Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2016/02/16 14:16:25 UTC

svn commit: r1730681 - /jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/composite.md

Author: angela
Date: Tue Feb 16 13:16:24 2016
New Revision: 1730681

URL: http://svn.apache.org/viewvc?rev=1730681&view=rev
Log:
OAK-4016 : Document composite authorization setup (WIP)

Modified:
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/composite.md

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/composite.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/composite.md?rev=1730681&r1=1730680&r2=1730681&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/composite.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/composite.md Tue Feb 16 13:16:24 2016
@@ -46,11 +46,30 @@ in an aggregated setup:
 
 #### PolicyOwner
 
-_TODO_
+Interface defining a single method, which allows to identify the `AccessControlManager` 
+implementation responsible set or removing a given policy. `AccessControlManager`s 
+deployed in a composite authorization setup are required to implement this interface 
+_if_ they choose to support _setPolicy_ or _removePolicy_. Omitting the `PolicyOwner` 
+interface will most likely result in a `AccessControlException` as no policy owner 
+can be found for the given type of policy.
 
 #### AggregatedPermissionProvider
 
-_TODO_
+Extension of the `PermissionProvider` interface that allows a given provider to 
+be deployed in a composite authorization setup. The additional methods allow the  
+aggregating provider to identify if a given `PermissionProvider` can handle permission 
+evaluation for a given set of permissions at a given path.
+
+##### Example
+
+The permission provider shipped with the [oak-authorization-cug](cug.html#details) module 
+has a very limited scope: it only evaluates read-access to regular items at the 
+configured supported paths. This means e.g. that the implementation is not able to 
+determine if write access is granted to a given set of `Principal`s and indicates 
+this fact by just returning the subset of supported read permissions upon 
+`supportedPermissions(Tree, PropertyState, long)`. The aggregated permission provider 
+will consequently not consult this implementation for the evaluation of write 
+permissions and move on to other providers in the aggregate.
 
 <a name="details"/>
 ### Implementation Details
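
Review bot: the first sentence of the new PolicyOwner paragraph is ungrammatical ("responsible set or removing a given policy") and never names the single method the interface defines. Suggest "responsible for setting or removing a given policy" and spelling out the method with its signature, the way the Example paragraph does for `supportedPermissions(Tree, PropertyState, long)`. In the same paragraph "a `AccessControlException`" should read "an", and "will most likely result in" leaves implementers guessing: say which of _setPolicy_ / _removePolicy_ fails and under what condition when no policy owner is found. In the AggregatedPermissionProvider paragraph, the added line ending "allow the" carries two trailing spaces, which Markdown renders as a hard line break in the middle of the sentence.
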
@@ -78,7 +97,7 @@ evaluating the subset of restrictions it
 extensions and the permission evaluation, respectively. Similarly, a given module  
 may decide to provide no support for restrictions. Examples include modules that 
 provide different types of `AccessControlPolicy` where restrictions cannot be applied 
-(see for example [oak-authorization-cug](cug.html)).
+(see for example [oak-authorization-cug](cug.html#details)).
                
 <a name="configuration"/>
 ### Configuration
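
Review bot: the changed link now targets `cug.html#details`, which depends on an anchor in the cug page that this diff does not show. Please confirm that page defines a `details` anchor (this file does so with `<a name="details"/>`), otherwise the link silently lands at the top of the page. The new Example paragraph in the first hunk uses the same target, so both references rely on that one anchor.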