Try this.
Karl

On Thu, May 5, 2011 at 7:12 PM, Karl Wright <daddy...@gmail.com> wrote:
> It must mean we're somehow throwing an exception in the case where the
> user is missing.  I bet I know why - the CN lookup is failing instead.
>  I'll see if I can change it.
>
> Karl
>
> On Thu, May 5, 2011 at 6:43 PM, Kadri Atalay <atalay.ka...@gmail.com> wrote:
>> It works, only difference I see with previous one is: if a domain is
>> reachable, message usernotfound makes a better indicator, somehow we lost
>> that.
>>
>>
>> C:\OPT>testauthority
>>
>> C:\OPT>curl
>> "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser";
>> UNREACHABLEAUTHORITY:TEQA-DC
>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>
>> C:\OPT>curl
>> "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeuser@fakedomain";
>> UNREACHABLEAUTHORITY:TEQA-DC
>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>
>> C:\OPT>curl
>> "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeu...@teqa.filetek.com";
>> UNREACHABLEAUTHORITY:TEQA-DC
>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>
>> Previous one
>> C:\OPT>curl
>> "http://localhost:8345/mcf-authority-service/UserACLs?username=fakeu...@teqa.filetek.com";
>> USERNOTFOUND:TEQA-DC
>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>
>>
>> C:\OPT>curl
>> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_admin@teqa";
>> UNREACHABLEAUTHORITY:TEQA-DC
>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>
>> C:\OPT>curl
>> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_ad...@teqa.filetek.com";
>> AUTHORIZED:TEQA-DC
>> TOKEN:TEQA-DC:S-1-5-32-545
>> TOKEN:TEQA-DC:S-1-5-32-544
>> TOKEN:TEQA-DC:S-1-5-32-555
>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1124
>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1480
>> TOKEN:TEQA-DC:S-1-1-0
>>
>> C:\OPT>curl
>> "http://localhost:8345/mcf-authority-service/UserACLs?username=kata...@teqa.filetek.com";
>> AUTHORIZED:TEQA-DC
>> TOKEN:TEQA-DC:S-1-5-32-545
>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1473
>> TOKEN:TEQA-DC:S-1-1-0
>>
>> C:\OPT>curl
>> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay@fakedomain";
>> UNREACHABLEAUTHORITY:TEQA-DC
>> TOKEN:TEQA-DC:DEAD_AUTHORITY
>>
>>
>> On Thu, May 5, 2011 at 6:29 PM, Karl Wright <daddy...@gmail.com> wrote:
>>>
>>> I've cleaned things up slightly to restore the objectSid and also to
>>> fix an infinite loop if you have more than one comma in the escape
>>> expression.  I've attached the file, can you see if it works?
>>>
>>> Thanks,
>>> Karl
>>>
>>>
>>> On Thu, May 5, 2011 at 6:23 PM, Karl Wright <daddy...@gmail.com> wrote:
>>> > Thanks - we do need the user sid, so I will put that back.
>>> >
>>> > Also, I'd like to ask what you know about escaping the user name in
>>> > this expression:
>>> >
>>> > String searchFilter = "(&(objectClass=user)(sAMAccountName=" + userName
>>> > + "))";
>>> >
>>> > It seems to me that there is probably some escaping needed, but I
>>> > don't know what style.  Do you think it is the same (C-style, with \
>>> > escape) as for the other case?
>>> >
>>> > Karl
>>> >
>>> > On Thu, May 5, 2011 at 6:20 PM, Kadri Atalay <atalay.ka...@gmail.com>
>>> > wrote:
>>> >> Hi Karl,
>>> >>
>>> >>     String returnedAtts[]={"tokenGroups"} is ONLY returning the
>>> >> memberGroups,
>>> >>
>>> >> C:\OPT>curl
>>> >>
>>> >> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_ad...@teqa.filetek.com";
>>> >> AUTHORIZED:TEQA-DC
>>> >> TOKEN:TEQA-DC:S-1-5-32-545
>>> >> TOKEN:TEQA-DC:S-1-5-32-544
>>> >> TOKEN:TEQA-DC:S-1-5-32-555
>>> >> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1124
>>> >> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
>>> >> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>>> >> TOKEN:TEQA-DC:S-1-1-0
>>> >>
>>> >> but,
>>> >>
>>> >> -    String returnedAtts[] = {"tokenGroups","objectSid"}; is returning
>>> >> memberGroups AND SID for that user.
>>> >>
>>> >> C:\OPT>curl
>>> >>
>>> >> "http://localhost:8345/mcf-authority-service/UserACLs?username=katalay_ad...@teqa.filetek.com";
>>> >> AUTHORIZED:TEQA-DC
>>> >> TOKEN:TEQA-DC:S-1-5-32-545
>>> >> TOKEN:TEQA-DC:S-1-5-32-544
>>> >> TOKEN:TEQA-DC:S-1-5-32-555
>>> >> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1124
>>> >> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-512
>>> >> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-513
>>> >> TOKEN:TEQA-DC:S-1-5-21-1212545812-2858578934-3563067286-1480
>>> >> TOKEN:TEQA-DC:S-1-1-0
>>> >>
>>> >> Since we are only interested in the member groups, tokenGroups is
>>> >> sufficient, but if you also need user SID then you might keep the
>>> >> objectSID
>>> >> as well.
>>> >>
>>> >> Thanks
>>> >>
>>> >> Kadri
>>> >>
>>> >>
>>> >> On Thu, May 5, 2011 at 6:01 PM, Karl Wright <daddy...@gmail.com> wrote:
>>> >>>
>>> >>> I am curious about the following change, which does not seem correct:
>>> >>>
>>> >>>
>>> >>>     //Specify the attributes to return
>>> >>> -    String returnedAtts[] = {"tokenGroups","objectSid"};
>>> >>> +    String returnedAtts[]={"tokenGroups"};
>>> >>>     searchCtls.setReturningAttributes(returnedAtts);
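
Review bot: on the `+` line, "objectSid" is dropped from returnedAtts, so the search asks the directory for tokenGroups only, and any later code that reads objectSid from the result will get nothing back. If the user's own SID is meant to be emitted as a token alongside the group SIDs, keep `{"tokenGroups","objectSid"}`; if dropping it is intentional, extend the "Specify the attributes to return" comment to say which attributes are requested and why. The new declaration also loses the spacing around `=` that the removed line had.
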
>>> >>>
>>> >>> Karl
>>> >>>
>>> >>>
>>> >>> On Thu, May 5, 2011 at 5:36 PM, Kadri Atalay <atalay.ka...@gmail.com>
>>> >>> wrote:
>>> >>> > Karl,
>>> >>> >
>>> >>> > The ActiveDirectoryAuthority.java is attached.
>>> >>> >
>>> >>> > I'm not sure about clicking "Grant ASF License", or how to do that
>>> >>> > from
>>> >>> > Tortoise.
>>> >>> > But, you got my consent for granting the ASF license.
>>> >>> >
>>> >>> > Thanks
>>> >>> >
>>> >>> > Kadri
>>> >>> >
>>> >>> >
>>> >>> > On Thu, May 5, 2011 at 5:28 PM, Karl Wright <daddy...@gmail.com>
>>> >>> > wrote:
>>> >>> >>
>>> >>> >> You may attach the whole ActiveDirectoryAuthority.java file to the
>>> >>> >> ticket if you prefer.  But you must click the "Grant ASF License"
>>> >>> >> button.
>>> >>> >>
>>> >>> >> Karl
>>> >>> >>
>>> >>> >> On Thu, May 5, 2011 at 5:24 PM, Kadri Atalay
>>> >>> >> <atalay.ka...@gmail.com>
>>> >>> >> wrote:
>>> >>> >> > Karl,
>>> >>> >> >
>>> >>> >> > I'm using the Tortoise SVN, and new to SVN..
>>> >>> >> > Do you know how to do this with Tortoise ?
>>> >>> >> > Otherwise, I can just send the source code directly to you.
>>> >>> >> > BTW, there are some changes in the ParseUser method also, you can
>>> >>> >> > see
>>> >>> >> > all
>>> >>> >> > when you run the diff.
>>> >>> >> >
>>> >>> >> > Thanks
>>> >>> >> >
>>> >>> >> > Kadri
>>> >>> >> >
>>> >>> >
>>> >>> >
>>> >>
>>> >>
>>> >
>>
>>
>

Attachment: ActiveDirectoryAuthority.java
Description: Binary data
