paloma - 3 months ago
Question

Setting permissions on a document using MarkLogic's REST API

I'm trying to specify permissions on documents in a MarkLogic 6 database using the REST API.

This is the permissions metadata I'm sending in (permissions.xml):

<rapi:metadata xmlns:rapi="http://marklogic.com/rest-api"
               xmlns:prop="http://marklogic.com/xdmp/property">
  <rapi:permissions>
    <rapi:permission>
      <rapi:role-name>arole</rapi:role-name>
      <rapi:capability>update</rapi:capability>
    </rapi:permission>
    <rapi:permission>
      <rapi:role-name>brole</rapi:role-name>
      <rapi:capability>read</rapi:capability>
    </rapi:permission>
  </rapi:permissions>
</rapi:metadata>


using this command:

curl --anyauth --user user:pass -X PUT -T permissions.xml \
-H "Content-type: application/xml" \
"http://localhost:8003/v1/documents?uri=/test/test.xml&category=permissions"


When I look at the permissions afterwards, I see:

arole (update)
brole (read)
rest-reader (read)
rest-writer (update)


I expect it to only have the permissions for arole and brole.

The documentation says, "If no permissions are explicitly set, documents you create with the MarkLogic REST API have a read permission for the rest-reader role and an update permission for the rest-writer role." (And yes, I know, this example doesn't create a new document. But it does the same thing if I add a new document and set permissions at the same time using a multipart content+metadata message through the REST API.)

Setting permissions via direct XQuery calls (e.g. xdmp:document-insert with permissions) using the same user and database works as expected.

How can I keep the REST API from adding these extra permissions?

EDIT:

There's a ticket in with MarkLogic, no target date or version that I know of yet.

In case someone else runs into this, they did give me a workaround: Create new roles (or change existing ones), and give them rest-reader and/or rest-writer 'execute' privileges instead of having them inherit the rest-reader/rest-writer roles, or having a user directly assigned the rest-reader/rest-writer roles.

Answer

The internal function docmodupd:write-permissions always combines the input permissions with the output from xdmp:default-permissions. It does that to ensure that rest-reader can read the document, and rest-writer can update it. As far as I can tell there is no API to control this behavior.

If you have a strong use-case for omitting those extra permissions, contact support.
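Because the REST API silently merges the caller's permissions with xdmp:default-permissions, it is worth reading the metadata back after a write and comparing it with what was intended. The following check is an added example, not part of the original post or of MarkLogic's own code; it assumes the same /v1/documents endpoint answers a GET with category=permissions in the rapi:metadata format shown in the question, and the response below is a constructed sample rather than captured server output.

```python
"""Audit the effective permissions on a MarkLogic document.

Parse the rapi:metadata returned for category=permissions and report
any (role, capability) pairs beyond the ones that were requested.
"""
import xml.etree.ElementTree as ET

RAPI = "http://marklogic.com/rest-api"

# Constructed sample of a GET ...&category=permissions response after the
# PUT in the question: the two requested roles plus the two merged defaults.
SAMPLE_RESPONSE = """<rapi:metadata xmlns:rapi="http://marklogic.com/rest-api">
  <rapi:permissions>
    <rapi:permission><rapi:role-name>arole</rapi:role-name><rapi:capability>update</rapi:capability></rapi:permission>
    <rapi:permission><rapi:role-name>brole</rapi:role-name><rapi:capability>read</rapi:capability></rapi:permission>
    <rapi:permission><rapi:role-name>rest-reader</rapi:role-name><rapi:capability>read</rapi:capability></rapi:permission>
    <rapi:permission><rapi:role-name>rest-writer</rapi:role-name><rapi:capability>update</rapi:capability></rapi:permission>
  </rapi:permissions>
</rapi:metadata>"""


def parse_permissions(metadata_xml):
    """Return the set of (role, capability) pairs in a rapi:metadata document."""
    root = ET.fromstring(metadata_xml)
    ns = {"rapi": RAPI}
    perms = set()
    for perm in root.iterfind(".//rapi:permission", ns):
        role = perm.findtext("rapi:role-name", namespaces=ns)
        cap = perm.findtext("rapi:capability", namespaces=ns)
        perms.add((role, cap))
    return perms


def audit_permissions(metadata_xml, expected):
    """Return (extra, missing) relative to the intended permission set.

    extra: pairs present on the document but never requested (such as the
    rest-reader/rest-writer defaults); missing: requested pairs not applied.
    """
    actual = parse_permissions(metadata_xml)
    return actual - expected, expected - actual


if __name__ == "__main__":
    wanted = {("arole", "update"), ("brole", "read")}
    extra, missing = audit_permissions(SAMPLE_RESPONSE, wanted)
    for role, cap in sorted(extra):
        print(f"unexpected permission: {role} ({cap})")
    for role, cap in sorted(missing):
        print(f"missing permission: {role} ({cap})")
```

In a deployment, feed the function the body of the curl GET instead of the sample string; a non-empty `extra` set is the signal that the defaults were merged in.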
