Posted to users@sling.apache.org by Anuj Kumar <an...@gmail.com> on 2011/08/16 18:26:34 UTC

Access Control Management with JCR

Hello Everyone,

I am trying to understand the access management with JCR, using an example
of Blog posts. I am using espblog example of Apache Sling and trying to work
with the permissions on different blog posts. I am trying to create some
content in such a way that it is accessible to only a certain group of
users. Also, there are posts that are public and private.

It is my first attempt with Jackrabbit and Sling, so, please let me know
what works and what does not. That would be of great help. Here are the
details-

Suppose, I have a repository structure as-

/
-- myapp
    |
    --- blogs
        |
        --- private
        |
        --- public
        |
        --- shared

As the folder names suggest, I am trying to organize the content depending
on the required security, i.e.
1. If a user wants to publish the blog for everyone, the content is posted
to /myapp/blogs/public/*
2. If a user wants to keep some articles private, it is posted to
/myapp/blogs/private/*
3. If a user wants to publish the blog for a limited group of people, the
content is posted to /myapp/blogs/shared/* with appropriate permissions.

Depending on the scenario-

1. The 'private' folder disallows any anonymous access and each content is
accessible only to the author. (All Permissions for the author)
2. The 'public' folder allows everyone, including anonymous (Read, Write)
3. The 'shared' folder has the policies set per content, depending on the
author (Read, Write, Read Permission, Write Permission only to the author or
participating entities)

For this scenario, my questions are-

1. Does it make sense to have this kind of access policies?
Are there better ways to do so?
2. When I assign the permission to folders- private, public and shared, how
does it affect the permission for parent folders- myapp and blogs?
3. Isn't 'write' permission enough for adding new content nodes to the
existing node on which the 'write' permission is given? I tried assigning
the read, write permissions to a group of blog users on 'private' folder but
it didn't work. The write permission allows you to create child nodes as
well but still I am getting access denied exception. Moreover, if I assign
all the permissions on 'private' node it works, but that includes the read,
write access to permissions as well.

Thanks for your help.

Regards,
Anuj

Re: Access Control Management with JCR

Posted by Anuj Kumar <an...@gmail.com>.
On Thu, Aug 18, 2011 at 11:07 PM, Mark Herman <MH...@nbme.org> wrote:

> >Thanks Mark. So, I will try to restructure and maybe get the private,
> >public and shared folders up at the root level and then have different app
> >content within them depending on the permissions. Also, on the same lines,
> >does it make sense to have a separate folder for each user under the
> >'private' folder to separate the content?
>
> I think so. You either can apply permissions on every node you add, or rely
> on the inheritance.  Otherwise you could have everything open and implement
> the security in your application but I wouldn't recommend that.
>

Thanks. As you mentioned, permission at node level will be a better choice
instead of leaving everything open.


>
> >I am confused on what is the best way to manage user specific content. I
> >read about the clear indication of not to use workspaces for individual
> >users. Keeping that in mind, I would prefer to have a separate folder for
> >each user and give the control to the owner. By going with this approach the
> >number of folders will grow with the number of users and that may be huge. I
> >don't know about Jackrabbit's limitations but can you or anyone on this
> >mailing list suggest from one's experience?
>
> I definitely agree that separate workspaces is not a good idea. I think
> having a large number of workspaces is going to hurt you before having the
> same number of children under one node in one workspace.  How many users are
> you talking about?  If it's under 10k you should be fine.  If it's more you
> might just want to manually break it up by alphabet, or use something like
> jackrabbit's BTreeManager [1].  That should create a balanced hierarchy
> underneath one node when all you're doing is adding to the top node.  The
> downside is you can't assume anything about the path, so you either have to
> query without the path, or get the NodeSequence from the treemanager and call
> nodes.getItem("username")
>

The number of users will be more than 50k. So, I will check BTreeManager.
Thanks a lot Mark. This was really helpful.


>
> [1]
> http://jackrabbit.apache.org/api/2.2/org/apache/jackrabbit/commons/flat/BTreeManager.html
>

RE: Access Control Management with JCR

Posted by Mark Herman <MH...@NBME.org>.
>Thanks Mark. So, I will try to restructure and maybe get the private,
>public and shared folders up at the root level and then have different app
>content within them depending on the permissions. Also, on the same lines,
>does it make sense to have a separate folder for each user under the
>'private' folder to separate the content?

I think so. You either can apply permissions on every node you add, or rely
on the inheritance.  Otherwise you could have everything open and implement
the security in your application but I wouldn't recommend that.

>I am confused on what is the best way to manage user specific content. I
>read about the clear indication of not to use workspaces for individual
>users. Keeping that in mind, I would prefer to have a separate folder for
>each user and give the control to the owner. By going with this approach the
>number of folders will grow with the number of users and that may be huge. I
>don't know about Jackrabbit's limitations but can you or anyone on this
>mailing list suggest from one's experience?

I definitely agree that separate workspaces is not a good idea. I think
having a large number of workspaces is going to hurt you before having the
same number of children under one node in one workspace.  How many users are
you talking about?  If it's under 10k you should be fine.  If it's more you
might just want to manually break it up by alphabet, or use something like
jackrabbit's BTreeManager [1].  That should create a balanced hierarchy
underneath one node when all you're doing is adding to the top node.  The
downside is you can't assume anything about the path, so you either have to
query without the path, or get the NodeSequence from the treemanager and call
nodes.getItem("username")


[1]
http://jackrabbit.apache.org/api/2.2/org/apache/jackrabbit/commons/flat/BTreeManager.html


Re: Access Control Management with JCR

Posted by Anuj Kumar <an...@gmail.com>.
On Thu, Aug 18, 2011 at 8:42 PM, Angela Schreiber <an...@adobe.com> wrote:

>
>
> On 8/18/11 4:19 PM, Mark Herman wrote:
>
>> 1. I think that should work.  This approach is kind of a "everything open
>> unless I close it" mindset, where you may want to consider "everything is
>> closed unless I open it."  If myapp and blog need anonymous access for some
>> reason you may want to restructure so the content folders don't need to be
>> under them.
>>
>
Thanks Mark. So, I will try to restructure and maybe get the private,
public and shared folders up at the root level and then have different app
content within them depending on the permissions. Also, on the same lines,
does it make sense to have a separate folder for each user under the
'private' folder to separate the content?

I am confused on what is the best way to manage user specific content. I
read about the clear indication of not to use workspaces for individual
users. Keeping that in mind, I would prefer to have a separate folder for
each user and give the control to the owner. By going with this approach the
number of folders will grow with the number of users and that may be huge. I
don't know about Jackrabbit's limitations but can you or anyone on this
mailing list suggest from one's experience?

>
>> 2. All permissions will only go down a hierarchy.  Changing the permissions
>> on a child won't have any effect on the parent (except for the fact that its
>> child was changed).  Obviously changes to the parent's security will be
>> inherited by the children.
>>
>
> ... unless you explicitly stop the inheritance by specifying
> an extra restriction with that ACE that only matches the
> parent node. this is part of the jackrabbit-specific extension
> of the JCR access control API.
>
Thanks Mark and Angela. This helps. Also, I am referring to-
http://wiki.apache.org/jackrabbit/AccessControl

>
>> 3. I'm not too familiar but through trial and error it looks like you need to
>> add jcr:nodeTypeManagement as well.  I guess choosing a primary node type for
>> a new node counts as nodeTypeManagement.
>>
>
> correct, Node.addNode(String) does not need the extra privilege
> but Node.addNode(String, String ntName) does.
>
Thanks. Yes, this was the issue, jcr:all includes jcr:nodeTypeManagement
and that's why it worked with jcr:all but not with jcr:write.


> regards
> angela
>

Re: Access Control Management with JCR

Posted by Angela Schreiber <an...@adobe.com>.

On 8/18/11 4:19 PM, Mark Herman wrote:
> 1. I think that should work.  This approach is kind of a "everything open
> unless I close it" mindset, where you may want to consider "everything is
> closed unless I open it."  If myapp and blog need anonymous access for some
> reason you may want to restructure so the content folders don't need to be
> under them.
>
> 2. All permissions will only go down a hierarchy.  Changing the permissions
> on a child won't have any effect on the parent (except for the fact that its
> child was changed).  Obviously changes to the parent's security will be
> inherited by the children.

... unless you explicitly stop the inheritance by specifying
an extra restriction with that ACE that only matches the
parent node. this is part of the jackrabbit-specific extension
of the JCR access control API.

> 3. I'm not too familiar but through trial and error it looks like you need to
> add jcr:nodeTypeManagement as well.  I guess choosing a primary node type for
> a new node counts as nodeTypeManagement.

correct, Node.addNode(String) does not need the extra privilege
but Node.addNode(String, String ntName) does.

regards
angela
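
Added example (not part of the original thread, and not Sling or Jackrabbit project code): the two points confirmed above, written against the JCR 2.0 access control API with Jackrabbit's extension. The class name BlogAcl, the group name "blog-users" and the use of an admin session are assumptions; "rep:glob" is Jackrabbit's restriction name, which the thread itself does not mention.

```java
import java.security.Principal;
import java.util.Collections;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
public final class BlogAcl {
    // Editable ACL for a path: the policy already bound there, else an applicable one.
    static JackrabbitAccessControlList aclFor(AccessControlManager acm, String path)
            throws RepositoryException {
        for (AccessControlPolicy p : acm.getPolicies(path)) {
            if (p instanceof JackrabbitAccessControlList) return (JackrabbitAccessControlList) p;
        }
        AccessControlPolicyIterator it = acm.getApplicablePolicies(path);
        while (it.hasNext()) {
            AccessControlPolicy p = it.nextAccessControlPolicy();
            if (p instanceof JackrabbitAccessControlList) return (JackrabbitAccessControlList) p;
        }
        throw new RepositoryException("no editable ACL at " + path);
    }
    public static void apply(Session admin) throws RepositoryException {
        AccessControlManager acm = admin.getAccessControlManager();
        PrincipalManager pm = ((JackrabbitSession) admin).getPrincipalManager();
        Principal bloggers = pm.getPrincipal("blog-users"); // hypothetical group name
        if (bloggers == null) throw new RepositoryException("group blog-users not found");
        Privilege read = acm.privilegeFromName(Privilege.JCR_READ);
        // jcr:write alone lets addNode(String) succeed; addNode(String, String ntName)
        // also needs jcr:nodeTypeManagement. Neither grants ACL read/modify rights.
        JackrabbitAccessControlList acl = aclFor(acm, "/myapp/blogs/private");
        acl.addEntry(bloggers, new Privilege[] { read,
                acm.privilegeFromName(Privilege.JCR_WRITE),
                acm.privilegeFromName(Privilege.JCR_NODE_TYPE_MANAGEMENT) }, true);
        acm.setPolicy("/myapp/blogs/private", acl);
        // Read on the parent only: an empty rep:glob restricts the entry to this
        // node, so private/public/shared do not inherit it.
        Value thisNodeOnly = admin.getValueFactory().createValue("");
        JackrabbitAccessControlList parentAcl = aclFor(acm, "/myapp/blogs");
        parentAcl.addEntry(pm.getEveryone(), new Privilege[] { read }, true,
                Collections.singletonMap("rep:glob", thisNodeOnly));
        acm.setPolicy("/myapp/blogs", parentAcl);
        admin.save();
    }
}
```

Granting the three named privileges instead of jcr:all keeps jcr:readAccessControl and jcr:modifyAccessControl away from the group, which was the concern in the original question.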

RE: Access Control Management with JCR

Posted by Mark Herman <MH...@NBME.org>.
1. I think that should work.  This approach is kind of a "everything open
unless I close it" mindset, where you may want to consider "everything is
closed unless I open it."  If myapp and blog need anonymous access for some
reason you may want to restructure so the content folders don't need to be
under them.

2. All permissions will only go down a hierarchy.  Changing the permissions
on a child won't have any effect on the parent (except for the fact that its
child was changed).  Obviously changes to the parent's security will be
inherited by the children.

3. I'm not too familiar but through trial and error it looks like you need to
add jcr:nodeTypeManagement as well.  I guess choosing a primary node type for
a new node counts as nodeTypeManagement.


-----Original Message-----
From: Anuj Kumar [mailto:anujsays@gmail.com] 
Sent: Tuesday, August 16, 2011 12:27 PM
To: users@sling.apache.org; users@jackrabbit.apache.org
Subject: Access Control Management with JCR

Hello Everyone,

I am trying to understand the access management with JCR, using an example
of Blog posts. I am using espblog example of Apache Sling and trying to work
with the permissions on different blog posts. I am trying to create some
content in such a way that it is accessible to only a certain group of
users. Also, there are posts that are public and private.

It is my first attempt with Jackrabbit and Sling, so, please let me know
what works and what does not. That would be of great help. Here are the
details-

Suppose, I have a repository structure as-

/
-- myapp
    |
    --- blogs
        |
        --- private
        |
        --- public
        |
        --- shared

As the folder names suggest, I am trying to organize the content depending
on the required security, i.e.
1. If a user wants to publish the blog for everyone, the content is posted
to /myapp/blogs/public/*
2. If a user wants to keep some articles private, it is posted to
/myapp/blogs/private/*
3. If a user wants to publish the blog for a limited group of people, the
content is posted to /myapp/blogs/shared/* with appropriate permissions.

Depending on the scenario-

1. The 'private' folder disallows any anonymous access and each content is
accessible only to the author. (All Permissions for the author)
2. The 'public' folder allows everyone, including anonymous (Read, Write)
3. The 'shared' folder has the policies set per content, depending on the
author (Read, Write, Read Permission, Write Permission only to the author or
participating entities)

For this scenario, my questions are-

1. Does it make sense to have this kind of access policies?
Are there better ways to do so?
2. When I assign the permission to folders- private, public and shared, how
does it affect the permission for parent folders- myapp and blogs?
3. Isn't 'write' permission enough for adding new content nodes to the
existing node on which the 'write' permission is given? I tried assigning
the read, write permissions to a group of blog users on 'private' folder but
it didn't work. The write permission allows you to create child nodes as
well but still I am getting access denied exception. Moreover, if I assign
all the permissions on 'private' node it works, but that includes the read,
write access to permissions as well.

Thanks for your help.

Regards,
Anuj