I am trying to run some xquery scripts via the basexclient command line after logging in as a user with create permissions, but getting an error that admin permissions are required.
basexclient connect to server using db_creator (with CREATE permissions) OPEN MyDatabase RUN test.xq → admin permission needed.
Contents of test.xq : //database_info/version
If I login as admin user, this sequence works fine.
If I run this command via the rest interface in a browser and log in as db_creator, this also works. ( localhost:8984/rest/MyDatabase/?run=test.xq) If I run this command via the rest interface in a browser and log in a guest (permissions NONE) it says read permissions required (expected).
Is there some limitation on running xq scripts from the command line client that requires admin permissions? Or am I missing some steps somewhere?
Cheers, Chris
Hi Chris,
Sorry for letting you wait. These are the current conditions:
With REST, the permission of each command of a script is currently checked immediately before its execution. If a single command does not have enough permissions, the execution of the command, and all subsequent commands, will be canceled.
If the BaseX client is used, permissions are checked before the supplied script is accessed. As a script may contain admin commands, ADMIN permissions are required for any script.
The status quo is inconsistent indeed. The most flexible approach would be to first check all commands and queries before eventually executing them. As this requires full parsing of XQuery expressions, this would require some basic changes in the permission check architecture.
The simpler solution would be to restrict REST scripts to ADMIN permissions, but I guess that this would break running application… Including yours?
Best, Christian
Hi Christian, Thanks for getting back to me,
I agree I would think the better solution would be doing the same check that is being done for rest for the BaseXclient. Hopefully isn't too much work if some code is already in place.
I don't think it sounds very useful in terms of query functionality to effectively enforce all server side scripts to require admin privileges. We are using some server side query scripts to access data and present it in some specific structure for our clients (which most only need read access). We would prefer to not have all our client applications run with admin access for this if not required.
However, in the interest of reducing processing on each call, you could allow both options. Perhaps an options flag to lock scripts to admin permissions, (for both rest and basexclient) that could mean a simpler check.
You could also potentially add an optional flag to the query script (similar to the %updating flag). This might reduce the need to process the rest of the script in the cases where this flag has already restricted the current user permissions.
Cheers, Chris
-----Original Message----- From: Christian Grün christian.gruen@gmail.com Sent: Sunday, 26 April 2020 9:25 PM To: DYER Chris Chris.Dyer@sydac.com Cc: basex-talk@mailman.uni-konstanz.de Subject: Re: [basex-talk] BaseXClient command line run query requiring admin permissions?
Hi Chris,
Sorry for letting you wait. These are the current conditions:
With REST, the permission of each command of a script is currently checked immediately before its execution. If a single command does not have enough permissions, the execution of the command, and all subsequent commands, will be canceled.
If the BaseX client is used, permissions are checked before the supplied script is accessed. As a script may contain admin commands, ADMIN permissions are required for any script.
The status quo is inconsistent indeed. The most flexible approach would be to first check all commands and queries before eventually executing them. As this requires full parsing of XQuery expressions, this would require some basic changes in the permission check architecture.
The simpler solution would be to restrict REST scripts to ADMIN permissions, but I guess that this would break running application… Including yours?
Best, Christian
Hi Chris,
I have uploaded a new snapshot [1], it should allow you to run your script with BaseX client instances.
I decided to check permissions only at execution time. This might lead to incomplete transactions. This shouldn’t be a big deal, though: The existing architecture couldn’t prevent incomplete runs anyway, as XQuery is simply too powerful for that. And it wouldn’t work to check all permissions before the execution of a script, because a script may create new scripts that are not available at compile time yet.
Your feedback is welcome. Christian
[1] http://files.basex.org/releases/latest/
On Mon, Apr 27, 2020 at 3:14 AM DYER Chris Chris.Dyer@sydac.com wrote:
Hi Christian, Thanks for getting back to me,
I agree I would think the better solution would be doing the same check that is being done for rest for the BaseXclient. Hopefully isn't too much work if some code is already in place.
I don't think it sounds very useful in terms of query functionality to effectively enforce all server side scripts to require admin privileges. We are using some server side query scripts to access data and present it in some specific structure for our clients (which most only need read access). We would prefer to not have all our client applications run with admin access for this if not required.
However, in the interest of reducing processing on each call, you could allow both options. Perhaps an options flag to lock scripts to admin permissions, (for both rest and basexclient) that could mean a simpler check.
You could also potentially add an optional flag to the query script (similar to the %updating flag). This might reduce the need to process the rest of the script in the cases where this flag has already restricted the current user permissions.
Cheers, Chris
-----Original Message----- From: Christian Grün christian.gruen@gmail.com Sent: Sunday, 26 April 2020 9:25 PM To: DYER Chris Chris.Dyer@sydac.com Cc: basex-talk@mailman.uni-konstanz.de Subject: Re: [basex-talk] BaseXClient command line run query requiring admin permissions?
Hi Chris,
Sorry for letting you wait. These are the current conditions:
With REST, the permission of each command of a script is currently checked immediately before its execution. If a single command does not have enough permissions, the execution of the command, and all subsequent commands, will be canceled.
If the BaseX client is used, permissions are checked before the supplied script is accessed. As a script may contain admin commands, ADMIN permissions are required for any script.
The status quo is inconsistent indeed. The most flexible approach would be to first check all commands and queries before eventually executing them. As this requires full parsing of XQuery expressions, this would require some basic changes in the permission check architecture.
The simpler solution would be to restrict REST scripts to ADMIN permissions, but I guess that this would break running application… Including yours?
Best, Christian
basex-talk@mailman.uni-konstanz.de
-
Christian Grün -
DYER Chris