Posted to user@manifoldcf.apache.org by Antonio David Perez Morales <ap...@zaizi.com> on 2015/03/26 17:00:21 UTC

Solr indexing permissions even when disabling authorities for a repository connection

Hi all

When using ManifoldCF, we are facing a strange behavior when disabling
authorities for a repository connection. Let me explain the steps:

1. Configure Alfresco repository connection with an authority group using
an Alfresco Authority Connection
2. Configure Solr Output Connector
3. Create a job using the repository and authority connections just
configured
4. Execute the job to index the content

After that, I can see in Solr the proper documents with the right
permissions. After that, I do the following:

1. Remove the authority group for the repository connection (using "None"
and saving)
2. Delete the job (documents are deleted)
3. Create another job with the same configuration for repository and output
connections
4. Execute the job

After that, I can see again in Solr the documents with the permissions.

After checking the source code of both, Alfresco repository (or any
repository connector with permission capabilities) simply creates a
RepositoryDocument for each document to process and adds the specific ACLs
for the specific permission type (document, share, parent, directory_). The
output connector (at least Solr Output Connector) takes the repository
document ACLs and builds the specific Solr fields for permissions.

I was expecting that since the base repository connector is the one which
manages the authority group for the repository, it (or Manifold framework)
should manage that to take the ACLs of the repository document into account
or not before being passed to the output connector (or transformation
connections if any). I mean I was expecting that if you put none as
authority group for a repository connection, then the base repository
connection or the framework should skip the ACLs set and put no_security.

Am I missing something, or is it a real bug? If it is a bug I could fix it
and send a patch, but for that I would like to know which component is
responsible for doing that or if the framework should be changed.

regards

-- 

------------------------------
This message should be regarded as confidential. If you have received this 
email in error please notify the sender and destroy it immediately. 
Statements of intent shall only become binding when confirmed in hard copy 
by an authorised signatory.

Zaizi Ltd is registered in England and Wales with the registration number 
6440931. The Registered Office is Brook House, 229 Shepherds Bush Road, 
London W6 7AN. 

Re: Solr indexing permissions even when disabling authorities for a repository connection

Posted by Karl Wright <da...@gmail.com>.
Hi Antonio,

Yes, I think that makes sense.

Karl


On Thu, Mar 26, 2015 at 12:51 PM, Antonio David Perez Morales <
aperez@zaizi.com> wrote:

> Hi Karl
>
> Thanks for your response.
>
> So it makes sense to change that behavior in the future, so, "no"
> authority group will mean "no adding ACLs" instead of no prepending
> anything on the specific ACL, right?
>
> Regards
>
> On Thu, Mar 26, 2015 at 5:36 PM, Karl Wright <da...@gmail.com> wrote:
>
>> Hi Antonio,
>>
>> A repository connector does not build its RepositoryDocument objects
>> based on its ManifoldCF environment.  To do that would be a challenge, and
>> probably would introduce dependencies we really don't want.
>>
>> The access tokens themselves get qualified by the authority group name by
>> the output connector.  It's done by calling a qualification method in
>> IOutputAddActivity.  For historical reasons, that method chooses to
>> interpret *no* authority group as meaning *no* qualification of tokens.
>> The historical reason is deprecated but we never changed the behavior.
>> Even so, you'd need to change the way the output connectors themselves
>> behave if you want to change this.  So it can't be done globally without
>> breaking backwards compatibility, until MCF 3.0.
>>
>> Thanks,
>> Karl
>>
>>
>> On Thu, Mar 26, 2015 at 12:00 PM, Antonio David Perez Morales <
>> aperez@zaizi.com> wrote:
>>
>>> Hi all
>>>
>>> When using ManifoldCF, we are facing a strange behavior when disabling
>>> authorities for a repository connection. Let me explain the steps:
>>>
>>> 1. Configure Alfresco repository connection with an authority group
>>> using an Alfresco Authority Connection
>>> 2. Configure Solr Output Connector
>>> 3. Create a job using the repository and authority connections just
>>> configured
>>> 4. Execute the job to index the content
>>>
>>> After that, I can see in Solr the proper documents with the right
>>> permissions. After that, I do the following:
>>>
>>> 1. Remove the authority group for the repository connection (using
>>> "None" and saving)
>>> 2. Delete the job (documents are deleted)
>>> 3. Create another job with the same configuration for repository and
>>> output connections
>>> 4. Execute the job
>>>
>>> After that, I can see again in Solr the documents with the permissions.
>>>
>>> After checking the source code of both, Alfresco repository (or any
>>> repository connector with permission capabilities) simply creates a
>>> RepositoryDocument for each document to process and adds the specific ACLs
>>> for the specific permission type (document, share, parent, directory_). The
>>> output connector (at least Solr Output Connector) takes the repository
>>> document ACLs and builds the specific Solr fields for permissions.
>>>
>>> I was expecting that since the base repository connector is the one
>>> which manages the authority group for the repository, it (or Manifold
>>> framework) should manage that to take the ACLs of the repository document
>>> into account or not before being passed to the output connector (or
>>> transformation connections if any). I mean I was expecting that if you put
>>> none as authority group for a repository connection, then the base
>>> repository connection or the framework should skip the ACLs set and put
>>> no_security.
>>>
>>> Am I missing something, or is it a real bug? If it is a bug I could fix
>>> it and send a patch, but for that I would like to know which component is
>>> responsible for doing that or if the framework should be changed.
>>>
>>> regards
>>>
>>
>>
>

Re: Solr indexing permissions even when disabling authorities for a repository connection

Posted by Antonio David Perez Morales <ap...@zaizi.com>.
Hi Karl

Thanks for your response.

So it makes sense to change that behavior in the future, so, "no" authority
group will mean "no adding ACLs" instead of no prepending anything on the
specific ACL, right?

Regards

On Thu, Mar 26, 2015 at 5:36 PM, Karl Wright <da...@gmail.com> wrote:

> Hi Antonio,
>
> A repository connector does not build its RepositoryDocument objects based
> on its ManifoldCF environment.  To do that would be a challenge, and
> probably would introduce dependencies we really don't want.
>
> The access tokens themselves get qualified by the authority group name by
> the output connector.  It's done by calling a qualification method in
> IOutputAddActivity.  For historical reasons, that method chooses to
> interpret *no* authority group as meaning *no* qualification of tokens.
> The historical reason is deprecated but we never changed the behavior.
> Even so, you'd need to change the way the output connectors themselves
> behave if you want to change this.  So it can't be done globally without
> breaking backwards compatibility, until MCF 3.0.
>
> Thanks,
> Karl
>
>
> On Thu, Mar 26, 2015 at 12:00 PM, Antonio David Perez Morales <
> aperez@zaizi.com> wrote:
>
>> Hi all
>>
>> When using ManifoldCF, we are facing a strange behavior when disabling
>> authorities for a repository connection. Let me explain the steps:
>>
>> 1. Configure Alfresco repository connection with an authority group using
>> an Alfresco Authority Connection
>> 2. Configure Solr Output Connector
>> 3. Create a job using the repository and authority connections just
>> configured
>> 4. Execute the job to index the content
>>
>> After that, I can see in Solr the proper documents with the right
>> permissions. After that, I do the following:
>>
>> 1. Remove the authority group for the repository connection (using "None"
>> and saving)
>> 2. Delete the job (documents are deleted)
>> 3. Create another job with the same configuration for repository and
>> output connections
>> 4. Execute the job
>>
>> After that, I can see again in Solr the documents with the permissions.
>>
>> After checking the source code of both, Alfresco repository (or any
>> repository connector with permission capabilities) simply creates a
>> RepositoryDocument for each document to process and adds the specific ACLs
>> for the specific permission type (document, share, parent, directory_). The
>> output connector (at least Solr Output Connector) takes the repository
>> document ACLs and builds the specific Solr fields for permissions.
>>
>> I was expecting that since the base repository connector is the one which
>> manages the authority group for the repository, it (or Manifold framework)
>> should manage that to take the ACLs of the repository document into account
>> or not before being passed to the output connector (or transformation
>> connections if any). I mean I was expecting that if you put none as
>> authority group for a repository connection, then the base repository
>> connection or the framework should skip the ACLs set and put no_security.
>>
>> Am I missing something, or is it a real bug? If it is a bug I could fix it
>> and send a patch, but for that I would like to know which component is
>> responsible for doing that or if the framework should be changed.
>>
>> regards
>>
>
>


Re: Solr indexing permissions even when disabling authorities for a repository connection

Posted by Karl Wright <da...@gmail.com>.
Hi Antonio,

A repository connector does not build its RepositoryDocument objects based
on its ManifoldCF environment.  To do that would be a challenge, and
probably would introduce dependencies we really don't want.

The access tokens themselves get qualified by the authority group name by
the output connector.  It's done by calling a qualification method in
IOutputAddActivity.  For historical reasons, that method chooses to
interpret *no* authority group as meaning *no* qualification of tokens.
The historical reason is deprecated but we never changed the behavior.
Even so, you'd need to change the way the output connectors themselves
behave if you want to change this.  So it can't be done globally without
breaking backwards compatibility, until MCF 3.0.

Thanks,
Karl


On Thu, Mar 26, 2015 at 12:00 PM, Antonio David Perez Morales <
aperez@zaizi.com> wrote:

> Hi all
>
> When using ManifoldCF, we are facing a strange behavior when disabling
> authorities for a repository connection. Let me explain the steps:
>
> 1. Configure Alfresco repository connection with an authority group using
> an Alfresco Authority Connection
> 2. Configure Solr Output Connector
> 3. Create a job using the repository and authority connections just
> configured
> 4. Execute the job to index the content
>
> After that, I can see in Solr the proper documents with the right
> permissions. After that, I do the following:
>
> 1. Remove the authority group for the repository connection (using "None"
> and saving)
> 2. Delete the job (documents are deleted)
> 3. Create another job with the same configuration for repository and
> output connections
> 4. Execute the job
>
> After that, I can see again in Solr the documents with the permissions.
>
> After checking the source code of both, Alfresco repository (or any
> repository connector with permission capabilities) simply creates a
> RepositoryDocument for each document to process and adds the specific ACLs
> for the specific permission type (document, share, parent, directory_). The
> output connector (at least Solr Output Connector) takes the repository
> document ACLs and builds the specific Solr fields for permissions.
>
> I was expecting that since the base repository connector is the one which
> manages the authority group for the repository, it (or Manifold framework)
> should manage that to take the ACLs of the repository document into account
> or not before being passed to the output connector (or transformation
> connections if any). I mean I was expecting that if you put none as
> authority group for a repository connection, then the base repository
> connection or the framework should skip the ACLs set and put no_security.
>
> Am I missing something, or is it a real bug? If it is a bug I could fix it
> and send a patch, but for that I would like to know which component is
> responsible for doing that or if the framework should be changed.
>
> regards
>
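
The behaviour described in the reply above, as an added example that is not part of the original thread and is not ManifoldCF code: a small Python model of token qualification where "no authority group" leaves tokens unqualified rather than dropping them, plus a check that flags such tokens in indexed fields. The `group:token` format, the `allow_token_*`/`deny_token_*` field names, the group name `AlfrescoAuth` and the sample ACLs are assumptions made for this sketch.

```python
# Added illustration, not ManifoldCF source. The "group:token" format and the
# allow_token_*/deny_token_* field names are assumptions of this sketch.
from urllib.parse import quote


def qualify(authority_group, token):
    """Model of the behaviour described in the thread: with no authority
    group the token is passed through unqualified, not dropped."""
    if authority_group is None:
        return token
    return quote(authority_group, safe="") + ":" + token


def build_fields(authority_group, acls):
    """Flatten {scope: {"allow": [...], "deny": [...]}} into index fields."""
    fields = {}
    for scope, rules in acls.items():
        for kind in ("allow", "deny"):
            tokens = [qualify(authority_group, t) for t in rules.get(kind, [])]
            if tokens:
                fields[f"{kind}_token_{scope}"] = tokens
    return fields


def unqualified_tokens(fields, known_groups):
    """Return (field, token) pairs not prefixed by any known authority group."""
    prefixes = tuple(quote(g, safe="") + ":" for g in known_groups)
    return [
        (name, tok)
        for name, toks in sorted(fields.items())
        if name.startswith(("allow_token_", "deny_token_"))
        for tok in toks
        if not tok.startswith(prefixes)
    ]


# Constructed sample ACLs for one document (hypothetical token values).
SAMPLE_ACLS = {"document": {"allow": ["GROUP_EVERYONE", "admin"], "deny": ["guest"]}}

if __name__ == "__main__":
    for group in ("AlfrescoAuth", None):
        fields = build_fields(group, SAMPLE_ACLS)
        print(group, fields, unqualified_tokens(fields, ["AlfrescoAuth"]))
```

Run against an export of indexed documents, a non-empty result from `unqualified_tokens` points at content crawled through a repository connection with no authority group, where the ACL fields are still populated.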