Hi Will, You already know at least one of the orphaned role ids, it is in the error message. If you suspect it is just one or two, you could use taskbot to crawl all docs, similar to below, and if doc-get-permissions turns up one of the orphaned id¹s, use xdmp:document-remove-permission to fix it..
Cheers On 12/9/16, 3:15 AM, "[email protected] on behalf of Will Thompson" <[email protected] on behalf of [email protected]> wrote: >I got a script working. I suspect there are faster/better ways to do >this, but for anyone who may need it in the future, this will resolve any >orphaned permissions. For a very large data set, you would probably need >to batch this: > >xquery version "1.0-ml"; > >let $uris := cts:uris((), 'limit=30000') >let $permissions-map := map:new(( > $uris ! map:entry(., xdmp:document-get-permissions(.)) > )) >let $orphaned-map := > xdmp:eval(' > xquery version "1.0-ml"; > import module namespace sec="http://marklogic.com/xdmp/security"; at > "/MarkLogic/security.xqy"; > declare variable $PERMISSIONS external; > map:new( > for $uri in map:keys($PERMISSIONS) > let $orphaned := > for $p in map:get($PERMISSIONS, $uri) > return try { > let $name := sec:get-role-names($p/sec:role-id) > return () > } > catch ($e) { > if ($e/error:code = "SEC-ROLEDNE") > then $p > else xdmp:rethrow() > } > where (exists($orphaned)) > return map:entry($uri, $orphaned) > ) > ', > (xs:QName('PERMISSIONS'), $permissions-map), > <options xmlns="xdmp:eval"> > <database>{xdmp:security-database()}</database> > </options>) >for $o in map:keys($orphaned-map) >let $permissions := map:get($orphaned-map, $o) >return xdmp:document-remove-permissions($o, $permissions) > >-W > >> On Dec 8, 2016, at 6:10 PM, Will Thompson <[email protected]> >>wrote: >> >> Hi Chris, >> >> That's entirely plausible and even likely. Do you know of an easy way >>to remove orphaned permissions? If there's not a shortcut, I could >>probably build a script to do it, but it seems like it might be messy: >>walk through every document in the db, try to lookup each doc's >>permissions, catch failed ones and delete them? >> >> -Will >> >>> On Dec 8, 2016, at 6:01 PM, Christopher Hamlin <[email protected]> >>>wrote: >>> >>> Hi, >>> >>> This is more of a guess than a suggestion. Let's call it a suggestive >>>guess. >>> >>> It looks like export-to-archive copies permissions. I'm not sure what >>>would happen if you had a permission (which has a role-id) and the role >>>with that id got removed. Maybe the above? >>> >>> - Chris >>> >>> On Thu, Dec 8, 2016 at 6:39 PM, Will Thompson <[email protected]> >>>wrote: >>> I am trying to export data from a Windows machine into an archive to >>>be imported into a Mac, but MLCP crashes. The error MLCP returns is >>>nearly 250 lines, but this part seemed possibly relevant: >>> >>> "...Caused by: com.marklogic.xcc.exceptions.XQueryException: >>>SEC-ROLEDNE: (err:FOER0000) Role does not exist: sec:role-id = >>>6626745612256060316 >>> [Session: user=wthompson, cb=#17033682864837852147 [ContentSource: >>>user=wthompson, cb={none} [provider: address=localhost/127.0.0.1:10003, >>>pool=4/64]]] [Client: XCC/8.0-1, Server: XDBC/8.0-6] >>> in /MarkLogic/security.xqy, on line 960..." >>> >>> The MLCP command is: >>> >>> mlcp.bat export >>> -host localhost -port 10003 -username wthompson -password ***** >>> -output_type archive -output_file_path /some/output/path >>>-directory_filter /some/dir/ >>> >>> This is on ML 8.0-6 with the latest MLCP binaries. Any suggestions? >>> >>> -Will >>> _______________________________________________ >>> General mailing list >>> [email protected] >>> Manage your subscription at: >>> http://developer.marklogic.com/mailman/listinfo/general >>> >>> _______________________________________________ >>> General mailing list >>> [email protected] >>> Manage your subscription at: >>> http://developer.marklogic.com/mailman/listinfo/general >> >> _______________________________________________ >> General mailing list >> [email protected] >> Manage your subscription at: >> http://developer.marklogic.com/mailman/listinfo/general > >_______________________________________________ >General mailing list >[email protected] >Manage your subscription at: >http://developer.marklogic.com/mailman/listinfo/general _______________________________________________ General mailing list [email protected] Manage your subscription at: http://developer.marklogic.com/mailman/listinfo/general
