Change in Default rest-reader and rest-writer Permissions
To enable the creation of a document by a user who does not have rest-reader
or rest-writer
privileges, the following backward-incompatible changes were made to the REST API to improve security:
Prior to MarkLogic 10.0-1, when inserting documents, the REST API assigned permissions based on the default permissions configured for the user and role but also assigned read permissions to the rest-reader
role and assigned update permissions to the rest-writer
role. As a result, any user with the rest-reader
role had permission to read to read all documents and any user with the rest-writer
role had permission to update all documents.
In MarkLogic 10.0-1, when inserting documents, the REST API assigns permissions based only on the default permissions configured for the user and role. As a result, it is possible to adopt a security model in the REST API where no role has access to all documents.
In other words MarkLogic 9, when you wrote documents with the REST API using PUT v1/documents, the documents had the union of the following permissions:
Any permissions specified in the request
The default permissions for the user and document or, when update policy is set to overwrite-metadata, the existing permissions on the document
Read permission for the rest-reader role and update permissions for the rest-writer role
In MarkLogic 10, when you write documents with the REST API using PUT v1/documents, the documents have the union of the following permissions:
Any permissions specified in the request
The default permissions for the user and document or, when update policy is set to overwrite-metadata, the existing permissions on the document
What has changed is that the rest-reader
and rest-writer
convenience roles no longer have any permissions on a document unless one of the following is true:
The request specifies permissions for the
rest-reader
orrest-writer
role.The definition of the user grants default permissions to the
rest-reader
orrest-writer
.
Since the rest-writer
convenience role default permissions grant reader permission to the rest-reader
role and update permissions to the rest-writer
role, documents written by a user who has the rest-writer
convenience role are readable by users with the rest-reader role and writable by users with the rest-writer
role.
In MarkLogic 9, a user given the
rest-reader
orrest-writer
role had access to every document written with the REST API.In MarkLogic 10, a security model need not grant any role access to every document written with the REST API. Documents inserted by users with the
rest-writer
role still have read permissions for therest-reader
role and update permissions for therest-writer
role.
To override this backward incompatibility, you must modify the user role creating documents to give default permissions to rest-writer
and rest-reader
.