You are viewing a plain text version of this content. The canonical link for it is here.
Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2016/06/14 09:30:50 UTC
svn commit: r1748366 -
/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/mappingtoprivileges.md
Author: angela
Date: Tue Jun 14 09:30:50 2016
New Revision: 1748366
URL: http://svn.apache.org/viewvc?rev=1748366&view=rev
Log:
minor improvement: add index-def-management to the call-privilege mapping and separate transient, workspace and repository operations
Modified:
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/mappingtoprivileges.md
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/mappingtoprivileges.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/mappingtoprivileges.md?rev=1748366&r1=1748365&r2=1748366&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/mappingtoprivileges.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/mappingtoprivileges.md Tue Jun 14 09:30:50 2016
@@ -19,7 +19,9 @@
The following table allows to identify which API calls require which type of
privilege(s)
-#### Read
+#### Transient Operations
+
+##### Read
| API Call | Privilege(s) |
|----------------------------------------------|--------------------------------|
@@ -58,7 +60,7 @@ privilege(s)
| `Session.exportSystemView` | `jcr:read` |
| `Session.exportDocumentView` | `jcr:read` |
-#### Writing Properties
+##### Writing Properties
| API Call | Privilege(s) |
|----------------------------------------------|--------------------------------|
@@ -69,7 +71,7 @@ privilege(s)
| `Node.setProperty(String, null)` | `rep:removeProperties` |
| `JackrabbitSession.removeItem` (item is a property) | `rep:removeProperties` |
-#### Writing Nodes
+##### Writing Nodes
| API Call | Privilege(s) |
|----------------------------------------------|--------------------------------|
@@ -82,52 +84,33 @@ privilege(s)
| `Node.removeMixin` | `jcr:nodeTypeManagement` |
| `Node.orderBefore` | `jcr:addChildNodes` and `jcr:removeChildNodes` (on parent) |
-#### Move, Copy and Import
+##### Writing Index Definition
-| API Call | Privilege(s) |
-|----------------------------------------------|--------------------------------|
-| `Session.move` | `jcr:removeChildNodes` (source parent) and `jcr:addChildNodes` (target parent) |
-| `Workspace.move` | `jcr:removeChildNodes` (source parent) and `jcr:addChildNodes` (target parent) |
-| `Workspace.copy` | same privileges as if items would be created using regular API calls |
-| `Session.importXml` | same privileges as if items would be created using regular API calls |
-| `Workspace.importXml` | same privileges as if items would be created using regular API calls |
+While covered by regular JCR API write operations the target items require a
+dedicated privilege despite the fact that the item definitions are not protected
+(see Oak JIRA for corresponding discussions).
-#### Version Management
+All items located within a path that contains `oak:index` will be considered part
+of the special index definition.
| API Call | Privilege(s) |
|----------------------------------------------|--------------------------------|
-| `VersionManager.isCheckedOut` | `rep:readNodes` on versionable node and `rep:readProperties` on its property `jcr:isCheckedOut` |
-| `VersionManager.getVersionHistory` | `rep:readNodes` on versionable node and `rep:readProperties` on its property `jcr:versionHistory` |
-| `VersionManager.getBaseVersion` | `rep:readNodes` on versionable node and `rep:readProperties` on its property `jcr:baseVersion` |
-| `VersionManager.checkin` | `jcr:versionManagement` on versionable node |
-| `VersionManager.checkout` | `jcr:versionManagement` on versionable node |
-| `VersionManager.checkpoint` | `jcr:versionManagement` on versionable node |
-| `VersionManager.restore` | _TODO_ |
-| `VersionManager.restoreByLabel` | _TODO_ |
-| `VersionManager.merge` | _TODO_ |
-| `VersionManager.cancelMerge` | _TODO_ |
-| `VersionManager.doneMerge` | _TODO_ |
-| `VersionManager.createConfiguration` | _TODO_ |
-| `VersionManager.setActivity` | _TODO_ |
-| `VersionManager.createActivity` | _TODO_ |
-| `VersionManager.removeActivity` | _TODO_ |
-| `VersionHistory.*` (read) | `rep:readNodes` on versionable node |
-| `VersionHistory.removeVersion` | `jcr:versionManagement` on versionable node |
-| `Version.*` (read) | `rep:readNodes` on versionable node |
-
-NOTE: since Oak 1.0 read/write access to version storage is defined by accessibility of the versionable node and _not_ to the version store items.
