Posted to oak-issues@jackrabbit.apache.org by "Tomek Rękawek (JIRA)" <ji...@apache.org> on 2018/11/29 20:10:00 UTC

[jira] [Commented] (OAK-7725) Allow to have the users and groups created in the immutable part of the composite setup

    [ https://issues.apache.org/jira/browse/OAK-7725?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16703732#comment-16703732 ] 

Tomek Rękawek commented on OAK-7725:
------------------------------------

This seems to work out of the box for /home/users/system. The only required change is to extend the CrossMountReferenceValidator so that it prevents adding the read-only system users to groups living outside the mount. It's done in [r1847748|https://svn.apache.org/r1847748].

> Allow to have the users and groups created in the immutable part of the composite setup
> ---------------------------------------------------------------------------------------
>
>                 Key: OAK-7725
>                 URL: https://issues.apache.org/jira/browse/OAK-7725
>             Project: Jackrabbit Oak
>          Issue Type: Story
>          Components: composite, security
>            Reporter: Tomek Rękawek
>            Assignee: Tomek Rękawek
>            Priority: Major
>             Fix For: 1.10, 1.9.13
>
>
> When running Oak with the Composite Node Store, the /home subtree is always stored in the mutable, global part. Therefore, even if we switch the immutable part (e.g. /libs), the users and groups are not affected.
> This setup makes sense for the users and groups created interactively. However, we also have service users, which usually are not created interactively, but are part of the application and therefore are related to the /libs part. For such users, it'd make sense to include them dynamically, together with the application, read-only mount.
> The proposal is to allow some part of /home (e.g. /home/service) to be mounted from the read-only partial node store. Let's consider the constraints we need to put in place (e.g. it shouldn't be possible to have inter-mount group memberships) and how we can implement this.


