Security Guide - MarkLogic
MarkLogic Server
Security Guide
Copyright © 2021 MarkLogic Corporation. All rights reserved.
MarkLogic 10 May, 2019
Last Revised: 10.0-8, October, 2021
Table of Contents
1.0 Introduction to Security
  1.1 Licensing
  1.2 Security Overview
    1.2.1 Authentication and Access Control
    1.2.2 Authorization
    1.2.3 Administration
  1.3 MarkLogic Security Model
    1.3.1 Role-Based Security Model (Authorization)
    1.3.2 Element Level Security
    1.3.3 Access Control With the Security Database
    1.3.4 Security Administration
  1.4 Terminology
    1.4.1 User
    1.4.2 Role
    1.4.3 Execute Privilege
    1.4.4 URI Privilege
    1.4.5 Permission
    1.4.6 Amp
2.0 Role-Based Security Model
  2.1 Understanding Roles
    2.1.1 Assigning Privileges to Roles
      2.1.1.1 Execute Privileges
      2.1.1.2 URI Privileges
    2.1.2 Associating Permissions With Roles
    2.1.3 Default Permissions in Roles
    2.1.4 Assigning Roles to Users
    2.1.5 Roles, Privileges, Document Permissions, and Users
  2.2 The admin and security Roles
  2.3 Example--Introducing Roles, Users and Execute Privileges
3.0 Protecting Documents
  3.1 Creating Documents
    3.1.1 URI Privileges
    3.1.2 Built-In URI Execute Privileges
  3.2 Document Permissions
    3.2.1 Capabilities Associated Through Permissions
      3.2.1.1 Read
      3.2.1.2 Update
      3.2.1.3 Node-Update
      3.2.1.4 Insert
      3.2.1.5 Execute
    3.2.2 Setting Document Permissions
  3.3 Securing Collection Membership
  3.4 Default Permissions
  3.5 Example--Using Permissions
    3.5.1 Setting Permissions Explicitly
    3.5.2 Default Permission Settings
4.0 Authenticating Users
  4.1 Users
  4.2 Types of Authentication
    4.2.1 Basic
    4.2.2 Digest
    4.2.3 Digest-Basic
    4.2.4 Limitations of Digest and Basic Authentication
    4.2.5 Certificate
    4.2.6 Application Level
    4.2.7 Kerberos Ticket
    4.2.8 SAML
5.0 Compartment Security
  5.1 Understanding Compartment Security
  5.2 Configuring Compartment Security
  5.3 Example--Compartment Security
    5.3.1 Create Roles
    5.3.2 Create Users
    5.3.3 Create the Documents and Add Permissions
    5.3.4 Test It Out
6.0 Element Level Security
  6.1 Understanding Element Level Security
  6.2 Example--Element Level Security
    6.2.1 Create Roles
    6.2.2 Create Users and Assign Roles
    6.2.3 Add the Documents
    6.2.4 Add Protected Paths and Query Rolesets
    6.2.5 Run the Example Queries
      6.2.5.1 XQuery Examples of Element Level Security
      6.2.5.2 JavaScript Examples of Element Security
    6.2.6 Additional Examples
      6.2.6.1 XQuery - Query Element Hierarchies
      6.2.6.2 XQuery - Matching By Paths or Attributes
      6.2.6.3 JavaScript - Query Element Hierarchies
      6.2.6.4 JavaScript - Matching By Paths or Attributes
  6.3 Configuring Element Level Security
    6.3.1 Protected Paths
      6.3.1.1 Examples of Protected Paths
      6.3.1.2 Namespaces as Part of a Protected Path
      6.3.1.3 Unprotecting or Removing Paths
      6.3.1.4 Performance Considerations With Protected Paths
    6.3.2 Query Rolesets
      6.3.2.1 How Query Rolesets Work
      6.3.2.2 Parent/Child Relationships in Query Rolesets
      6.3.2.3 Overlapping Protected Paths
      6.3.2.4 Protected Path Sets
      6.3.2.5 Helper Functions for Query Rolesets
      6.3.2.6 Query for Protected Paths on a Document
  6.4 Configure Element Level Security in the Admin UI
    6.4.1 Add a Protected Path
    6.4.2 Add a Query Roleset
  6.5 Configure Element Level Security With XQuery
    6.5.1 Using XQuery for Query Rolesets
    6.5.2 Using XQuery for Protected Paths
  6.6 Configure Element Level Security With REST
    6.6.1 Using REST for Query Rolesets
    6.6.2 Using REST for Protected Paths
  6.7 Combining Document and Element Level Permissions
    6.7.1 Document Level Security and Indexing
    6.7.2 Combination Security Example
  6.8 Node Update Capabilities
    6.8.1 Updates With Element Level Security
    6.8.2 Node Update and Node Insert at the Element Level
  6.9 Document and Element Level Permissions Summary
  6.10 Node Update and Document Permissions Expanded
    6.10.1 Unexpected Behavior with Permissions
    6.10.2 Different Permissions on the Same Node
    6.10.3 A More Complex Example
  6.11 APIs for Element Level Security
    6.11.1 XQuery APIs
    6.11.2 REST Management APIs
      6.11.2.1 REST Management APIs for Protected Paths
      6.11.2.2 REST Management APIs for Query Rolesets
  6.12 Algorithm That Determines Which Query Rolesets to Use
  6.13 Interactions With Compartment Security
    6.13.1 Compartment Security and Indexing
  6.14 Interactions with Other MarkLogic Features
    6.14.1 Lexicon Calls
    6.14.2 Fragmentation
    6.14.3 SQL on Range-Index Based Views
    6.14.4 UDFs (including UDF-based aggregate built-ins)
    6.14.5 Reverse Indexes
    6.14.6 SPARQL
    6.14.7 Alerting and QBFR
    6.14.8 mlcp
    6.14.9 XCC
    6.14.10 Bitemporal
    6.14.11 Others
    6.14.12 Rolling Upgrades
7.0 Protecting XQuery and JavaScript Functions With Privileges
  7.1 Built-In MarkLogic Execute Privileges
  7.2 Protecting Your XQuery and JavaScript Code with Execute Privileges
    7.2.1 Using Execute Privileges
    7.2.2 Execute Privileges and App Servers
    7.2.3 Creating and Updating Collections
  7.3 Temporarily Increasing Privileges with Amps
8.0 Query-Based Access Control
  8.1 What is QBAC
  8.2 Example QBAC Applications
    8.2.1 Scenario 1: Region Restrictions
      8.2.1.1 Create Roles
      8.2.1.2 Create Users
      8.2.1.3 Insert the Documents and Add Permissions
      8.2.1.4 Test It Out
    8.2.2 Scenario 2: Group Restrictions
      8.2.2.1 Create Roles
      8.2.2.2 Create Users
      8.2.2.3 Insert the Documents and Add Permissions
      8.2.2.4 Test It Out
  8.3 Interfaces to Support QBAC
    8.3.1 Changes to Security Module APIs
    8.3.2 Admin GUI
  8.4 Errors
  8.5 Limitations
9.0 Granular Privileges
  9.1 Understanding Granular Privileges
  9.2 Categories of Granularity
    9.2.1 Privileges to Read, Write, or Delete Any Configuration File
    9.2.2 Privileges to Read, Write, or Delete a Specific Configuration File
    9.2.3 Privileges to Administer a Set of Resources
    9.2.4 Privileges to Administer a Specific Resource