MLE-28498 11.3.5 Test Fixes for Security Update #1935
Pull request overview
Updates MarkLogic security configuration and associated test setup to accommodate MLS 11.3.5 security changes (notably around transform/resource-extension execution privileges), ensuring functional/fast-functional tests continue to pass.
Changes:
- Add a new `java-test-xdmp-login` role and assign it to several test users/roles to grant additional execute privileges needed in ML 11.
- Introduce a new REST transform execution user (`rest-transform-user`) for test-app security configuration.
- Update multiple functional tests to include `xdmp-login` when creating test roles with execute privileges; update an example to write documents with explicit permissions.
Reviewed changes
Copilot reviewed 12 out of 13 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| test-app/src/main/ml-config/security/users/writer-no-default-permissions.json | Adds java-test-xdmp-login role to a test user. |
| test-app/src/main/ml-config/security/users/rest-writer.json | Adds java-test-xdmp-login role to rest-writer test user. |
| test-app/src/main/ml-config/security/users/rest-transform-user.json | Adds a new user intended for REST transform execution. |
| test-app/src/main/ml-config/security/users/rest-evaluator.json | Adds java-test-xdmp-login role to evaluator test user. |
| test-app/src/main/ml-config/security/users/rest-admin.json | Adds java-test-xdmp-login role to rest-admin test user. |
| test-app/src/main/ml-config/security/users/opticUser.json | Re-indents user definition (no behavioral change). |
| test-app/src/main/ml-config/security/roles/test-rest-writer.json | Expands privileges for test-rest-writer to include ML 11 transform/extension-related privileges. |
| test-app/src/main/ml-config/security/roles/java-test-xdmp-login.json | Adds a new role bundling privileges needed for invoking transforms/resource extensions in ML 11. |
| marklogic-client-api-functionaltests/src/test/java/com/marklogic/client/functionaltest/TestBiTemporal.java | Adds xdmp-login to dynamically-created test role privileges. |
| marklogic-client-api-functionaltests/src/test/java/com/marklogic/client/fastfunctest/TestJSResourceExtensions.java | Adds xdmp-login to dynamically-created test role privileges. |
| marklogic-client-api-functionaltests/src/test/java/com/marklogic/client/fastfunctest/TestBulkWriteWithTransformations.java | Adds xdmp-login to dynamically-created test role privileges. |
| marklogic-client-api-functionaltests/src/test/java/com/marklogic/client/datamovement/functionaltests/StringQueryHostBatcherTest.java | Adds xdmp-login to dynamically-created test role privileges. |
| examples/src/main/java/com/marklogic/client/example/handle/URIHandleExample.java | Writes a document with explicit permissions instead of relying on defaults. |
| }, | ||
| { | ||
| "privilege-name": "xdmp:xslt-invoke", | ||
| "action": "http://marklogic.com/xdmp/privileges/xslt-invoke", |
Similarly, the action URI for xdmp:xslt-invoke should likely match the repo’s convention of prefixing xdmp- in the privilege action (as done for xdmp:invoke, xdmp:eval, etc.). Consider changing it to http://marklogic.com/xdmp/privileges/xdmp-xslt-invoke so the role reliably grants the expected built-in privilege.
| "action": "http://marklogic.com/xdmp/privileges/xslt-invoke", | |
| "action": "http://marklogic.com/xdmp/privileges/xdmp-xslt-invoke", |
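Review bot: The action for xdmp:xslt-invoke, `"action": "http://marklogic.com/xdmp/privileges/xslt-invoke"`, is the one line in this role that omits the xdmp- prefix used for the other xdmp privileges, and because the action URI rather than the privilege-name determines which built-in privilege the role actually receives, a mismatched URI leaves the role without transform execution and the dependent tests keep failing with a privilege error that points nowhere near this file. Take the suggested `http://marklogic.com/xdmp/privileges/xdmp-xslt-invoke`, and consider having the test setup assert that the deployed role carries this privilege so a mistyped action fails loudly at deploy time instead of at first transform call.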
| }, | ||
| { | ||
| "privilege-name": "xdmp:xslt-eval", | ||
| "action": "http://marklogic.com/xdmp/privileges/xslt-eval", |
The action URI for privilege xdmp:xslt-eval is inconsistent with the pattern used elsewhere in this project (e.g. xdmp:eval -> .../xdmp-eval in java-test-evaluator.json). If this should follow the same convention, update the action to http://marklogic.com/xdmp/privileges/xdmp-xslt-eval to ensure the intended built-in privilege is granted.
| "action": "http://marklogic.com/xdmp/privileges/xslt-eval", | |
| "action": "http://marklogic.com/xdmp/privileges/xdmp-xslt-eval", |
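Review bot: The xslt-eval entry has the same prefix problem as xslt-invoke directly above it (`.../privileges/xslt-eval` where the repo's convention, per java-test-evaluator.json, is `.../privileges/xdmp-xslt-eval`); since both xslt entries were introduced together, fix them in the same commit and scan the rest of this role file for any other action that lacks the xdmp- prefix, so the role bundles exactly the privilege set its name promises and no entry is silently inert.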
| addRangePathIndex(dbName, rangePaths); | ||
|
|
||
| createUserRolesWithPrevilages("test-eval", "xdbc:eval", "xdbc:eval-in", "xdmp:eval-in", "any-uri", "xdbc:invoke"); | ||
| createUserRolesWithPrevilages("test-eval", "xdbc:eval", "xdbc:eval-in", "xdmp:eval-in", "any-uri", "xdbc:invoke", "xdmp-login"); |
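Review bot: The new argument `"xdmp-login"` is spelled in the hyphenated form while every neighbouring privilege in the same call uses the colon form (`xdbc:eval`, `xdmp:eval-in`, `xdbc:invoke`); unless createUserRolesWithPrevilages normalises both spellings, the test-eval role is created without the privilege and the gap only surfaces when a transform is first executed. Use whichever form the helper expects consistently across all four modified tests, and since these tests build their own roles rather than reusing the ml-gradle ones, a short comment pointing at java-test-xdmp-login.json as the reference privilege set would keep the two definitions from drifting apart again. Minor style point, outside this PR's scope: the helper name misspells "Privileges" and is worth a follow-up rename.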
Just a note - these are some old tests that I never got around to modernizing - i.e. they create their own roles instead of depending on ones created via ml-gradle.
This PR primarily contains privilege, role, and permission test fixes as a result of the MLS 11.3.5 security fixes. These fixes were also applied to 12.0.2 and 12.1.0.
Jira Story: https://progresssoftware.atlassian.net/browse/MLE-28498