0
votes

In a development project, we want separate Security databases for each application on the same MarkLogic server.

Since roles in different applications have the same name, we can't create those in the same Security database.

Is there any way to create and maintain multiple security databases on the same MarkLogic Server to handle multiple applications?

Our current approach to create a new Security database is as follows:

  1. Create and attach 'WSK-Security' database to default 'Security' database (/manage/v2/databases/Security/sub-databases)
  2. Forest creation of 'WSK-Security-1' forest (/manage/v2/forests)
  3. 'WSK-Security' database attachment with 'WSK-Security-1' forest (/manage/v2/databases/WSK-Security/properties)
  4. 'WSK-HTTP' setup (/manage/v2/packages). MarkLogic Error while setting default-user=Admin

Manage: ADMIN-NOSUCHUSER: (err:FOER0000) No such user 7071164303237443533

It seems our new database is not working as it should work (Security database). It would be a great help if we get any solution/recommendation on this.

3 Answers

1
votes

Although the Admin UI (port 8001) assumes security is managed in a database called "Security", you can use any database for that purpose. When you create a content database using the Management API, specify the security-database property to indicate which database is to be used. The application-specific security database must exist before you tell your content database to use that one. This way, you can have foo-content, foo-security, bar-content, and bar-security for "foo" and "bar" applications. This is analogous to using application-specific modules databases, rather than the default "Modules" database for all applications.

Note that you will not be able to use the Admin UI to review or manage the contents of your other security databases, but you can use the Management API for this purpose.
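The ordering constraint from the answer above (the application-specific security database must exist before a content database names it in `security-database`), as an added example that is not part of the original answer. It only builds the Management API request bodies and checks their order; it sends nothing. The `foo`/`bar` names follow the answer, the forest naming follows the question's 'WSK-Security-1' pattern, and the host name and helper functions are hypothetical.

```python
import json

MANAGE = "/manage/v2"  # Management API root, as used in the question


def plan_app(app, host):
    """Ordered Management API requests for one application (hypothetical helper).

    The security database and its forest come first, because the content
    database refers to it through its security-database property.
    """
    sec, content = f"{app}-security", f"{app}-content"
    return [
        ("POST", f"{MANAGE}/databases", {"database-name": sec}),
        ("POST", f"{MANAGE}/forests",
         {"forest-name": f"{sec}-1", "host": host, "database": sec}),
        ("POST", f"{MANAGE}/databases",
         {"database-name": content, "security-database": sec}),
        ("POST", f"{MANAGE}/forests",
         {"forest-name": f"{content}-1", "host": host, "database": content}),
    ]


def check_order(plan, existing=("Security",)):
    """Return a list of ordering problems; an empty list means the plan is consistent."""
    known, problems = set(existing), []
    for i, (method, path, body) in enumerate(plan):
        # Any database a request refers to must already exist at that step.
        for key in ("security-database", "database"):
            ref = body.get(key)
            if ref is not None and ref not in known:
                problems.append(f"step {i}: {key}={ref!r} does not exist yet")
        if path.endswith("/databases"):
            known.add(body["database-name"])
    return problems


if __name__ == "__main__":
    # "ml-host.example" is a constructed placeholder host name.
    plan = plan_app("foo", "ml-host.example") + plan_app("bar", "ml-host.example")
    assert check_order(plan) == []
    for method, path, body in plan:
        print(method, path, json.dumps(body))
```

The plan covers creation order only; it does not address what the new security database has to contain.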

1
votes

Personally, it would make sense to use different names for different things. If you don't give distinctive names to roles, things will get confusing at some point.

But to answer your question, yes you can have multiple Security databases, provided you give them unique names. Dave already provided some ways to go about with that, but I must mention there are a few catches. Keep in mind that the Security database also contains a lot of internal definitions from MarkLogic, like privileges, amps, and not in the least built-in users and roles.

There is a way though to have a generic set of content in a shared database, and add app-specific content to that in a specific database. If you want to extend upon the existing Security database with for instance a foo-security database, then just create that as any other database. After that use Admin UI, admin API or management REST API to add Security as a sub-database.

HTH!

0
votes

Personal Recommendation: "Don't Do That". Architect some other method of multi-tenancy or segregated applications than using different security databases. While it can be made to work, the path to happiness is painful and difficult. Similar to mucking around with a Linux system boot volume. If it's 100% perfect all is well; if 1 thing is off, the symptom is likely to be that the system is entirely non-functioning -- or worse.

Plus there are "third party" (or user written) tools that make assumptions about the security database -- you will find out about those after you break with convention -- maybe before all your data is screwed up or your system inaccessible, maybe not. Worst case -- everything appears to work -- if you don't have a very deep understanding of ML internals it's challenging to devise test cases to validate that in fact everything is 'working'.