MongoDB、ACL和用户的Restheart

Question

I have a MongoDB instance with the atlas sample databases and I'm trying to configure Restheart on it.我有一个带有 atlas 示例数据库的 MongoDB 实例，我正在尝试在其上配置 Restheart。
I have restheart configured with mongoRealmAuthenticator and MongoAclAuthorizer, with ACL and USERS collections in the restheart database, and the following mongo-mounts:我在 restheart 配置了 mongoRealmAuthenticator 和 MongoAclAuthorizer，在 restheart 数据库中配置了 ACL 和 USERS collections，以及以下 mongo-mounts：

- what: /sample_weatherdata  
  where: /sample_weatherdata

The Users collection have the admin user and a user called sample_weatherdata with user role. Users 集合有 admin 用户和一个名为 sample_weatherdata 且具有用户角色的用户。 The ACL collection have the following ACL. ACL 集合具有以下 ACL。

 { "_id": "userCanGetOwnCollection", "roles": [ "user" ], "predicate": "method(GET) and path-template('/{userid}') and equals(@user.userid, ${userid})", "priority": 100, "_etag": ObjectId("62322951a40a5c34cad71769") }

But when I try to get the information from the sample_weatherdata db with curl (curl -k -u sample_weatherdata:secret -X GET https://xxxxx:4443/sample_weatherdata?page=1), I'm getting an error on the restheart logs:但是，当我尝试使用 curl（curl -k -u sample_weatherdata:secret -X GET https://xxxxx:4443/sample_weatherdata?page=1）从 sample_weatherdata 数据库获取信息时，我在 restheart 上遇到了错误日志：

21:01:22.702 [XNIO-1 task-1] DEBUG o.r.s.authorizers.FileAclAuthorizer - role user, permission (roles=[user],predicate=method(GET) and path-template('/{userid}') and equals(@user.userid, ${userid}) and qparams-contain(page) and qparams-blacklist(filter, sort) ), resolve false 21:01:22.702 [XNIO-1 task-1] DEBUG o.r.s.authorizers.FileAclAuthorizer - 角色用户、权限（角色=[用户]、谓词=方法（GET）和路径模板（'/{userid }') and equals(@user.userid, ${userid}) and qparams-contain(page) and qparams-blacklist(filter, sort) ), resolve false

21:01:22.716 [XNIO-1 task-1] DEBUG o.r.s.authorizers.MongoAclAuthorizer - role user, permission id BsonString{value='userCanGetOwnCollection'}, resolve false 21:01:22.716 [XNIO-1 task-1] DEBUG o.r.s.authorizers.MongoAclAuthorizer - 角色用户，权限 id BsonString{value='userCanGetOwnCollection'}，解析错误

21:01:22.718 [XNIO-1 task-1] INFO org.restheart.handlers.RequestLogger - GET https://xxxxxxx:4443/sample_weatherdata?page=1 from /10.100.200.100:55555 => status=403 elapsed=26ms contentLength=0 username=sample_weatherdata roles=[user] 21:01:22.718 [XNIO-1 task-1] INFO org.restheart.handlers.RequestLogger - GET https://xxxxxxx:4443/sample_weatherdata?page=1 from /10.100.200.100:55555 => status=403 elapsed= 26ms contentLength=0 username=sample_weatherdata roles=[user]

Any idea if I'm missing something or how to configure the ACLs to allow the query?知道我是否遗漏了什么或如何配置 ACL 以允许查询吗？

Answer 1

If you use the default authenticator, ie mongoRealmAuthenticator the correct id property of the user is @user._id如果您使用默认的身份验证器，即mongoRealmAuthenticator用户的正确 id 属性是@user._id

So your permission should be:所以你的许可应该是：

{
        "_id" : "userCanGetOwnCollection",
        "roles" : [ "user" ],
        "predicate" : "method(GET) and path-template('/{userid}') and equals(@user._id, ${userid})",
        "priority" : 100
}

In the example acl.json you have:在示例acl.json 中，您有：

NOTE: the id of the user is @user.userid with fileRealmAuthenticator and @user._id with mongoRealmAuthenticator注意：用户的 id 是 @user.userid 与 fileRealmAuthenticator 和 @user._id 与 mongoRealmAuthenticator

I'm the main committer of RESTHeart, and given that now mongoRealmAuthenticator is the default authenticator, I have just updated the example acl.json and related documentation to use @user._id我是 RESTHeart 的主要提交者，鉴于现在mongoRealmAuthenticator是默认的身份验证器，我刚刚更新了示例 acl.json 和相关文档以使用@user._id

MongoDB、ACL和用户的Restheart

问题描述

1 个解决方案

解决方案1
1 已采纳 2022-03-18 09:14:17

MongoDB、ACL和用户的Restheart

问题描述

1 个解决方案

解决方案1 1 已采纳 2022-03-18 09:14:17

解决方案1
1 已采纳 2022-03-18 09:14:17