Hi Lalit, What we need to do, whatever way we can, is to get the contents of the allow_token_document and deny_token_document fields for a single document. You already provided the curl output from the authority service, but the question is why the query being generated does not match the document field. Like I said before, I suspect that something in solr has recently changed and the token values are being corrupted.
Thanks, Karl Sent from my Windows Phone -----Original Message----- From: lalit jangra Sent: 6/15/2014 2:38 PM To: Karl Wright Cc: [email protected] Subject: Re: How to query for content with ACLs? Hi Karl, Yes, after i changed authority group name i re-ran the job after deleting solr indexes under data folder to make it 100% sure. I could see the authority group been updated in new job which did not have any spaces or special characters. Also i froze configuration after your confirmation and using same throughout. Infact, i replicated everything in MCF 1.6.1 but getting same results there as well. Regards. On Sun, Jun 15, 2014 at 7:28 PM, Karl Wright <[email protected]> wrote: Hi Lalit, The deny token part of the query is not the problem, because it will not match anything. After you changed the group name, did you rerun the SharePoint job? If not the acls will not be updated. It is essential that the tokens returned by curl match the tokens in the index exactly. I suspect that is where the problem is. Don't change anything about your configuration because that seems to be fine now. Thanks Karl Sent from my Windows Phone From: lalit jangra Sent: 6/15/2014 1:52 PM To: [email protected] Subject: Re: How to query for content with ACLs? Thanks Karl, I renamed authority group to avoid any spaces or special characters but still i am bugged by deny_tokens. For repository connection, i am using "Sharepoint" as authority type and for authority connection, i am using "Sharepoint/ActiveDirectory" as connection type which seems to be fine here. My user mapping connection converts from water.com\ljangra to [email protected] as per need. Also one unusual thing i noticed now is that every time i am trying to create new user mapping connection or edit existing one, it waits for very long time and sometimes i need to redo it couple of time. Could it be any relation here? Solr.log after rendexing with deny token as DEAD_AUTHORITY. INFO - 2014-06-15 18:36:21.624; org.apache.solr.update.processor.LogUpdateProcessor; [collection1] webapp=/solr path=/update/extract params={literal.content_name=pptexamples.ppt&literal.deny_token_document=SPKWGroup:DEAD_AUTHORITY&literal.DocIcon=ppt&literal.content%3Aname=/pptexamples.ppt&resource.name=pptexamples.ppt&literal.allow_token_document=SPKWGroup:GApprovers&literal.allow_token_document=SPKWGroup:GDesigners&literal.allow_token_document=SPKWGroup:GHierarchy%2BManagers&literal.allow_token_document=SPKWGroup:GRestricted%2BReaders&literal.allow_token_document=SPKWGroup:GTest%2BIrish%2BWater%2BAdministrators&literal.allow_token_document=SPKWGroup:GTest%2BIrish%2BWater%2BPortal%2BMembers&literal.allow_token_document=SPKWGroup:GTest%2BIrish%2BWater%2BPortal%2BOwners&literal.allow_token_document=SPKWGroup:GTest%2BIrish%2BWater%2BPortal%2BVisitors&literal.allow_token_document=SPKWGroup:GViewers&literal.allow_token_document=SPKWGroup:Uc%253A0%2528.s%257Ctrue&literal.FolderChildCount=0&version=2.2&literal.ItemChildCount=0&literal._dlc_DocId=N7JQZDZPVPT7-50-1&literal.content%3Alink=http://testirishwaterportal/irish-water/DocumentLibrary/pptexamples.ppt&literal.content%3Aparent=testirishwaterportal/irish-water/DocumentLibrary&literal.content_size=1371648&literal.Edit=0&literal.id=http://testirishwaterportal/irish-water/DocumentLibrary/pptexamples.ppt&literal.content%3AparentLink=http://testirishwaterportal/irish-water/DocumentLibrary&literal.LinkFilenameNoMenu=pptexamples.ppt&literal._dlc_DocIdUrl=http://testirishwaterportal/irish-water/_layouts/DocIdRedir.aspx?ID%3DN7JQZDZPVPT7-50-1,+N7JQZDZPVPT7-50-1&literal.Created=2014-06-04T16:55:09&literal._UIVersionString=1.0&literal.content%3Amimetype=application/vnd.ms-powerpoint&wt=xml&literal.Title=PPT+examples&literal.content%3Asource=Sharepoint&literal.Modified=2014-06-04T16:55:09&literal.Author=Lalit+Jangra&literal.LinkFilename=pptexamples.ppt&literal.lcf_metadata_id=1&literal.Editor=Lalit+Jangra&literal.ContentType=Document} {add=[http://testirishwaterportal/irish-water/DocumentLibrary/pptexamples.ppt (1470998806838378496)]} 0 1625 While querying for content using '/select' request handler INFO - 2014-06-15 18:38:03.957; org.apache.solr.mcf.ManifoldCFQParserPlugin$ManifoldCFQueryParser; Trying to match docs for user '[:[email protected]]' INFO - 2014-06-15 18:38:04.363; org.apache.solr.mcf.ManifoldCFQParserPlugin$ManifoldCFQueryParser; Saw authority response AUTHORIZED:SPKWConnection INFO - 2014-06-15 18:38:04.363; org.apache.solr.core.SolrCore; [collection1] webapp=/solr path=/select params={debugQuery=true&indent=true&q=*:*&_=1402853883932&wt=json&[email protected]} hits=0 status=0 QTime=406 My authority tokens in MCF AUTHORIZED:SPKWConnectionTOKEN:SPKWGroup:Ui%3A0%23.w%7Ciwater.ie%255cljangraTOKEN:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-32-545TOKEN:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-15263TOKEN:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-513TOKEN:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-13472TOKEN:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-3182TOKEN:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-1619TOKEN:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-1813TOKEN:SPKWGroup:Ui%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-12149TOKEN:SPKWGroup:Uc%3A0%21.s%7Cwindows No mention of any deny_token but still while querying, i am getting same results with one allow token & one deny token which supersedes allow token giving me no results. "parsed_filter_queries": [ "ConstantScore(+((+allow_token_share:__nosecurity__ +deny_token_share:__nosecurity__) allow_token_share:SPKWGroup:Ui%3A0%23.w%7Ciwater.ie%255cljangra -deny_token_share:SPKWGroup:Ui%3A0%23.w%7Ciwater.ie%255cljangra allow_token_share:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-32-545 -deny_token_share:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-32-545 allow_token_share:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-15263 -deny_token_share:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-15263 allow_token_share:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-513 -deny_token_share:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-513 allow_token_share:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-13472 -deny_token_share:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-13472 allow_token_share:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-3182 -deny_token_share:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-3182 allow_token_share:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-1619 -deny_token_share:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-1619 allow_token_share:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-1813 -deny_token_share:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-1813 allow_token_share:SPKWGroup:Ui%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-12149 -deny_token_share:SPKWGroup:Ui%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-12149 allow_token_share:SPKWGroup:Uc%3A0%21.s%7Cwindows -deny_token_share:SPKWGroup:Uc%3A0%21.s%7Cwindows) +((+allow_token_document:__nosecurity__ +deny_token_document:__nosecurity__) allow_token_document:SPKWGroup:Ui%3A0%23.w%7Ciwater.ie%255cljangra -deny_token_document:SPKWGroup:Ui%3A0%23.w%7Ciwater.ie%255cljangra allow_token_document:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-32-545 -deny_token_document:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-32-545 allow_token_document:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-15263 -deny_token_document:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-15263 allow_token_document:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-513 -deny_token_document:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-513 allow_token_document:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-13472 -deny_token_document:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-13472 