
Restheart for MongoDB, ACL and users


I have a MongoDB instance with the atlas sample databases and I'm trying to configure Restheart on it.
I have restheart configured with mongoRealmAuthenticator and MongoAclAuthorizer, with ACL and USERS collections in the restheart database, and the following mongo-mounts:

- what: /sample_weatherdata  
  where: /sample_weatherdata

The Users collection has the admin user and a user called sample_weatherdata with the user role. The ACL collection has the following ACL.

{
        "_id" : "userCanGetOwnCollection",
        "roles" : [
                "user"
        ],
        "predicate" : "method(GET) and path-template('/{userid}') and equals(@user.userid, ${userid})",
        "priority" : 100,
        "_etag" : ObjectId("62322951a40a5c34cad71769")
}

But when I try to get the information from the sample_weatherdata db with curl (curl -k -u sample_weatherdata:secret -X GET https://xxxxx:4443/sample_weatherdata?page=1), I'm getting an error in the restheart logs:

21:01:22.702 [XNIO-1 task-1] DEBUG o.r.s.authorizers.FileAclAuthorizer - role user, permission (roles=[user],predicate=method(GET) and path-template('/{userid}') and equals(@user.userid, ${userid}) and qparams-contain(page) and qparams-blacklist(filter, sort) ), resolve false

21:01:22.716 [XNIO-1 task-1] DEBUG o.r.s.authorizers.MongoAclAuthorizer - role user, permission id BsonString{value='userCanGetOwnCollection'}, resolve false

21:01:22.718 [XNIO-1 task-1] INFO org.restheart.handlers.RequestLogger - GET https://xxxxxxx:4443/sample_weatherdata?page=1 from /10.100.200.100:55555 => status=403 elapsed=26ms contentLength=0 username=sample_weatherdata roles=[user]

Any idea if I'm missing something or how to configure the ACLs to allow the query?


Solution

  • If you use the default authenticator, i.e. mongoRealmAuthenticator, the correct id property of the user is @user._id

    So your permission should be:

    {
            "_id" : "userCanGetOwnCollection",
            "roles" : [ "user" ],
            "predicate" : "method(GET) and path-template('/{userid}') and equals(@user._id, ${userid})",
            "priority" : 100
    }
    

    In the example acl.json you have:

    NOTE: the id of the user is @user.userid with fileRealmAuthenticator and @user._id with mongoRealmAuthenticator

    I'm the main committer of RESTHeart, and given that now mongoRealmAuthenticator is the default authenticator, I have just updated the example acl.json and related documentation to use @user._id
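To see why the original predicate resolves false under mongoRealmAuthenticator, here is an added example (not part of the answer and not RESTHeart's own predicate engine) that models only the three clauses used above over constructed user documents; the user documents and the helper names are assumptions for illustration:

```python
import re

# Constructed samples: the user object each authenticator exposes to the ACL.
# mongoRealmAuthenticator identifies the user by the MongoDB _id,
# fileRealmAuthenticator by a "userid" property.
MONGO_REALM_USER = {"_id": "sample_weatherdata", "roles": ["user"]}
FILE_REALM_USER = {"userid": "sample_weatherdata", "roles": ["user"]}

PREDICATE_OLD = "method(GET) and path-template('/{userid}') and equals(@user.userid, ${userid})"
PREDICATE_NEW = "method(GET) and path-template('/{userid}') and equals(@user._id, ${userid})"


def match_template(template, path):
    """Match a '/{userid}'-style template against a request path.
    Returns the captured placeholder values, or None if the path does not match."""
    pattern = "^" + re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template) + "$"
    m = re.match(pattern, path)
    return m.groupdict() if m else None


def resolve(predicate, method, path, user):
    """Simplified model of method(), path-template() and equals() evaluation."""
    captured_vars = {}
    for clause in predicate.split(" and "):
        if m := re.fullmatch(r"method\((\w+)\)", clause):
            if m.group(1) != method:
                return False
        elif m := re.fullmatch(r"path-template\('([^']+)'\)", clause):
            captured = match_template(m.group(1), path)
            if captured is None:
                return False
            captured_vars.update(captured)
        elif m := re.fullmatch(r"equals\(@user\.(\w+), \$\{(\w+)\}\)", clause):
            # A property the authenticator never sets (userid under
            # mongoRealmAuthenticator) is None and equals nothing, so the
            # permission resolves false and the request gets a 403.
            if user.get(m.group(1)) != captured_vars.get(m.group(2)):
                return False
        else:
            raise ValueError(f"unsupported clause: {clause}")
    return True
```

The corrected predicate still denies a user access to any collection other than the one named after their own _id, which is the property the rule is meant to enforce.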