manifoldcf-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Karl Wright <daddy...@gmail.com>
Subject Re: Solr Plugin
Date Thu, 20 Nov 2014 19:47:21 GMT
Hi Alejandro,

Since you did not specify a token return column I would expect an exception
to be tossed when you try to get the tokens in your authority.
Specifically:


            Object oToken =
row.getValue(JDBCConstants.tokenReturnColumnName);
            if (oToken == null)
              throw new ManifoldCFException("Bad token query; doesn't
return $(TOKENCOLUMN) column.  Try using quotes around $(TOKENCOLUMN)
variable, e.g. \"$(TOKENCOLUMN)\".");
            String token = JDBCConnection.readAsString(oToken);

I can't explain why you are not seeing this exception, if the queries you
supplied are in fact how you configured the UI.

Karl


On Thu, Nov 20, 2014 at 2:37 PM, Alejandro Calbazana <acalbazana@gmail.com>
wrote:

> Hi Karl,
>
> Sure.  I set up 2 auth connectors as JDBC.  In my example, I am dummying
> up auth tokens for each,  The user is coming from a live table:
>
> AuthConn1 is defined as:
>
> User ID query: SELECT system_userid AS "$(IDCOLUMN)" FROM master.users
> WHERE userid = UPPER($(USERNAME))
> Auth token query: SELECT 1 from dual;
>
> AuthConn2 is defined as:
> User ID query: SELECT system_userid AS "$(IDCOLUMN)" FROM master.users
> WHERE userid = UPPER($(USERNAME))
> Auth token query: SELECT 2 from dual;
>
> Here is example output using the above setup:
>
> acalbaza@acalbaza-virtual-machine ~/src $ curl
> http://localhost:8345/mcf/UserACLs?username=THOLLY2
> AUTHORIZED:authConn2
> TOKEN:authGroup:1
> AUTHORIZED:authConn1
> TOKEN:authGroup:1
>
> I would expect:
>
> AUTHORIZED:authConn2
> TOKEN:authGroup:2
> AUTHORIZED:authConn1
> TOKEN:authGroup:1
>
> Thanks,
>
> Alejandro
>
>
> On Thu, Nov 20, 2014 at 2:21 PM, Karl Wright <daddywri@gmail.com> wrote:
>
>> Hi Alejandro,
>>
>> I'm having a bit of trouble from your email figuring out what your
>> authorities are each doing.
>>
>> Within an authority group, each authority is consulted, and the list of
>> tokens returned are added together.  So, for instance, if your authority
>> group "mygroup" has two authorities in it A and B, both authorities are
>> called, and the results are aggregated.  So if A returned tokens "A1" and
>> "A2", and B returned tokens "B1" and "B2, you should see:
>>
>> TOKEN:mygroup:A1
>> TOKEN:mygroup:A2
>> TOKEN:mygroup:B1
>> TOKEN:mygroup:B2
>>
>> The tokens returned are qualified with the authority group name, so there
>> should definitely be a difference if you put authorities in one group vs.
>> another.
>>
>> If I am not understanding the problem, please help by describing what the
>> individual authorities in your group are supposed to be returning.
>>
>> Thanks,
>> Karl
>>
>>
>> On Thu, Nov 20, 2014 at 2:09 PM, Alejandro Calbazana <
>> acalbazana@gmail.com> wrote:
>>
>>> Hi Karl,
>>>
>>> It looks like the Solr plugin is doing what it is supposed to.  I had
>>> content that was not marked with any auth tokens.
>>>
>>> I do have a question about auth groups.  I noticed something that I did
>>> not expect.  I added mutiple auth connectors to an auth group.  Each one
>>> has a different underlying query.  The idea here is that each auth
>>> connector returns a different set of tokens depending on the query.  What
>>> I'm seeing is that the results are duplicated across auth connectors in the
>>> group.  Is this what should happen?
>>>
>>> Here is an example of what I'm getting back:
>>>
>>> AUTHORIZED:authConn1
>>> TOKEN:authGroup:A127839-1411291
>>> TOKEN:authGroup:A127839-1413366
>>> TOKEN:authGroup:A127839-1413038
>>> AUTHORIZED:authConn2
>>> TOKEN:authGroup:A127839-1411291
>>> TOKEN:authGroup:A127839-1413366
>>> TOKEN:authGroup:A127839-1413038
>>>
>>> What I expect:
>>>
>>> AUTHORIZED:authConn1
>>> TOKEN:authGroup:A127839-1411291
>>> AUTHORIZED:authConn2
>>> TOKEN:authGroup:A127839-1411291
>>> TOKEN:authGroup:A127839-1413366
>>> TOKEN:authGroup:A127839-1413038
