manifoldcf-user mailing list archives

From lalit jangra <lalit.j.jan...@gmail.com>
Subject Re: How to query for content with ACLs?
Date Sun, 15 Jun 2014 19:53:34 GMT
Thanks Karl,

One way I found to get tokens associated with a document here is to use the
"/query" debug request handler. When I use this, I found the sample output below.
Here I can see that allow tokens are group names but earlier using the
"/select" query handler these are SIDs of groups.

Do these make the gap we are trying to fill?

{
        "deny_token_document": [
          "SharepointAuthGroup:DEAD_AUTHORITY"
        ],
        "id": "http://testwaterportal/water/water/Lists/IWList/1_.000
<http://testirishwaterportal/irish-water/irish-water/Lists/IWList/1_.000>",
        "allow_token_document": [
          "SharepointAuthGroup:GApprovers",
          "SharepointAuthGroup:GDesigners",
          "SharepointAuthGroup:GHierarchy+Managers",
          "SharepointAuthGroup:GRestricted+Readers",
          "SharepointAuthGroup:GTest+Water+Administrators",
          "SharepointAuthGroup:GTest+Water+Portal+Members",
          "SharepointAuthGroup:GTest+Water+Portal+Owners",
          "SharepointAuthGroup:GTest+Water+Portal+Visitors",
          "SharepointAuthGroup:GViewers",
          "SharepointAuthGroup:Uc%3A0%28.s%7Ctrue"
        ],
        "content": [
          " \n \n  \n  \n  \n  \n  \n  \n  \n \n   "
        ],
        "_version_": 1471001711182086100,
        "allow_token_share": [
          "__nosecurity__"
        ],
        "deny_token_share": [
          "__nosecurity__"
        ]
      },


Regards.


On Sun, Jun 15, 2014 at 8:35 PM, Karl Wright <daddywri@gmail.com> wrote:

> Hi Lalit,
>
> What we need to do, whatever way we can, is to get the contents of the
> allow_token_document and deny_token_document fields for a single
> document.  You already provided the curl output from the authority
> service, but the question is why the query being generated does not
> match the document field.  Like I said before, I suspect that
> something in solr has recently changed and the token values are being
> corrupted.
>
> Thanks,
>
> Karl
>
> Sent from my Windows Phone
>
> -----Original Message-----
> From: lalit jangra
> Sent: 6/15/2014 2:38 PM
> To: Karl Wright
> Cc: user@manifoldcf.apache.org
> Subject: Re: How to query for content with ACLs?
>
>
>
> Hi Karl,
>
>
> Yes, after I changed the authority group name I re-ran the job after
> deleting solr indexes under the data folder to make it 100% sure. I could
> see the authority group being updated in the new job, which did not have any
> spaces or special characters. Also I froze the configuration after your
> confirmation and am using the same throughout.
>
> In fact, I replicated everything in MCF 1.6.1 but am getting the same results
> there as well.
>
> Regards.
>
>
>
>
> On Sun, Jun 15, 2014 at 7:28 PM, Karl Wright <daddywri@gmail.com> wrote:
>
>
>
>
> Hi Lalit,
>
> The deny token part of the query is not the problem, because it will
> not match anything.
>
> After you changed the group name, did you rerun the SharePoint job?
> If not the acls will not be updated.
>
> It is essential that the tokens returned by curl match the tokens in
> the index exactly.  I suspect that is where the problem is.  Don't
> change anything about your configuration because that seems to be fine
> now.
>
> Thanks
> Karl
>
> Sent from my Windows Phone
>
>
>
> From: lalit jangra
> Sent: 6/15/2014 1:52 PM
> To: user@manifoldcf.apache.org
> Subject: Re: How to query for content with ACLs?
>
>
>
>
>
>
>
> Thanks Karl,
>
> I renamed the authority group to avoid any spaces or special characters
> but still I am bugged by deny_tokens. For the repository connection, I am
> using "Sharepoint" as authority type and for the authority connection, I
> am using "Sharepoint/ActiveDirectory" as connection type which seems
> to be fine here. My user mapping connection converts from
> water.com\ljangra to ljangra@water.com as per need.
>
> Also one unusual thing I noticed now is that every time I am trying to
> create a new user mapping connection or edit an existing one, it waits for
> a very long time and sometimes I need to redo it a couple of times. Could
> there be any relation here?
>
>
>
>
> Solr.log after reindexing with deny token as DEAD_AUTHORITY.
>
>
> INFO  - 2014-06-15 18:36:21.624;
> org.apache.solr.update.processor.LogUpdateProcessor; [collection1]
> webapp=/solr path=/update/extract
>
> params={literal.content_name=pptexamples.ppt&literal.deny_token_document=SPKWGroup:DEAD_AUTHORITY&literal.DocIcon=ppt&literal.content%3Aname=/pptexamples.ppt&
> resource.name
> =pptexamples.ppt&literal.allow_token_document=SPKWGroup:GApprovers&literal.allow_token_document=SPKWGroup:GDesigners&literal.allow_token_document=SPKWGroup:GHierarchy%2BManagers&literal.allow_token_document=SPKWGroup:GRestricted%2BReaders&literal.allow_token_document=SPKWGroup:GTest%2BIrish%2BWater%2BAdministrators&literal.allow_token_document=SPKWGroup:GTest%2BIrish%2BWater%2BPortal%2BMembers&literal.allow_token_document=SPKWGroup:GTest%2BIrish%2BWater%2BPortal%2BOwners&literal.allow_token_document=SPKWGroup:GTest%2BIrish%2BWater%2BPortal%2BVisitors&literal.allow_token_document=SPKWGroup:GViewers&literal.allow_token_document=SPKWGroup:Uc%253A0%2528.s%257Ctrue&literal.FolderChildCount=0&version=2.2&literal.ItemChildCount=0&literal._dlc_DocId=N7JQZDZPVPT7-50-1&literal.content%3Alink=
> http://testirishwaterportal/irish-water/DocumentLibrary/pptexamples.ppt&literal.content%3Aparent=testirishwaterportal/irish-water/DocumentLibrary&literal.content_size=1371648&literal.Edit=0&literal.id=http://testirishwaterportal/irish-water/DocumentLibrary/pptexamples.ppt&literal.content%3AparentLink=http://testirishwaterportal/irish-water/DocumentLibrary&literal.LinkFilenameNoMenu=pptexamples.ppt&literal._dlc_DocIdUrl=http://testirishwaterportal/irish-water/_layouts/DocIdRedir.aspx?ID%3DN7JQZDZPVPT7-50-1,+N7JQZDZPVPT7-50-1&literal.Created=2014-06-04T16:55:09&literal._UIVersionString=1.0&literal.content%3Amimetype=application/vnd.ms-powerpoint&wt=xml&literal.Title=PPT+examples&literal.content%3Asource=Sharepoint&literal.Modified=2014-06-04T16:55:09&literal.Author=Lalit+Jangra&literal.LinkFilename=pptexamples.ppt&literal.lcf_metadata_id=1&literal.Editor=Lalit+Jangra&literal.ContentType=Document
> }
> {add=[
> http://testirishwaterportal/irish-water/DocumentLibrary/pptexamples.ppt
> (1470998806838378496)]} 0 1625
>
> While querying for content using '/select' request handler
>
>
> INFO  - 2014-06-15 18:38:03.957;
> org.apache.solr.mcf.ManifoldCFQParserPlugin$ManifoldCFQueryParser;
> Trying to match docs for user '[:ljangra@iwater.ie]'
>
> INFO  - 2014-06-15 18:38:04.363;
> org.apache.solr.mcf.ManifoldCFQParserPlugin$ManifoldCFQueryParser; Saw
> authority response AUTHORIZED:SPKWConnection
>
> INFO  - 2014-06-15 18:38:04.363; org.apache.solr.core.SolrCore;
> [collection1] webapp=/solr path=/select
>
> params={debugQuery=true&indent=true&q=*:*&_=1402853883932&wt=json&AuthenticatedUserName=
> ljangra@iwater.ie}
> hits=0 status=0 QTime=406
>
>
>
>
> My authority tokens in MCF
>
>
>
>
>
>
> AUTHORIZED:SPKWConnectionTOKEN:SPKWGroup:Ui%3A0%23.w%7Ciwater.ie%255cljangraTOKEN:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-32-545TOKEN:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-15263TOKEN:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-513TOKEN:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-13472TOKEN:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-3182TOKEN:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-1619TOKEN:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-1813TOKEN:SPKWGroup:Ui%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-12149TOKEN:SPKWGroup:Uc%3A0%21.s%7Cwindows
>
>
>
> No mention of any deny_token but still while querying, I am getting
> the same results with one allow token & one deny token which supersedes
> the allow token, giving me no results.
>
>
> "parsed_filter_queries": [
>
>       "ConstantScore(+((+allow_token_share:__nosecurity__
> +deny_token_share:__nosecurity__)
> allow_token_share:SPKWGroup:Ui%3A0%23.w%7Ciwater.ie%255cljangra
> -deny_token_share:SPKWGroup:Ui%3A0%23.w%7Ciwater.ie%255cljangra
> allow_token_share:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-32-545
> -deny_token_share:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-32-545
>
> allow_token_share:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-15263
>
> -deny_token_share:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-15263
>
> allow_token_share:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-513
>
> -deny_token_share:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-513
>
> allow_token_share:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-13472
>
> -deny_token_share:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-13472
>
> allow_token_share:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-3182
>
> -deny_token_share:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-3182
>
> allow_token_share:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-1619
>
> -deny_token_share:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-1619
>
> allow_token_share:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-1813
>
> -deny_token_share:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-1813
>
> allow_token_share:SPKWGroup:Ui%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-12149
>
> -deny_token_share:SPKWGroup:Ui%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-12149
> allow_token_share:SPKWGroup:Uc%3A0%21.s%7Cwindows
> -deny_token_share:SPKWGroup:Uc%3A0%21.s%7Cwindows)
> +((+allow_token_document:__nosecurity__
> +deny_token_document:__nosecurity__)
> allow_token_document:SPKWGroup:Ui%3A0%23.w%7Ciwater.ie%255cljangra
> -deny_token_document:SPKWGroup:Ui%3A0%23.w%7Ciwater.ie%255cljangra
> allow_token_document:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-32-545
> -deny_token_document:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-32-545
>
> allow_token_document:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-15263
>
> -deny_token_document:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-15263
>
> allow_token_document:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-513
>
> -deny_token_document:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-513
>
> allow_token_document:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-13472
>
> -deny_token_document:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-13472
>
> allow_token_document:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-3182
>
> -deny_token_document:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-3182
>
> allow_token_document:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-1619
>
> -deny_token_document:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-1619
>
> allow_token_document:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-1813
>
> -deny_token_document:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-1813
>
> allow_token_document:SPKWGroup:Ui%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-12149
>
> -deny_token_document:SPKWGroup:Ui%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-12149
> allow_token_document:SPKWGroup:Uc%3A0%21.s%7Cwindows
> -deny_token_document:SPKWGroup:Uc%3A0%21.s%7Cwindows))"
>
>
> Sincere Regards.
>
> On Sun, Jun 15, 2014 at 1:04 PM, Karl Wright <daddywri@gmail.com> wrote:
>
>
> If I'm right, the interim solution would be to just rename your
> authority group to something that does not have characters that need
> escaping in them.  If that works, then we know what the issue is, and
> I'll open a ticket and try to find a solution.
>
> Thanks,
> Karl
>
> On Sun, Jun 15, 2014 at 8:01 AM, Karl Wright <daddywri@gmail.com> wrote:
>
> Hi Lalit,
>
>
> I'm sorry, I was confused.
>
> The document ingest you included had only ONE deny_token_document
> value: literal.deny_token_document=SP%2BKW:DEAD_AUTHORITY .
>
> So even though you see a deny_token_document clause in the Solr query
> expression, it will not match *unless* your user has a DEAD_AUTHORITY
> token.  So that is not the problem.
>
> But what I do see is the following:
>
> SP+KW:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-15263
>
> Note the prefix; the prefix when indexing is SP%2BKW, while the prefix
> when searching is SP+KW.  I had discounted that because the [INFO] log
> from Solr is logging a URL and it is therefore URL encoded -- but it
> is possible now that since Solr no longer has Jetty involved, it may
> not be unencoding SP%2BKW back to SP+KW properly.  What do you see for
> the ACL field values in Luke?  Are they SP+KW?
>
> Karl
>
> On Sun, Jun 15, 2014 at 7:48 AM, Karl Wright <daddywri@gmail.com> wrote:
>
>
>
>
>
> Hi Lalit,
>
> Ok, I think that everything on your end is now set up correctly.
>
>
> You should be able to see Windows documents on your search, if I am
> correct.  Do you see any?
>
> As for SharePoint, when a user has a deny token in ManifoldCF it takes
> precedence over any allow tokens.  But SharePoint does not currently
> generate *any* deny tokens; it doesn't have those in the model.  So
> I'm wondering where those are coming from, and if there's a bug of
> some kind.
>
> Let me do some research and get back to you.
>
> Karl
>
>  On Sun, Jun 15, 2014 at 5:56 AM, lalit jangra <lalit.j.jangra@gmail.com>
> wrote:
>
>
>
>
>
> Hi Karl,
>
>
> My sincere apologies for going out of context here as I was confused &
> my limited knowledge of sharepoint and ACLs.
>
> After spending two more days and setting up everything from scratch
> a couple of times, I am back to square one. The only thing which I
> could observe is that while indexing content into solr, I could see
> all ACLs are getting indexed correctly.
>
>
>
> params={literal.content_name=/Alfresco-in-an-Hour.pdf&literal.deny_token_document=SP%2BKW:DEAD_AUTHORITY&literal.DocIcon=pdf&
> resource.name
> =Alfresco-in-an-Hour.pdf&literal.allow_token_document=SP%2BKW:GTest%2BIrish%2BWater%2BPortal%2BVisitors&literal.allow_token_document=SP%2BKW:GTest%2BIrish%2BWater%2BPortal%2BOwners&literal.allow_token_document=SP%2BKW:GRestricted%2BReaders&literal.allow_token_document=SP%2BKW:GTest%2BIrish%2BWater%2BAdministrators&literal.allow_token_document=SP%2BKW:GTest%2BIrish%2BWater%2BPortal%2BMembers&literal.allow_token_document=SP%2BKW:Uc%253A0%2528.s%257Ctrue&literal.allow_token_document=SP%2BKW:GHierarchy%2BManagers&literal.allow_token_document=SP%2BKW:GApprovers&literal.allow_token_document=SP%2BKW:GViewers&literal.allow_token_document=SP%2BKW:GDesigners&literal.content%3AmodifiedDate=2014-06-04T15:52:29.000Z&literal.FolderChildCount=0&version=2.2&literal.ItemChildCount=0&literal._dlc_DocId=N7JQZDZPVPT7-49-1&literal.content%3Alink=
> http://testirishwaterportal/irish-water/Shared%2520Documents/Alfresco-in-an-Hour.pdf&literal.ParentVersionString=&literal.content_source
>



-- 
Regards,
Lalit Jangra.
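
An offline version of the comparison asked for in this thread (authority-service tokens against a document's indexed allow/deny fields), added here as an example and not code from ManifoldCF or from either poster. The filter model follows the parsed_filter_queries output quoted above; the function names and sample values are constructed, and the response parser assumes a single authority.

```python
from urllib.parse import unquote

NOSEC = "__nosecurity__"

def parse_authority_response(text):
    """Access tokens from an authority-service response (assumes one authority;
    works whether TOKEN: entries are on separate lines or run together)."""
    return [t.strip() for t in text.split("TOKEN:")[1:] if t.strip()]

def level_allows(doc, level, user_tokens):
    """One level of the filter: an allow match (or the no-security marker in
    both fields) and no deny match."""
    allow = set(doc.get(f"allow_token_{level}", []))
    deny = set(doc.get(f"deny_token_{level}", []))
    user = set(user_tokens)
    unsecured = NOSEC in allow and NOSEC in deny
    return (unsecured or bool(allow & user)) and not (deny & user)

def visible(doc, user_tokens, levels=("share", "document")):
    return all(level_allows(doc, lv, user_tokens) for lv in levels)

def fully_decoded(token):
    """Percent-decode until stable so single- and double-encoded forms compare equal."""
    prev = None
    while prev != token:
        prev, token = token, unquote(token)
    return token

def diagnose(doc, user_tokens, level="document"):
    """Report how the indexed allow tokens and the user's tokens relate."""
    allow = [t for t in doc.get(f"allow_token_{level}", []) if t != NOSEC]
    exact = set(allow) & set(user_tokens)
    decoded = {fully_decoded(t) for t in allow} & {fully_decoded(t) for t in user_tokens}
    return {
        "exact_matches": sorted(exact),
        # equal only after decoding: the two sides disagree on URL encoding
        "encoding_only_matches": sorted(decoded - {fully_decoded(t) for t in exact}),
        "index_prefixes": sorted({t.split(":", 1)[0] for t in allow}),
        "user_prefixes": sorted({t.split(":", 1)[0] for t in user_tokens}),
    }

# Constructed sample, modelled on values quoted in the thread (not real index data).
SAMPLE_DOC = {
    "allow_token_share": [NOSEC], "deny_token_share": [NOSEC],
    "allow_token_document": ["SP%2BKW:GViewers", "SP%2BKW:GApprovers"],
    "deny_token_document": ["SP%2BKW:DEAD_AUTHORITY"],
}
SAMPLE_RESPONSE = "AUTHORIZED:SPKWConnectionTOKEN:SP+KW:GViewersTOKEN:SP+KW:Uc%3A0%2B.w%7Cs-1-5-32-545"
```

An empty `exact_matches` with a non-empty `encoding_only_matches` points at an encoding difference between indexing and querying; both empty with differing prefixes or token kinds (group names on one side, SIDs on the other) points at the authority or job configuration instead.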
