>           "SP+Group:GTest+lalit+Portal+Owners",
>>>>>>           "SP+Group:GRestricted+Readers",
>>>>>>           "SP+Group:GTest+lalit+Administrators",
>>>>>>           "SP+Group:GTest+lalit+Portal+Members",
>>>>>>           "SP+Group:Uc%3A0%28.s%7Ctrue",
>>>>>>           "SP+Group:GHierarchy+Managers",
>>>>>>           "SP+Group:GApprovers",
>>>>>>           "SP+Group:GViewers",
>>>>>>           "SP+Group:GDesigners"
>>>>>>         ],
>>>>>>
>>>>>> *Share Drive:*
>>>>>>
>>>>>>       {
>>>>>>         "deny_token_share": [
>>>>>>           "AD+Group:DEAD_AUTHORITY"
>>>>>>         ],
>>>>>>         "content_name": "hello.txt",
>>>>>>         "content_modifier": "lalitjangra",
>>>>>>         "deny_token_document": [
>>>>>>           "AD+Group:DEAD_AUTHORITY"
>>>>>>         ],
>>>>>>         "id": "file://///SDD/lalit/manifoldtest/hekko.txt",
>>>>>>         "allow_token_document": [
>>>>>>           "AD+Group:S-1-5-18",
>>>>>>           "AD+Group:S-1-5-21-2630432783-15384281-2988178474-12088",
>>>>>>           "AD+Group:S-1-5-21-2630432783-15384281-2988178474-12147",
>>>>>>           "AD+Group:S-1-5-21-2630432783-15384281-2988178474-12148",
>>>>>>           "AD+Group:S-1-5-21-2630432783-15384281-2988178474-12149",
>>>>>>           "AD+Group:S-1-5-21-2630432783-15384281-2988178474-12150",
>>>>>>           "AD+Group:S-1-5-21-2630432783-15384281-2988178474-12217",
>>>>>>           "AD+Group:S-1-5-21-2630432783-15384281-2988178474-15154",
>>>>>>           "AD+Group:S-1-5-21-2630432783-15384281-2988178474-8005",
>>>>>>           "AD+Group:S-1-5-32-544"
>>>>>>         ],
>>>>>>         "allow_token_share": [
>>>>>>           "AD+Group:S-1-1-0",
>>>>>>           "AD+Group:S-1-5-32-544"
>>>>>>         ],
>>>>>>
>>>>>> *CMIS*:
>>>>>>
>>>>>>         "allow_token_share": [
>>>>>>           "__nosecurity__"
>>>>>>         ],
>>>>>>         "deny_token_document": [
>>>>>>           "__nosecurity__"
>>>>>>         ],
>>>>>>         "deny_token_share": [
>>>>>>           "__nosecurity__"
>>>>>>         ],
>>>>>>         "allow_token_document": [
>>>>>>           "__nosecurity__"
>>>>>>         ]
>>>>>>
>>>>>> Regards.
>>>>>>
>>>>>>
>>>>>> On Tue, Jun 10, 2014 at 5:13 PM, Karl Wright <daddywri@gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi Lalit,
>>>>>>>
>>>>>>> You always use the Active Directory authority for Windows shared
>>>>>>> drive authorization.  But you do not for SharePoint; you typically use
>>>>>>> SharePoint/Native and SharePoint/AD.  You therefore should have a second
>>>>>>> authority group for SharePoint that is distinct from the one for Windows.
>>>>>>>
>>>>>>> Each access token is qualified with the name of the ManifoldCF
>>>>>>> authority group, so there is never any chance that they will collide.  So
>>>>>>> it is perfectly fine to have multiple authority groups in a single
>>>>>>> installation, in fact we'd expect you to.
>>>>>>>
>>>>>>> As for the Solr plugin, you can either download it here:
>>>>>>>
>>>>>>> http://manifoldcf.apache.org/en_US/download.html
>>>>>>>
>>>>>>> ... or you will find that it is there in the bin distribution
>>>>>>> already, under the "integration" directory.  Please have a look and read
>>>>>>> the README.
>>>>>>>
>>>>>>> Karl
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Tue, Jun 10, 2014 at 11:41 AM, lalit jangra <
>>>>>>> lalit.j.jangra@gmail.com> wrote:
>>>>>>>
>>>>>>>> Thanks Karl,
>>>>>>>>
>>>>>>>> I am having two content repositories based on active directory
>>>>>>>> authentication: SharePoint 2010 and Windows Share Drive, so I am using
>>>>>>>> active directory as authority type in authority connection. All my
>>>>>>>> connections are working fine as well as job is running good but I am still
>>>>>>>> not able to see any ACL information in Solr.
>>>>>>>>
>>>>>>>> Do I need to enable any configuration in Solr to see the same?
>>>>>>>>
>>>>>>>> Also by Solr Plugin, is it a jar or connector which needs to be
>>>>>>>> placed inside Solr application server or is it that I need to write custom
>>>>>>>> code to make search query permission aware?
>>>>>>>>
>>>>>>>> Can you please guide?
>>>>>>>>
>>>>>>>> Regards.
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tue, Jun 10, 2014 at 1:59 PM, Karl Wright <daddywri@gmail.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Hi Lalit,
>>>>>>>>>
>>>>>>>>> (1) You need first to specify "SharePoint Native" as the authority
>>>>>>>>> type in your SharePoint repository connection.  You'd use "Active
>>>>>>>>> directory" as the authority type only if you were using the "Active
>>>>>>>>> directory" authority.  To be precise:
>>>>>>>>>
>>>>>>>>> - If you are using "SharePoint/Native", "SharePoint/AD", or any
>>>>>>>>> combination of these for your authority group, use "SharePoint native"
>>>>>>>>> authority type
>>>>>>>>> - If you are using "Active Directory", use "Active directory" as
>>>>>>>>> your authority type
>>>>>>>>>
>>>>>>>>> (2) You should see ACL information get posted to Solr if you have
>>>>>>>>> everything configured right.
>>>>>>>>> (3) On the Solr side, you need to install and configure the
>>>>>>>>> appropriate Solr plugin.  Each plugin comes with a README, which describes
>>>>>>>>> how to set up the schema on Solr to support security.
>>>>>>>>>
>>>>>>>>> Thanks!
>>>>>>>>> Karl
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Tue, Jun 10, 2014 at 8:51 AM, lalit jangra <
>>>>>>>>> lalit.j.jangra@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>> I am working on Apache MCF 1.5.1 indexing SharePoint 2010
>>>>>>>>>> repository storing index in Solr 4.6.
>>>>>>>>>>
>>>>>>>>>> For permissions, I followed below steps.
>>>>>>>>>>
>>>>>>>>>> 1. Created a new authority group called "SharePoint Group" in MCF.
>>>>>>>>>> 2. Created a new User Mapping connection called "SharePoint User
>>>>>>>>>> Mapping" using authority group "SharePoint Group" in step 1. For user
>>>>>>>>>> mapping, I used "Regular Expression" mapping and used default
>>>>>>>>>> expressions. When I save it, it says "Connection Working".
>>>>>>>>>> 3. Created a new Authority connection called "SharePoint
>>>>>>>>>> Authority Connection" and using "SharePoint Group" as in step 1 as authority
>>>>>>>>>> group type, using "SharePoint User Mapping" as prerequisite, using my own
>>>>>>>>>> domain controller and other related details. When I save it, it says
>>>>>>>>>> "Connection Working".
>>>>>>>>>>
>>>>>>>>>> Next I have created a new repository connection for SharePoint
>>>>>>>>>> called "SharePoint Connection" selecting authority group called "SharePoint
>>>>>>>>>> Group" from pull down list, providing all relevant details for server,
>>>>>>>>>> and choosing authority type as "Active Directory". On saving, it worked
>>>>>>>>>> fine without any error.
>>>>>>>>>>
>>>>>>>>>> Finally I created a new SharePoint job providing following
>>>>>>>>>> details.
>>>>>>>>>> 1. Connections: repository connection as "SharePoint Connection"
>>>>>>>>>> and output connection as "Solr Connection".
>>>>>>>>>> 2. Choosing paths for document library, shared documents,
>>>>>>>>>> announcements & lists.
>>>>>>>>>> 3. Selecting all metadata in metadata tab selecting all metadata.
>>>>>>>>>> 4. Mapped required metadata fields to Solr schema fields.
>>>>>>>>>> 5. Enabled the security.
>>>>>>>>>>
>>>>>>>>>> Now I started the job and I can see SharePoint content getting
>>>>>>>>>> indexed and stored in Solr. I can verify it using Solr admin query console.
>>>>>>>>>>
>>>>>>>>>> But I am not seeing any additional ACL information. How can I
>>>>>>>>>> verify that ACL & permission information is also stored in Solr. Do I need
>>>>>>>>>> to change Solr configurations also?
>>>>>>>>>>
>>>>>>>>>> Please help.
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Lalit Jangra.
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> Regards,
>>>>>>>> Lalit Jangra.
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Regards,
>>>>>> Lalit Jangra.
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Regards,
>>>> Lalit Jangra.
>>>>
>>>
>>>
>>
>>
>> --
>> Regards,
>> Lalit Jangra.
>>
>
>
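An added example, not part of the original thread or of ManifoldCF: a small audit over Solr result documents that flags the ones indexed with only `__nosecurity__` tokens (the CMIS case described above as "wide open"). The four token field names and the `__nosecurity__` value are taken from the output quoted in the thread; the verdict labels, the sample documents and their `id` values are constructed for illustration.

```python
NOSECURITY = "__nosecurity__"   # placeholder token seen in the quoted output
LEVELS = ("share", "document")  # token levels shown in the quoted output


def level_state(doc, level):
    """Classify one level as 'missing', 'open' or 'restricted'."""
    allow = doc.get(f"allow_token_{level}")
    deny = doc.get(f"deny_token_{level}")
    if allow is None and deny is None:
        return "missing"  # fields not returned, e.g. not stored="true"
    tokens = set(allow or []) | set(deny or [])
    return "open" if tokens <= {NOSECURITY} else "restricted"


def audit(docs):
    """Map each document id to 'unknown', 'restricted' or 'wide-open'."""
    report = {}
    for doc in docs:
        states = [level_state(doc, lvl) for lvl in LEVELS]
        if "missing" in states:
            verdict = "unknown"      # cannot verify ACLs from this response
        elif "restricted" in states:
            verdict = "restricted"   # at least one level carries real tokens
        else:
            verdict = "wide-open"    # every level is __nosecurity__
        report[doc["id"]] = verdict
    return report


# Constructed sample documents modeled on the three outputs in the thread.
SAMPLE = [
    {"id": "cmis-doc",
     "allow_token_share": [NOSECURITY], "deny_token_share": [NOSECURITY],
     "allow_token_document": [NOSECURITY], "deny_token_document": [NOSECURITY]},
    {"id": "sharepoint-doc",
     "allow_token_share": [NOSECURITY], "deny_token_share": [NOSECURITY],
     "allow_token_document": ["SP+Group:GViewers"],
     "deny_token_document": ["SP+Group:DEAD_AUTHORITY"]},
    {"id": "share-drive-doc",
     "allow_token_share": ["AD+Group:S-1-1-0"],
     "deny_token_share": ["AD+Group:DEAD_AUTHORITY"],
     "allow_token_document": ["AD+Group:S-1-5-32-544"],
     "deny_token_document": ["AD+Group:DEAD_AUTHORITY"]},
    {"id": "no-token-fields-doc", "content_name": "hello.txt"},
]

if __name__ == "__main__":
    for doc_id, verdict in audit(SAMPLE).items():
        print(f"{verdict:10} {doc_id}")
```

A verdict of `unknown` means the response carried no token fields at all, which is what the index looks like before the ACL fields are marked `stored="true"` in schema.xml.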
