You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@sling.apache.org by "Bertrand Delacretaz (JIRA)" <ji...@apache.org> on 2016/12/21 14:44:58 UTC
[jira] [Commented] (SLING-6422) Allow for specifying oak
restrictions with repoinit
[ https://issues.apache.org/jira/browse/SLING-6422?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15767221#comment-15767221 ]
Bertrand Delacretaz commented on SLING-6422:
--------------------------------------------
The first step is to define a suitable syntax in the repoinit language for those restrictions.
So far the language only supports an optional "nodetypes" clause (see test [1]) which is not implemented by the JCR repoinit module, so has no effect.
I have little experience with those restrictions but as per [2] it looks like each restriction is expressed with a name and 1..N values. And custom restrictions can be created, so the syntax must be flexible.
Here's a first set of examples of what those restriction definitions could look like in repoinit, comments are welcome. I think it makes sense to define keywords for the common restriction types (nodetypes, glob, namespaces) as well as a generic syntax for other built-in and custom restrictions.
In these examples, {{allow ...}} represents repoinit ACL definitions with the existing syntax
{code}
# explicit form for common restriction types
allow ... nodetypes sling:Folder, my:Type
allow ... nodetypes nt:file glob *.jsp
allow ... glob *.jsp
allow ... namespaces http://sling.apache.org/nt glob *.html
# generic form for any restriction type
allow ... restriction(rep:glob, *.jsp, *.txt) restriction(rep:ntNames, sling:Folder) restriction(rep:prefixes, sling)
allow ... restriction(my:custom, "13:00UTC, 23:59UTC")
allow ... restriction(my:string, "It's \"quoted\"", "second string")
{code}
[1] https://svn.apache.org/repos/asf/sling/trunk/bundles/extensions/repoinit/parser/src/test/resources/testcases/test-30.txt
[2] http://jackrabbit.apache.org/oak/docs/security/authorization/restriction.html
> Allow for specifying oak restrictions with repoinit
> ---------------------------------------------------
>
> Key: SLING-6422
> URL: https://issues.apache.org/jira/browse/SLING-6422
> Project: Sling
> Issue Type: New Feature
> Components: Repoinit
> Reporter: Nitin Nizhawan
>
> Allow for specifying oak restrictions with repoinit. Currently repoinit allows one to ADD remove ACLs but there is no way to specify oak restrictions.
> http://jackrabbit.apache.org/oak/docs/security/authorization/restriction.html
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)