Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2016/02/16 14:16:25 UTC
svn commit: r1730681 -
/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/composite.md
Author: angela
Date: Tue Feb 16 13:16:24 2016
New Revision: 1730681
URL: http://svn.apache.org/viewvc?rev=1730681&view=rev
Log:
OAK-4016 : Document composite authorization setup (WIP)
Modified:
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/composite.md
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/composite.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/composite.md?rev=1730681&r1=1730680&r2=1730681&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/composite.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/composite.md Tue Feb 16 13:16:24 2016
@@ -46,11 +46,30 @@ in an aggregated setup:
#### PolicyOwner
-_TODO_
+Interface defining a single method, which allows to identify the `AccessControlManager`
+implementation responsible set or removing a given policy. `AccessControlManager`s
+deployed in a composite authorization setup are required to implement this interface
+_if_ they choose to support _setPolicy_ or _removePolicy_. Omitting the `PolicyOwner`
+interface will most likely result in a `AccessControlException` as no policy owner
+can be found for the given type of policy.
#### AggregatedPermissionProvider
-_TODO_
+Extension of the `PermissionProvider` interface that allows a given provider to
+be deployed in a composite authorization setup. The additional methods allow the
+aggregating provider to identify if a given `PermissionProvider` can handle permission
+evaluation for a given set of permissions at a given path.
+
+##### Example
+
+The permission provider shipped with the [oak-authorization-cug](cug.html#details) module
+has a very limited scope: it only evaluates read-access to regular items at the
+configured supported paths. This means e.g. that the implementation is not able to
+determine if write access is granted to a given set of `Principal`s and indicates
+this fact by just returning the subset of supported read permissions upon
+`supportedPermissions(Tree, PropertyState, long)`. The aggregated permission provider
+will consequently not consult this implementation for the evaluation of write
+permissions and move on to other providers in the aggregate.
<a name="details"/>
### Implementation Details
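Review bot: In the PolicyOwner paragraph, the added line "implementation responsible set or removing a given policy" is missing words; suggest "implementation responsible for setting or removing a given policy". In the same paragraph, "allows to identify" reads better as "allows identifying", and "a `AccessControlException`" should be "an `AccessControlException`". The paragraph says the interface defines a single method without naming it, and "will most likely result in" leaves open when the exception is not raised. Naming the method and stating the condition would let implementers check their `AccessControlManager` against the requirement. Likewise, the AggregatedPermissionProvider text mentions "additional methods" but only the Example names one, `supportedPermissions(Tree, PropertyState, long)`; a short list of the methods would help.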
@@ -78,7 +97,7 @@ evaluating the subset of restrictions it
extensions and the permission evaluation, respectively. Similarly, a given module
may decide to provide no support for restrictions. Examples include modules that
provide different types of `AccessControlPolicy` where restrictions cannot be applied
-(see for example [oak-authorization-cug](cug.html)).
+(see for example [oak-authorization-cug](cug.html#details)).
<a name="configuration"/>
### Configuration
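Review bot: The changed link now targets `cug.html#details`, but this commit modifies only composite.md, so nothing in the diff shows that cug.html defines a `details` anchor. Please confirm the anchor exists there, since a missing fragment leaves the reader at the top of the page with no error. If the sentence is meant to point at the part of the CUG documentation that explains why restrictions cannot be applied to its policy type, check that `#details` is that section rather than a general one.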