allow_token_document:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-3182 -deny_token_document:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-3182 allow_token_document:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-1619 -deny_token_document:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-1619 allow_token_document:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-1813 -deny_token_document:SPKWGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-1813 allow_token_document:SPKWGroup:Ui%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-12149 -deny_token_document:SPKWGroup:Ui%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-12149 allow_token_document:SPKWGroup:Uc%3A0%21.s%7Cwindows -deny_token_document:SPKWGroup:Uc%3A0%21.s%7Cwindows))" Sincere Regards. On Sun, Jun 15, 2014 at 1:04 PM, Karl Wright <[email protected]> wrote: If I'm right, the interim solution would be to just rename your authority group to something that does not have characters that need escaping in them. If that works, then we know what the issue is, and I'll open a ticket and try to find a solution. Thanks, Karl On Sun, Jun 15, 2014 at 8:01 AM, Karl Wright <[email protected]> wrote: Hi Lalit, I'm sorry, I was confused. The document ingest you included had only ONE deny_token_document value: literal.deny_token_document=SP%2BKW:DEAD_AUTHORITY . So even though you see a deny_token_document clause in the Solr query expression, it will not match *unless* your user has a DEAD_AUTHORITY token. So that is not the problem. But what I do see is the following: SP+KW:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-15263 Note the prefix; the prefix when indexing is SP%2BKW, while the prefix when searching is SP+KW. I had discounted that because the [INFO] log from Solr is logging a URL and it is therefore URL encoded -- but it is possible now that since Solr no longer has Jetty involved, it may not be unencoding SP%2BKW back to SP+KW properly. What do you see for the ACL field values in Luke? Are they SP+KW? Karl On Sun, Jun 15, 2014 at 7:48 AM, Karl Wright <[email protected]> wrote: Hi Lalit, Ok, I think that everything on your end is now set up correctly. You should be able to see Windows documents on your search, if I am correct. Do you see any? As for SharePoint, when a user has a deny token in ManifoldCF it takes precedence over any allow tokens. But SharePoint does not current generate *any* deny tokens; it doesn't have those in the model. So I'm wondering where those are coming from, and if there's a bug of some kind. Let me do some research and get back to you. Karl On Sun, Jun 15, 2014 at 5:56 AM, lalit jangra <[email protected]> wrote: Hi Karl, My sincere apologies for going out a context here as i was confused & my limited knowledge of sharepoint and ACLs. After spending two more days and setting up everything from scratch couple of times, i am back into square one. The only thing which i could observe is that while indexing content into solr , i could see all ACL are getting indexed correctly. params={literal.content_name=/Alfresco-in-an-Hour.pdf&literal.deny_token_document=SP%2BKW:DEAD_AUTHORITY&literal.DocIcon=pdf&resource.name=Alfresco-in-an-Hour.pdf&literal.allow_token_document=SP%2BKW:GTest%2BIrish%2BWater%2BPortal%2BVisitors&literal.allow_token_document=SP%2BKW:GTest%2BIrish%2BWater%2BPortal%2BOwners&literal.allow_token_document=SP%2BKW:GRestricted%2BReaders&literal.allow_token_document=SP%2BKW:GTest%2BIrish%2BWater%2BAdministrators&literal.allow_token_document=SP%2BKW:GTest%2BIrish%2BWater%2BPortal%2BMembers&literal.allow_token_document=SP%2BKW:Uc%253A0%2528.s%257Ctrue&literal.allow_token_document=SP%2BKW:GHierarchy%2BManagers&literal.allow_token_document=SP%2BKW:GApprovers&literal.allow_token_document=SP%2BKW:GViewers&literal.allow_token_document=SP%2BKW:GDesigners&literal.content%3AmodifiedDate=2014-06-04T15:52:29.000Z&literal.FolderChildCount=0&version=2.2&literal.ItemChildCount=0&literal._dlc_DocId=N7JQZDZPVPT7-49-1&literal.content%3Alink=http://testirishwaterportal/irish-water/Shared%2520Documents/Alfresco-in-an-Hour.pdf&literal.ParentVersionString=&literal.content_source
