Restheart with MongoDB, ACL and Users

Posted on 2025-01-15 00:09:15

I have a MongoDB instance with the atlas sample databases and I'm trying to configure Restheart on it.
I have restheart configured with mongoRealmAuthenticator and MongoAclAuthorizer, with ACL and USERS collections in the restheart database, and the following mongo-mounts:

- what: /sample_weatherdata  
  where: /sample_weatherdata

The Users collection has the admin user and a user called sample_weatherdata with the user role. The ACL collection has the following ACL.

{
        "_id" : "userCanGetOwnCollection",
        "roles" : [
                "user"
        ],
        "predicate" : "method(GET) and path-template('/{userid}') and equals(@user.userid, ${userid})",
        "priority" : 100,
        "_etag" : ObjectId("62322951a40a5c34cad71769")
}

But when I try to get the information from the sample_weatherdata db with curl (curl -k -u sample_weatherdata:secret -X GET https://xxxxx:4443/sample_weatherdata?page=1), I'm getting an error on the restheart logs:

21:01:22.702 [XNIO-1 task-1] DEBUG o.r.s.authorizers.FileAclAuthorizer - role user, permission (roles=[user],predicate=method(GET) and path-template('/{userid}') and equals(@user.userid, ${userid}) and qparams-contain(page) and qparams-blacklist(filter, sort)
), resolve false

21:01:22.716 [XNIO-1 task-1] DEBUG o.r.s.authorizers.MongoAclAuthorizer - role user, permission id BsonString{value='userCanGetOwnCollection'}, resolve false

21:01:22.718 [XNIO-1 task-1] INFO org.restheart.handlers.RequestLogger - GET https://xxxxxxx:4443/sample_weatherdata?page=1 from /10.100.200.100:55555 => status=403 elapsed=26ms contentLength=0 username=sample_weatherdata roles=[user]

Any idea if I'm missing something or how to configure the ACLs to allow the query?


Comments (1)

满天都是小星星 2025-01-22 00:09:15

If you use the default authenticator, i.e. mongoRealmAuthenticator, the correct id property of the user is @user._id

So your permission should be:

{
        "_id" : "userCanGetOwnCollection",
        "roles" : [ "user" ],
        "predicate" : "method(GET) and path-template('/{userid}') and equals(@user._id, ${userid})",
        "priority" : 100
}

In the example acl.json you have:

NOTE: the id of the user is @user.userid with fileRealmAuthenticator and @user._id with mongoRealmAuthenticator

I'm the main committer of RESTHeart, and given that now mongoRealmAuthenticator is the default authenticator, I have just updated the example acl.json and related documentation to use @user._id
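
As an added illustration (not RESTHeart's code and not part of the original answer), the Python sketch below models this one predicate shape and flags `@user.*` references that an account document cannot supply, which is why the original permission resolved false and returned 403. The account field layouts, helper names and sample data are assumptions constructed for the example.

```python
import re

# Constructed sample data modelled on the question. The account field layouts
# are assumptions: "_id" for mongoRealmAuthenticator, "userid" for the file realm.
MONGO_USER = {"_id": "sample_weatherdata", "roles": ["user"]}
FILE_USER = {"userid": "sample_weatherdata", "roles": ["user"]}
ACL_BROKEN = {
    "_id": "userCanGetOwnCollection",
    "roles": ["user"],
    "predicate": "method(GET) and path-template('/{userid}') "
                 "and equals(@user.userid, ${userid})",
}
ACL_FIXED = dict(ACL_BROKEN,
                 predicate=ACL_BROKEN["predicate"].replace("@user.userid", "@user._id"))

def lookup(doc, dotted):
    """Resolve a dotted property path in the account document; None if absent."""
    for key in dotted.split("."):
        if not isinstance(doc, dict) or key not in doc:
            return None
        doc = doc[key]
    return doc

def unresolved_user_vars(permission, account):
    """List the @user.* references in the predicate that the account cannot supply."""
    names = re.findall(r"@user\.([A-Za-z_][\w.]*)", permission["predicate"])
    return [n for n in names if lookup(account, n) is None]

def allows(permission, account, method, uri):
    """Simplified model of this one predicate shape (method, path-template, equals)."""
    pred = permission["predicate"]
    m = re.search(r"method\((\w+)\)", pred)
    t = re.search(r"path-template\('([^']+)'\)", pred)
    e = re.search(r"equals\(@user\.([\w.]+),\s*\$\{(\w+)\}\)", pred)
    if not (m and t and e) or m.group(1) != method:
        return False
    if not set(permission["roles"]) & set(account.get("roles", [])):
        return False
    # '/{userid}' becomes a regex with one named group per template variable;
    # the query string is not part of the matched path.
    pattern = re.sub(r"\\\{(\w+)\\\}", r"(?P<\1>[^/]+)", re.escape(t.group(1)))
    match = re.fullmatch(pattern, uri.split("?", 1)[0])
    if not match:
        return False
    user_value = lookup(account, e.group(1))
    # A missing property never equals the path variable, so the request is denied.
    return user_value is not None and user_value == match.groupdict().get(e.group(2))
```

Running `unresolved_user_vars` over every document in the ACL collection against a representative user document is a quick way to spot permissions that can never grant access after switching authenticators.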
