You are viewing a plain text version of this content. The canonical link for it is here.
Posted to oak-issues@jackrabbit.apache.org by "angela (JIRA)" <ji...@apache.org> on 2017/05/09 08:02:04 UTC

[jira] [Commented] (OAK-4612) Multiplexing support for CugPermissionProvider

    [ https://issues.apache.org/jira/browse/OAK-4612?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16002243#comment-16002243 ] 

angela commented on OAK-4612:
-----------------------------

I have been looking at this recently and got the feeling that it will not be possible to implement real multiplexing support with the CUG authorization model in the way it has been proposed for the default (i.e. the permisison store in OAK_37777). The CUG authorization does not keep a global storage for permission evaluation but instead evaluates permissions from the CUG policies attached to the individual nodes. The problem with this is IMHO the fact that we have hidden properties that link to the CUGs stored in the subtree, which consequently may be located within a private mount.

Therefore I would propose the following way to address this: The CUG authorization model heavily relies on the configured supported path(s), where these policies can be created and will be evaluated. So, IMO the best way would be adjust the evaluation of supported paths such that no CUG policies can be created nor evaluated within the private mounts. Changing the set of paths defined to be private mounts will have the same effect as changing the supported paths with {{CugConfiguration}} and policies created previously at a path that is no longer supported will just be ignored.

At a first glance I see the following changes to be needed:
- {{CugConfiguration}}: add reference to {{MountInfoProvider}} (or retrieve it from {{ConfigurationParameters}} in a pure java setup
- {{CugConfiguration.getPermissionProvider}}: adjust calculation of supported paths to take mount paths into account and pass that to the {{PermissionProvider}} in case cug-evaluation is really enabled and required for the given set of principals.
- maybe the {{TreePermission}} implementations and the {{NestedCugHook}} needs to be adjusted as well.

and obviously: tons of test :-)
- {{CugUtil.isSupportedPath}}: adjust to take mount paths into account (-> should cover all method calls in {{CugAccessControlManager}}
- 

> Multiplexing support for CugPermissionProvider
> ----------------------------------------------
>
>                 Key: OAK-4612
>                 URL: https://issues.apache.org/jira/browse/OAK-4612
>             Project: Jackrabbit Oak
>          Issue Type: Technical task
>          Components: authorization-cug
>            Reporter: angela
>            Assignee: angela
>
> as discussed we will use the {{CugPermissionProvider}} to validate the proposal against another (quite different) implementation.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)