Posted to dev@sling.apache.org by "Bertrand Delacretaz (JIRA)" <ji...@apache.org> on 2016/12/21 14:44:58 UTC

[jira] [Commented] (SLING-6422) Allow for specifying oak restrictions with repoinit

    [ https://issues.apache.org/jira/browse/SLING-6422?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15767221#comment-15767221 ] 

Bertrand Delacretaz commented on SLING-6422:
--------------------------------------------

The first step is to define a suitable syntax in the repoinit language for those restrictions.

So far the language only supports an optional "nodetypes" clause (see test [1]) which is not implemented by the JCR repoinit module, so it has no effect.

I have little experience with those restrictions but as per [2] it looks like each restriction is expressed with a name and 1..N values. And custom restrictions can be created, so the syntax must be flexible.

Here's a first set of examples of what those restriction definitions could look like in repoinit; comments are welcome. I think it makes sense to define keywords for the common restriction types (nodetypes, glob, namespaces) as well as a generic syntax for other built-in and custom restrictions.

In these examples, {{allow ...}} represents repoinit ACL definitions with the existing syntax.

{code}
# explicit form for common restriction types
allow ... nodetypes sling:Folder, my:Type
allow ... nodetypes nt:file glob *.jsp
allow ... glob *.jsp
allow ... namespaces http://sling.apache.org/nt glob *.html

# generic form for any restriction type
allow ... restriction(rep:glob, *.jsp, *.txt) restriction(rep:ntNames, sling:Folder) restriction(rep:prefixes, sling)
allow ... restriction(my:custom, "13:00UTC, 23:59UTC")
allow ... restriction(my:string, "It's \"quoted\"", "second string")
{code}

[1] https://svn.apache.org/repos/asf/sling/trunk/bundles/extensions/repoinit/parser/src/test/resources/testcases/test-30.txt
[2] http://jackrabbit.apache.org/oak/docs/security/authorization/restriction.html

> Allow for specifying oak restrictions with repoinit
> ---------------------------------------------------
>
>                 Key: SLING-6422
>                 URL: https://issues.apache.org/jira/browse/SLING-6422
>             Project: Sling
>          Issue Type: New Feature
>          Components: Repoinit
>            Reporter: Nitin Nizhawan
>
> Allow for specifying oak restrictions with repoinit. Currently repoinit allows one to ADD remove ACLs but there is no way to specify oak restrictions.
> http://jackrabbit.apache.org/oak/docs/security/authorization/restriction.html



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
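
Added example, not part of the message above and not Sling's repoinit parser: a minimal Python parser for the generic restriction(name, value, ...) form proposed in the comment, covering quoted values that contain commas and escaped quotes. The grammar details (bare-token characters, backslash unescaping, at least one value per restriction) are assumptions read off the comment's examples. Malformed clauses raise an error rather than being skipped, because a silently dropped restriction leaves the ACL entry broader than intended.

```python
import re

# Token grammar for the generic form proposed in the comment (an assumption,
# not Sling's actual repoinit grammar).
_TOKEN = re.compile(r'''\s*(?:
      (?P<quoted>"(?:[^"\\]|\\.)*")   # double-quoted value, backslash escapes
    | (?P<punct>[(),])
    | (?P<bare>[^\s(),"]+)            # bare value: *.jsp, sling:Folder, rep:glob
    )''', re.VERBOSE)

# Constructed sample input, copied from the examples in the comment.
SAMPLE_QUOTED = r'''restriction(my:string, "It's \"quoted\"", "second string")'''

def tokenize(text):
    text, pos, out = text.rstrip(), 0, []
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"unexpected input at column {pos}")
        kind = m.lastgroup
        value = m.group(kind)
        if kind == "quoted":            # strip quotes, then unescape \" and \\
            value = re.sub(r'\\(.)', r'\1', value[1:-1])
        out.append((kind, value))
        pos = m.end()
    return out

def parse_restrictions(text):
    """Return [(name, [value, ...]), ...]; raise ValueError on malformed input."""
    toks, i, result = tokenize(text), 0, []

    def take(kind, value=None):
        nonlocal i
        if i >= len(toks) or toks[i][0] != kind or value not in (None, toks[i][1]):
            raise ValueError(f"expected {value or kind} at token {i}")
        i += 1
        return toks[i - 1][1]

    while i < len(toks):
        take("bare", "restriction")
        take("punct", "(")
        name, values = take("bare"), []
        while i < len(toks) and toks[i] == ("punct", ","):
            i += 1
            if i >= len(toks) or toks[i][0] == "punct":
                raise ValueError(f"{name}: missing value after ','")
            values.append(toks[i][1])
            i += 1
        take("punct", ")")
        if not values:                   # the comment describes 1..N values
            raise ValueError(f"{name}: at least one value is required")
        result.append((name, values))
    return result
```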