manifoldcf-user mailing list archives

From Phillip Rhodes <>
Subject Re: ManifoldCF + Alfresco + Solr security filtering problem
Date Sat, 02 Dec 2017 10:09:45 GMT
FWIW, I only have one repository connection defined, and only one
authority group.


This message optimized for indexing by NSA PRISM

On Sat, Dec 2, 2017 at 4:55 AM, Karl Wright <> wrote:
> Hi Phil,
> If you are using a different repository connection for the second Alfresco
> crawl, is it possible you may have misconfigured the connection to refer to
> the wrong authority group, or none at all?  All connections that you need to
> be authorized together need to be part of the same group.
> Karl
> On Sat, Dec 2, 2017 at 4:32 AM, Phillip Rhodes <>
> wrote:
>> Hello all, I thought I had this all figured out, but I built a new
>> environment and it's not behaving as expected.  Not sure if I changed
>> something I shouldn't have or if it was never really working, but
>> here's the situation:
>> 1. I have an Alfresco server storing documents.   There are 65 docs in
>> the built in "sample" space, which defaults to allowing access to
>> everyone.
>> 2. With the MCF SearchComponent installed into Solr, if I pass the
>> AuthenticatedUserName parameter with any value, I get back all 65
>> documents as expected.
>> 3. I added another space in Alfresco that only allows access for 4
>> specific users... testuser1, testuser2, testuser3, and testuser4. If I
>> log into Alfresco as any of those users I can view and/or upload
>> content to the space.
>> 4. I put 7 documents in that space, and re-indexed with MCF.
>> 5. Solr now shows a total of 72 documents for the core in question.
>> 6. But, if I pass AuthenticatedUserName=testuser1 with my query, I
>> still only see the 65 docs from the other space.
>> 7. If I temporarily turn off the MCF SearchComponent in Solr, I can
>> see the docs from the "locked down" space.
>> I set the various token fields to stored="true" so I can see what is
>> getting stored, and here's what I see for one sample document (one
>> that isn't being returned with the SearchComponent enabled, but which
>> should be).
>> "allow_token_document":["Alfresco:testuser1", "Alfresco:testuser2",
>> "Alfresco:testuser3", "Alfresco:testuser4"],
>> "deny_token_document":["__nosecurity__"],
>> "deny_token_parent":["__nosecurity__"],
>> "allow_token_share":["__nosecurity__"],
>> "allow_token_parent":["__nosecurity__"],
>> "deny_token_share":["__nosecurity__"],
>> Two things jump out to me:
>> 1. I don't have entries for those users in allow_token_share and
>> allow_token_parent (and I'm not sure why not.  This part seems to be a
>> black box from the perspective of configuring MCF to crawl Alfresco)
>> 2. The "domain" part in the entries in allow_token_document is coming
>> up as "Alfresco".  I tried adding AuthenticatedUserDomain=Alfresco to
>> my queries, but that didn't make any difference.
>> Can anybody see what it is that I'm missing here?  Is there maybe
>> something I need to do either in MCF or in Alfresco to make sure those
>> allow_token_share and allow_token_parent entries get populated, or is
>> it something else?
>> Any thoughts / suggestions are greatly appreciated.
>> Phil
>> This message optimized for indexing by NSA PRISM
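
Added example, not part of the original thread and not ManifoldCF's own code: a simplified Python model of allow/deny token filtering, assuming each level (share, parent, document) passes when both of its fields hold `__nosecurity__` or when the user holds at least one allow token and no deny token. The function names and the user token sets are hypothetical; the field values are the ones quoted in the message above.

```python
# Simplified model of per-level allow/deny token filtering (an assumption
# about the filter semantics, not the search component's source code).
NOSEC = "__nosecurity__"  # marker the index stores when a level has no ACL
LEVELS = ("share", "parent", "document")


def level_passes(doc, level, user_tokens):
    """True if this level lets a user holding user_tokens see the document."""
    allow = set(doc[f"allow_token_{level}"])
    deny = set(doc[f"deny_token_{level}"])
    if NOSEC in allow and NOSEC in deny:
        return True  # level carries no security at all
    # Otherwise: at least one allow token held, and no deny token held.
    return bool(allow & user_tokens) and not (deny & user_tokens)


def explain(doc, user_tokens):
    """Return {level: bool} so the level that blocks a document is visible."""
    tokens = set(user_tokens)
    return {lvl: level_passes(doc, lvl, tokens) for lvl in LEVELS}


def visible(doc, user_tokens):
    """A document is returned only if every level passes."""
    return all(explain(doc, user_tokens).values())


# Field values copied from the sample document quoted in the message.
SAMPLE_DOC = {
    "allow_token_document": ["Alfresco:testuser1", "Alfresco:testuser2",
                             "Alfresco:testuser3", "Alfresco:testuser4"],
    "deny_token_document": [NOSEC],
    "deny_token_parent": [NOSEC],
    "allow_token_share": [NOSEC],
    "allow_token_parent": [NOSEC],
    "deny_token_share": [NOSEC],
}

if __name__ == "__main__":
    # Constructed token sets: what the user lookup might resolve to.
    for tokens in ({"Alfresco:testuser1"}, {"testuser1"}, set()):
        print(sorted(tokens), explain(SAMPLE_DOC, tokens))
```

Under this model the share and parent levels of the sample document pass for every user, so the result depends only on whether the token set resolved for the user contains a string that exactly matches one of the `allow_token_document` values.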
