Posted to dev@sling.apache.org by Timothee Maret <tm...@apache.org> on 2016/12/20 13:55:01 UTC

Skipping structural/security resources from user content

Hi,

I would need to set up ACLs in AEM for the Sling tenant module such that the
sling-tenant service user can read/write under /etc/tenants.
Currently, the TenantProvider considers anything under /etc/tenants as a
tenant (including ACL resources such as rep:policy).

I think we could generally solve this in either of the following ways:

1. Allow the TenantProvider to skip a configurable list of resource names
when listing tenants; or
2. Use the Jackrabbit support for ACL glob restrictions and set the ACE
under /etc instead of /etc/tenants

Going the 1. route is easy, but I am expecting the pattern occurs in many
modules and it may be complex to maintain the duplicated configurations.
Going the 2. route may be better, but we'd need support for specifying glob
restrictions in repoinit.

What pattern makes the most sense?

Regards,

Timothee

Re: Skipping structural/security resources from user content

Posted by Timothee Maret <tm...@apache.org>.
Hi Bertrand,

It seems there was a concurrent need for this feature :-)
Thanks for sharing the JIRA reference and proposing a syntax!

I think the best is to support the generic one, let's discuss in the issue.

Regards,

Timothee

2016-12-21 15:49 GMT+01:00 Bertrand Delacretaz <bd...@apache.org>:

> On Tue, Dec 20, 2016 at 2:55 PM, Timothee Maret <tm...@apache.org> wrote:
> > ...Going the 2. route may be better, but we'd need support for specifying glob
> > restrictions in repoinit....
>
> Supporting ACL restrictions in repoinit would be good,
> https://issues.apache.org/jira/browse/SLING-6422 has recently been
> created about that.
>
> I have just added a suggested syntax, feedback is welcome.
>
> -Bertrand
>

Re: Skipping structural/security resources from user content

Posted by Bertrand Delacretaz <bd...@apache.org>.
On Tue, Dec 20, 2016 at 2:55 PM, Timothee Maret <tm...@apache.org> wrote:
> ...Going the 2. route may be better, but we'd need support for specifying glob
> restrictions in repoinit....

Supporting ACL restrictions in repoinit would be good,
https://issues.apache.org/jira/browse/SLING-6422 has recently been
created about that.

I have just added a suggested syntax, feedback is welcome.

-Bertrand