Posted to dev@sling.apache.org by "Bertrand Delacretaz (JIRA)" <ji...@apache.org> on 2016/01/05 10:58:39 UTC

[jira] [Comment Edited] (SLING-5355) Create service users and ACLs from the provisioning model

    [ https://issues.apache.org/jira/browse/SLING-5355?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15075924#comment-15075924 ] 

Bertrand Delacretaz edited comment on SLING-5355 at 1/5/16 9:57 AM:
--------------------------------------------------------------------

This is now implemented under https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/acldef

The {{it}} module demonstrates this using the below definitions in its provisioning model. Those are simply configurations for the {{AclSetup}} component. Note that as Oak requires paths to exist to set ACLs on them, that component needs to retry executing those ACL definition snippets if the affected paths don't exist yet.

To use this, install the {{org.apache.sling.acldef.oak-jcr}} and {{org.apache.sling.acldef.parser}} modules, and create configs as shown below, as many as needed. Watch the logs for messages under the {{org.apache.sling.acldef}} category to see what's happening.

{code}
org.apache.sling.acldef.jcr.AclSetup-one
  #
  acldef.text.1="create service user fredWilma"
  #
  # multiline acldef statement
  acldef.text.2="
      set ACL for fredWilma
        allow jcr:all on /acltest
        deny jcr:write on /acltest/A
      end"
  #    
  # single line with backslash n works as well    
  acldef.text.backs="set ACL for fredWilma \n allow jcr:write on /acltest/A/B \n end"
  
# try some acldef in a separate config  
org.apache.sling.acldef.jcr.AclSetup-two
  # this user will be created from code, to validate the async ACL setting
  # and using the path-oriented notation, to test that     
  acldef.text.another="
    set ACL on /acltest
      allow jcr:all for anotherUser
    end
    set ACL on /acltest/A/B
      deny jcr:write for anotherUser
    end
    "
{code}




was (Author: bdelacretaz):
This is now implemented under https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/acldef

The {{it}} module demonstrates this using the below definitions in its provisioning model. Those are simply configurations for the AclSetup component. Note that as Oak requires paths to exist to set ACLs on them, that component needs to retry executing those ACL definition snippets if the affected paths don't exist yet.

{code}
org.apache.sling.acldef.jcr.AclSetup-one
  #
  acldef.text.1="create service user fredWilma"
  #
  # multiline acldef statement
  acldef.text.2="
      set ACL for fredWilma
        allow jcr:all on /acltest
        deny jcr:write on /acltest/A
      end"
  #    
  # single line with backslash n works as well    
  acldef.text.backs="set ACL for fredWilma \n allow jcr:write on /acltest/A/B \n end"
  
# try some acldef in a separate config  
org.apache.sling.acldef.jcr.AclSetup-two
  # this user will be created from code, to validate the async ACL setting
  # and using the path-oriented notation, to test that     
  acldef.text.another="
    set ACL on /acltest
      allow jcr:all for anotherUser
    end
    set ACL on /acltest/A/B
      deny jcr:write for anotherUser
    end
    "
{code}



> Create service users and ACLs from the provisioning model
> ---------------------------------------------------------
>
>                 Key: SLING-5355
>                 URL: https://issues.apache.org/jira/browse/SLING-5355
>             Project: Sling
>          Issue Type: New Feature
>          Components: Service User Mapper
>            Reporter: Bertrand Delacretaz
>            Assignee: Bertrand Delacretaz
>
> As discussed in the "Removing loginAdministrative, how to test that, and service username conventions" thread on our dev list [1] we need to be able to create service users and set the corresponding ACLs from our provisioning model.
> This should be implemented using distinct utility classes, one for the users and one for the ACLs, that take simple mini-languages as input. This will allow for reusing these utilities in test code for example.
> I have made a suggestion for those mini languages in that thread, will copy them here once we agree.
> [1] http://markmail.org/message/kcvuhwfdald2dyuz



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
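As an added illustration of the acldef mini-language shown in the comment above (this is example code, not the Sling {{org.apache.sling.acldef.parser}} module, which is Java), the following Python parser accepts the user-oriented "set ACL for" blocks, the path-oriented "set ACL on" blocks and the single-line backslash-n form, then lists the allow/deny rules that stack up on a path for one principal so the resulting permissions can be reviewed. It assumes that "#" lines are comments and that each rule line names one privilege.

```python
import re
from collections import namedtuple

# One parsed ACL line: action is "allow"/"deny", privilege e.g. "jcr:all"
AclRule = namedtuple("AclRule", "action privilege path principal")

def parse_acldef(text):
    """Parse acldef text into (service_users, rules).
    Handles 'create service user X', the user-oriented block
    'set ACL for X / allow|deny PRIV on PATH / end', the path-oriented
    block 'set ACL on PATH / allow|deny PRIV for X / end', and a literal
    backslash-n as line separator. '#' comment lines are an assumption."""
    users, rules, block = [], [], None   # block: (keyword, value) inside set ACL
    for raw in text.replace("\\n", "\n").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if block is None:
            m = re.fullmatch(r"create service user (\S+)", line)
            if m:
                users.append(m.group(1))
                continue
            m = re.fullmatch(r"set ACL (for|on) (\S+)", line)
            if not m:
                raise ValueError("unexpected statement: " + line)
            block = (m.group(1), m.group(2))
        elif line == "end":
            block = None
        else:
            m = re.fullmatch(r"(allow|deny) (\S+) (for|on) (\S+)", line)
            kind, value = block
            # inside 'set ACL for USER' a rule names a path, and vice versa
            if not m or m.group(3) == kind:
                raise ValueError("bad rule in 'set ACL %s %s': %s" % (kind, value, line))
            if kind == "for":
                rules.append(AclRule(m.group(1), m.group(2), m.group(4), value))
            else:
                rules.append(AclRule(m.group(1), m.group(2), value, m.group(4)))
    if block is not None:
        raise ValueError("missing 'end' for set ACL %s %s" % block)
    return users, rules

def rules_affecting(rules, principal, path):
    """Rules for principal on path or an ancestor, shallowest first, so a
    reviewer can read the allow/deny chain that ends up applying at path."""
    hits = [r for r in rules if r.principal == principal
            and (path == r.path or path.startswith(r.path.rstrip("/") + "/"))]
    return sorted(hits, key=lambda r: r.path.count("/"))
```

Feeding it the four {{acldef.text.*}} values from the configs above yields one service user and five rules; for {{fredWilma}} at {{/acltest/A/B}} the chain is allow on {{/acltest}}, deny on {{/acltest/A}}, allow on {{/acltest/A/B}}.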