Change in Default rest-reader and rest-writer Permissions
- Last Updated: April 14, 2026
- MarkLogic Server
- Version 11.0
To enable the creation of a document by a user who does not have rest-reader or rest-writer privileges, the following backward-incompatible changes were made to the REST API to improve security:
Prior to MarkLogic 10.0-1, when inserting documents, the REST API assigned permissions based on the default permissions configured for the user and role, but also assigned read permissions to the rest-reader role and update permissions to the rest-writer role. As a result, any user with the rest-reader role had permission to read all documents and any user with the rest-writer role had permission to update all documents.
In MarkLogic 10.0-1, when inserting documents, the REST API assigns permissions based only on the default permissions configured for the user and role. As a result, it is possible to adopt a security model in the REST API where no role has access to all documents.
In other words, in MarkLogic 9, when you wrote documents with the REST API using PUT v1/documents, the documents had the union of the following permissions:
- Any permissions specified in the request
- The default permissions for the user and document or, when update policy is set to overwrite-metadata, the existing permissions on the document
- Read permission for the rest-reader role and update permissions for the rest-writer role
In MarkLogic 10, when you write documents with the REST API using PUT v1/documents, the documents have the union of the following permissions:
- Any permissions specified in the request
- The default permissions for the user and document or, when update policy is set to overwrite-metadata, the existing permissions on the document
What has changed is that the rest-reader and rest-writer convenience roles no longer have any permissions on a document unless one of the following is true:
- The request specifies permissions for the rest-reader or rest-writer role.
- The definition of the user grants default permissions to the rest-reader or rest-writer.
Since the rest-writer convenience role default permissions grant read permission to the rest-reader role and update permissions to the rest-writer role, documents written by a user who has the rest-writer convenience role are readable by users with the rest-reader role and writable by users with the rest-writer role.
- In MarkLogic 9, a user given the rest-reader or rest-writer role had access to every document written with the REST API.
- In MarkLogic 10, a security model need not grant any role access to every document written with the REST API. Documents inserted by users with the rest-writer role still have read permissions for the rest-reader role and update permissions for the rest-writer role.
To override this backward incompatibility, you must modify the role of the user creating documents to give default permissions to rest-writer and rest-reader.
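The two permission unions described above can be compared directly when auditing which grants disappear after an upgrade. The following is an added example, not MarkLogic code: it is a simplified model that ignores role inheritance, and the claims-writer and claims-reader roles are hypothetical.

```python
# Added illustration: simplified model of the permission unions described above.
# Not MarkLogic code. Role inheritance is ignored; "claims-*" roles are hypothetical.

# Grants that releases before 10.0-1 added to every document written through REST.
REST_IMPLICIT = {("rest-reader", "read"), ("rest-writer", "update")}

# Default permissions per role. The rest-writer entry follows this page.
ROLE_DEFAULTS = {
    "rest-writer": {("rest-reader", "read"), ("rest-writer", "update")},
    "claims-writer": {("claims-reader", "read"), ("claims-writer", "update")},
}

def document_permissions(major_version, user_roles, request_perms=(),
                         user_defaults=(), existing=None, update_policy=None):
    """Return the (role, capability) pairs on a document after PUT v1/documents."""
    if update_policy == "overwrite-metadata" and existing is not None:
        base = set(existing)               # existing permissions replace the defaults
    else:
        base = set(user_defaults)          # defaults set on the user ...
        for role in user_roles:            # ... plus defaults set on the user's roles
            base |= ROLE_DEFAULTS.get(role, set())
    perms = set(request_perms) | base
    if major_version < 10:
        perms |= REST_IMPLICIT             # pre-10 behaviour: convenience roles always added
    return perms

def lost_on_upgrade(user_roles, **write):
    """Grants a write produced in MarkLogic 9 that the same write lacks in 10."""
    return (document_permissions(9, user_roles, **write)
            - document_permissions(10, user_roles, **write))

if __name__ == "__main__":
    for roles in (["rest-writer"], ["claims-writer"]):
        print(roles, "loses", sorted(lost_on_upgrade(roles)))
    # Naming rest-reader in the request keeps its read grant in MarkLogic 10:
    print(sorted(document_permissions(10, ["claims-writer"],
                                      request_perms=[("rest-reader", "read")])))
```

A non-empty result from lost_on_upgrade marks a writer whose documents rest-reader or rest-writer users could reach in MarkLogic 9 but cannot reach in MarkLogic 10 unless the request or the default permissions name those roles.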