I got a script working. I suspect there are faster/better ways to do this, but 
for anyone who may need it in the future, this will resolve any orphaned 
permissions. For a very large data set, you would probably need to batch this:

xquery version "1.0-ml";

(: Collect the permissions of up to 30000 documents, keyed by URI. :)
let $uris := cts:uris((), 'limit=30000')
let $permissions-map := map:new((
  $uris ! map:entry(., xdmp:document-get-permissions(.))
  ))
(: Resolve each role id in the security database. A permission whose
   role no longer exists raises SEC-ROLEDNE and is kept as orphaned. :)
let $orphaned-map :=
  xdmp:eval('
  xquery version "1.0-ml";
  import module namespace sec="http://marklogic.com/xdmp/security" at
    "/MarkLogic/security.xqy";
   declare variable $PERMISSIONS external;
   map:new(
     for $uri in map:keys($PERMISSIONS)
     let $orphaned := 
       for $p in map:get($PERMISSIONS, $uri)
       return try { 
         let $name := sec:get-role-names($p/sec:role-id) 
         return ()
       }
       catch ($e) { 
         if ($e/error:code = "SEC-ROLEDNE")
         then $p
         else xdmp:rethrow()
       }
     where (exists($orphaned))
     return map:entry($uri, $orphaned)
  )
  ', 
  (xs:QName('PERMISSIONS'), $permissions-map),
  <options xmlns="xdmp:eval">
    <database>{xdmp:security-database()}</database>
  </options>)
(: Remove only the orphaned permissions from each affected document. :)
for $o in map:keys($orphaned-map)
let $permissions := map:get($orphaned-map, $o)
return xdmp:document-remove-permissions($o, $permissions) 

-W
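
The batching mentioned above, as an added example (not part of the original post and not MarkLogic's own code): one page of the URI lexicon per request, each distinct role id resolved once, and a report-only mode before anything is removed. `$START`, `$BATCH` and `$DRY-RUN` are hypothetical names; the example assumes `xdmp:invoke-function` (MarkLogic 7 or later) and the URI lexicon the script above already relies on.

```xquery
xquery version "1.0-ml";
(: Added example, not the original script. $START, $BATCH and $DRY-RUN
   are hypothetical settings: edit them and rerun once per batch. :)
import module namespace sec = "http://marklogic.com/xdmp/security"
  at "/MarkLogic/security.xqy";

declare variable $START as xs:string := "";      (: "" = first URI :)
declare variable $BATCH as xs:integer := 5000;
declare variable $DRY-RUN as xs:boolean := fn:true();

(: One page of the URI lexicon; $START is inclusive. :)
let $uris := cts:uris($START, fn:concat("limit=", $BATCH))
let $perms := map:new($uris ! map:entry(., xdmp:document-get-permissions(.)))
(: Distinct role ids in this batch, so each is resolved only once. :)
let $role-ids := fn:distinct-values(
  for $u in $uris return map:get($perms, $u)/sec:role-id/fn:string(.))
(: Ids that no longer resolve in the security database. :)
let $dead := xdmp:invoke-function(function() {
    for $id in $role-ids
    return try {
      if (fn:empty(sec:get-role-names(xs:unsignedLong($id)))) then $id else ()
    } catch ($e) {
      if ($e/error:code = "SEC-ROLEDNE") then $id else xdmp:rethrow()
    }
  },
  <options xmlns="xdmp:eval">
    <database>{xdmp:security-database()}</database>
  </options>)
(: Report every affected document; remove only when $DRY-RUN is false. :)
let $report :=
  for $u in $uris
  let $orphaned := map:get($perms, $u)[fn:string(sec:role-id) = $dead]
  where fn:exists($orphaned)
  return (
    if ($DRY-RUN) then () else xdmp:document-remove-permissions($u, $orphaned),
    fn:concat($u, " -> ", fn:string-join(
      fn:distinct-values($orphaned/sec:role-id/fn:string(.)), ","))
  )
return (
  $report,
  (: A full page means more URIs may follow; resume from the last one. :)
  if (fn:count($uris) eq $BATCH)
  then fn:concat("next $START: ", $uris[fn:last()])
  else "done"
)
```

Because `$START` is inclusive, the last URI of one batch is examined again at the start of the next; after a removal run that second pass finds nothing left to remove.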

> On Dec 8, 2016, at 6:10 PM, Will Thompson <[email protected]> wrote:
> 
> Hi Chris,
> 
> That's entirely plausible and even likely. Do you know of an easy way to 
> remove orphaned permissions? If there's not a shortcut, I could probably 
> build a script to do it, but it seems like it might be messy: walk through 
> every document in the db, try to lookup each doc's permissions, catch failed 
> ones and delete them?
> 
> -Will
> 
>> On Dec 8, 2016, at 6:01 PM, Christopher Hamlin <[email protected]> wrote:
>> 
>> Hi,
>> 
>> This is more of a guess than a suggestion.  Let's call it a suggestive guess.
>> 
>> It looks like export-to-archive copies permissions.  I'm not sure what would 
>> happen if you had a permission (which has a role-id) and the role with that 
>> id got removed.  Maybe the above?
>> 
>> - Chris
>> 
>> On Thu, Dec 8, 2016 at 6:39 PM, Will Thompson <[email protected]> wrote:
>> I am trying to export data from a Windows machine into an archive to be 
>> imported into a Mac, but MLCP crashes. The error MLCP returns is nearly 250 
>> lines, but this part seemed possibly relevant:
>> 
>> "...Caused by: com.marklogic.xcc.exceptions.XQueryException: SEC-ROLEDNE: 
>> (err:FOER0000) Role does not exist: sec:role-id = 6626745612256060316
>> [Session: user=wthompson, cb=#17033682864837852147 [ContentSource: 
>> user=wthompson, cb={none} [provider: address=localhost/127.0.0.1:10003, 
>> pool=4/64]]] [Client: XCC/8.0-1, Server: XDBC/8.0-6]
>> in /MarkLogic/security.xqy, on line 960..."
>> 
>> The MLCP command is:
>> 
>> mlcp.bat export
>>  -host localhost -port 10003 -username wthompson -password *****
>>  -output_type archive -output_file_path /some/output/path -directory_filter 
>> /some/dir/
>> 
>> This is on ML 8.0-6 with the latest MLCP binaries. Any suggestions?
>> 
>> -Will
>> _______________________________________________
>> General mailing list
>> [email protected]
>> Manage your subscription at:
>> http://developer.marklogic.com/mailman/listinfo/general
>> 
> 
