Hi Phil,

If you are using a different repository connection for the second Alfresco crawl, is it possible you may have misconfigured the connection to refer to the wrong authority group, or none at all?  All connections that you need to be authorized together need to be part of the same group.

Karl


On Sat, Dec 2, 2017 at 4:32 AM, Phillip Rhodes <motley.crue.fan@gmail.com> wrote:
Hello all, I thought I had this all figured out, but I built a new
environment and it's not behaving as expected.  Not sure if I changed
something I shouldn't have or if it was never really working, but
here's the situation:

1. I have an Alfresco server storing documents.   There are 65 docs in
the built in "sample" space, which defaults to allowing access to
everyone.
2. With the MCF SearchComponent installed into Solr, if I pass the
AuthenticatedUserName parameter with any value, I get back all 65
documents as expected.
3. I added another space in Alfresco that only allows access for 4
specific users... testuser1, testuser2, testuser3, and testuser4. If I
log into Alfresco as any of those users I can view and/or upload
content to the space.
4. I put 7 documents in that space, and re-indexed with MCF.
5. Solr now shows a total of 72 documents for the core in question.
6. But, if I pass AuthenticatedUserName=testuser1 with my query, I
still only see the 65 docs from the other space.
7. If I temporarily turn off the MCF SearchComponent in Solr, I can
see the docs from the "locked down" space.

I set the various token fields to stored="true" so I can see what is
getting stored, and here's what I see for one sample document (one
that isn't being returned with the SearchComponent enabled, but which
should be).

"allow_token_document":["Alfresco:testuser1", "Alfresco:testuser2",
"Alfresco:testuser3", "Alfresco:testuser4"],
"deny_token_document":["__nosecurity__"],
"deny_token_parent":["__nosecurity__"],
"allow_token_share":["__nosecurity__"],
"allow_token_parent":["__nosecurity__"],
"deny_token_share":["__nosecurity__"],

Two things jump out to me:

1. I don't have entries for those users in allow_token_share and
allow_token_parent (and I'm not sure why not.  This part seems to be a
black box from the perspective of configuring MCF to crawl Alfresco)

2. The "domain" part in the entries in allow_token_document is coming
up as "Alfresco".  I tried adding AuthenticatedUserDomain=Alfresco to
my queries, but that didn't make any difference.

Can anybody see what it is that I'm missing here?  Is there maybe
something I need to do either in MCF or in Alfresco to make sure those
allow_token_share and allow_token_parent entries get populated, or is
it something else?

Any thoughts / suggestions are greatly appreciated.


Phil



This message optimized for indexing by NSA PRISM
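
Added example, not part of the thread and not ManifoldCF code: a simplified Python model of how allow/deny token fields like the ones quoted above would filter a document against the access tokens returned for a user. The filter rule (a level passes if both of its fields hold `__nosecurity__`, or if a user token matches an allow entry and none matches a deny entry) and the sample user token sets are assumptions made for illustration.

```python
NOSEC = "__nosecurity__"
LEVELS = ("share", "parent", "document")

def level_permits(doc, level, user_tokens):
    """Assumed rule: a level passes if unsecured, or allowed and not denied."""
    allow = set(doc[f"allow_token_{level}"])
    deny = set(doc[f"deny_token_{level}"])
    if NOSEC in allow and NOSEC in deny:
        return True  # nothing is enforced at this level
    return bool(allow & user_tokens) and not (deny & user_tokens)

def blocking_levels(doc, user_tokens):
    """Return the levels that reject this user's tokens (empty list = visible)."""
    tokens = set(user_tokens)
    return [lvl for lvl in LEVELS if not level_permits(doc, lvl, tokens)]

def visible(doc, user_tokens):
    return not blocking_levels(doc, user_tokens)

# Token fields as quoted in the message above (document in the restricted space).
LOCKED_DOC = {
    "allow_token_document": ["Alfresco:testuser1", "Alfresco:testuser2",
                             "Alfresco:testuser3", "Alfresco:testuser4"],
    "deny_token_document": [NOSEC],
    "allow_token_share": [NOSEC], "deny_token_share": [NOSEC],
    "allow_token_parent": [NOSEC], "deny_token_parent": [NOSEC],
}
# Constructed: a document from an open space, every field unsecured.
OPEN_DOC = {f"{kind}_token_{lvl}": [NOSEC]
            for kind in ("allow", "deny") for lvl in LEVELS}

# Constructed user token sets, as the authority lookup might return them.
CASES = {
    "no tokens returned": [],
    "tokens under another prefix": ["OtherGroup:testuser1"],
    "tokens matching the index": ["Alfresco:testuser1"],
}

if __name__ == "__main__":
    for label, tokens in CASES.items():
        print(f"{label}: open={visible(OPEN_DOC, tokens)} "
              f"locked={visible(LOCKED_DOC, tokens)} "
              f"blocked_at={blocking_levels(LOCKED_DOC, tokens)}")
```

Under this model the `__nosecurity__` values at the share and parent levels block nothing; the restricted document is rejected only at the document level, and only when the user's tokens are empty or carry a prefix other than the one stored in the index.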