Posted to dev@sling.apache.org by "Nitin Nizhawan (JIRA)" <ji...@apache.org> on 2017/06/13 09:53:00 UTC

[jira] [Comment Edited] (SLING-6422) Allow for specifying oak restrictions with repoinit

    [ https://issues.apache.org/jira/browse/SLING-6422?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16047529#comment-16047529 ] 

Nitin Nizhawan edited comment on SLING-6422 at 6/13/17 9:52 AM:
----------------------------------------------------------------

[~bdelacretaz] I further verified that the vault package manager also respects ordering. To verify, I specified the following ACEs:
{code}
    <allow jcr:primaryType="rep:GrantACE" rep:principalName="forms-users" rep:privileges="{Name}[rep:readProperties]">
        <rep:restrictions jcr:primaryType="rep:Restrictions" rep:ntNames="{Name}[abc,def]"/>
    </allow>
    <allow1 jcr:primaryType="rep:GrantACE" rep:principalName="forms-users" rep:privileges="{Name}[jcr:addChildNodes]">
        <rep:restrictions jcr:primaryType="rep:Restrictions" rep:ntNames="{Name}[abc,def]"/>
    </allow1>
{code}
Since in the above case the restrictions and principal are the same, the package manager merged the privileges as follows:
{code}
    <allow jcr:primaryType="rep:GrantACE" rep:principalName="forms-users" rep:privileges="{Name}[rep:readProperties,jcr:addChildNodes]">
        <rep:restrictions jcr:primaryType="rep:Restrictions" rep:ntNames="{Name}[abc,def]"/>
    </allow>
{code}


Then I tried with the order reversed for the restriction values, as follows:
{code}
    <allow jcr:primaryType="rep:GrantACE" rep:principalName="forms-users" rep:privileges="{Name}[rep:readProperties]">
        <rep:restrictions jcr:primaryType="rep:Restrictions" rep:ntNames="{Name}[abc,def]"/>
    </allow>
    <allow1 jcr:primaryType="rep:GrantACE" rep:principalName="forms-users" rep:privileges="{Name}[jcr:addChildNodes]">
        <rep:restrictions jcr:primaryType="rep:Restrictions" rep:ntNames="{Name}[def,abc]"/>
    </allow1>
{code}
In the above case the package manager did not merge the ACEs because, I think, it also considers the restrictions different. So, I suppose we should also consider restrictions with a different ordering of values to be different.
Also, the example date-based restriction provider at [0] assumes ordered values.
WDYT?

[0] http://jackrabbit.apache.org/oak/docs/security/authorization/restriction.html




> Allow for specifying oak restrictions with repoinit
> ---------------------------------------------------
>
>                 Key: SLING-6422
>                 URL: https://issues.apache.org/jira/browse/SLING-6422
>             Project: Sling
>          Issue Type: New Feature
>          Components: Repoinit
>            Reporter: Nitin Nizhawan
>         Attachments: SLING6422ApplyRestrictionsV2.patch, SLING6422ApplyRestrictionsV3.patch, SLING6422_interpretparsedrestrictionclause.patch, SLING-6422.patch
>
>
> Allow for specifying oak restrictions with repoinit. Currently repoinit allows one to add or remove ACLs, but there is no way to specify oak restrictions.
> http://jackrabbit.apache.org/oak/docs/security/authorization/restriction.html
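
Added example, not code from Vault, Oak or repoinit: a Python model of the merge behaviour reported in the comment above, where ACEs are merged only when type, principal and restrictions are equal and restriction values are compared as ordered lists by default. The function names and the `ordered` switch are assumptions made for this illustration; the ACE nodes are rebuilt from the fragments quoted in the comment.

```python
import re
import xml.etree.ElementTree as ET

# JCR/Jackrabbit namespace URIs; needed only so the parser can bind the prefixes.
NS = {"jcr": "http://www.jcp.org/jcr/1.0", "rep": "internal"}
# Constructed template reproducing the ACE nodes quoted in the comment above.
ACE = ('<{0} jcr:primaryType="rep:GrantACE" rep:principalName="forms-users" '
       'rep:privileges="{{Name}}[{1}]"><rep:restrictions '
       'jcr:primaryType="rep:Restrictions" rep:ntNames="{{Name}}[{2}]"/></{0}>')
FIRST = ACE.format("allow", "rep:readProperties", "abc,def")
SAME_ORDER = FIRST + ACE.format("allow1", "jcr:addChildNodes", "abc,def")
REVERSED = FIRST + ACE.format("allow1", "jcr:addChildNodes", "def,abc")

def q(name):
    """Expand 'rep:ntNames' to ElementTree's '{uri}ntNames' form."""
    prefix, local = name.split(":")
    return "{%s}%s" % (NS[prefix], local)

def values(raw):
    """Parse a typed multi-value such as '{Name}[abc,def]' into an ordered list."""
    m = re.fullmatch(r"\{\w+\}\[(.*)\]", raw)
    return [v.strip() for v in m.group(1).split(",")] if m else [raw]

def parse_aces(fragment):
    root = ET.fromstring('<root xmlns:jcr="%s" xmlns:rep="%s">%s</root>'
                         % (NS["jcr"], NS["rep"], fragment))
    aces = []
    for node in root:
        restr = node.find(q("rep:restrictions"))
        attrs = restr.attrib if restr is not None else {}
        aces.append({
            "type": node.get(q("jcr:primaryType")),
            "principal": node.get(q("rep:principalName")),
            "privileges": values(node.get(q("rep:privileges"))),
            "restrictions": {k: values(v) for k, v in attrs.items()
                             if k != q("jcr:primaryType")},
        })
    return aces

def merge(aces, ordered=True):
    """Merge privileges of ACEs with equal type, principal and restrictions."""
    norm = tuple if ordered else (lambda vals: tuple(sorted(vals)))
    merged = {}
    for ace in aces:
        key = (ace["type"], ace["principal"], tuple(sorted(
            (name, norm(vals)) for name, vals in ace["restrictions"].items())))
        privs = merged.setdefault(key, [])
        privs.extend(p for p in ace["privileges"] if p not in privs)
    return list(merged.values())
```

With `ordered=True` the reversed `rep:ntNames` values keep the two entries separate, as observed in the comment; `ordered=False` shows the alternative in which value order is ignored and the entries collapse into one.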