+| `Node.addNode(String, String)` | `rep:indexDefinitionManagement`|
+| `Node.addNode(String)` | `rep:indexDefinitionManagement`|
+| `Node.orderBefore` | `rep:indexDefinitionManagement`|
+| `Node.setProperty` | `rep:indexDefinitionManagement`|
+| `Property.setValue` | `rep:indexDefinitionManagement`|
+| `Item.remove` (i.e. Node and Property) | `rep:indexDefinitionManagement`|
+| `JackrabbitSession.removeItem` | `rep:indexDefinitionManagement`|
-#### Lock Management
+##### Move and Import
| API Call | Privilege(s) |
|----------------------------------------------|--------------------------------|
-| `LockManager.getLock` = `Node.getLock` | `jcr:read` |
-| `LockManager.isLocked` = `Node.isLocked` | `jcr:read` |
-| `LockManager.holdsLock` = `Node.holdsLock` | `jcr:read` |
-| `LockManager.lock` = `Node.lock` | `jcr:lockManagement` |
-| `LockManager.unlock` = `Node.unlock` | `jcr:lockManagement` |
+| `Session.move` | `jcr:removeChildNodes` (source parent) and `jcr:addChildNodes` (target parent) |
+| `Session.importXml` | same privileges as if items would be created using regular API calls |
-#### Access Control Management
+##### Access Control Management
| API Call | Privilege(s) |
|----------------------------------------------|--------------------------------|
@@ -138,7 +121,7 @@ NOTE: since Oak 1.0 read/write access to
| `AccessControlManager.removePolicy` | `jcr:modifyAccessControl` |
| `PrivilegeManager.registerPrivilege` | `rep:privilegeManagent` at 'null' path |
-#### User Management
+##### User Management
| API Call | Privilege(s) |
|----------------------------------------------|--------------------------------|
@@ -176,13 +159,13 @@ NOTE: since Oak 1.0 read/write access to
| `Authorizable.setProperty` (with relPath | `rep:addProperties` and/or `rep:alterProperties`, `jcr:addChildNodes` |
| `Authorizable.removeProperty` | `rep:removeProperties` |
-#### LifeCycle Management
+##### LifeCycle Management
| API Call | Privilege(s) |
|----------------------------------------------|--------------------------------|
| `Node.followLifecycleTransition` | `jcr:lifecycleManagement` |
-#### Retention Management
+##### Retention Management
| API Call | Privilege(s) |
|----------------------------------------------|--------------------------------|
@@ -193,7 +176,56 @@ NOTE: since Oak 1.0 read/write access to
| `RetentionManager.setRetentionPolicy` | `jcr:retentionManagement` |
| `RetentionManager.removeRetentionPolicy` | `jcr:retentionManagement` |
-#### Namespace Management
+#### Workspace Operations
+
+##### Move, Copy and Import
+
+| API Call | Privilege(s) |
+|----------------------------------------------|--------------------------------|
+| `Workspace.move` | `jcr:removeChildNodes` (source parent) and `jcr:addChildNodes` (target parent) |
+| `Workspace.copy` | same privileges as if items would be created using regular API calls |
+| `Workspace.importXml` | same privileges as if items would be created using regular API calls |
+
+##### Version Management
+
+| API Call | Privilege(s) |
+|----------------------------------------------|--------------------------------|
+| `VersionManager.isCheckedOut` | `rep:readNodes` on versionable node and `rep:readProperties` on its property `jcr:isCheckedOut` |
+| `VersionManager.getVersionHistory` | `rep:readNodes` on versionable node and `rep:readProperties` on its property `jcr:versionHistory` |
+| `VersionManager.getBaseVersion` | `rep:readNodes` on versionable node and `rep:readProperties` on its property `jcr:baseVersion` |
+| `VersionManager.checkin` | `jcr:versionManagement` on versionable node |
+| `VersionManager.checkout` | `jcr:versionManagement` on versionable node |
+| `VersionManager.checkpoint` | `jcr:versionManagement` on versionable node |
+| `VersionManager.restore` | _TODO_ |
+| `VersionManager.restoreByLabel` | _TODO_ |
+| `VersionManager.merge` | _TODO_ |
+| `VersionManager.cancelMerge` | _TODO_ |
+| `VersionManager.doneMerge` | _TODO_ |
+| `VersionManager.createConfiguration` | _TODO_ |
+| `VersionManager.setActivity` | _TODO_ |
+| `VersionManager.createActivity` | _TODO_ |
+| `VersionManager.removeActivity` | _TODO_ |
+| `VersionHistory.*` (read) | `rep:readNodes` on versionable node |
+| `VersionHistory.removeVersion` | `jcr:versionManagement` on versionable node |
+| `Version.*` (read) | `rep:readNodes` on versionable node |
+
+NOTE: since Oak 1.0 read/write access to version storage is defined by accessibility of the versionable node and _not_ to the version store items.
+
+##### Lock Management
+
+| API Call | Privilege(s) |
+|----------------------------------------------|--------------------------------|
+| `LockManager.getLock` = `Node.getLock` | `jcr:read` |
+| `LockManager.isLocked` = `Node.isLocked` | `jcr:read` |
+| `LockManager.holdsLock` = `Node.holdsLock` | `jcr:read` |
+| `LockManager.lock` = `Node.lock` | `jcr:lockManagement` |
+| `LockManager.unlock` = `Node.unlock` | `jcr:lockManagement` |
+
+#### Repository Operations
+
+Note: privileges for repository operations need to be granted|denied on the _null_ path.
+
+##### Namespace Management
| API Call | Privilege(s) |
|----------------------------------------------|--------------------------------|
@@ -204,7 +236,7 @@ NOTE: since Oak 1.0 read/write access to
| `NamespaceRegistry.registerNamespace` | `jcr:namespaceManagement` |
| `NamespaceRegistry.unregisterNamespace` | `jcr:namespaceManagement` |
-#### NodeType Management
+##### NodeType Management
| API Call | Privilege(s) |
|----------------------------------------------|--------------------------------|
@@ -221,7 +253,7 @@ NOTE: since Oak 1.0 read/write access to
| `NodeTypeManager.unregisterNodeType` | `jcr:nodeTypeDefinitionManagement` |
| `NodeTypeManager.unregisterNodeTypes` | `jcr:nodeTypeDefinitionManagement` |
-#### Privilege Management
+##### Privilege Management
| API Call | Privilege(s) |
|----------------------------------------------|--------------------------------|
@@ -229,7 +261,7 @@ NOTE: since Oak 1.0 read/write access to
| `PrivilegeManager.getPrivilege` | `jcr:read` |
| `PrivilegeManager.registerPrivilege` | `rep:privilegeManagement` |
-#### Workspace Management
+##### Workspace Management
| API Call | Privilege(s) |
|----------------------------------------------|--------------------------------|