Posted to oak-issues@jackrabbit.apache.org by "Brendan Robert (Jira)" <ji...@apache.org> on 2022/05/19 20:37:00 UTC

[jira] [Comment Edited] (OAK-9775) ACEs with unsupported restrictions must be cleared upon editing

    [ https://issues.apache.org/jira/browse/OAK-9775?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17539787#comment-17539787 ] 

Brendan Robert edited comment on OAK-9775 at 5/19/22 8:36 PM:
--------------------------------------------------------------

Also the validation error produced by this makes no sense today.  For example:
{code:java}
org.apache.jackrabbit.oak.api.CommitFailedException: OakAccessControl0013: Duplicate ACE '/rep:policy/deny21' found in policy
at org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlValidator.accessViolation(AccessControlValidator.java:309) [org.apache.jackrabbit.oak-core:1.40.0.T20211119100624-06dae64]
at org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlValidator.checkValidPolicy(AccessControlValidator.java:210) [org.apache.jackrabbit.oak-core:1.40.0.T20211119100624-06dae64]{code}

The duplication check is based on the policy content, not the node names; however, the conflicting policy node path is not provided, nor are the policy node values. A developer or admin receiving this error doesn't have a lot of data points to triage the problem in this case.


was (Author: brobert):
Also the validation error produced by this makes no sense today.  For example:
org.apache.jackrabbit.oak.api.CommitFailedException: OakAccessControl0013: Duplicate ACE '/rep:policy/deny21' found in policy
	at org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlValidator.accessViolation(AccessControlValidator.java:309) [org.apache.jackrabbit.oak-core:1.40.0.T20211119100624-06dae64]
	at org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlValidator.checkValidPolicy(AccessControlValidator.java:210) [org.apache.jackrabbit.oak-core:1.40.0.T20211119100624-06dae64]
The duplication check is based on the policy content, not the node names; however, the conflicting policy node path is not provided, nor are the policy node values. A developer or admin receiving this error doesn't have a lot of data points to triage the problem in this case.

> ACEs with unsupported restrictions must be cleared upon editing
> ---------------------------------------------------------------
>
>                 Key: OAK-9775
>                 URL: https://issues.apache.org/jira/browse/OAK-9775
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: core, security
>            Reporter: Angela Schreiber
>            Assignee: Angela Schreiber
>            Priority: Critical
>             Fix For: 1.44.0
>
>
> If the tree presentation of an access control list contains restrictions that are not supported, the restriction provider will ignore them upon reading the policy from the content repository.
> This will lead to ACEs being generated that contain an incomplete restriction set. However, the access control manager fails to detect them as incomplete or invalid, which upon editing of the policy will lead to 
> - incomplete ACEs being written back _or_
> - AccessControlValidator failing in case the incomplete ACEs result in duplications
> Instead, ACEs containing unsupported restrictions must be detected and removed from the policy upon editing (with an error being logged).
> How to get there:
> - custom restrictions being written to the repository and the custom restriction provider being uninstalled from the security setup
> - using newer restrictions and then using that repository content with an older Oak version that doesn't support those restrictions
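As an added example (not code from the issue, the comment, or Oak itself), a hypothetical `AclAudit.audit` helper that walks the raw `rep:policy` tree below a path and reports the two things this thread says are missing: ACE nodes carrying restriction names the installed restriction provider does not support, and ACE pairs that become duplicates once those restrictions are ignored, each with its path, principal, privileges and restriction values. It assumes an open JCR `Session` with read access to the policy nodes and the standard Oak ACE layout (`rep:principalName`, `rep:privileges`, a `rep:restrictions` child node).

```java
import java.util.*;
import javax.jcr.*;
import javax.jcr.security.AccessControlPolicy;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;

// Hypothetical audit helper: inspects the raw rep:policy tree rather than the API view,
// because the API view has already dropped any restriction the provider does not know.
public final class AclAudit {
    public static List<String> audit(Session session, String path) throws RepositoryException {
        List<String> findings = new ArrayList<>();
        // Restriction names the installed restriction provider(s) currently support.
        Set<String> supported = new HashSet<>();
        for (AccessControlPolicy p : session.getAccessControlManager().getPolicies(path)) {
            if (p instanceof JackrabbitAccessControlList) {
                Collections.addAll(supported, ((JackrabbitAccessControlList) p).getRestrictionNames());
            }
        }
        Map<String, String> seen = new HashMap<>();   // content key -> path of first ACE carrying it
        for (NodeIterator it = session.getNode(path).getNode("rep:policy").getNodes(); it.hasNext();) {
            Node ace = it.nextNode();
            if (!ace.hasProperty("rep:principalName")) continue;   // not an ACE node
            // Key on what the validator sees after reading: allow/deny type, principal, privileges and
            // only the *supported* restrictions; dropping the rest is how two distinct ACEs "duplicate".
            StringBuilder key = new StringBuilder(ace.getPrimaryNodeType().getName())
                    .append('|').append(ace.getProperty("rep:principalName").getString())
                    .append('|').append(values(ace.getProperty("rep:privileges")));
            if (ace.hasNode("rep:restrictions")) {
                Map<String, String> restr = new TreeMap<>();   // sorted for a stable key
                for (PropertyIterator pi = ace.getNode("rep:restrictions").getProperties(); pi.hasNext();) {
                    Property r = pi.nextProperty();
                    if (r.getName().startsWith("jcr:")) continue;   // jcr:primaryType, not a restriction
                    if (supported.contains(r.getName())) {
                        restr.put(r.getName(), values(r));
                    } else {
                        findings.add(ace.getPath() + ": unsupported restriction " + r.getName() + "=" + values(r));
                    }
                }
                key.append('|').append(restr);
            }
            String first = seen.putIfAbsent(key.toString(), ace.getPath());
            if (first != null) findings.add(ace.getPath() + ": duplicate of " + first + " [" + key + "]");
        }
        return findings;
    }

    // Single- or multi-valued property rendered as a stable string (multi-values sorted).
    private static String values(Property p) throws RepositoryException {
        if (!p.isMultiple()) return p.getString();
        List<String> out = new ArrayList<>();
        for (Value v : p.getValues()) out.add(v.getString());
        Collections.sort(out);
        return out.toString();
    }
}
```

Run it against a path before editing its policy: a non-empty result lists exactly the ACE nodes that the validator would later reject as duplicates, together with the data needed to decide which entry to keep.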



--
This message was sent by Atlassian Jira
(v8.20.7#820007)