Authentication on CMIS with non-admin user

frank_miller
Member II

Authentication on CMIS with non-admin user

Hi!

I'm having an issue trying to authenticate on CMIS with a non-admin user. Finally, I tried to do a simple get request, and I get this response…

org/springframework/extensions/webscripts/scriptdump.get requires admin authentication; however, a non-admin has attempted access

Does this mean only admin users are able to connect to Alfresco via CMIS? I think I'm missing something obvious, like an option on Alfresco to give a user "cmis privileges" maybe? Please, any help on this topic would be really appreciated.

Best regards.
19 Replies
jpotts
Advanced II

Re: Authentication on CMIS with non-admin user

Non-admin users should definitely be able to connect via CMIS and do anything the permissions are set to allow them to do.

Can you share with us some specifics such as:
- Alfresco server version
- Client you are using
- Binding you are using (Atom Pub versus Web Services)
- Specific code you are using that is failing
- Any exceptions you are seeing in the log

Jeff
frank_miller
Member II

Re: Authentication on CMIS with non-admin user

Thanks for the quick response Jeff.

I don't think this is a specific Alfresco version issue (tried on 3.4 and 4.0). Actually, I'm using an open source API written in Ruby (ActiveCMIS). I get a little lost understanding the procedure to connect to CMIS, but debugging the code I reach the following request.

http://.../alfresco/service/cmis/arg/n?noderef=workspace%3A%2F%2FSpacesStore%2F68c3c179-7027-466a-ad...

which returns a 500 server exception. I include some log lines:

net.sf.acegisecurity.AccessDeniedException - Access is denied.

org.springframework.extensions.webscripts.WebScriptException - 00310007 Wrapped Exception (with status template): 00310014 Error during processing of the template

org.springframework.extensions.webscripts.AbstractWebScript.createStatusException(AbstractWebScript.java:758)

I hope this information could be useful. Please, let me know if I can provide any other relevant information.

Thanks!
jpotts
Advanced II

Re: Authentication on CMIS with non-admin user

Without seeing the code it is hard to say, but it sounds like you might not be passing in the credentials in the header. When connecting to CMIS, you can either use basic authentication or you can use an Alfresco ticket. Tickets get passed in through an "alf_ticket" argument, so you clearly aren't doing that.

The auth header needs to be set on every request.

You could test your call using curl. For example, you should be able to do:

curl -uSomeUser:SomePassword "http://.../alfresco/service/cmis/arg/n?noderef=workspace%3A%2F%2FSpacesStore%2F68c3c179-7027-466a-ad..."

And have that come back successfully. If you get the same response you are currently seeing, then you might be able to assume that the user and password you are using doesn't have the permissions to hit the node you are trying to hit.

If it works, but your Ruby code fails, you might be able to assume that the Ruby code is screwing up the auth somewhere.

Jeff
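
The check suggested in the post above, as an added Python example that is not part of the original thread: it sends the Basic auth header explicitly and separates "credentials rejected" from "authenticated but not permitted". It assumes the error body carries the exception text shown in the thread's log lines; the function names are hypothetical.

```python
import base64
import urllib.error
import urllib.request


def basic_auth_header(user, password):
    """Build the Authorization header value that must accompany every request."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def classify(status, body):
    """Map an HTTP status and response body to the likely cause."""
    if 200 <= status < 300:
        return "ok"
    if status == 401:
        return "credentials missing or rejected"
    # Assumption: the error body contains the exception text seen in the logs.
    denied = "AccessDeniedException" in body or "Access is denied" in body
    if status == 403 or (status == 500 and denied):
        return "authenticated, but no permission on this node"
    return "other failure"


def probe(url, user, password, timeout=10):
    """Send one authenticated GET and classify the outcome."""
    headers = {"Authorization": basic_auth_header(user, password)}
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, "")
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # Constructed sample: the 500 response described earlier in the thread.
    sample = "net.sf.acegisecurity.AccessDeniedException - Access is denied."
    print(classify(500, sample))
    print(classify(401, ""))
```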
frank_miller
Member II

Re: Authentication on CMIS with non-admin user

You're right! The problem was indeed the user didn't have permissions to read that node (silly me! :oops:)

Thank you very much Jeff!
frank_miller
Member II

Re: Authentication on CMIS with non-admin user

Hi!

My problem now is that the API I'm using needs to get repository info before performing any other operation. Then, through the repository object, it gets several templates for getting objects by id, by path, … (I understand the reason is the URLs may vary depending on the CMS I'm connecting to.) But when I try these steps with a user without access to the root folder, I get a forbidden exception. Is it possible for a non-admin user to retrieve repository info?

EDITED:

Also, trying to connect to the home space of a given user, if the user does not have permissions to company home, I get a forbidden exception. The URL looks like…

curl -uUser:Password "http://localhost/alfresco/service/cmis/arg/n?noderef=workspace%3A%2F%2FSpacesStore%2Fd96b2971-c718-4..."

This URL returns the node only when the user has permissions to read company home. This doesn't make much sense to me, so I'm pretty sure I'm missing something obvious here. Please, any advice would be really appreciated.

Best regards.
jpotts
Advanced II

Re: Authentication on CMIS with non-admin user

I don't think you need access to Company Home to get the repository information. To confirm that, I went into my Alfresco 4.0.d Community repository and removed the EVERYONE group from Company Home. I then used cmislib to connect as a test user (non-admin) and successfully retrieved the repository information:

>>> from cmislib.model import CmisClient
>>> client = CmisClient('http://localhost:8080/alfresco/cmisatom', 'tuser1', 'password')
>>> repo = client.defaultRepository
>>> repo.getRepositoryInfo()
{u'aclCapability': None, u'cmisVersionSupported': u'1.0', u'principalAnonymous': u'guest', u'principalAnyone': u'GROUP_EVERYONE', u'repositoryDescription': u'Main Repository', u'changesOnType': u'cmis:folder', u'changesIncomplete': u'true', u'productVersion': u'4.0.0 (4003)', u'rootFolderId': u'workspace://SpacesStore/98f66c7a-b300-48b9-b35f-8695b8ca22b8', u'repositoryId': u'558e5b3c-71a0-42ac-b420-eda16e93e95b', u'repositoryName': u'Main Repository', u'vendorName': u'Alfresco', u'productName': u'Alfresco Repository (contentUrl=|mimetype=|size=0|encoding=|locale=en_US_|id=120)'}

However, as you mentioned, when attempting to retrieve the properties of tuser1's home directory, I got a permission denied. That's because the user's home directory sits in "User Homes" and tuser1 has no access to User Homes; User Homes inherits its perms from Company Home. When I made the EVERYONE group a consumer on User Homes, the tuser1 user was able to get to his home directory.

What's going on is that the properties of an object include some properties related to the parent. If the user has no access to the parent, the calls fail. You can work around this by providing a filter that lists only the properties you need and excludes any parent-related properties.

For example, if tuser1 has no access to the User Homes folder, the following call will fail with a PermissionDeniedException:
home = repo.getObjectByPath('/User Homes/tuser1')

But this call, which excludes properties like cmis:parentObjectId and cmis:path will successfully retrieve the object:
home = repo.getObjectByPath('/User Homes/tuser1', filter="cmis:creationDate,cm:owner,cmis:changeToken,cm:description,cmis:objectId,cmis:objectTypeId,cmis:lastModifiedBy,cmis:name,cmis:createdBy,cmis:baseTypeId")

Jeff
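
The filter workaround from the post above, as an added example that is not part of the original thread: a wrapper that retries with a property filter stripped of parent-related properties when the plain fetch is denied. `safe_filter`, `get_object`, `Denied` and `FakeRepo` are hypothetical names; with cmislib the error class to pass in would be `cmislib.exceptions.PermissionDeniedException`.

```python
# Parent-related properties named in the post, plus cmis:parentId, the CMIS 1.0
# folder property that refers to the parent.
PARENT_RELATED = {"cmis:parentObjectId", "cmis:parentId", "cmis:path"}


def safe_filter(wanted):
    """Return a CMIS filter string with parent-related properties dropped."""
    kept = [p for p in wanted if p not in PARENT_RELATED]
    if not kept:
        raise ValueError("filter would be empty")
    return ",".join(kept)


def get_object(repo, path, wanted, denied_exc):
    """Fetch normally; on a permission error retry with the reduced filter.

    If the user has no rights on the object itself, the retry raises again.
    """
    try:
        return repo.getObjectByPath(path)
    except denied_exc:
        return repo.getObjectByPath(path, filter=safe_filter(wanted))


class Denied(Exception):
    """Constructed stand-in for the client's permission error."""


class FakeRepo:
    """Constructed stand-in that mimics the behaviour described in the post."""

    def getObjectByPath(self, path, filter=None):
        # No filter means all properties, parent-related ones included.
        props = set(filter.split(",")) if filter else PARENT_RELATED
        if props & PARENT_RELATED:
            raise Denied(path)
        return {"path": path, "filter": filter}


if __name__ == "__main__":
    wanted = ["cmis:name", "cmis:path", "cmis:objectId", "cm:owner"]
    print(get_object(FakeRepo(), "/User Homes/tuser1", wanted, Denied))
```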
frank_miller
Member II

Re: Authentication on CMIS with non-admin user

Thank you very much for your detailed response Jeff.

I think I understand now most of the issues I was having accessing different folders. Anyway, I'm still not able to obtain repository info with a user without Company Home access. I'm trying this URL directly in a web browser:

http://alfrescoserver/alfresco/service/cmis

(which is the URL that my Ruby component uses to get repo info), it asks me for user/pass; if I introduce a user without access to Company Home, I get a 500 again. Perhaps this is not the right URL to access repository info?

Best regards.
jpotts
Advanced II

Re: Authentication on CMIS with non-admin user

Starting with Alfresco 4, the web script based CMIS implementation (http://localhost:8080/alfresco/service/cmis) is deprecated. Where possible, you should use the OpenCMIS implementation instead (http://localhost:8080/alfresco/cmisatom).

In a quick test using curl, I noticed that when a user does not have access to Company Home, the old implementation fails while the new implementation succeeds.

Jeff
frank_miller
Member II

Re: Authentication on CMIS with non-admin user

Thanks Jeff, it's good to know :)

I'll give 4.0.d a try.

Again, thank you very much for all your help, it's really appreciated!