Subject: Re: How to check Sharepoint ACLs into Solr using MCF 1.5.1.
From: Karl Wright
To: "user@manifoldcf.apache.org"
Date: Wed, 11 Jun 2014 06:22:59 -0400

Looking at the REST api, it seems like it is not a true stateless REST api.
Apparently, there is a session cookie required (?). For example, see:

http://docs.alfresco.com/4.0/references/RESTful-RepositoryLoginticketGet.html

That will (somewhat) complicate things; it's decidedly non-standard.

Also, I don't see any way still to get access tokens given a user:

http://docs.alfresco.com/4.0/references/RESTful-Person.html

Do you see any way to do this?

Karl


On Wed, Jun 11, 2014 at 5:24 AM, lalit jangra wrote:

> Thanks Karl,
>
> Sadly this confirms that neither CMIS nor Alfresco connectors support ACL
> indexing and storage. I checked into Alfresco connector code but nothing
> has been mentioned about ACL indexing & storage.
>
> Next alfresco does support REST based API very well and in fact REST is
> used in Alfresco all over the place. So we can definitely write some better
> stuff here. For documentation around REST usage in alfresco, please refer
> to below URLs. Latest version of alfresco is 4.2 and a lot has been changed
> into it for almost everything to make things simpler and efficient.
>
> http://docs.alfresco.com/4.0/concepts/API-intro-4.html
> http://wiki.alfresco.com/wiki/Repository_RESTful_API_Reference
>
> These pretty much cover features provided by REST into alfresco and we can
> definitely start from here & do let me know for any more documentation.
> Every alfresco instance supports REST based processing so testing REST is
> not a tedious task.
>
> In the meantime I am checking GitHub to find if something is already
> available.
>
> Regards.
>
>
> On Wed, Jun 11, 2014 at 9:50 AM, Karl Wright wrote:
>
>> Hi Lalit,
>>
>> The best way to start is to describe the Alfresco server you are trying
>> to crawl. What version? It matters a lot, as you will read below.
>>
>> The Alfresco connector was originally submitted by Piergiorgio Lucidi
>> under the direction of SourceSense. My understanding is that he had no
>> trouble getting access tokens with the connector, but unfortunately on the
>> other end (mapping users to access tokens) the original Alfresco API's
>> didn't do this. Since then, I believe, Alfresco has completely revamped
>> their API's, and they have a REST-style API available to do the job (or so
>> I am told). A company called Zaizi did some work on it and was supposed to
>> contribute the updated connector, but for two releases that hasn't
>> happened. But it is possible that the connector is in GitHub somewhere?
>>
>> In short, Alfresco is a bit of a mess, and I would very much like to get
>> it repaired to a point where it is usable fully.
>>
>> If your instance has the REST API, and you can provide me with the REST
>> API documentation for your Alfresco instance, I am happy to set up a branch
>> to build an Alfresco REST connector from scratch (provided it looks like
>> everything works the way it is supposed to). Building a connector in this
>> way will take usually a couple of weeks, and you MUST have access to the
>> instance you are trying to crawl, and be willing to test the connector
>> against it and reiterate. There is a chance we'd fail, but with the
>> documentation available in advance, the chances of that would be low.
>>
>> Thoughts?
>> Karl
>>
>>
>> On Wed, Jun 11, 2014 at 1:58 AM, lalit jangra wrote:
>>
>>> Thanks Karl,
>>>
>>> So it's a show stopper now.
>>>
>>> As a fallback mechanism, I am looking for alfresco only connector for
>>> ACL storing mechanism but can you confirm if alfresco specific connector
>>> supports this feature or not.
>>>
>>> And finally if no all the ways, what would be the optimum way to start
>>> implementing the same.
>>>
>>> Regards.
>>>
>>>
>>> On Wed, Jun 11, 2014 at 12:47 AM, Karl Wright wrote:
>>>
>>>> Hi Lalit,
>>>>
>>>> CMIS does not give a way for a user to query for ACLs, so repository
>>>> document security is not supported for that connector. Documents indexed
>>>> by CMIS are thus "wide open" and will not be restricted from being
>>>> searchable by anybody.
>>>>
>>>> This is, unfortunately, a limitation of CMIS -- at least, CMIS at the
>>>> time the connector was implemented. Feel free to submit patches to add
>>>> security to the connector if the spec has evolved to the point where it is
>>>> possible.
>>>>
>>>> Thanks,
>>>> Karl
>>>>
>>>>
>>>> On Tue, Jun 10, 2014 at 6:38 PM, lalit jangra wrote:
>>>>
>>>>> Thanks Karl,
>>>>>
>>>>> As per your suggestions, I am able to see ACLs into solr index (I made
>>>>> stored="true" for ACLs in schema.xml) as below. I can see permissions for
>>>>> Sharepoint as well as shared drive but for CMIS, I am not able to see any
>>>>> permissions apart from default stored. Am I missing anything in CMIS?
>>>>>
>>>>> *Sharepoint*:
>>>>>
>>>>>         "allow_token_share": [
>>>>>           "__nosecurity__"
>>>>>         ],
>>>>>         "deny_token_share": [
>>>>>           "__nosecurity__"
>>>>>         ]
>>>>>       },
>>>>>       {
>>>>>         "content_name": "Alfresco-in-an-Hour.pdf"
>>>>>         "deny_token_document": [
>>>>>           "SP+Group:DEAD_AUTHORITY"
>>>>>         ],
>>>>>         "allow_token_document": [
>>>>>           "SP+Group:GTest+lalit+Portal+Visitors",
>>>>>           "SP+Group:GTest+lalit+Portal+Owners",
>>>>>           "SP+Group:GRestricted+Readers",
>>>>>           "SP+Group:GTest+lalit+Administrators",
>>>>>           "SP+Group:GTest+lalit+Portal+Members",
>>>>>           "SP+Group:Uc%3A0%28.s%7Ctrue",
>>>>>           "SP+Group:GHierarchy+Managers",
>>>>>           "SP+Group:GApprovers",
>>>>>           "SP+Group:GViewers",
>>>>>           "SP+Group:GDesigners"
>>>>>         ],
>>>>>
>>>>> *Share Drive:*
>>>>>
>>>>>       {
>>>>>         "deny_token_share": [
>>>>>           "AD+Group:DEAD_AUTHORITY"
>>>>>         ],
>>>>>         "content_name": "hello.txt",
>>>>>         "content_modifier": "lalitjangra",
>>>>>         "deny_token_document": [
>>>>>           "AD+Group:DEAD_AUTHORITY"
>>>>>         ],
>>>>>         "id": "file://///SDD/lalit/manifoldtest/hekko.txt",
>>>>>         "allow_token_document": [
>>>>>           "AD+Group:S-1-5-18",
>>>>>           "AD+Group:S-1-5-21-2630432783-15384281-2988178474-12088",
>>>>>           "AD+Group:S-1-5-21-2630432783-15384281-2988178474-12147",
>>>>>           "AD+Group:S-1-5-21-2630432783-15384281-2988178474-12148",
>>>>>           "AD+Group:S-1-5-21-2630432783-15384281-2988178474-12149",
>>>>>           "AD+Group:S-1-5-21-2630432783-15384281-2988178474-12150",
>>>>>           "AD+Group:S-1-5-21-2630432783-15384281-2988178474-12217",
>>>>>           "AD+Group:S-1-5-21-2630432783-15384281-2988178474-15154",
>>>>>           "AD+Group:S-1-5-21-2630432783-15384281-2988178474-8005",
>>>>>           "AD+Group:S-1-5-32-544"
>>>>>         ],
>>>>>         "allow_token_share": [
>>>>>           "AD+Group:S-1-1-0",
>>>>>           "AD+Group:S-1-5-32-544"
>>>>>         ],
>>>>>
>>>>> *CMIS*:
>>>>>
>>>>>         "allow_token_share": [
>>>>>           "__nosecurity__"
>>>>>         ],
>>>>>         "deny_token_document": [
>>>>>           "__nosecurity__"
>>>>>         ],
>>>>>         "deny_token_share": [
>>>>>           "__nosecurity__"
>>>>>         ],
>>>>>         "allow_token_document": [
>>>>>           "__nosecurity__"
>>>>>         ]
>>>>>
>>>>> Regards.
>>>>>
>>>>>
>>>>> On Tue, Jun 10, 2014 at 5:13 PM, Karl Wright wrote:
>>>>>
>>>>>> Hi Lalit,
>>>>>>
>>>>>> You always use the Active Directory authority for Windows shared
>>>>>> drive authorization. But you do not for SharePoint; you typically use
>>>>>> SharePoint/Native and SharePoint/AD. You therefore should have a second
>>>>>> authority group for SharePoint that is distinct from the one for Windows.
>>>>>>
>>>>>> Each access token is qualified with the name of the ManifoldCF
>>>>>> authority group, so there is never any chance that they will collide. So
>>>>>> it is perfectly fine to have multiple authority groups in a single
>>>>>> installation, in fact we'd expect you to.
>>>>>>
>>>>>> As for the Solr plugin, you can either download it here:
>>>>>>
>>>>>> http://manifoldcf.apache.org/en_US/download.html
>>>>>>
>>>>>> ... or you will find that it is there in the bin distribution
>>>>>> already, under the "integration" directory. Please have a look and read
>>>>>> the README.
>>>>>>
>>>>>> Karl
>>>>>>
>>>>>>
>>>>>> On Tue, Jun 10, 2014 at 11:41 AM, lalit jangra <lalit.j.jangra@gmail.com> wrote:
>>>>>>
>>>>>>> Thanks Karl,
>>>>>>>
>>>>>>> I am having two content repositories based on active directory
>>>>>>> authentication: SharePoint 2010 and Windows Share Drive, so I am using
>>>>>>> active directory as authority type in authority connection. All my
>>>>>>> connections are working fine as well as job is running good but I am still
>>>>>>> not able to see any ACL information in solr.
>>>>>>>
>>>>>>> Do I need to enable any configuration in solr to see the same?
>>>>>>>
>>>>>>> Also by Solr Plugin, is it a jar or connector which needs to be
>>>>>>> placed inside solr application server or is it that I need to write custom
>>>>>>> code to make search query permission aware?
>>>>>>>
>>>>>>> Can you please guide?
>>>>>>>
>>>>>>> Regards.
>>>>>>>
>>>>>>>
>>>>>>> On Tue, Jun 10, 2014 at 1:59 PM, Karl Wright wrote:
>>>>>>>
>>>>>>>> Hi Lalit,
>>>>>>>>
>>>>>>>> (1) You need first to specify "SharePoint Native" as the authority
>>>>>>>> type in your SharePoint repository connection. You'd use "Active
>>>>>>>> directory" as the authority type only if you were using the "Active
>>>>>>>> directory" authority. To be precise:
>>>>>>>>
>>>>>>>> - If you are using "SharePoint/Native", "SharePoint/AD", or any
>>>>>>>> combination of these for your authority group, use "SharePoint native"
>>>>>>>> authority type
>>>>>>>> - If you are using "Active Directory", use "Active directory" as
>>>>>>>> your authority type
>>>>>>>>
>>>>>>>> (2) You should see acl information get posted to Solr if you have
>>>>>>>> everything configured right.
>>>>>>>> (3) On the Solr side, you need to install and configure the
>>>>>>>> appropriate Solr plugin. Each plugin comes with a README, which describes
>>>>>>>> how to set up the schema on Solr to support security.
>>>>>>>>
>>>>>>>> Thanks!
>>>>>>>> Karl
>>>>>>>>
>>>>>>>>
>>>>>>>> On Tue, Jun 10, 2014 at 8:51 AM, lalit jangra <lalit.j.jangra@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> I am working on Apache MCF 1.5.1 indexing Sharepoint 2010
>>>>>>>>> repository storing index in Solr 4.6.
>>>>>>>>>
>>>>>>>>> For permissions, I followed below steps.
>>>>>>>>>
>>>>>>>>> 1. Created a new authority group called "SharePoint Group" in MCF.
>>>>>>>>> 2. Created a new User Mapping connection called "SharePoint User
>>>>>>>>> Mapping" using authority group "SharePoint Group" in step 1. For user
>>>>>>>>> mapping, I used "Regular Expression" mapping and used default
>>>>>>>>> expressions. When I save it, it says "Connection Working".
>>>>>>>>> 3. Created a new Authority connection called "SharePoint Authority
>>>>>>>>> Connection" and using "SharePoint Group" as in step 1 as authority group
>>>>>>>>> type, using "SharePoint User Mapping" as prerequisite, using my own domain
>>>>>>>>> controller and other related details. When I save it, it says "Connection
>>>>>>>>> Working".
>>>>>>>>>
>>>>>>>>> Next I have created a new repository connection for SharePoint
>>>>>>>>> called "SharePoint Connection" selecting authority group called "SharePoint
>>>>>>>>> Group" from pull down list, providing all relevant details for server,
>>>>>>>>> and choosing authority type as "Active Directory". On saving, it worked
>>>>>>>>> fine without any error.
>>>>>>>>>
>>>>>>>>> Finally I created a new SharePoint job providing following details.
>>>>>>>>> 1. Connections: repository connection as "SharePoint Connection"
>>>>>>>>> and output connection as "Solr Connection".
>>>>>>>>> 2. Choosing paths for document library, shared documents,
>>>>>>>>> announcements & lists.
>>>>>>>>> 3. Selecting all metadata in metadata tab selecting all metadata.
>>>>>>>>> 4. Mapped required metadata fields to solr schema fields.
>>>>>>>>> 5. Enabled the security.
>>>>>>>>>
>>>>>>>>> Now I started the job and I can see SharePoint content getting
>>>>>>>>> indexed and stored in solr. I can verify it using solr admin query console.
>>>>>>>>>
>>>>>>>>> But I am not seeing any additional ACL information. How can I
>>>>>>>>> verify that ACL & permission information is also stored in Solr. Do I need
>>>>>>>>> to change Solr configurations also?
>>>>>>>>>
>>>>>>>>> Please help.
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Lalit Jangra.
>>>>>>>
>>>>>>> --
>>>>>>> Regards,
>>>>>>> Lalit Jangra.
>>>>>
>>>>> --
>>>>> Regards,
>>>>> Lalit Jangra.
>>>
>>> --
>>> Regards,
>>> Lalit Jangra.
>
> --
> Regards,
> Lalit Jangra.
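Added example (not part of the thread and not ManifoldCF code): a Python audit of the token fields in a Solr response, separating documents that carry real access tokens from ones holding only `__nosecurity__`, as the CMIS fragment in the thread does. The sample response is constructed from the fragments quoted in the thread; the `sp-constructed-1`, `cmis-constructed-1` and `constructed-no-acl-fields` ids and the four status labels are assumptions made for this example.

```python
import json
from urllib.parse import unquote_plus

NOSECURITY = "__nosecurity__"   # placeholder value shown in the thread's Solr output
LEVELS = ("share", "document")  # the two levels in the thread's field names

# Constructed Solr response modelled on the fragments quoted in the thread.
# Every id except the file:// one is made up for this example.
SAMPLE_RESPONSE = json.dumps({"response": {"docs": [
    {"id": "sp-constructed-1", "content_name": "Alfresco-in-an-Hour.pdf",
     "allow_token_share": [NOSECURITY], "deny_token_share": [NOSECURITY],
     "deny_token_document": ["SP+Group:DEAD_AUTHORITY"],
     "allow_token_document": ["SP+Group:GViewers", "SP+Group:GApprovers"]},
    {"id": "file://///SDD/lalit/manifoldtest/hekko.txt",
     "deny_token_share": ["AD+Group:DEAD_AUTHORITY"],
     "allow_token_share": ["AD+Group:S-1-1-0", "AD+Group:S-1-5-32-544"],
     "deny_token_document": ["AD+Group:DEAD_AUTHORITY"],
     "allow_token_document": ["AD+Group:S-1-5-18", "AD+Group:S-1-5-32-544"]},
    {"id": "cmis-constructed-1",
     "allow_token_share": [NOSECURITY], "deny_token_share": [NOSECURITY],
     "allow_token_document": [NOSECURITY], "deny_token_document": [NOSECURITY]},
    # No token fields returned at all, e.g. fields indexed but not stored.
    {"id": "constructed-no-acl-fields", "content_name": "notes.txt"},
]}})


def real_tokens(doc, field):
    """Tokens in a field, with the placeholder and empty values dropped."""
    values = doc.get(field) or []
    if isinstance(values, str):          # tolerate a single-valued field
        values = [values]
    return [v for v in values if v and v != NOSECURITY]


def authority_group(token):
    """Authority group qualifying a token: 'SP+Group:GViewers' -> 'SP Group'."""
    prefix, sep, _ = token.partition(":")
    return unquote_plus(prefix) if sep else None


def audit_doc(doc):
    """Classify one Solr document by the access tokens stored on it."""
    allow_levels, deny_seen, fields_present, groups = [], False, False, set()
    for level in LEVELS:
        allow_field, deny_field = f"allow_token_{level}", f"deny_token_{level}"
        fields_present |= allow_field in doc or deny_field in doc
        allow = real_tokens(doc, allow_field)
        deny = real_tokens(doc, deny_field)
        if allow:
            allow_levels.append(level)
        deny_seen |= bool(deny)
        groups.update(g for g in map(authority_group, allow + deny) if g)
    if not fields_present:
        status = "unknown"       # nothing to inspect: fields absent or not stored
    elif allow_levels:
        status = "restricted"    # at least one level carries real allow tokens
    elif deny_seen:
        status = "deny-only"     # no allow list, only deny tokens
    else:
        status = "open"          # only __nosecurity__ everywhere
    return {"id": doc.get("id", "<no id>"), "status": status,
            "allow_levels": allow_levels, "groups": sorted(groups)}


def audit(response_text):
    """Audit every document in a Solr JSON select response."""
    docs = json.loads(response_text)["response"]["docs"]
    return [audit_doc(d) for d in docs]


if __name__ == "__main__":
    for report in audit(SAMPLE_RESPONSE):
        print(f'{report["status"]:<10} {report["id"]}  '
              f'levels={report["allow_levels"]} groups={report["groups"]}')
```
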