Posted to oak-dev@jackrabbit.apache.org by Jukka Zitting <ju...@gmail.com> on 2013/01/24 14:22:19 UTC

Accessing ACLs (Was: [jira] [Created] (OAK-581) IndexDefinition for Access Control Content)

Hi,

On Thu, Jan 24, 2013 at 10:11 AM, angela (JIRA) <ji...@apache.org> wrote:
> since query is used to retrieve ac content by
> principal, the ac impl should define a property index for the
> rep:principalName defined by rep:ACE node type.

Is it essential for the access control code to use query? I would
assume that it would be both easier (i.e. less code) and more
efficient to simply read the relevant ACLs directly from the content
tree being accessed.

BR,

Jukka Zitting

Re: Accessing ACLs (Was: [jira] [Created] (OAK-581) IndexDefinition for Access Control Content)

Posted by Jukka Zitting <ju...@gmail.com>.
Hi,

On Thu, Jan 24, 2013 at 3:27 PM, Angela Schreiber <an...@adobe.com> wrote:
> it's not for the access control evaluation nor for access
> by path that the query is used... it's for the jackrabbit api
> extensions that retrieve access control content by principal.

Ah, I see, thanks!

I used to assume that the per-principal policy getters in
JackrabbitAccessControlManager referred only to global access policies
not tied to specific nodes or subtrees, and that the path-based
getters in AccessControlManager would return policies tied to the
given path. Looks like I was mistaken.

BR,

Jukka Zitting

Re: Accessing ACLs (Was: [jira] [Created] (OAK-581) IndexDefinition for Access Control Content)

Posted by Thomas Mueller <mu...@adobe.com>.
Hi,

Ah OK. Then the only solution to avoid those indexes is to not support the
feature I guess.

Regards,
Thomas


On 1/24/13 2:27 PM, "Angela Schreiber" <an...@adobe.com> wrote:

>hi jukka
>
>it's not for the access control evaluation nor for access
>by path that the query is used... it's for the jackrabbit api
>extensions that retrieve access control content by principal.
>
>you don't want a repository traversal there... trust me ;-)
>
>angela
>
>On 1/24/13 2:22 PM, Jukka Zitting wrote:
>> Hi,
>>
>> On Thu, Jan 24, 2013 at 10:11 AM, angela (JIRA)<ji...@apache.org>  wrote:
>>> since query is used to retrieve ac content by
>>> principal, the ac impl should define a property index for the
>>> rep:principalName defined by rep:ACE node type.
>>
>> Is it essential for the access control code to use query? I would
>> assume that it would be both easier (i.e. less code) and more
>> efficient to simply read the relevant ACLs directly from the content
>> tree being accessed.
>>
>> BR,
>>
>> Jukka Zitting


Re: Accessing ACLs (Was: [jira] [Created] (OAK-581) IndexDefinition for Access Control Content)

Posted by Angela Schreiber <an...@adobe.com>.
hi jukka

it's not for the access control evaluation nor for access
by path that the query is used... it's for the jackrabbit api
extensions that retrieve access control content by principal.

you don't want a repository traversal there... trust me ;-)

angela

On 1/24/13 2:22 PM, Jukka Zitting wrote:
> Hi,
>
> On Thu, Jan 24, 2013 at 10:11 AM, angela (JIRA)<ji...@apache.org>  wrote:
>> since query is used to retrieve ac content by
>> principal, the ac impl should define a property index for the
>> rep:principalName defined by rep:ACE node type.
>
> Is it essential for the access control code to use query? I would
> assume that it would be both easier (i.e. less code) and more
> efficient to simply read the relevant ACLs directly from the content
> tree being accessed.
>
> BR,
>
> Jukka Zitting

Re: Accessing ACLs (Was: [jira] [Created] (OAK-581) IndexDefinition for Access Control Content)

Posted by Thomas Mueller <mu...@adobe.com>.
Hi,

Yes, I would also try to avoid using a query to read the ACLs from the
content tree (for multiple reasons: to avoid maintaining indexes, to speed
up access, to simplify caching).

Regards,
Thomas


On 1/24/13 2:22 PM, "Jukka Zitting" <ju...@gmail.com> wrote:

>Hi,
>
>On Thu, Jan 24, 2013 at 10:11 AM, angela (JIRA) <ji...@apache.org> wrote:
>> since query is used to retrieve ac content by
>> principal, the ac impl should define a property index for the
>> rep:principalName defined by rep:ACE node type.
>
>Is it essential for the access control code to use query? I would
>assume that it would be both easier (i.e. less code) and more
>efficient to simply read the relevant ACLs directly from the content
>tree being accessed.
>
>BR,
>
>Jukka Zitting
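
The trade-off discussed in this thread (reading ACLs by path straight from the tree, versus finding access control content by principal with or without an index on rep:principalName), as an added example that is not part of the original messages and is not Oak code. It is a simplified in-memory model: the class and method names are hypothetical, the content is constructed, and every entry node is given the type rep:ACE.

```java
import java.util.*;

// Simplified in-memory model, constructed for illustration; not Oak code.
public class AclLookupDemo {
    static class Node {
        final String path, type, principal; // principal models rep:principalName
        final Map<String, Node> children = new LinkedHashMap<>();
        Node(String path, String type, String principal) {
            this.path = path; this.type = type; this.principal = principal;
        }
    }
    static final Node ROOT = new Node("", "nt:unstructured", null);
    // Models a property index on rep:principalName for rep:ACE nodes.
    static final Map<String, List<Node>> INDEX = new HashMap<>();
    static int visited;

    static Node add(Node parent, String name, String type, String principal) {
        Node n = new Node(parent.path + "/" + name, type, principal);
        parent.children.put(name, n);
        if ("rep:ACE".equals(type)) // index maintenance happens on every ACE write
            INDEX.computeIfAbsent(principal, k -> new ArrayList<>()).add(n);
        return n;
    }
    // By path: read the rep:policy child of the accessed node directly, no query.
    static Collection<Node> acesAt(Node node) {
        Node policy = node.children.get("rep:policy");
        return policy == null ? Collections.<Node>emptyList() : policy.children.values();
    }
    // By principal without an index: every node in the repository is visited.
    static void traverse(Node n, String principal, List<Node> out) {
        visited++;
        if ("rep:ACE".equals(n.type) && principal.equals(n.principal)) out.add(n);
        for (Node c : n.children.values()) traverse(c, principal, out);
    }
    public static void main(String[] args) {
        for (int i = 0; i < 1000; i++) { // constructed sample content
            Node page = add(ROOT, "page" + i, "nt:unstructured", null);
            if (i % 100 == 0) {
                Node acl = add(page, "rep:policy", "rep:ACL", null);
                add(acl, "ace0", "rep:ACE", i % 200 == 0 ? "alice" : "bob");
            }
        }
        List<Node> found = new ArrayList<>();
        traverse(ROOT, "alice", found);
        System.out.println("by path /page0: " + acesAt(ROOT.children.get("page0")).size() + " ACE(s)");
        System.out.println("traversal: " + found.size() + " ACEs, " + visited + " nodes visited");
        System.out.println("index:     " + INDEX.get("alice").size() + " ACEs, 1 lookup");
    }
}
```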