>>>
>>> It doesn't even matter if the auth connectors are placed in separate
>>> groups.
>>>
>>> Thanks,
>>>
>>> Alejandro
>>>
>>>
>>> On Fri, Nov 7, 2014 at 12:43 PM, Karl Wright <daddywri@gmail.com> wrote:
>>>
>>>> My suspicion, FWIW, is that you may either not have made all the solr
>>>> schema field additions required, or you need to reindex because you added
>>>> the security fields after running MCF.  But first let's be sure MCF is
>>>> doing what you expect first.
>>>>
>>>> Karl
>>>>
>>>>
>>>> On Fri, Nov 7, 2014 at 12:37 PM, Karl Wright <daddywri@gmail.com>
>>>> wrote:
>>>>
>>>>> Hi Alejandro,
>>>>>
>>>>> The best way to see if an authority is working as expected is to use
>>>>> curl, as follows:
>>>>>
>>>>> curl http://localhost:8345/mcf-authority-service/UserACLs?user=
>>>>> <username>
>>>>>
>>>>> Can you do that in your case and post the tokens?  Thanks!
>>>>>
>>>>> Karl
>>>>>
>>>>>
>>>>> On Fri, Nov 7, 2014 at 12:22 PM, Alejandro Calbazana <
>>>>> acalbazana@gmail.com> wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> I've now have content indexed with auth tokens (thanks Karl).  I'm
>>>>>> working out the Solr plugin so that I can enforce security.  It looks
like
>>>>>> I have things lined up properly on the Solr side as I can see that
Solr
>>>>>> calls out to MCF to get auth tokens for the authorized user on incoming
>>>>>> queries.  However, I also notice that I'm getting results back for
>>>>>> unauthorized users.
>>>>>>
>>>>>> From the Solr side:
>>>>>>
>>>>>>
>>>>>> 84665 [qtp2011579990-13] INFO
>>>>>> org.apache.solr.mcf.ManifoldCFSearchComponent  – Trying to match
docs for
>>>>>> user '[:ACALBAZA]'
>>>>>> 84754 [qtp2011579990-13] INFO
>>>>>> org.apache.solr.mcf.ManifoldCFSearchComponent  – Saw authority
response
>>>>>> AUTHORIZED:authGroupConnector
>>>>>> 84758 [qtp2011579990-13] INFO  org.apache.solr.core.SolrCore  –
>>>>>> [collection1] webapp=/solr path=/custom
>>>>>> params={q=DE&AuthenticatedUserName=ACALBAZA} hits=116 status=0
QTime=93
>>>>>> 84814 [qtp2011579990-11] INFO  org.apache.solr.core.SolrCore  –
>>>>>> [collection1] webapp=/solr path=/admin/file
>>>>>> params={file=/velocity/main.css&contentType=text/css} status=0
QTime=0
>>>>>> 84815 [qtp2011579990-14] INFO  org.apache.solr.core.SolrCore  –
>>>>>> [collection1] webapp=/solr path=/admin/file
>>>>>> params={file=/velocity/jquery.autocomplete.css&contentType=text/css}
>>>>>> status=0 QTime=0
>>>>>> 84824 [qtp2011579990-13] INFO  org.apache.solr.core.SolrCore  –
>>>>>> [collection1] webapp=/solr path=/admin/file
>>>>>> params={file=/velocity/jquery.autocomplete.js&contentType=text/javascript}
>>>>>> status=0 QTime=1
>>>>>> 87632 [qtp2011579990-11] INFO
>>>>>> org.apache.solr.mcf.ManifoldCFSearchComponent  – Trying to match
docs for
>>>>>> user '[:FOO]'
>>>>>> 87636 [qtp2011579990-11] INFO
>>>>>> org.apache.solr.mcf.ManifoldCFSearchComponent  – Saw authority
response
>>>>>> USERNOTFOUND:authGroupConnector
>>>>>> 87637 [qtp2011579990-11] INFO  org.apache.solr.core.SolrCore  –
>>>>>> [collection1] webapp=/solr path=/custom
>>>>>> params={q=DE&AuthenticatedUserName=FOO} hits=59 status=0 QTime=5
>>>>>> 87683 [qtp2011579990-14] INFO  org.apache.solr.core.SolrCore  –
>>>>>> [collection1] webapp=/solr path=/admin/file
>>>>>> params={file=/velocity/main.css&contentType=text/css} status=0
QTime=0
>>>>>> 87684 [qtp2011579990-13] INFO  org.apache.solr.core.SolrCore  –
>>>>>> [collection1] webapp=/solr path=/admin/file
>>>>>> params={file=/velocity/jquery.autocomplete.css&contentType=text/css}
>>>>>> status=0 QTime=0
>>>>>> 87684 [qtp2011579990-11] INFO  org.apache.solr.core.SolrCore  –
>>>>>> [collection1] webapp=/solr path=/admin/file
>>>>>> params={file=/velocity/jquery.autocomplete.js&contentType=text/javascript}
>>>>>> status=0 QTime=0
>>>>>>
>>>>>> Any hints appreciated.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Alejandro
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>

Mime
View raw message