Posted to dev@sling.apache.org by Georg Henzler <gh...@apache.org> on 2019/11/25 07:25:03 UTC

Service authentication with principals-only (and without system user)

Hi all,

For quite a while it has been possible to configure principals instead of a 
user for service authentication [1]. IMHO this suggests that an actual 
authorizable should not be required anymore, but testing it showed that 
this is explicitly checked and forbidden [2]. Now looking at how the 
code hooks into Oak [3], at least on the Sling side there seems to be little 
reason for this requirement. On the Oak side there are obvious places where 
"some user id" is needed [4] but maybe this could be auto-generated?

Could somebody clarify why a backing service user is needed and if 
(maybe :)) it would be possible to work towards getting rid of this 
requirement?

-Georg

[1]
https://issues.apache.org/jira/browse/SLING-6963
https://sling.apache.org/documentation/the-sling-engine/service-authentication.html#service-user-mappings

[2] 
https://github.com/apache/sling-org-apache-sling-jcr-resource/blob/541c918ef0869c9ff88b86ab96235ef07740c643/src/main/java/org/apache/sling/jcr/resource/internal/JcrSystemUserValidator.java#L219

[3] 
https://github.com/apache/sling-org-apache-sling-jcr-base/blob/e8fe5e004b5af1802bb2a76dbbb583a437f848ee/src/main/java/org/apache/sling/jcr/base/AbstractSlingRepository2.java#L242

[4] 
https://docs.adobe.com/docs/en/spec/javax.jcr/javadocs/jcr-2.0/javax/jcr/Session.html#getUserID()