Limiting Optic security permissions
22 August 2023 07:09 AM

Summary

The Optic security advisory recommends upgrading. If you are not able to upgrade straight away, the following steps can be followed as an interim mitigation to disable the Optic query functionality until the upgrade is done.

Note: This removes the ability to run all Optic and SPARQL queries, so this mitigation can only be applied if no applications rely on those features. It is not a substitute for the upgrade.

Solution

The Optic and SPARQL query engines can be disabled via a script, or via the administration user interface.

In both cases the goal is to remove the sem:sparql execute privilege from every role that holds it. The script removes it from the out-of-the-box roles and reports any custom roles that still hold it; those must be handled manually (see "Manual privilege removal").

Scripted privilege removal

Run the script listed below against your cluster to remove the sem:sparql privilege from the out-of-the-box roles. The script removes the privilege from the four out-of-the-box roles, then lists any custom roles that still hold it so that they can be removed manually; it does not modify custom roles itself. Please record the affected roles from the script output if you intend to re-enable the privilege after upgrading your deployment, as that output is the only record of what was changed.

xquery version "1.0-ml";
(:
 : Interim mitigation: remove the sem:sparql execute privilege from the
 : MarkLogic out-of-the-box roles that hold it, and report any other
 : (custom) roles that still hold it so they can be handled manually.
 :
 : Only the four roles listed in $ootb-sem-sparql-roles are modified.
 : The lookup runs read-only against the security database; the actual
 : removal is performed in a separate update transaction.
 :
 : NOTE(review): presumably this has to be evaluated by a user allowed to
 : modify security objects (e.g. admin) -- confirm before running.
 : Keep the returned role list: it is the only record of what was changed
 : and is needed to re-add the privilege after upgrading.
 :)
import module namespace sec="http://marklogic.com/xdmp/security" at 
    "/MarkLogic/security.xqy";
(: The four out-of-the-box roles this script is permitted to change. :)
let $ootb-sem-sparql-roles:=  ("optic-reader-internal",
                              "qconsole-internal",
                              "rest-writer-internal",
                              "rest-reader-internal")
(: Action URI of the sem:sparql execute privilege. :)
let $remove-privilege:="http://marklogic.com/xdmp/privileges/sem-sparql"
(: Evaluate against the security database (see options at the end) in
 : query mode; the removal further down opens its own update transaction. :)
return xdmp:invoke-function(function() {
    (: Look up the execute privilege; abort if it is missing or ambiguous
     : rather than guessing which privilege document to edit. :)
    let $sem-sparql-priv:=sec:get-privilege($remove-privilege,"execute")  
    let $_ := if (fn:count($sem-sparql-priv) eq 0 ) then fn:error(xs:QName("PRIV-NOT-FOUND"),"sem-sparql privilege not found. Contact MarkLogic Support.") else ()
    let $_ := if (fn:count($sem-sparql-priv) gt 1 ) then fn:error(xs:QName("MULTIPLE-PRIVS-FOUND"),"Multiple sem-sparql privileges found. Contact MarkLogic Support.") else ()
    (: Roles currently holding the privilege, resolved from ids to names. :)
    let $role-ids-having-sem-sparql:=$sem-sparql-priv/sec:role-ids/sec:role-id/xs:unsignedLong(.)
    let $role-names:=sec:get-role-names($role-ids-having-sem-sparql)/xs:string(.)
    (: Split into the OOTB roles this script modifies and the custom roles
     : it only reports. :)
    let $ootb-roles-having-sem-sparql:=$role-names[. = $ootb-sem-sparql-roles]
    let $custom-roles-having-sem-sparql:=$role-names[fn:not(. = $ootb-sem-sparql-roles)]
    (: Remove the privilege from the OOTB roles only, in a separate update
     : transaction (the enclosing invoke runs with update "false").
     : Custom roles are deliberately left untouched. :)
    let $_ := if (fn:count($ootb-roles-having-sem-sparql) gt 0) then
                 xdmp:invoke-function(function() {
                   sec:privilege-remove-roles($remove-privilege,"execute",$ootb-roles-having-sem-sparql)
                  },map:map()=>map:with('update',"true"))
              else ()
    (: Report what was removed and which custom roles still need manual
     : attention. This output is the record to keep for re-enabling. :)
    return  if (fn:count($role-names) eq 0) then
                 "No roles have the sem:sparql privilege." 
               else
                 ("Removed sem:sparql from the following MarkLogic Server out-of-the-box roles:",
                  if (fn:count($ootb-roles-having-sem-sparql) eq 0) then "No OOTB roles have sem:sparql" else $ootb-roles-having-sem-sparql,
                  "The following non OOTB roles have sem:sparql which should be removed manually:",
                  if (fn:count($custom-roles-having-sem-sparql) eq 0) then "No custom roles present having sem:sparql" else $custom-roles-having-sem-sparql)
(: Run against the security database, read-only; the update above is its
 : own transaction. :)
},map:map()=>map:with("database",xdmp:security-database())
 =>map:with("update","false"))

Manual privilege removal

Alternatively, the sem:sparql privilege can be removed manually via the Admin UI. From the side menu, select Security > Execute Privileges. Scroll to the sem:sparql privilege, click on it, uncheck every role that is selected (both out-of-the-box and custom roles) and click "OK". Please record the affected roles before unchecking them if you intend to re-enable the privilege after upgrading your deployment.



Attachments 
 
 remove-sem-sparql-priv.xqy (2.19 KB)