[MarkLogic Dev General] Create temporary user

Andreas Hubmer andreas.hubmer at ebcont.com
Mon Sep 18 07:25:33 PDT 2017


Thanks, this seems to be exactly what we were looking for. Much better than
creating a temporary user.

We'll use Amps to assign the xdmp:login privilege to the JWT checking code.
The session is not needed, we'll check the JWT each time.

Thanks,
Andreas


2017-09-18 15:27 GMT+02:00 Jason Hunter <Jason.Hunter at marklogic.com>:

> Great, so make sure those role names map to those held in MarkLogic and
> then you can use xdmp:login.  Notice how xdmp:login accepts a $role-names
> sequence of roles you want the user to have after logging in. It was added
> for just this use case.  You just need a single weak user that everybody
> can login as, with the user's power coming from the roles passed in there.
>
> The code checking the JWT and doing the login needs to have the xdmp:login
> privilege.  You may or may not want to set the session.  With JWT probably
> not.  I'd check the token on each go so you can use the JWT's precise time
> of expiration.
>
> -jh-
>
> On Sep 18, 2017, at 21:12, Andreas Hubmer <andreas.hubmer at ebcont.com>
> wrote:
>
> It is possible to add authorization information (roles) to the JWT.
> Example:
> {
>   "iss": "...",
>   "sub": "...",
>   "exp": ...,
>   "iat": ...,
>   "jti": "...",
>   "ver": "0.1",
>   "idp": "..",
>   "name": "Doe",
>   "firstName":"John",
>   "email":"john at doe.com",
>   "roles": ["role1", "role2"]
> }
>
>
>
> 2017-09-18 14:59 GMT+02:00 Jason Hunter <Jason.Hunter at marklogic.com>:
>
>> I understand that JWT will provide for authentication.  How do you intend
>> to do authorization?
>>
>> Meaning, how do you intend to know what roles the username given in the
>> JWT should have within MarkLogic?  Or do all authenticated users get the
>> same roles, or something?
>>
>> -jh-
>>
>> On Sep 18, 2017, at 15:07, Andreas Hubmer <andreas.hubmer at ebcont.com>
>> wrote:
>>
>> Justin,
>>
>> I'll answer for my colleague.
>> We'd like to use JSON Web Tokens (JWT) and extract the user roles from
>> the token.
>> The users are managed in an external system and similar to the LDAP
>> connection we want to avoid that every user has to be created/updated in
>> MarkLogic too.
>>
>> Amps do not give the same flexibility as a temporary user with an
>> arbitrary combination of roles.
>>
>> Thanks,
>> Andreas
>>
>> 2017-09-15 17:50 GMT+02:00 Justin Makeig <Justin.Makeig at marklogic.com>:
>>
>>> Andreas,
>>> Rather than describe your solution, can you explain the problem you’re
>>> trying to solve? Why do you think you need a temporary user? What
>>> permission/privilege challenge are you trying to address?
>>>
>>> You might also take a look at amps
>>> <https://docs.marklogic.com/guide/admin/security#id_81246>. An amp allows a security administrator to
>>> elevate the privileges of a specific function. This is beneficial in that
>>> the security is defined in configuration, not code.
>>>
>>> Justin
>>>
>>>
>>> --
>>> Justin Makeig
>>> Senior Director, Product Management
>>> MarkLogic
>>> jmakeig at marklogic.com
>>>
>>>
>>>
>>> > On Sep 15, 2017, at 4:29 AM, Andreas Holzgethan <
>>> andreas.holzgethan at ebcont.com> wrote:
>>> >
>>> > Hi @all,
>>> >
>>> > I need the possibility to create a temporary user for a transaction.
>>> > I just found in the documentation that such a functionality is used
>>> when, for example, LDAP is configured as an external security.
>>> >
>>> > Could you please explain to me how this is done there?
>>> >
>>> > My first thought was to create a user with the function
>>> "sec:create-user-with-role". At the end of the transaction I would just
>>> call the function "sec:remove-user".
>>> > Could you please give me feedback about this implementation?
>>> > Does such an implementation have a big influence on the performance?
>>> >
>>> > Thanks!
>>> >
>>> > Best regards
>>> > Andreas Holzgethan
>>> >
>>>
>>