
Restheart for MongoDB, ACL and users

I have a MongoDB instance with the atlas sample databases and I'm trying to configure Restheart on it.
I have restheart configured with mongoRealmAuthenticator and MongoAclAuthorizer, with ACL and USERS collections in the restheart database, and the following mongo-mounts:

- what: /sample_weatherdata  
  where: /sample_weatherdata

The Users collection has the admin user and a user called sample_weatherdata with the user role. The ACL collection has the following ACL.

{
        "_id": "userCanGetOwnCollection",
        "roles": [ "user" ],
        "predicate": "method(GET) and path-template('/{userid}') and equals(@user.userid, ${userid})",
        "priority": 100,
        "_etag": ObjectId("62322951a40a5c34cad71769")
}

But when I try to get the information from the sample_weatherdata db with curl (curl -k -u sample_weatherdata:secret -X GET https://xxxxx:4443/sample_weatherdata?page=1), I'm getting an error on the restheart logs:

21:01:22.702 [XNIO-1 task-1] DEBUG o.r.s.authorizers.FileAclAuthorizer - role user, permission (roles=[user],predicate=method(GET) and path-template('/{userid}') and equals(@user.userid, ${userid}) and qparams-contain(page) and qparams-blacklist(filter, sort) ), resolve false

21:01:22.716 [XNIO-1 task-1] DEBUG o.r.s.authorizers.MongoAclAuthorizer - role user, permission id BsonString{value='userCanGetOwnCollection'}, resolve false

21:01:22.718 [XNIO-1 task-1] INFO org.restheart.handlers.RequestLogger - GET https://xxxxxxx:4443/sample_weatherdata?page=1 from /10.100.200.100:55555 => status=403 elapsed=26ms contentLength=0 username=sample_weatherdata roles=[user]

Any idea if I'm missing something or how to configure the ACLs to allow the query?

If you use the default authenticator, i.e. mongoRealmAuthenticator, the correct id property of the user is @user._id.

So your permission should be:

{
        "_id" : "userCanGetOwnCollection",
        "roles" : [ "user" ],
        "predicate" : "method(GET) and path-template('/{userid}') and equals(@user._id, ${userid})",
        "priority" : 100
}

In the example acl.json you have:

NOTE: the id of the user is @user.userid with fileRealmAuthenticator and @user._id with mongoRealmAuthenticator

I'm the main committer of RESTHeart, and given that now mongoRealmAuthenticator is the default authenticator, I have just updated the example acl.json and related documentation to use @user._id
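To make the difference between the two predicates concrete, here is an added Python model of how such an ACL predicate resolves against the user object (this is example code written for this page, not RESTHeart's own implementation, which evaluates predicates with Undertow's predicate language). It assumes, as the answer states, that with mongoRealmAuthenticator the user's identifier is the document's _id, while with fileRealmAuthenticator it is exposed as userid; the user documents and the request URL below are constructed sample values. It evaluates the three clauses from the question's predicate plus the qparams-contain / qparams-blacklist clauses that appear in the debug log line.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample user objects, one per authenticator (assumption, see lead-in):
# mongoRealmAuthenticator identifies the user by _id, fileRealmAuthenticator by userid.
MONGO_REALM_USER = {"_id": "sample_weatherdata", "roles": ["user"]}
FILE_REALM_USER = {"userid": "sample_weatherdata", "roles": ["user"]}

# The permission from the question (resolves false with mongoRealmAuthenticator)
# and the corrected one from the answer.
ACL_ORIGINAL = {
    "_id": "userCanGetOwnCollection",
    "roles": ["user"],
    "predicate": "method(GET) and path-template('/{userid}') "
                 "and equals(@user.userid, ${userid})",
    "priority": 100,
}
ACL_FIXED = dict(ACL_ORIGINAL, predicate=ACL_ORIGINAL["predicate"]
                 .replace("@user.userid", "@user._id"))

# Matches clauses of the form name(args); no nested parentheses are needed here.
CLAUSE_RE = re.compile(r"([a-z-]+)\((.*?)\)")


def bind_path_template(template, path):
    """Turn '/{userid}' into a regex and return the captured variables, or None."""
    regex = "^" + re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template) + "$"
    match = re.match(regex, path)
    return match.groupdict() if match else None


def resolve_operand(token, user, bindings):
    """Resolve @user.<attr>, ${var} or a literal; a missing attribute becomes None."""
    token = token.strip()
    if token.startswith("@user."):
        return user.get(token[len("@user."):])
    var = re.fullmatch(r"\$\{(\w+)\}", token)
    if var:
        return bindings.get(var.group(1))
    return token.strip("'\"")


def evaluate(predicate, method, url, user):
    """Return True when every clause of the predicate holds for this request."""
    parsed = urlparse(url)
    path, qparams = parsed.path, parse_qs(parsed.query)
    clauses = CLAUSE_RE.findall(predicate)
    bindings = {}
    # path-template must be resolved first because it binds ${...} variables.
    for name, arg in clauses:
        if name == "path-template":
            bound = bind_path_template(arg.strip("'\""), path)
            if bound is None:
                return False
            bindings.update(bound)
    for name, arg in clauses:
        if name == "path-template":
            continue
        if name == "method":
            if arg.strip() != method:
                return False
        elif name == "equals":
            left, right = (resolve_operand(t, user, bindings) for t in arg.split(","))
            # A None on the left means the user object has no such property,
            # which is exactly why @user.userid never matches a mongo realm user.
            if left is None or left != right:
                return False
        elif name == "qparams-contain":
            if any(q.strip() not in qparams for q in arg.split(",")):
                return False
        elif name == "qparams-blacklist":
            if any(q.strip() in qparams for q in arg.split(",")):
                return False
        else:
            raise ValueError(f"unsupported clause: {name}")
    return True


def authorize(acl, method, url, user):
    """Allow the request if any permission for one of the user's roles resolves true."""
    return any(
        set(p["roles"]) & set(user["roles"]) and evaluate(p["predicate"], method, url, user)
        for p in sorted(acl, key=lambda p: p["priority"])
    )


if __name__ == "__main__":
    url = "https://xxxxx:4443/sample_weatherdata?page=1"  # constructed request
    for label, acl in (("original", [ACL_ORIGINAL]), ("fixed", [ACL_FIXED])):
        print(label, "mongoRealm:", authorize(acl, "GET", url, MONGO_REALM_USER))
        print(label, "fileRealm: ", authorize(acl, "GET", url, FILE_REALM_USER))
```

Running it shows the original permission resolving false for the mongo realm user (the user object has no userid property, so equals() can never hold) and true once the predicate compares @user._id, while the file realm user keeps matching the original form; a user whose _id differs from the path segment is still denied by the fixed rule.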
