[MarkLogic Dev General] Create temporary user
andreas.hubmer at ebcont.com
Mon Sep 18 07:25:33 PDT 2017
Thanks, this seems to be exactly what we were looking for. Much better than
creating a temporary user.
We'll use Amps to assign the xdmp:login privilege to the JWT checking code.
The session is not needed, we'll check the JWT each time.
2017-09-18 15:27 GMT+02:00 Jason Hunter <Jason.Hunter at marklogic.com>:
> Great, so make sure those role names map to those held in MarkLogic and
> then you can use xdmp:login. Notice how xdmp:login accepts a $role-names
> sequence of roles you want the user to have after logging in. It was added
> for just this use case. You just need a single weak user that everybody
> can log in as, with the user's power coming from the roles passed in there.
> The code checking the JWT and doing the login needs to have the xdmp:login
> privilege. You may or may not want to set the session. With JWT probably
> not. I'd check the token on each go so you can use the JWT's precise time
> of expiration.
> On Sep 18, 2017, at 21:12, Andreas Hubmer <andreas.hubmer at ebcont.com>
> It is possible to add authorization information (roles) to the JWT.
> "iss": "...",
> "sub": "...",
> "exp": ...,
> "iat": ...,
> "jti": "...",
> "ver": "0.1",
> "idp": "..",
> "name": "Doe",
> "email":"john at doe.com",
> "roles": ["role1", "role2"]
> 2017-09-18 14:59 GMT+02:00 Jason Hunter <Jason.Hunter at marklogic.com>:
>> I understand that JWT will provide for authentication. How do you intend
>> to do authorization?
>> Meaning, how do you intend to know what roles the username given in the
>> JWT should have within MarkLogic? Or do all authenticated users get the
>> same roles, or something?
>> On Sep 18, 2017, at 15:07, Andreas Hubmer <andreas.hubmer at ebcont.com>
>> I'll answer for my colleague.
>> We'd like to use JSON Web Tokens (JWT) and extract the user roles from
>> the token.
>> The users are managed in an external system and, similar to the LDAP
>> connection, we want to avoid having to create/update every user in
>> MarkLogic too.
>> Amps do not give the same flexibility as a temporary user with an
>> arbitrary combination of roles.
>> 2017-09-15 17:50 GMT+02:00 Justin Makeig <Justin.Makeig at marklogic.com>:
>>> Rather than describe your solution, can you explain the problem you’re
>>> trying to solve? Why do you think you need a temporary user? What
>>> permission/privilege challenge are you trying to address?
>>> You might also take a look at amps
>>> <https://docs.marklogic.com/guide/admin/security#id_81246>. An amp allows a
>>> security administrator to
>>> elevate the privileges of a specific function. This is beneficial in that
>>> the security is defined in configuration, not code.
>>> Justin Makeig
>>> Senior Director, Product Management
>>> jmakeig at marklogic.com
>>> > On Sep 15, 2017, at 4:29 AM, Andreas Holzgethan <andreas.holzgethan at ebcont.com> wrote:
>>> > Hi @all,
>>> > I need the possibility to create a temporary user for a transaction.
>>> > I just found in the documentation that such functionality is used
>>> when, for example, LDAP is configured as external security.
>>> > Could you please explain to me how this is done there?
>>> > My first thought was to create a user with the function
>>> "sec:create-user-with-role". At the end of the transaction I would just
>>> call the function "sec:remove-user".
>>> > Could you please give me feedback about this implementation?
>>> > Does such an implementation have a big influence on performance?
>>> > Thanks!
>>> > Best regards
>>> > Andreas Holzgethan
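The pattern Jason describes above (one weak user, xdmp:login with the role names carried in the JWT, the checking code amped with the xdmp:login privilege, no session, expiry checked on every call), written out as an added XQuery library module. This is an added example, not code from the thread or from MarkLogic; it assumes an HS256-signed token, and the names jwt-user, jwt-login-role, /modules/jwt.xqy, the jwt namespace and the function and variable names shown are all assumptions.

```xquery
xquery version "1.0-ml";
(: Added example, not from the thread. Assumes an HS256-signed JWT, a shared
   secret held in $SECRET (illustration only), and a low-privilege MarkLogic
   user "jwt-user" that holds no roles of its own. :)
module namespace jwt = "http://example.com/jwt";   (: hypothetical namespace :)

declare variable $SECRET := "replace-with-shared-secret";
declare variable $WEAK-USER := "jwt-user";
(: Only role names that exist in MarkLogic are honoured; anything else in the token is dropped. :)
declare variable $KNOWN-ROLES := ("role1", "role2");

(: base64url (RFC 7515) -> standard base64 -> decoded string :)
declare function jwt:b64url-decode($s as xs:string) as xs:string {
  let $std := fn:translate($s, "-_", "+/")
  let $pad := (4 - fn:string-length($std) mod 4) mod 4
  return xdmp:base64-decode(fn:concat($std, fn:string-join((1 to $pad) ! "=", "")))
};

(: Seconds since the Unix epoch, for comparison with the numeric "exp" claim :)
declare function jwt:now-epoch() as xs:decimal {
  (fn:current-dateTime() - xs:dateTime("1970-01-01T00:00:00Z")) div xs:dayTimeDuration("PT1S")
};

(: Verify the token and, if valid, log in the weak user with the token's roles.
   This function must be amped to a role holding the xdmp:login privilege,
   e.g. (run against the Security database; names are assumptions):
     sec:create-amp("http://example.com/jwt", "login-from-token",
                    "/modules/jwt.xqy", "Modules", "jwt-login-role")   :)
declare function jwt:login-from-token($token as xs:string) as xs:boolean {
  let $parts := fn:tokenize($token, "\.")
  let $_ := if (fn:count($parts) ne 3) then fn:error((), "JWT-MALFORMED") else ()
  (: 1. Signature first: no claim is trusted before this passes :)
  let $expected := fn:translate(
        xdmp:hmac-sha256($SECRET, fn:concat($parts[1], ".", $parts[2]), "base64"),
        "+/=", "-_")
  let $_ := if ($expected ne $parts[3]) then fn:error((), "JWT-BAD-SIGNATURE") else ()
  (: 2. Expiry is checked on every request, so no MarkLogic session is kept :)
  let $claims := xdmp:from-json-string(jwt:b64url-decode($parts[2]))
  let $_ := if (map:get($claims, "exp") le jwt:now-epoch()) then fn:error((), "JWT-EXPIRED") else ()
  (: 3. Map token roles onto roles MarkLogic actually has :)
  let $token-roles := map:get($claims, "roles")
  let $roles := if ($token-roles instance of json:array)
                then json:array-values($token-roles)[. = $KNOWN-ROLES]
                else ()
  (: No password, no session: the amp supplies the xdmp:login privilege :)
  return xdmp:login($WEAK-USER, (), fn:false(), $roles)
};
```

Because only this amped function can call xdmp:login, the weak user's effective roles are exactly the intersection of the verified token's roles and $KNOWN-ROLES for the current request and nothing more. The string comparison of the HMAC is not constant-time; the secret should also come from configuration rather than the module source.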