Posted to commits@sling.apache.org by an...@apache.org on 2022/03/02 13:05:08 UTC

[sling-site] branch SLING-11169 created (now aa2f3b5)

This is an automated email from the ASF dual-hosted git repository.

angela pushed a change to branch SLING-11169
in repository https://gitbox.apache.org/repos/asf/sling-site.git.


      at aa2f3b5  SLING-11169 : Repoinit does not allow to remove individual ACEs - Update documentation

This branch includes the following new commits:

     new aa2f3b5  SLING-11169 : Repoinit does not allow to remove individual ACEs - Update documentation

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


[sling-site] 01/01: SLING-11169 : Repoinit does not allow to remove individual ACEs - Update documentation

Posted by an...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

angela pushed a commit to branch SLING-11169
in repository https://gitbox.apache.org/repos/asf/sling-site.git

commit aa2f3b516e50a4f9422e3e1c7bc72f136142bb72
Author: angela <an...@adobe.com>
AuthorDate: Wed Mar 2 14:04:55 2022 +0100

    SLING-11169 : Repoinit does not allow to remove individual ACEs - Update documentation
---
 .../bundles/repository-initialization.md           | 45 ++++++++++++++++++++--
 1 file changed, 42 insertions(+), 3 deletions(-)

diff --git a/src/main/jbake/content/documentation/bundles/repository-initialization.md b/src/main/jbake/content/documentation/bundles/repository-initialization.md
index 79efe24..06bc36e 100644
--- a/src/main/jbake/content/documentation/bundles/repository-initialization.md
+++ b/src/main/jbake/content/documentation/bundles/repository-initialization.md
@@ -25,10 +25,11 @@ They are called in increasing order of their `service.ranking` service property,
 If any of them throws an Exception, the `SlingRepository` service is not registered.
     
 ## The 'repoinit' Repository Initialization Language
-The `org.apache.sling.repoinit.parser` implements a mini-language meant to create paths, service users and Access Control Lists in a content repository, as 
-well as registering JCR namespaces and node types.
+The `org.apache.sling.repoinit.parser` implements a mini-language meant to create paths, service users and manage access control in a content repository, as 
+well as registering JCR namespaces, node types and privileges. Defining access control content consists of setting and 
+deleting policies of type access control lists (ACL) for which individual access control entries (ACE) can be added and removed.
 
-As  I write this, the source code consists of [three modules](https://github.com/apache?utf8=%E2%9C%93&q=sling+repoinit): the parser, the JCR 
+The source code consists of [three modules](https://github.com/apache?utf8=%E2%9C%93&q=sling+repoinit): the parser, the JCR 
 repoinit adapter module and the integration tests.
 
 The language grammar is defined (using the JavaCC compiler-compiler, which has no runtime dependencies) in the `RepoInitGrammar.jjt` file in that module, and the automated tests provide a number of [test cases](https://github.com/apache/sling-org-apache-sling-repoinit-parser/tree/master/src/test/resources/testcases) which demonstrate various features.
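Review bot: The sentence added on the last two `+` lines of the intro ("Defining access control content consists of setting and deleting policies of type access control lists (ACL) for which individual access control entries (ACE) can be added and removed.") is hard to parse and uses the plural "lists" for a single policy type. Suggest something like "Access control is managed by setting and deleting access control list (ACL) policies, whose individual access control entries (ACEs) can be added and removed." The first `+` line also carries over the trailing space after "as", which could be dropped while the line is being rewritten.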
@@ -421,6 +422,44 @@ repoinit parser repository.
       allow jcr:seven for mercury
     end
     
+    # test-35.txt
+    
+    # Removal of individual access control entries (see SLING-11160), requires
+    # o.a.s.repoinit.parser 1.6.14 and
+    # o.a.s.jcr.repoinit 1.1.38
+    
+    # remove entries by path
+    
+    remove ACE on /libs,/apps, /, /content/example.com/some-other_path
+        allow jcr:read for user1,user2
+        allow privilege_without_namespace for user4
+        deny jcr:write,something:else,another:one for user2
+        deny jcr:lockManagement for user1
+        deny jcr:modifyProperties for user2 restriction(rep:itemNames,prop1,prop2)
+    end
+    
+    # remove entries by principal
+    
+    remove ACE for user1,u2
+        allow jcr:read on /content
+        allow jcr:addChildNodes, jcr:modifyProperties on /content restriction(rep:glob)
+        deny jcr:read on /etc, /var restriction(rep:ntNames,sling:Folder,nt:unstructured) restriction(rep:itemNames,prop1,prop2)
+    end
+    
+    # remove principal-based entries
+    
+    remove principal ACE for principal1,principal2
+        allow jcr:read on /content
+        deny jcr:modifyProperties on /apps, /content restriction(rep:itemNames,prop1,prop2)
+        allow jcr:addChildNodes on /apps restriction(rep:ntNames,sling:Folder,nt:unstructured)
+        allow jcr:modifyProperties on /apps restriction(rep:ntNames,sling:Folder,nt:unstructured) restriction(rep:itemNames,prop1,prop2)
+        allow jcr:addChildNodes on /apps,/content restriction(rep:glob,/cat,/cat/,cat)
+        allow jcr:addChildNodes on /apps,/content restriction(rep:glob,cat/,*,*cat)
+        allow jcr:addChildNodes on /apps,/content restriction(rep:glob,/cat/*,*/cat,*cat/*)
+        allow jcr:something on / restriction(rep:glob)
+        allow jcr:all on :repository,home(alice)
+    end
+    
     # test-40.txt
     
     # Register namespaces, requires
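Review bot: The added test-35.txt block shows the three `remove ACE` forms but never states how an entry is matched for removal: whether allow/deny, the privilege list and the `restriction(...)` clauses must equal an existing entry exactly, and what happens when nothing matches. This matters most for the `deny` lines, because removing a deny entry widens access, so a short sentence above the example giving the matching rule and the no-match behaviour would let readers predict the resulting permissions. Separately, the comment cites SLING-11160 while the commit and branch are SLING-11169; please confirm that is the intended reference.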