You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@sling.apache.org by "Angela Schreiber (Jira)" <ji...@apache.org> on 2021/01/13 08:11:00 UTC

[jira] [Commented] (SLING-9956) RepPolicyEntryHandler ignores ACEs on repository level

    [ https://issues.apache.org/jira/browse/SLING-9956?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17263974#comment-17263974 ] 

Angela Schreiber commented on SLING-9956:
-----------------------------------------

[~karlpauls], proposed patch attached. i will create a PR once changes from https://github.com/apache/sling-org-apache-sling-feature-cpconverter/pull/46 are successfully merged into the main branch and i have any conflicts resolved.

a few notes/questions regarding the patch:
- the regex in the new RepRepoPolicyEntryHandler looks a rather ugly to me.... if you have a better idea on how to do this without changing too much of the logic in RepPolicyEntryHandler, please let me know.
- RepoPath: should isRepositoryPath be reflected in the equals/hashcode methods?
- DefaultAclManager: the method getRepoInitPath introduced in the patch has a param SystemUser which is not used yet.... but will it be needed for SLING-9692 and SLING-9953. since i derived the patch from some initial work done for those issues i decided to leave it in. 
- TestUtils: i noticed that quite some test copy the logic on how to mock the fvault parts. i didn't yet replace all copies (just the one in the SystemUserHandlerTest). should i rather create a separate improvement for that?

> RepPolicyEntryHandler ignores ACEs on repository level
> ------------------------------------------------------
>
>                 Key: SLING-9956
>                 URL: https://issues.apache.org/jira/browse/SLING-9956
>             Project: Sling
>          Issue Type: Bug
>          Components: Content-Package to Feature Model Converter
>            Reporter: Angela Schreiber
>            Priority: Major
>             Fix For: Content-Package to Feature Model Converter 1.0.26
>
>         Attachments: SLING-9956.patch
>
>
> based on my reading of https://github.com/apache/sling-org-apache-sling-feature-cpconverter/blob/master/src/main/java/org/apache/sling/feature/cpconverter/handlers/RepPolicyEntryHandler.java#L56
> i don't see how the converter would handle service user permissions that are defined for the repository level that in JCR access control management API are defined using a {{null}} path.
> with the default authorization module in oak the corresponding ACL is stored at the root node with a dedicated policy node named {{rep:repoPolicy}} (see http://jackrabbit.apache.org/oak/docs/security/accesscontrol/default.html#representation)
> i guess this bug requires 3 steps:
> - adjust the regexp in the handler
> - adjust "Acl" class (which reprents an Ace) to make sure repo-level aces are properly identified (e.g. extra method isRepositoryLevel or set the correct path field to null)
> - adjust https://github.com/apache/sling-org-apache-sling-feature-cpconverter/blob/master/src/main/java/org/apache/sling/feature/cpconverter/acl/DefaultAclManager.java#L242 to proper create repository level entries with repo-init. according to https://sling.apache.org/documentation/bundles/repository-initialization.html this is achieved using the following special path:
> {code}
> set ACL for alice,bob
>     allow jcr:namespaceManagement on :repository
> end
> {code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)