ManifoldCF / CONNECTORS-1473

Authority Service doesn't return same set of tokens for user at query time as the set used for ingestion, when using Alfresco


Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • None
    • ManifoldCF 2.9
    • None
    • Alfresco:
      Installed Schema 6022
      Installed Version 4.2.0 (4576)
      Server Schema 6022
      Server Version 4.2.0 (4576)

      ManifoldCF - built from source using the latest sources about a month ago

      Solr - 6.6.0

    Description

      Using ManifoldCF to index content from Alfresco into Solr, and using the MCF SearchComponent to restrict access on the Solr side, I'm seeing the following unusual behavior:

      1. I have an Alfresco server storing documents. There are 65 docs in
      the built-in "sample" space, which defaults to allowing access to
      everyone.
      2. With the MCF SearchComponent installed into Solr, if I pass the
      AuthenticatedUserName parameter with any value, I get back all 65
      documents as expected.
      3. I added another space in Alfresco that only allows access for 4
      specific users... testuser1, testuser2, testuser3, and testuser4. If I
      log into Alfresco as any of those users I can view and/or upload
      content to the space.
      4. I put 7 documents in that space, and re-indexed with MCF.
      5. Solr now shows a total of 72 documents for the core in question.
      6. But, if I pass AuthenticatedUserName=testuser1 with my query, I
      still only see the 65 docs from the other space.
      7. If I temporarily turn off the MCF SearchComponent in Solr, I can
      see the docs from the "locked down" space.

      I set the various token fields to stored="true" so I can see what is
      getting stored, and here's what I see for one sample document (one
      that isn't being returned with the SearchComponent enabled, but which
      should be).

      "allow_token_document":["Alfresco:testuser1", "Alfresco:testuser2",
      "Alfresco:testuser3", "Alfresco:testuser4"],
      "deny_token_document":["__nosecurity__"],
      "deny_token_parent":["__nosecurity__"],
      "allow_token_share":["__nosecurity__"],
      "allow_token_parent":["__nosecurity__"],
      "deny_token_share":["__nosecurity__"],

      Note that at ingestion time, tokens were created of the form Alfresco:username for the specific individual users which were granted access to the "secure" folder.

      However, if I make a direct request to the MCF UserACLs endpoint for, say, testuser1, like this:

      http://manifoldcf.fogbeam.link:8345/mcf-authority-service/UserACLs?username=testuser1

      I get back:

      AUTHORIZED:Alfresco+Authority+Connection
      TOKEN:Alfresco:GROUP_EVERYONE

      which explains why I can see the documents from the public folder, because they all have an allow_token_document for Alfresco:GROUP_EVERYONE. But note that what I don't get back here is the token for the specific user testuser1, which would match what was stored during ingestion.
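
Added example, not part of the original report or of ManifoldCF's code: a Python check that takes the UserACLs response and the stored token fields quoted above and reports the level at which the document is filtered out. The filtering rule is a simplified model of the SearchComponent (an assumption), `PUBLIC_DOC` is constructed, and the function names are hypothetical.

```python
from urllib.parse import unquote_plus

NOSECURITY = "__nosecurity__"
LEVELS = ("share", "parent", "document")

# Response and secured document copied from the report; PUBLIC_DOC is constructed.
RESPONSE = "AUTHORIZED:Alfresco+Authority+Connection\nTOKEN:Alfresco:GROUP_EVERYONE\n"
SECURE_DOC = {
    "allow_token_document": ["Alfresco:testuser1", "Alfresco:testuser2",
                             "Alfresco:testuser3", "Alfresco:testuser4"],
    "deny_token_document": [NOSECURITY],
    "allow_token_parent": [NOSECURITY], "deny_token_parent": [NOSECURITY],
    "allow_token_share": [NOSECURITY], "deny_token_share": [NOSECURITY],
}
PUBLIC_DOC = dict(SECURE_DOC, allow_token_document=["Alfresco:GROUP_EVERYONE"])

def parse_user_acls(body):
    """Collect the TOKEN: values from a UserACLs response body."""
    tokens = set()
    for line in body.splitlines():
        if line.startswith("TOKEN:"):
            # Assumption: values are URL-encoded, as the '+' in AUTHORIZED suggests.
            tokens.add(unquote_plus(line[len("TOKEN:"):].strip()))
    return tokens

def blocked_levels(doc, user_tokens):
    """Return the levels (share/parent/document) at which the user is filtered out."""
    blocked = []
    for level in LEVELS:
        # Assumption: a missing field behaves like the __nosecurity__ marker.
        allow = set(doc.get(f"allow_token_{level}", [NOSECURITY]))
        deny = set(doc.get(f"deny_token_{level}", [NOSECURITY]))
        unsecured = NOSECURITY in allow and NOSECURITY in deny
        allowed = unsecured or bool(allow & user_tokens)
        if not allowed or (deny & user_tokens):
            blocked.append(level)
    return blocked

def missing_tokens(doc, user_tokens):
    """Allow tokens at blocked levels that the authority service did not return."""
    return sorted(t for lvl in blocked_levels(doc, user_tokens)
                  for t in doc.get(f"allow_token_{lvl}", [])
                  if t not in user_tokens and t != NOSECURITY)

if __name__ == "__main__":
    held = parse_user_acls(RESPONSE)
    print("tokens held:", sorted(held))
    print("secure doc blocked at:", blocked_levels(SECURE_DOC, held))
    print("tokens that would grant access:", missing_tokens(SECURE_DOC, held))
```

Running the same comparison for every user and secured space after an ACL change shows whether the authority side and the ingestion side still agree on token form.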

      Attachments

        1. CONNECTORS-1473.patch
          2 kB
          Karl Wright

          People

            kwright@metacarta.com Karl Wright
            sprhodes Phillip Rhodes