Nuxeo Platform / NXP-27200

Fix permission check on a NXQL query with SQL Server when a user belongs to many groups


    Details

    • Release Notes Summary:
      Very large READ ACLs are supported.
    • Tags:
    • Backlog priority:
      850
    • Impact type:
      Configuration Change
    • Upgrade notes:

      On SQL Server it's now possible to configure VCS to use an increased column size to store the Read ACL optimization tables, which may be necessary if users belong to many groups (total size of group names + the user name + "Everyone" > 4000 characters).

      nuxeo.vcs.optimizations.acl.maxsize=999999
      

      Any value > 4000 will make SQL Server use NVARCHAR(MAX) instead of NVARCHAR(4000) for its internal data structures.

      On PostgreSQL this feature already existed (defaults to 4096) but was not easily configurable; the same configuration property can be used to increase the value. The specific value requested will be used (there is no notion of MAX).

      Note that a new value only takes effect when the optimization tables are (re)created, which can be done on a stopped server by running:

      DROP TABLE aclr;
      DROP TABLE aclr_user;
      -- on SQL Server:
      EXEC nx_rebuild_read_acls;
      -- on PostgreSQL:
      SELECT nx_rebuild_read_acls();
      
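      An added sizing helper (example code, not Nuxeo's own implementation) for deciding, from a directory export of a user's groups, whether this property must be raised before that user starts seeing no documents. It assumes the Read ACL key is the user name, the group names and "Everyone" joined with a one-character separator, which the page does not specify; the truncation model is a simplified illustration of why an oversized key stops matching, and the sample user, group names and nuxeo.conf excerpt are constructed for the example.

```python
"""Added example, not Nuxeo's own code: estimate whether a user's Read ACL
principal list fits the default NVARCHAR(4000) column on SQL Server and
what nuxeo.vcs.optimizations.acl.maxsize should be set to.

Assumptions not stated on the page: the stored key is the user name, the
group names and "Everyone" joined with a one-character separator, and the
truncation model below is a simplified picture of the failure mode.
"""
import re
from typing import Iterable, List, Optional, Union

SQLSERVER_DEFAULT_MAX = 4000   # NVARCHAR(4000) on SQL Server by default
POSTGRES_DEFAULT_MAX = 4096    # PostgreSQL default named in the upgrade notes
EVERYONE = "Everyone"
SEPARATOR = ","                # assumption: one separator character per item
PROPERTY = "nuxeo.vcs.optimizations.acl.maxsize"


def read_acl_principals(user: str, groups: Iterable[str]) -> List[str]:
    """Principals a Read ACL check considers: the user, its groups, Everyone."""
    return [user, *sorted(set(groups)), EVERYONE]


def principals_key(user: str, groups: Iterable[str]) -> str:
    """Assumed storage form of the principal list (separator is a guess)."""
    return SEPARATOR.join(read_acl_principals(user, groups))


def key_size(user: str, groups: Iterable[str]) -> int:
    """Characters needed to store the full principal list for this user."""
    return len(principals_key(user, groups))


def recommended_conf_line(user: str, groups: Iterable[str],
                          limit: int = SQLSERVER_DEFAULT_MAX) -> Optional[str]:
    """nuxeo.conf line to add, or None when the default column is wide enough."""
    if key_size(user, groups) <= limit:
        return None
    # Any value > 4000 switches SQL Server to NVARCHAR(MAX); the page uses 999999.
    return f"{PROPERTY}=999999"


def truncated_key_matches(user: str, groups: Iterable[str], column_width: int) -> bool:
    """Simplified failure model: a key cut to the column width no longer equals
    the full key, so the read-ACL lookup for this user finds nothing and the
    user sees no documents. Note this fails closed; it does not grant access."""
    full = principals_key(user, groups)
    return full[:column_width] == full


def effective_acl_size(conf_text: str, backend: str) -> Union[int, str]:
    """Size VCS would use for the aclr tables after a rebuild, given a nuxeo.conf
    excerpt. Mirrors the upgrade notes: on SQL Server any value > 4000 means
    NVARCHAR(MAX) ("MAX" here), otherwise 4000; on PostgreSQL the exact value
    is used, defaulting to 4096. The last matching line wins."""
    value = None
    for line in conf_text.splitlines():
        m = re.match(rf"\s*{re.escape(PROPERTY)}\s*=\s*(\d+)\s*$", line)
        if m:
            value = int(m.group(1))
    if backend == "sqlserver":
        if value is not None and value > SQLSERVER_DEFAULT_MAX:
            return "MAX"
        return SQLSERVER_DEFAULT_MAX
    if backend == "postgresql":
        return value if value is not None else POSTGRES_DEFAULT_MAX
    raise ValueError(f"unknown backend {backend!r}")


# Constructed sample: a user in 400 groups with 12-character names, which
# already exceeds 4000 characters before the user name and "Everyone" are added.
SAMPLE_USER = "JS5676"
SAMPLE_GROUPS = [f"group-{i:06d}" for i in range(400)]
SAMPLE_CONF = "# constructed nuxeo.conf excerpt\n" + PROPERTY + "=999999\n"

if __name__ == "__main__":
    print("key size:", key_size(SAMPLE_USER, SAMPLE_GROUPS))
    print("fits NVARCHAR(4000):", truncated_key_matches(SAMPLE_USER, SAMPLE_GROUPS, 4000))
    print("conf line to add:", recommended_conf_line(SAMPLE_USER, SAMPLE_GROUPS))
    print("SQL Server size after rebuild:", effective_acl_size(SAMPLE_CONF, "sqlserver"))
```

      Run it against the real user and group list exported from the directory; if `recommended_conf_line` returns a line, add it to nuxeo.conf and then drop and rebuild the aclr tables as shown above, otherwise the new size is never applied.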
    • Sprint:
      nxFG 11.1.7

      Description

      Steps to reproduce:

      1. Configure Nuxeo to use a SQL Server database
      2. Start Nuxeo
      3. Log in as an admin
      4. Load the 3 SQL scripts attached in the comment
      5. Block permission inheritance on Domain > Templates
      6. Log in as JS5676 / test
      7. Navigate to the default domain
      8. Observe that no document is displayed
      9. Observe this exception in the logs
        ERROR [NuxeoRequestControllerFilter] remote=172.16.6.45,principal=JS5676,uri=/nuxeo/site/api/v1/search/pp/advanced_document_content/execute,session=702DD0FC37E46BBF540DAAEEE80F4BE8.nuxeo,thread=http-nio-0.0.0.0-8080-exec-1,info=Unhandled error was caught by the Filter
        org.nuxeo.ecm.core.api.DocumentSecurityException: Privilege 'Read' is not granted to 'JS5676'
        	at org.nuxeo.ecm.core.api.AbstractSession.checkPermission(AbstractSession.java:215)
        	at org.nuxeo.ecm.core.api.AbstractSession.refreshDocument(AbstractSession.java:2440)
        	at org.nuxeo.ecm.core.api.impl.DocumentModelImpl.refresh(DocumentModelImpl.java:1437)
        	at org.nuxeo.ecm.core.api.impl.DocumentModelImpl.isCheckedOut(DocumentModelImpl.java:658)
        	at org.nuxeo.ecm.core.io.marshallers.json.document.DocumentModelJsonWriter.writeEntityBody(DocumentModelJsonWriter.java:146)
        	at org.nuxeo.ecm.core.io.marshallers.json.document.DocumentModelJsonWriter.writeEntityBody(DocumentModelJsonWriter.java:107)
        	at org.nuxeo.ecm.core.io.marshallers.json.ExtensibleEntityJsonWriter.write(ExtensibleEntityJsonWriter.java:79)
        	at org.nuxeo.ecm.core.io.marshallers.json.AbstractJsonWriter.write(AbstractJsonWriter.java:76)
        	at org.nuxeo.ecm.core.io.marshallers.json.DefaultListJsonWriter.write(DefaultListJsonWriter.java:124)
        	at org.nuxeo.ecm.core.io.marshallers.json.document.DocumentModelListJsonWriter.write(DocumentModelListJsonWriter.java:56)
        	at org.nuxeo.ecm.core.io.marshallers.json.document.DocumentModelListJsonWriter.write(DocumentModelListJsonWriter.java:41)
        	at org.nuxeo.ecm.core.io.marshallers.json.AbstractJsonWriter.write(AbstractJsonWriter.java:76)
        
