Posted to dev@sling.apache.org by "Nitin Nizhawan (JIRA)" <ji...@apache.org> on 2017/06/13 09:53:00 UTC
[jira] [Comment Edited] (SLING-6422) Allow for specifying oak restrictions with repoinit
[ https://issues.apache.org/jira/browse/SLING-6422?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16047529#comment-16047529 ]
Nitin Nizhawan edited comment on SLING-6422 at 6/13/17 9:52 AM:
----------------------------------------------------------------
[~bdelacretaz] I further verified that the vault package manager also respects ordering. To verify, I specified the following ACEs:
{code}
<allow jcr:primaryType="rep:GrantACE" rep:principalName="forms-users" rep:privileges="{Name}[rep:readProperties]">
  <rep:restrictions jcr:primaryType="rep:Restrictions" rep:ntNames="{Name}[abc,def]"/>
</allow>
<allow1 jcr:primaryType="rep:GrantACE" rep:principalName="forms-users" rep:privileges="{Name}[jcr:addChildNodes]">
  <rep:restrictions jcr:primaryType="rep:Restrictions" rep:ntNames="{Name}[abc,def]"/>
</allow1>
{code}
Since in the above case the restrictions and principal are the same, the package manager merged the privileges as follows:
{code}
<allow jcr:primaryType="rep:GrantACE" rep:principalName="forms-users" rep:privileges="{Name}[rep:readProperties,jcr:addChildNodes]">
  <rep:restrictions jcr:primaryType="rep:Restrictions" rep:ntNames="{Name}[abc,def]"/>
</allow>
{code}
Then I tried with the order reversed for the restriction values, as follows:
{code}
<allow jcr:primaryType="rep:GrantACE" rep:principalName="forms-users" rep:privileges="{Name}[rep:readProperties]">
  <rep:restrictions jcr:primaryType="rep:Restrictions" rep:ntNames="{Name}[abc,def]"/>
</allow>
<allow1 jcr:primaryType="rep:GrantACE" rep:principalName="forms-users" rep:privileges="{Name}[jcr:addChildNodes]">
  <rep:restrictions jcr:primaryType="rep:Restrictions" rep:ntNames="{Name}[def,abc]"/>
</allow1>
{code}
In the above case the package manager did not merge the ACEs because, I think, it also considers the restrictions different. So, I suppose we should also consider restrictions with a different ordering of values to be different.
Also, the example date-based restriction provider at [0] assumes ordered values.
WDYT?
[0] http://jackrabbit.apache.org/oak/docs/security/authorization/restriction.html
> Allow for specifying oak restrictions with repoinit
> ---------------------------------------------------
>
> Key: SLING-6422
> URL: https://issues.apache.org/jira/browse/SLING-6422
> Project: Sling
> Issue Type: New Feature
> Components: Repoinit
> Reporter: Nitin Nizhawan
> Attachments: SLING6422ApplyRestrictionsV2.patch, SLING6422ApplyRestrictionsV3.patch, SLING6422_interpretparsedrestrictionclause.patch, SLING-6422.patch
>
>
> Allow for specifying oak restrictions with repoinit. Currently repoinit allows one to ADD remove ACLs but there is no way to specify oak restrictions.
> http://jackrabbit.apache.org/oak/docs/security/authorization/restriction.html
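A small model of the merge behaviour reported in the comment above, added here as an illustration (it is not Vault's or repoinit's code): an ACE is folded into the one before it only when type, principal and restrictions match, with restriction values compared either as ordered lists or as sets. The wrapper element, the function names and the adjacent-only merge rule are assumptions of this example.

```python
import xml.etree.ElementTree as ET

JCR = "{http://www.jcp.org/jcr/1.0}"  # namespace URIs as used in FileVault content XML
REP = "{internal}"
# Assumption: wrap the fragment in a root element so the jcr:/rep: prefixes are bound.
WRAP = ('<jcr:root xmlns:jcr="http://www.jcp.org/jcr/1.0" '
        'xmlns:rep="internal">%s</jcr:root>')

def values(raw):
    """'{Name}[abc,def]' -> ('abc', 'def'), keeping the written order."""
    inner = raw[raw.index("[") + 1:raw.rindex("]")]
    return tuple(v.strip() for v in inner.split(",") if v.strip())

def load_aces(fragment):
    """Parse ACE elements into (type, principal, privileges, restrictions)."""
    aces = []
    for node in ET.fromstring(WRAP % fragment):
        restr = node.find(REP + "restrictions")
        attrs = restr.attrib if restr is not None else {}
        restrictions = {k: values(v) for k, v in attrs.items()
                        if k != JCR + "primaryType"}
        aces.append((node.get(JCR + "primaryType"), node.get(REP + "principalName"),
                     values(node.get(REP + "privileges")), restrictions))
    return aces

def merge_key(ace, ordered):
    """Identity used for merging; ordered=False ignores restriction value order."""
    ace_type, principal, _, restrictions = ace
    norm = (lambda v: v) if ordered else (lambda v: tuple(sorted(v)))
    return ace_type, principal, tuple(sorted((k, norm(v)) for k, v in restrictions.items()))

def merge(aces, ordered=True):
    """Fold an ACE into the preceding one when keys match (keeps ACE order intact)."""
    out = []
    for ace in aces:
        if out and merge_key(out[-1], ordered) == merge_key(ace, ordered):
            t, p, privs, r = out[-1]
            out[-1] = (t, p, privs + tuple(x for x in ace[2] if x not in privs), r)
        else:
            out.append(ace)
    return out

# Constructed input: the two ACE pairs from the comment above.
ACE = ('<{tag} jcr:primaryType="rep:GrantACE" rep:principalName="forms-users" '
       'rep:privileges="{{Name}}[{priv}]"><rep:restrictions '
       'jcr:primaryType="rep:Restrictions" rep:ntNames="{{Name}}[{nt}]"/></{tag}>')
FIRST = ACE.format(tag="allow", priv="rep:readProperties", nt="abc,def")
SAME = FIRST + ACE.format(tag="allow1", priv="jcr:addChildNodes", nt="abc,def")
REVERSED = FIRST + ACE.format(tag="allow1", priv="jcr:addChildNodes", nt="def,abc")

if __name__ == "__main__":
    for name, frag in (("same order", SAME), ("reversed order", REVERSED)):
        print(name, "->", len(merge(load_aces(frag))), "ACE(s) after merge")
```

Calling `merge(load_aces(REVERSED), ordered=False)` shows what a set-based comparison would do instead: the two entries collapse into one.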