Thanks Karl for promptness, Invoking http://<your_mcf_instance/mcf-authority-service/UserACLs?username= [email protected] gives me below ACLs which seem to be fine to me.

AUTHORIZED:SharePointAuthConnection
TOKEN:SharepointAuthGroup:Ui%3A0%23.w%7Ciwater.ie%255cljangra
TOKEN:SharepointAuthGroup:Uc%3A0%2B.w%7Cs-1-5-32-545
TOKEN:SharepointAuthGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-15263
TOKEN:SharepointAuthGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-513
TOKEN:SharepointAuthGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-13472
TOKEN:SharepointAuthGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-3182
TOKEN:SharepointAuthGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-1619
TOKEN:SharepointAuthGroup:Uc%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-1813
TOKEN:SharepointAuthGroup:Ui%3A0%2B.w%7Cs-1-5-21-2630432783-15384281-2988178474-12149
TOKEN:SharepointAuthGroup:Uc%3A0%21.s%7Cwindows
TOKEN:SharepointAuthGroup:Uc%3A0%28.s%7Ctrue

I got it now, the missing part is absence of user tokens in solr query as you mentioned.

Please suggest.

Regards.

On Tue, Aug 12, 2014 at 12:32 PM, Karl Wright <[email protected]> wrote:

> Hi Lalit,
>
> The MCF plugin does this:
> - Looks for the AuthenticatedUserName parameter
> - Sends the AuthenticatedUserName parameter to ManifoldCF's authority
>   service, and gets back user tokens
> - Constructs a filter query (fq) expression from the user tokens
>
> It's very hard for me to guess which acls come from your SharePoint
> instance and which come from your Alfresco instance. But this is almost
> certainly wrong:
>
> fq=content_source:SharePoint&version=2&AuthenticatedUserName=
> [email protected]
> ... because there are no access tokens whatsoever.
>
> This too has no ACLs:
> fq=content_source:sharepoint+and+authenticatedusername%[email protected]
>
> This has access tokens, but they seem to all be from Alfresco:
>
> fq=(content_source:Alfresco+AND+alf_acls%253A%2528GROUP_CTXRDP%2BOR%2BGROUP_ECM-Developer-Admins%2BOR%2BGROUP_EVERYONE%2BOR%2BGROUP_ExtendedReaders3e7350e3-ab94-4ecc-87fa-d59ad3deda23%2BOR%2BGROUP_GLS-IW-ADM-ECM-Manifold-Testing%2BOR%2BGROUP_Irish+Water+All+Hands%2BOR%2BGROUP_Jump-Server-Admins%2BOR%2BGROUP_iwaterdesktop%2BOR%2BGROUP_site_LegalServices%2BOR%2BGROUP_site_LegalServices_SiteConsumer%2529)+OR+content_source:SharePoint&AuthenticatedUserName=
> [email protected]
>
> So frankly I see no evidence that you are including any SharePoint access
> tokens in your query at all. Could you do the following:
>
> curl "http://<your_mcf_instance/mcf-authority-service/UserACLs?username=
> [email protected]"
>
> ... and send me what you get back? If that looks good, I suggest that you
> are probably overwriting the mcf plugin's fq entirely, and not including it
> in your expression.
>
> Thanks,
> Karl
>
> On Tue, Aug 12, 2014 at 2:38 AM, lalit jangra <[email protected]> wrote:
>
>> Thanks Karl,
>>
>> I am working with filter queries here and initially i tried to put filter
>> queries as below but it did not work and i got only alfresco content.
>>
>> (alfresco_expression AND is_alfresco) OR (sharepoint_expression AND
>> is_sharepoint)
>>
>> Here is query from solr logs for same.
>>
>> 588159410 [http-bio-8080-exec-330] INFO
>> org.apache.solr.mcf.ManifoldCFQParserPlugin ? Default no-user response
>> (open documents only)
>>
>> 588547075 [http-bio-8080-exec-260] INFO org.apache.solr.core.SolrCore ?
>> [collection1] webapp=/solr path=/select
>> params={q=*:*&fq=(content_source:Alfresco+AND+alf_acls%253A%2528GROUP_CTXRDP%2BOR%2BGROUP_ECM-Developer-Admins%2BOR%2BGROUP_EVERYONE%2BOR%2BGROUP_ExtendedReaders3e7350e3-ab94-4ecc-87fa-d59ad3deda23%2BOR%2BGROUP_GLS-IW-ADM-ECM-Manifold-Testing%2BOR%2BGROUP_Irish+Water+All+Hands%2BOR%2BGROUP_Jump-Server-Admins%2BOR%2BGROUP_iwaterdesktop%2BOR%2BGROUP_site_LegalServices%2BOR%2BGROUP_site_LegalServices_SiteConsumer%2529)+OR+(
>> content_source:sharepoint+and+authenticatedusername%[email protected])}
>> hits=4404 status=0 QTime=96
>>
>> Here i get only 4404 results which i get if i select only alfresco as
>> source without selecting sharepoint.
>>
>> 588159410 [http-bio-8080-exec-330] INFO
>> org.apache.solr.mcf.ManifoldCFQParserPlugin ? Default no-user response
>> (open documents only)
>>
>> 588159479 [http-bio-8080-exec-330] INFO org.apache.solr.core.SolrCore ?
>> [collection1] webapp=/solr path=/select
>> params={q=*:*&fq=(content_source:Alfresco+AND+alf_acls%253A%2528GROUP_CTXRDP%2BOR%2BGROUP_ECM-Developer-Admins%2BOR%2BGROUP_EVERYONE%2BOR%2BGROUP_ExtendedReaders3e7350e3-ab94-4ecc-87fa-d59ad3deda23%2BOR%2BGROUP_GLS-IW-ADM-ECM-Manifold-Testing%2BOR%2BGROUP_Irish+Water+All+Hands%2BOR%2BGROUP_Jump-Server-Admins%2BOR%2BGROUP_iwaterdesktop%2BOR%2BGROUP_site_LegalServices%2BOR%2BGROUP_site_LegalServices_SiteConsumer%2529)+OR+(
>> content_source:sharepoint+and+uthenticatedusername%[email protected])}
>> hits=4404 status=0 QTime=70
>>
>> Then i moved to below structure where i need to pass
>> sharepoint_expression as raw query parameters for filter queries.
>>
>> (alfresco_expression) OR (is_sharepoint) & sharepoint_expression
>>
>> This way i got results from both alfresco and sharepoint. Here i get 5425
>> results including alfresco as well as sharepoint.
>>
>> 588799237 [http-bio-8080-exec-331] INFO
>> org.apache.solr.mcf.ManifoldCFQParserPlugin ?
>> Trying to match docs for user '[:[email protected]]'
>>
>> 588799238 [http-bio-8080-exec-331] INFO
>> org.apache.http.impl.client.DefaultHttpClient ? I/O exception
>> (org.apache.http.NoHttpResponseException) caught when processing request:
>> The target server failed to respond
>>
>> 588799239 [http-bio-8080-exec-331] INFO
>> org.apache.http.impl.client.DefaultHttpClient ? Retrying request
>>
>> 588799330 [http-bio-8080-exec-331] INFO
>> org.apache.solr.mcf.ManifoldCFQParserPlugin ? Saw authority response
>> AUTHORIZED:SharePointAuthConnection
>>
>> 588799338 [http-bio-8080-exec-331] INFO org.apache.solr.core.SolrCore ?
>> [collection1] webapp=/solr path=/select
>> params={q=*:*&fq=(content_source:Alfresco+AND+alf_acls%253A%2528GROUP_CTXRDP%2BOR%2BGROUP_ECM-Developer-Admins%2BOR%2BGROUP_EVERYONE%2BOR%2BGROUP_ExtendedReaders3e7350e3-ab94-4ecc-87fa-d59ad3deda23%2BOR%2BGROUP_GLS-IW-ADM-ECM-Manifold-Testing%2BOR%2BGROUP_Irish+Water+All+Hands%2BOR%2BGROUP_Jump-Server-Admins%2BOR%2BGROUP_iwaterdesktop%2BOR%2BGROUP_site_LegalServices%2BOR%2BGROUP_site_LegalServices_SiteConsumer%2529)+OR+content_source:SharePoint&AuthenticatedUserName=
>> [email protected]} hits=5245 status=0 QTime=103
>>
>> Also for sharepoint only queries, if i try filter queries as below, i got
>> no results.
>>
>> (sharepoint_expression AND is_sharepoint)
>>
>> 587320867 [http-bio-8080-exec-325] INFO
>> org.apache.solr.mcf.ManifoldCFQParserPlugin ? Trying to match docs for
>> user '[:[email protected]]'
>>
>> 587320868 [http-bio-8080-exec-325] INFO
>> org.apache.http.impl.client.DefaultHttpClient ? I/O exception
>> (org.apache.http.NoHttpResponseException) caught when processing request:
>> The target server failed to respond
>>
>> 587320869 [http-bio-8080-exec-325] INFO
>> org.apache.http.impl.client.DefaultHttpClient ? Retrying request
>>
>> 587324291 [http-bio-8080-exec-325] INFO
>> org.apache.solr.mcf.ManifoldCFQParserPlugin ?
>> Saw authority response AUTHORIZED:SharePointAuthConnection
>>
>> 587324292 [http-bio-8080-exec-325] INFO org.apache.solr.core.SolrCore ?
>> [collection1] webapp=/solr path=/select
>> params={indent=true&q=*:*&_=1407823092895&wt=json&fq=
>> content_source:sharepoint+and+authenticatedusername%[email protected]
>> &[email protected]} hits=0 status=0 QTime=3426
>>
>> 587338061 [http-bio-8080-exec-325] INFO
>> org.apache.solr.mcf.ManifoldCFQParserPlugin ? Default no-user response
>> (open documents only)
>>
>> 587338061 [http-bio-8080-exec-325] INFO org.apache.solr.core.SolrCore ?
>> [collection1] webapp=/solr path=/select
>> params={indent=true&q=*:*&_=1407823109996&wt=json&fq=
>> content_source:sharepoint+and+authenticatedusername%[email protected]}
>> hits=0 status=0 QTime=1
>>
>> But if i use sharepoint_expression as below, get results for sharepoint
>> only.
>>
>> fq=content_source:SharePoint&version=2&AuthenticatedUserName=
>> [email protected]
>>
>> 589523637 [http-bio-8080-exec-260] INFO
>> org.apache.solr.mcf.ManifoldCFQParserPlugin ? Trying to match docs for
>> user '[:[email protected]]'
>>
>> 589523639 [http-bio-8080-exec-260] INFO
>> org.apache.http.impl.client.DefaultHttpClient ? I/O exception
>> (org.apache.http.NoHttpResponseException) caught when processing request:
>> The target server failed to respond
>>
>> 589523639 [http-bio-8080-exec-260] INFO
>> org.apache.http.impl.client.DefaultHttpClient ? Retrying request
>>
>> 589523698 [http-bio-8080-exec-260] INFO
>> org.apache.solr.mcf.ManifoldCFQParserPlugin ? Saw authority response
>> AUTHORIZED:SharePointAuthConnection
>>
>> 589523699 [http-bio-8080-exec-260] INFO org.apache.solr.core.SolrCore ?
>> [collection1] webapp=/solr path=/select
>> params={sort=score+desc&df=text&q="lalit"&q.op=OR&wt=javabin&qt=/select&fq=content_source:SharePoint&version=2&AuthenticatedUserName=
>> [email protected]} hits=35 status=0 QTime=62
>>
>> What i assume is whatever is passed with AuthenticatedUserName variable,
>> it is compared with stored ACLs in index and accordingly results are
>> displayed.
>>
>> Please suggest.
>>
>> regards.
>>
>> On Mon, Aug 11, 2014 at 10:59 PM, Karl Wright <[email protected]> wrote:
>>
>>> Hi Lalit,
>>>
>>> First, if both Alfresco and SharePoint documents are indexed with the
>>> same MCF instance, then you do not need to play games like this. You
>>> only need the one query that the MCF solr plugin generates.
>>>
>>> If that's not the case, then what you want are two separate clauses
>>> where one matches Alfresco documents and one clause that matches SharePoint
>>> documents. The expression therefore would look like this:
>>>
>>> (alfresco_expression AND is_alfresco) OR (sharepoint_expression AND
>>> is_sharepoint)
>>>
>>> It cannot look like this and work:
>>>
>>> (alfresco_expression OR sharepoint_expression) OR is_sharepoint
>>>
>>> That is nonsensical.
>>> Karl
>>>
>>> On Mon, Aug 11, 2014 at 1:22 PM, lalit jangra <[email protected]> wrote:
>>>
>>>> Thanks Karl,
>>>>
>>>> In this query i am searching for results in both alfresco and
>>>> SharePoint. So before OR i am checking for alfresco ACLs and post OR i am
>>>> checking for SharePoint ACLs by supplying authenticatedusername. Hence OR
>>>> facilitates here for both options.
>>>> On Aug 11, 2014 10:44 PM, "Karl Wright" <[email protected]> wrote:
>>>>
>>>>> Hi Lalit,
>>>>>
>>>>> Have a look at this query:
>>>>>
>>>>> 522471481 [http-bio-8080-exec-238] INFO
>>>>> org.apache.solr.core.SolrCore ?
>>>>> [collection1] webapp=/solr path=/select
>>>>> params={sort=score+desc&df=text&q="blue"&q.op=OR&wt=javabin&qt=/select&fq=(content_source:Alfresco+AND+alf_acls%253A%2528GROUP_CTXRDP%2BOR%2BGROUP_ECM-Developer-Admins%2BOR%2BGROUP_EMAIL_CONTRIBUTORS%2BOR%2BGROUP_EVERYONE%2BOR%2BGROUP_ExtendedReaders3e7350e3-ab94-4ecc-87fa-d59ad3deda23%2BOR%2BGROUP_ExtendedWriters3e7350e3-ab94-4ecc-87fa-d59ad3deda23%2BOR%2BGROUP_GLS-IW-CTX-IWDesktop%2BOR%2BGROUP_GLS-IW-CTX-IWStandardUsers%2BOR%2BGROUP_Irish+Water+All+Hands%2BOR%2BGROUP_Jump-Server-Admins%2BOR%2BGROUP_site_LegalServices%2BOR%2BGROUP_site_LegalServices_SiteManager%2BOR%2BGROUP_site_asset-investment%2BOR%2BGROUP_site_asset-investment_SiteManager%2BOR%2BGROUP_site_asset-management%2BOR%2BGROUP_site_asset-management_SiteConsumer%2BOR%2BGROUP_site_asset-programmes%2BOR%2BGROUP_site_asset-programmes_SiteCollaborator%2BOR%2BGROUP_site_asset-programmes_SiteManager%2BOR%2BGROUP_site_asset-strategy%2BOR%2BGROUP_site_asset-strategy_SiteManager%2BOR%2BGROUP_site_capa%2BOR%2BGROUP_site_capa_SiteManager%2BOR%2BGROUP_site_capital-delivery%2BOR%2BGROUP_site_capital-delivery_SiteConsumer%2BOR%2BGROUP_site_communications%2BOR%2BGROUP_site_communications_SiteManager%2BOR%2BGROUP_site_customer-contacts%2BOR%2BGROUP_site_customer-contacts_SiteManager%2BOR%2BGROUP_site_hazcon%2BOR%2BGROUP_site_hazcon_SiteManager%2BOR%2BGROUP_site_human-resources%2BOR%2BGROUP_site_human-resources_SiteCollaborator%2BOR%2BGROUP_site_incident-management%2BOR%2BGROUP_site_incident-management_SiteManager%2BOR%2BGROUP_site_invoices%2BOR%2BGROUP_site_invoices_SiteManager%2BOR%2BGROUP_site_iwcontracts%2BOR%2BGROUP_site_iwcontracts_SiteManager%2BOR%2BGROUP_site_iwproject%2BOR%2BGROUP_site_iwproject_SiteManager%2BOR%2BGROUP_site_iwprojects%2BOR%2BGROUP_site_iwprojects_SiteManager%2BOR%2BGROUP_site_operations-and-maintenance%2BOR%2BGROUP_site_operations-and-maintenance_SiteManager%2BOR%2BGROUP_site_region-connaught-and-ulster%2BOR%2BGROUP_site_region-connaught-and-ulster_SiteCollaborator%2BOR%2BGROUP_site_region-east-and-midlands%2BOR%2BGROUP_site_region-east-and-midlands_SiteCollaborator%2BOR%2BGROUP_site_region-south-la-file-share%2BOR%2BGROUP_site_region-south-la-file-share_SiteCollaborator%2BOR%2BGROUP_site_rm%2BOR%2BGROUP_site_rm_SiteManager%2BOR%2BGROUP_site_site-water-investment-approvals-committee%2BOR%2BGROUP_site_site-water-investment-approvals-committee_SiteCollaborator%2BOR%2BGROUP_site_test-public%2BOR%2BGROUP_site_test-public_SiteManager%2BOR%2BGROUP_site_testing-private%2BOR%2BGROUP_site_testing-private_SiteManager%2529)+OR+content_source:SharePoint&version=2&AuthenticatedUserName=
>>>>> [email protected]} hits=11 status=0 QTime=10
>>>>>
>>>>> Note the following at the very end of the fq field:
>>>>> "+OR+content_source:SharePoint". That will basically disable the entire
>>>>> rest of the filter and permit ALL documents through that were indexed by
>>>>> SharePoint. It should be "+AND+content_source:SharePoint".
>>>>>
>>>>> Karl
>>>>>
>>>>> On Mon, Aug 11, 2014 at 1:05 PM, lalit jangra <[email protected]> wrote:
>>>>>
>>>>>> Sure Karl,
>>>>>>
>>>>>> Can you let me know what type of logs you need? I am attaching part of
>>>>>> solr.log for your reference.
>>>>>>
>>>>>> Regards.
>>>>>> On Aug 11, 2014 9:42 PM, "Karl Wright" <[email protected]> wrote:
>>>>>>
>>>>>>> Hi Lalit,
>>>>>>>
>>>>>>> Are you sure you are using the standard select query handler? In
>>>>>>> order to convince me, you will need to enable appropriate Solr logging
>>>>>>> so I can see how a request is processed and whether the MCF solr
>>>>>>> plugin is being called.
>>>>>>>
>>>>>>> Karl
>>>>>>>
>>>>>>> On Mon, Aug 11, 2014 at 11:59 AM, lalit jangra <[email protected]> wrote:
>>>>>>>
>>>>>>>> Thanks Karl,
>>>>>>>>
>>>>>>>> Below are my comments.
>>>>>>>>
>>>>>>>> 1. Your Solr query is in fact not hooked up to use the appropriate
>>>>>>>> MCF Solr plugin, in which case no security whatsoever is being applied.
>>>>>>>> --- Below is snippet from solrconfig.xml from one of servers with
>>>>>>>> MCF Solr plugin included and enabled with /select query handler which
>>>>>>>> i am using for search. I assume i need not to provide full server name
>>>>>>>> for AuthorityServiceBaseURL & instead localhost will work fine.
>>>>>>>>
>>>>>>>> <!-- ManifoldCF document security enforcement component -->
>>>>>>>> <queryParser name="manifoldCFSecurity"
>>>>>>>>              class="org.apache.solr.mcf.ManifoldCFQParserPlugin">
>>>>>>>>   <str name="AuthorityServiceBaseURL">http://localhost:80/mcf-authority-service</str>
>>>>>>>>   <int name="ConnectionPoolSize">50</int>
>>>>>>>> </queryParser>
>>>>>>>>
>>>>>>>> <!-- ManifoldCF document security enforcement component -->
>>>>>>>> <searchComponent name="manifoldCFSecurity"
>>>>>>>>                  class="org.apache.solr.mcf.ManifoldCFSearchComponent">
>>>>>>>>   <str name="AuthorityServiceBaseURL">http://localhost:80/mcf-authority-service</str>
>>>>>>>>   <int name="ConnectionPoolSize">50</int>
>>>>>>>> </searchComponent>
>>>>>>>>
>>>>>>>> <requestHandler name="/select" class="solr.SearchHandler">
>>>>>>>>   <lst name="defaults">
>>>>>>>>     <str name="echoParams">explicit</str>
>>>>>>>>     <int name="rows">10000</int>
>>>>>>>>     <str name="df">text</str>
>>>>>>>>   </lst>
>>>>>>>>   <lst name="appends">
>>>>>>>>     <str name="fq">{!manifoldCFSecurity}</str>
>>>>>>>>   </lst>
>>>>>>>> </requestHandler>
>>>>>>>>
>>>>>>>> Below is one of queries built for same using AuthenticatedUserName
>>>>>>>>
>>>>>>>> q=%22blue%22&q.op=OR&df=text&qt=%2Fselect&sort=score+desc&fq=content_source%3ASharePoint&AuthenticatedUserName=ljangra%40iwater.ie
>>>>>>>>
>>>>>>>> 2. You are supposed to be able to see the documents, but the URL
>>>>>>>> ManifoldCF is generating does not permit you to log into SharePoint for
>>>>>>>> some reason.
>>>>>>>> -- If i go to the location of the search result, i am not able to
>>>>>>>> see any document available there for me as per my permissions.
>>>>>>>>
>>>>>>>> 3. You indexed the documents with security "off", and so no
>>>>>>>> security information was attached to the documents in Solr.
>>>>>>>> --- I have enabled security before starting the job as below.
>>>>>>>>
>>>>>>>> Please suggest.
>>>>>>>>
>>>>>>>> Regards.
>>>>>>>>
>>>>>>>> On Mon, Aug 11, 2014 at 5:17 PM, Karl Wright <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hi Lalit,
>>>>>>>>>
>>>>>>>>> There are a number of possibilities. You will need to do some
>>>>>>>>> investigation to figure out which one it is. Here are the
>>>>>>>>> possibilities I see:
>>>>>>>>>
>>>>>>>>> (1) Your Solr query is in fact not hooked up to use the
>>>>>>>>> appropriate MCF Solr plugin, in which case no security whatsoever is
>>>>>>>>> being applied.
>>>>>>>>> (2) You are supposed to be able to see the documents, but the URL
>>>>>>>>> ManifoldCF is generating does not permit you to log into SharePoint
>>>>>>>>> for some reason.
>>>>>>>>> (3) You indexed the documents with security "off", and so no
>>>>>>>>> security information was attached to the documents in Solr.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Karl
>>>>>>>>>
>>>>>>>>> On Mon, Aug 11, 2014 at 7:30 AM, lalit jangra <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I am using MCF 1.5.1 and crawling SharePoint 2010 list items.
>>>>>>>>>> I have also placed MCF solr ACL plugin into solr instances and updated
>>>>>>>>>> solrconfig.xml for same. I created a job to connect to SharePoint and
>>>>>>>>>> indexed list items in solr.
>>>>>>>>>>
>>>>>>>>>> Next i am searching for content items from index and what i could
>>>>>>>>>> see is that i am able to see search results for content on which i
>>>>>>>>>> do not have any access. I can see these content into search results
>>>>>>>>>> but when i am trying to access these content, i am getting SharePoint
>>>>>>>>>> access denied error. Ideally if a user has no access to a content, he
>>>>>>>>>> should not see these content.
>>>>>>>>>>
>>>>>>>>>> Am i missing anything here?
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Lalit.
>>>>>>>>
>>>>>>>> --
>>>>>>>> Regards,
>>>>>>>> Lalit.
>>
>> --
>> Regards,
>> Lalit.

--
Regards,
Lalit.
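
Added example, not code from this thread or from the ManifoldCF project: a Python check for the problem Karl points out above, a caller-supplied fq in which a content_source clause sits in a top-level OR branch with no ACL clause. The log lines are constructed in the shape of the SolrCore lines quoted in the thread; the sp_acls field name, group names and user name are assumptions, and values are decoded until stable because the alf_acls clause appears encoded twice in the quoted logs.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample shaped like the SolrCore lines quoted in the thread.
# Group names, user name and the sp_acls field are placeholders.
SAMPLE_LOG = """\
100 [http-bio-8080-exec-1] INFO org.apache.solr.core.SolrCore ? [collection1] webapp=/solr path=/select params={q=*:*&fq=(content_source:Alfresco+AND+alf_acls%253A%2528GROUP_A%2BOR%2BGROUP_B%2529)+OR+content_source:SharePoint&AuthenticatedUserName=user%40example.org} hits=5245 status=0 QTime=103
200 [http-bio-8080-exec-2] INFO org.apache.solr.core.SolrCore ? [collection1] webapp=/solr path=/select params={q=*:*&fq=(content_source:Alfresco+AND+alf_acls%253A%2528GROUP_A%2529)+OR+(content_source:SharePoint+AND+sp_acls%253A%2528TOKEN_X%2529)} hits=12 status=0 QTime=9
"""

PARAMS_RE = re.compile(r"SolrCore .*?params=\{(.*)\} hits=(\d+)")

def decode(value):
    """URL-decode until stable; the quoted fq values carry two encoding layers."""
    prev = None
    while prev != value:
        prev, value = value, unquote_plus(value)
    return value

def split_top_level_or(expr):
    """Split on OR at parenthesis depth 0. Only uppercase OR is an operator
    in the Lucene query syntax; a lowercase 'and'/'or' is an ordinary term."""
    branches, current, depth = [], [], 0
    for tok in re.findall(r"\(|\)|[^\s()]+", expr):
        depth += (tok == "(") - (tok == ")")
        if tok == "OR" and depth == 0:
            branches.append(" ".join(current))
            current = []
        else:
            current.append(tok)
    branches.append(" ".join(current))
    return branches

def unrestricted_sources(fq, acl_fields=("alf_acls", "sp_acls")):
    """content_source values reachable via an OR branch that has no ACL clause."""
    found = []
    for branch in split_top_level_or(decode(fq)):
        has_acl = any(field + ":" in branch for field in acl_fields)
        if not has_acl:
            found.extend(re.findall(r"content_source:(\w+)", branch))
    return found

def audit(log_text):
    """Return (source, hits) for every logged fq that opens a source to all users."""
    findings = []
    for line in log_text.splitlines():
        match = PARAMS_RE.search(line)
        if not match:
            continue
        for pair in match.group(1).split("&"):
            key, _, value = pair.partition("=")
            if key == "fq":
                findings += [(s, int(match.group(2))) for s in unrestricted_sources(value)]
    return findings

if __name__ == "__main__":
    for source, hits in audit(SAMPLE_LOG):
        print(f"fq leaves content_source:{source} without an ACL clause ({hits} hits)")
```

The check looks only at top-level OR branches of the logged fq; it does not see the filter that the {!manifoldCFSecurity} entry under "appends" contributes.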
