Posted to commits@jackrabbit.apache.org by th...@apache.org on 2018/08/30 11:48:46 UTC

svn commit: r1839663 [17/22] - in /jackrabbit/site/live/oak/docs: ./ architecture/ coldstandby/ features/ nodestore/ nodestore/document/ nodestore/segment/ oak-mongo-js/ oak_api/ plugins/ query/ security/ security/accesscontrol/ security/authentication...

Modified: jackrabbit/site/live/oak/docs/security/overview.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/overview.html?rev=1839663&r1=1839662&r2=1839663&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/overview.html (original)
+++ jackrabbit/site/live/oak/docs/security/overview.html Thu Aug 30 11:48:45 2018
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-08-29 
+ | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21 
  | Rendered using Apache Maven Fluido Skin 1.6
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20180829" />
+    <meta name="Date-Revision-yyyymmdd" content="20180221" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak &#x2013; The Oak Security Layer</title>
     <link rel="stylesheet" href="../css/apache-maven-fluido-1.6.min.css" />
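Review bot: the generator stamp and the Date-Revision meta tag both move backwards in this hunk (Doxia Site Renderer 1.8.1 at 2018-08-29 becomes 1.7.4 at 2018-02-21), yet the commit is dated 2018-08-30, so the live page looks like it is being overwritten with output from an older build. Please confirm the site was regenerated from current sources with the intended renderer version before this goes to site/live.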
@@ -52,7 +52,6 @@
         <a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
         <ul class="dropdown-menu">
             <li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
-            <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
             <li><a href="../oak_api/overview.html" title="Oak API">Oak API</a></li>
         </ul>
       </li>
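Review bot: the "Main APIs" dropdown loses its Jackrabbit API entry here, although permission.html in this same commit still documents JackrabbitSession methods and "since Jackrabbit API 2.11.0" actions. If the removal is not intentional, restore the "https://jackrabbit.apache.org/jcr/jcr-api.html" link so readers of the security pages can still reach the API those pages refer to.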
@@ -67,12 +66,7 @@
                   <li><a href="../nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
               </ul>
             </li>
-            <li class="dropdown-submenu">
-<a href="../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
-              <ul class="dropdown-menu">
-                  <li><a href="../features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
-              </ul>
-            </li>
+            <li><a href="../plugins/blobstore.html" title="Blob Storage">Blob Storage</a></li>
             <li class="dropdown-submenu">
 <a href="../query/query.html" title="Query">Query</a>
               <ul class="dropdown-menu">
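Review bot: collapsing the Blob Storage submenu removes the only top-nav link to ../features/direct-binary-access.html in this hunk. If that page is still published under features/, it becomes unreachable from the menu; either keep the submenu or state in the commit message that the page is being retired.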
@@ -142,7 +136,7 @@
 
       <div id="breadcrumbs">
         <ul class="breadcrumb">
-        <li id="publishDate">Last Published: 2018-08-29<span class="divider">|</span>
+        <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
 </li>
           <li id="projectVersion">Version: 1.10-SNAPSHOT</li>
         </ul>
@@ -161,14 +155,12 @@
     <li><a href="../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a>  </li>
           <li class="nav-header">Main APIs</li>
     <li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a>  </li>
-    <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a>  </li>
     <li><a href="../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a>  </li>
           <li class="nav-header">Features and Plugins</li>
     <li><a href="../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
       <ul class="nav nav-list">
     <li><a href="../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
       <ul class="nav nav-list">
-    <li><a href="../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a>  </li>
     <li><a href="../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a>  </li>
     <li><a href="../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a>  </li>
     <li><a href="../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a>  </li>
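Review bot: the side navigation drops the MongoDB DocumentStore entry (../nodestore/document/mongo-document-store.html) under Document NodeStore, along with the Jackrabbit API link above it. The commit subject lists nodestore/document/ among the touched directories, so please check whether the target page is removed as well or is simply left without an inbound link.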
@@ -179,11 +171,7 @@
     <li><a href="../nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a>  </li>
       </ul>
   </li>
-    <li><a href="../plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
-      <ul class="nav nav-list">
-    <li><a href="../features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a>  </li>
-      </ul>
-  </li>
+    <li><a href="../plugins/blobstore.html" title="Blob Storage"><span class="none"></span>Blob Storage</a>  </li>
     <li><a href="../query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
       <ul class="nav nav-list">
     <li><a href="../query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a>  </li>
@@ -252,124 +240,160 @@
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
-  -->
-<div class="section">
+  --><div class="section">
 <h2><a name="The_Oak_Security_Layer"></a>The Oak Security Layer</h2>
 <div class="section">
 <h3><a name="General"></a>General</h3>
-<ul>
 
+<ul>
+  
 <li><a href="introduction.html">Introduction to Oak Security</a></li>
 </ul></div>
 <div class="section">
 <h3><a name="Authentication"></a>Authentication</h3>
-<ul>
 
+<ul>
+  
 <li><a href="authentication.html">Overview</a></li>
+  
 <li><a href="authentication/differences.html">Differences wrt Jackrabbit 2.x</a></li>
+  
 <li><a href="authentication/default.html">Authentication : Implementation Details</a></li>
+  
 <li><a href="authentication/preauthentication.html">Pre-Authentication</a></li>
 </ul>
 <div class="section">
 <h4><a name="Extensions"></a>Extensions</h4>
-<ul>
 
+<ul>
+  
 <li><a href="authentication/tokenmanagement.html">Token Authentication and Token Management</a></li>
+  
 <li><a href="authentication/externalloginmodule.html">External Authentication</a>
+  
 <ul>
-
+    
 <li><a href="authentication/usersync.html">User and Group Synchronization</a></li>
+    
 <li><a href="authentication/identitymanagement.html">Identity Management</a></li>
+    
 <li><a href="authentication/ldap.html">LDAP Integration</a></li>
-</ul>
-</li>
+  </ul></li>
 </ul></div></div>
 <div class="section">
 <h3><a name="Authorization"></a>Authorization</h3>
-<ul>
 
+<ul>
+  
 <li><a href="authorization.html">Overview</a>
+  
 <ul>
-
+    
 <li><a href="accesscontrol.html">Access Control Management</a></li>
+    
 <li><a href="permission.html">Permission Evalution</a></li>
+    
 <li><a href="authorization/composite.html">Combining Multiple Authorization Models</a></li>
-</ul>
-</li>
+  </ul></li>
 </ul>
 <div class="section">
 <h4><a name="Access_Control_Management"></a>Access Control Management</h4>
-<ul>
 
+<ul>
+  
 <li><a href="accesscontrol.html">Overview</a></li>
+  
 <li><a href="accesscontrol/differences.html">Differences wrt Jackrabbit 2.x</a></li>
+  
 <li><a href="accesscontrol/default.html">Access Control Management : The Default Implementation</a></li>
+  
 <li><a href="accesscontrol/editing.html">Using the API</a></li>
 </ul></div>
 <div class="section">
 <h4><a name="Permissions"></a>Permissions</h4>
-<ul>
 
+<ul>
+  
 <li><a href="permission.html">Overview</a>
+  
 <ul>
-
+    
 <li><a href="permission/permissionsandprivileges.html">Permissions vs Privileges</a></li>
-</ul>
-</li>
+  </ul></li>
+  
 <li><a href="permission/differences.html">Differences wrt Jackrabbit 2.x</a></li>
+  
 <li><a href="permission/default.html">Permissions : The Default Implementation</a>
+  
 <ul>
-
+    
 <li><a href="permission/evaluation.html">Permission Evaluation in Detail</a></li>
-</ul>
-</li>
+  </ul></li>
 </ul></div>
 <div class="section">
 <h4><a name="Privilege_Management"></a>Privilege Management</h4>
-<ul>
 
+<ul>
+  
 <li><a href="privilege.html">Overview</a></li>
+  
 <li><a href="privilege/differences.html">Differences wrt Jackrabbit 2.x</a></li>
+  
 <li><a href="privilege/default.html">Privilege Management : The Default Implementation</a></li>
+  
 <li>Mapping Privileges to Items and API Calls
+  
 <ul>
-
+    
 <li><a href="privilege/mappingtoitems.html">Mapping Privileges to Items</a></li>
+    
 <li><a href="privilege/mappingtoprivileges.html">Mapping API Calls to Privileges</a></li>
-</ul>
-</li>
+  </ul></li>
 </ul></div>
 <div class="section">
 <h4><a name="Extensions"></a>Extensions</h4>
-<ul>
 
+<ul>
+  
 <li><a href="authorization/restriction.html">Restriction Management</a></li>
+  
 <li><a href="authorization/cug.html">Managing Access with Closed User Groups (CUG)</a></li>
 </ul></div></div>
 <div class="section">
 <h3><a name="Principal_Management"></a>Principal Management</h3>
-<ul>
 
+<ul>
+  
 <li><a href="principal.html">Overview</a></li>
+  
 <li><a href="principal/differences.html">Differences wrt Jackrabbit 2.x</a></li>
 </ul></div>
 <div class="section">
 <h3><a name="User_Management"></a>User Management</h3>
-<ul>
 
+<ul>
+  
 <li><a href="user.html">Overview</a></li>
+  
 <li><a href="user/differences.html">Differences wrt Jackrabbit 2.x</a></li>
+  
 <li><a href="user/default.html">User Management : The Default Implementation</a>
+  
 <ul>
-
+    
 <li><a href="user/membership.html">Group Membership</a></li>
+    
 <li><a href="user/authorizableaction.html">Authorizable Actions</a></li>
+    
 <li><a href="user/groupaction.html">Group Actions</a></li>
+    
 <li><a href="user/authorizablenodename.html">Authorizable Node Name Generation</a></li>
+    
 <li><a href="user/expiry.html">Password Expiry and Force Initial Password Change</a></li>
+    
 <li><a href="user/history.html">Password History</a></li>
-</ul>
-</li>
+  </ul></li>
+  
 <li><a href="user/query.html">Searching Users and Groups</a></li>
 </ul></div></div>
         </div>
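Review bot: the two "Extensions" headings in this index (under Authentication and under Authorization) both carry the anchor name "Extensions", so a #Extensions fragment can only ever reach the first one; give the second a distinct name in the source. The link text "Permission Evalution" under Authorization is also misspelled. Apart from that the hunk is whitespace-only churn in the list markup, which makes real content changes hard to spot in review.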

Modified: jackrabbit/site/live/oak/docs/security/permission.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/permission.html?rev=1839663&r1=1839662&r2=1839663&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/permission.html (original)
+++ jackrabbit/site/live/oak/docs/security/permission.html Thu Aug 30 11:48:45 2018
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-08-29 
+ | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21 
  | Rendered using Apache Maven Fluido Skin 1.6
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20180829" />
+    <meta name="Date-Revision-yyyymmdd" content="20180221" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak &#x2013; Permissions</title>
     <link rel="stylesheet" href="../css/apache-maven-fluido-1.6.min.css" />
@@ -52,7 +52,6 @@
         <a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
         <ul class="dropdown-menu">
             <li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
-            <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
             <li><a href="../oak_api/overview.html" title="Oak API">Oak API</a></li>
         </ul>
       </li>
@@ -67,12 +66,7 @@
                   <li><a href="../nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
               </ul>
             </li>
-            <li class="dropdown-submenu">
-<a href="../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
-              <ul class="dropdown-menu">
-                  <li><a href="../features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
-              </ul>
-            </li>
+            <li><a href="../plugins/blobstore.html" title="Blob Storage">Blob Storage</a></li>
             <li class="dropdown-submenu">
 <a href="../query/query.html" title="Query">Query</a>
               <ul class="dropdown-menu">
@@ -142,7 +136,7 @@
 
       <div id="breadcrumbs">
         <ul class="breadcrumb">
-        <li id="publishDate">Last Published: 2018-08-29<span class="divider">|</span>
+        <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
 </li>
           <li id="projectVersion">Version: 1.10-SNAPSHOT</li>
         </ul>
@@ -161,14 +155,12 @@
     <li><a href="../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a>  </li>
           <li class="nav-header">Main APIs</li>
     <li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a>  </li>
-    <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a>  </li>
     <li><a href="../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a>  </li>
           <li class="nav-header">Features and Plugins</li>
     <li><a href="../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
       <ul class="nav nav-list">
     <li><a href="../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
       <ul class="nav nav-list">
-    <li><a href="../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a>  </li>
     <li><a href="../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a>  </li>
     <li><a href="../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a>  </li>
     <li><a href="../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a>  </li>
@@ -179,11 +171,7 @@
     <li><a href="../nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a>  </li>
       </ul>
   </li>
-    <li><a href="../plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
-      <ul class="nav nav-list">
-    <li><a href="../features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a>  </li>
-      </ul>
-  </li>
+    <li><a href="../plugins/blobstore.html" title="Blob Storage"><span class="none"></span>Blob Storage</a>  </li>
     <li><a href="../query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
       <ul class="nav nav-list">
     <li><a href="../query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a>  </li>
@@ -251,49 +239,64 @@
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
--->
-<div class="section">
+--><div class="section">
 <h2><a name="Permissions"></a>Permissions</h2>
-<a name="jcr_api"></a>
-### JCR and Jackrabbit API
-
+<p><a name="jcr_api"></a></p>
+<div class="section">
+<h3><a name="JCR_and_Jackrabbit_API"></a>JCR and Jackrabbit API</h3>
 <p>While access control management is a optional feature, a JCR implementation is required to support the basic permission checking. The basic requirements for the permission evalution are defines as follows</p>
-<blockquote>
 
+<blockquote>
 <p>Permissions encompass the restrictions imposed by any access control restrictions that may be in effect upon the content of a repository, either implementation specific or JCR-defined (Access Control Management)., which consists of</p>
 </blockquote>
 <p>The methods defined to check permissions:</p>
-<ul>
 
+<ul>
+  
 <li><tt>Session#hasPermission(String absPath, String actions)</tt></li>
+  
 <li><tt>Session#checkPermission(String absPath, String actions)</tt></li>
+  
 <li><tt>JackrabbitSession.hasPermission(String absPath, @Nonnull String... actions)</tt> (since Jackrabbit API 2.11.0 and Oak 1.4)</li>
 </ul>
 <p>The actions are expected to be a comma separated list of any of the following string constants:</p>
-<ul>
 
+<ul>
+  
 <li><tt>Session.ACTION_READ</tt></li>
+  
 <li><tt>Session.ACTION_ADD_NODE</tt></li>
+  
 <li><tt>Session.ACTION_REMOVE</tt></li>
+  
 <li><tt>Session.ACTION_SET_PROPERTY</tt></li>
 </ul>
 <p>And defined by Jackrabbit API the following additional actions (since Jackrabbit API 2.11.0):</p>
-<ul>
 
+<ul>
+  
 <li><tt>JackrabbitSession.ACTION_ADD_PROPERTY</tt></li>
+  
 <li><tt>JackrabbitSession.ACTION_MODIFY_PROPERTY</tt></li>
+  
 <li><tt>JackrabbitSession.ACTION_REMOVE_PROPERTY</tt></li>
+  
 <li><tt>JackrabbitSession.ACTION_REMOVE_NODE</tt></li>
+  
 <li><tt>JackrabbitSession.ACTION_NODE_TYPE_MANAGEMENT</tt></li>
+  
 <li><tt>JackrabbitSession.ACTION_VERSIONING</tt></li>
+  
 <li><tt>JackrabbitSession.ACTION_LOCKING</tt></li>
+  
 <li><tt>JackrabbitSession.ACTION_READ_ACCESS_CONTROL</tt></li>
+  
 <li><tt>JackrabbitSession.ACTION_MODIFY_ACCESS_CONTROL</tt></li>
+  
 <li><tt>JackrabbitSession.ACTION_USER_MANAGEMENT</tt></li>
 </ul>
 <p><b>Note</b>: As of Oak 1.0 the these methods also handle the names of the permissions defined by Oak (see <tt>Permissions#getString(long permissions)</tt>).</p>
-<p>See also section <a href="permission/permissionsandprivileges.html">Permissions vs Privileges</a> for a comparison of these permission checks and testing privileges on the <tt>AccessControlManager</tt>.</p>
-<div class="section">
+<p>See also section <a href="permission/permissionsandprivileges.html">Permissions vs Privileges</a> for a comparison of these permission checks and testing privileges on the <tt>AccessControlManager</tt>. </p>
 <div class="section">
 <div class="section">
 <h5><a name="Examples"></a>Examples</h5>
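Review bot: the introductory paragraph kept as context here still reads "a optional feature" and "The basic requirements for the permission evalution are defines as follows", and the Note says "the these methods"; these should be fixed in the Markdown source rather than carried through another publish. The method list is also inconsistent: the two Session entries use "#" (Session#hasPermission) while the third is written JackrabbitSession.hasPermission with a dot.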
@@ -301,41 +304,36 @@
 <h6><a name="Test_if_session_has_permission_to_add_a_new_node_JCR_API"></a>Test if session has permission to add a new node (JCR API)</h6>
 <p>Important: <tt>absPath</tt> refers to the node to be created</p>
 
-<div>
-<div>
-<pre class="source">Node content = session.getNode(&quot;/content&quot;);
+<div class="source">
+<div class="source"><pre class="prettyprint">Node content = session.getNode(&quot;/content&quot;);
 if (session.hasPermission(&quot;/content/newNode&quot;, Session.ACTION_ADD_NODE)) {
      content.addNode(&quot;newNode&quot;);
      session.save();
 }
-</pre></div></div>
-</div>
+</pre></div></div></div>
 <div class="section">
 <h6><a name="Test_if_session_has_permission_to_perform_version_and_lock_operations_Jackrabbit_API"></a>Test if session has permission to perform version and lock operations (Jackrabbit API)</h6>
 
-<div>
-<div>
-<pre class="source">Node content = jrSession.getNode(&quot;/content&quot;);
+<div class="source">
+<div class="source"><pre class="prettyprint">Node content = jrSession.getNode(&quot;/content&quot;);
 if (jrSession.hasPermission(&quot;/content&quot;, JackrabbitSession.ACTION_VERSIONING, JackrabbitSession.ACTION_LOCKING))) {
      content.checkin();
      session.save();
 }
-</pre></div></div>
-</div>
+</pre></div></div></div>
 <div class="section">
 <h6><a name="Test_if_session_has_permission_to_perform_version_operations_Oak_SPI"></a>Test if session has permission to perform version operations (Oak SPI)</h6>
 
-<div>
-<div>
-<pre class="source">Node content = session.getNode(&quot;/content&quot;);
+<div class="source">
+<div class="source"><pre class="prettyprint">Node content = session.getNode(&quot;/content&quot;);
 if (session.hasPermission(&quot;/content&quot;, Permissions.getString(Permissions.VERSION_MANAGEMENT))) {
      content.checkin();
      session.save();
 }
 </pre></div></div>
-<a name="oak_permissions"></a>
-### Oak Permissions
-</div></div></div>
+<p><a name="oak_permissions"></a></p></div></div></div></div>
+<div class="section">
+<h3><a name="Oak_Permissions"></a>Oak Permissions</h3>
 <div class="section">
 <h4><a name="General_Notes"></a>General Notes</h4>
 <p>As of Oak 1.0 Permission evaluation is intended to be completely separated from the access control management as defined by JCR and Jackrabbit API. While the evaluation and enforcing permissions is considered to be an internal feature of the Oak core module, the package <tt>org.apache.jackrabbit.oak.spi.security.authorization.permission</tt> provides some extensions points that allow to plug custom extensions or implementations the evaluation (see <a href="#api_extensions">API Extensions</a> below).</p></div>
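Review bot: the Jackrabbit API example does not compile as published. The line ending in "JackrabbitSession.ACTION_LOCKING))) {" has three closing parentheses where two are needed, and the block obtains the node from jrSession but then calls session.save(). Since readers copy these snippets into permission checks, please correct the example in the source so it uses one session variable and balanced parentheses.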
@@ -345,176 +343,243 @@ if (session.hasPermission(&quot;/content
 <div class="section">
 <h5><a name="Simple_Permissions"></a>Simple Permissions</h5>
 <p>Read operations:</p>
-<ul>
 
+<ul>
+  
 <li><tt>READ_NODE</tt></li>
+  
 <li><tt>READ_PROPERTY</tt></li>
+  
 <li><tt>READ_ACCESS_CONTROL</tt></li>
 </ul>
 <p>Write operations:</p>
-<ul>
 
+<ul>
+  
 <li><tt>ADD_NODE</tt></li>
+  
 <li><tt>REMOVE_NODE</tt></li>
+  
 <li><tt>MODIFY_CHILD_NODE_COLLECTION</tt></li>
+  
 <li><tt>ADD_PROPERTY</tt></li>
+  
 <li><tt>MODIFY_PROPERTY</tt></li>
+  
 <li><tt>REMOVE_PROPERTY</tt></li>
+  
 <li><tt>NODE_TYPE_MANAGEMENT</tt></li>
+  
 <li><tt>MODIFY_ACCESS_CONTROL</tt></li>
+  
 <li><tt>LOCK_MANAGEMENT</tt></li>
+  
 <li><tt>VERSION_MANAGEMENT</tt></li>
 </ul>
 <p>Since Oak 1.0:</p>
-<ul>
 
+<ul>
+  
 <li><tt>USER_MANAGEMENT</tt>: : execute user management related tasks such as e.g. creating or removing user/group, changing user password and editing group membership.</li>
+  
 <li><tt>INDEX_DEFINITION_MANAGEMENT</tt>: create, modify and remove the oak:index node and it&#x2019;s subtree which is expected to contain the index definitions.</li>
 </ul>
 <p>Repository operations:</p>
-<ul>
 
+<ul>
+  
 <li><tt>NODE_TYPE_DEFINITION_MANAGEMENT</tt></li>
+  
 <li><tt>NAMESPACE_MANAGEMENT</tt></li>
+  
 <li><tt>PRIVILEGE_MANAGEMENT</tt></li>
+  
 <li><tt>WORKSPACE_MANAGEMENT</tt></li>
 </ul>
 <p>Not used in Oak 1.0:</p>
-<ul>
 
+<ul>
+  
 <li><tt>LIFECYCLE_MANAGEMENT</tt></li>
+  
 <li><tt>RETENTION_MANAGEMENT</tt></li>
 </ul></div>
 <div class="section">
 <h5><a name="Aggregated_Permissions"></a>Aggregated Permissions</h5>
-<ul>
 
+<ul>
+  
 <li><tt>READ</tt>: aggregates <tt>READ_NODE</tt> and <tt>READ_PROPERTY</tt></li>
+  
 <li><tt>REMOVE</tt>: aggregates <tt>REMOVE_NODE</tt> and <tt>REMOVE_PROPERTY</tt></li>
+  
 <li><tt>SET_PROPERTY</tt>: aggregates <tt>ADD_PROPERTY</tt>, <tt>MODIFY_PROPERTY</tt> and <tt>REMOVE_PROPERTY</tt></li>
+  
 <li><tt>WRITE</tt>: aggregates <tt>ADD_NODE</tt>, <tt>REMOVE_NODE</tt> and <tt>SET_PROPERTY</tt></li>
+  
 <li><tt>ALL</tt>: aggregates all permissions</li>
 </ul></div></div>
 <div class="section">
 <h4><a name="Mapping_of_JCR_Actions_to_Oak_Permissions"></a>Mapping of JCR Actions to Oak Permissions</h4>
 <p><tt>ACTION_READ</tt>:</p>
-<ul>
 
+<ul>
+  
 <li>access control content: <tt>Permissions.READ_ACCESS_CONTROL</tt></li>
+  
 <li>regular nodes: <tt>Permissions.READ_NODE</tt></li>
+  
 <li>regular properties: <tt>Permissions.READ_PROPERTY</tt></li>
+  
 <li>non-existing items: <tt>Permissions.READ</tt></li>
 </ul>
 <p><tt>ACTION_ADD_NODE</tt>:</p>
-<ul>
 
+<ul>
+  
 <li>access control content: <tt>Permissions.MODIFY_ACCESS_CONTROL</tt></li>
+  
 <li>regular nodes: <tt>Permissions.ADD_NODE</tt></li>
 </ul>
 <p><tt>ACTION_REMOVE</tt>:</p>
-<ul>
 
+<ul>
+  
 <li>access control content: <tt>Permissions.MODIFY_ACCESS_CONTROL</tt></li>
+  
 <li>regular nodes: <tt>Permissions.REMOVE_NODE</tt></li>
+  
 <li>regular properties: <tt>Permissions.REMOVE_PROPERTY</tt></li>
+  
 <li>non-existing nodes: <tt>Permissions.REMOVE</tt></li>
 </ul>
 <p><tt>ACTION_SET_PROPERTY</tt>:</p>
-<ul>
 
+<ul>
+  
 <li>access control content: <tt>Permissions.MODIFY_ACCESS_CONTROL</tt></li>
+  
 <li>regular properties: <tt>Permissions.MODIFY_PROPERTY</tt></li>
+  
 <li>non-existing properties: <tt>Permissions.ADD_PROPERTY</tt></li>
 </ul>
 <p><tt>ACTION_ADD_PROPERTY</tt>:</p>
-<ul>
 
+<ul>
+  
 <li>access control content: <tt>Permissions.MODIFY_ACCESS_CONTROL</tt></li>
+  
 <li>other properties: <tt>Permissions.ADD_PROPERTY</tt></li>
 </ul>
 <p><tt>ACTION_MODIFY_PROPERTY</tt>:</p>
-<ul>
 
+<ul>
+  
 <li>access control content: <tt>Permissions.MODIFY_ACCESS_CONTROL</tt></li>
+  
 <li>other properties: <tt>Permissions.MODIFY_PROPERTY</tt></li>
 </ul>
 <p><tt>ACTION_REMOVE_PROPERTY</tt>:</p>
-<ul>
 
+<ul>
+  
 <li>access control content: <tt>Permissions.MODIFY_ACCESS_CONTROL</tt></li>
+  
 <li>other properties: <tt>Permissions.REMOVE_PROPERTY</tt></li>
 </ul>
 <p><tt>ACTION_REMOVE_NODE</tt>:</p>
-<ul>
 
+<ul>
+  
 <li>access control content: <tt>Permissions.MODIFY_ACCESS_CONTROL</tt></li>
+  
 <li>regular nodes: <tt>Permissions.REMOVE_NODE</tt></li>
 </ul>
 <p><tt>ACTION_NODE_TYPE_MANAGEMENT</tt></p>
-<ul>
 
+<ul>
+  
 <li><tt>Permissions.NODE_TYPE_MANAGEMENT</tt></li>
 </ul>
 <p><tt>ACTION_VERSIONING</tt></p>
-<ul>
 
+<ul>
+  
 <li><tt>Permissions.VERSION_MANAGEMENT</tt></li>
 </ul>
 <p><tt>ACTION_LOCKING</tt></p>
-<ul>
 
+<ul>
+  
 <li><tt>Permissions.LOCK_MANAGEMENT</tt></li>
 </ul>
 <p><tt>ACTION_READ_ACCESS_CONTROL</tt></p>
-<ul>
 
+<ul>
+  
 <li><tt>Permissions.READ_ACCESS_CONTROL</tt></li>
 </ul>
 <p><tt>ACTION_MODIFY_ACCESS_CONTROL</tt></p>
-<ul>
 
+<ul>
+  
 <li><tt>Permissions.MODIFY_ACCESS_CONTROL</tt></li>
 </ul>
 <p><tt>ACTION_USER_MANAGEMENT</tt></p>
-<ul>
 
+<ul>
+  
 <li><tt>Permissions.USER_MANAGEMENT</tt></li>
 </ul></div>
 <div class="section">
 <h4><a name="Permissions_for_Different_Operations"></a>Permissions for Different Operations</h4>
 <div class="section">
 <h5><a name="Reading"></a>Reading</h5>
-<ul>
 
+<ul>
+  
 <li><b>Regular Items</b>: Due to the fine grained read permissions Oak read access can be separately granted/denied for nodes and properties. Granting the <tt>jcr:read</tt> privilege will result in a backwards compatible read access for nodes and their properties, while specifying <tt>rep:readNodes</tt> or <tt>rep:readProperties</tt> privileges allows to grant or deny access to nodes and properties (see also <a href="privilege.html">Privilege Management</a> for changes in the privilege definitions). Together with the restrictions this new behavior now allows to individually grant/deny access to properties that match a given name/path/nodetype (and as a possible extension even property value).</li>
+  
 <li><b>Version Content</b>: The accessibility of version content located underneath <tt>/jcr:system/jcr:versionStore</tt> is defined by the permissions present with the versionable node. In case the version information does no longer have a versionable node in this workspace it&#x2019;s original versionable path is used to evaluate the effective permissions that would apply to that item if the version was restored. This change is covered by <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-444">OAK-444</a> and addresses concerns summarized in <a class="externalLink" href="https://issues.apache.org/jira/browse/JCR-2963">JCR-2963</a>.</li>
+  
 <li><b>Access Control Content</b> Read access to access control content such node storing policy or ACE information requires <tt>READ_ACCESS_CONTROL</tt> permission.</li>
 </ul></div>
 <div class="section">
 <h5><a name="Writing"></a>Writing</h5>
-<ul>
 
+<ul>
+  
 <li><b>Property Modification</b>: Since Oak the former <tt>SET_PROPERTY</tt> permission has been split such to allow for more fined grained control on writing JCR properties. In particular Oak clearly distinguishes between creating a new property that didn&#x2019;t exist before, modifying or removing an existing property. This will allow to cover those cases where a given <tt>Subject</tt> is only allowed to create content without having the ability to modify/delete it later on.</li>
+  
 <li><b>Node Removal</b>: As of Oak <tt>Node#remove()</tt> only requires sufficient permissions to remove the target node. See below for configuration parameters to obtain backwards compatible behavior.</li>
+  
 <li><b>Rename</b>: Due to the nature of the diff mechanism in Oak it is no longer possible to distinguish between <tt>JackrabbitNode#rename</tt> and a move with subsequent reordering.</li>
+  
 <li><b>Move</b>: The current permission evaluation attempts to provide a best-effort handling to achieve a similar behavior that it was present in Jackrabbit 2.x by keeping track of transient move operations. The current implementation has the following limitations with respect to multiple move operations within a given set of transient operations:
+  
 <ul>
-
+    
 <li>Move operations that replace an node that has been moved away will not be detected as modification by the diff mechanism and regular permission checks for on the subtree will be performed.</li>
+    
 <li>Moving an ancestor of a node that has been moved will only detect the second move and will enforce regular permissions checks on the child that has been moved in a first step.</li>
-</ul>
-</li>
+  </ul></li>
+  
 <li><b>Managing Index Definitions</b>: Writing query index definitions requires the specific index definition management which is enforce on nodes named &#x201c;oak:index&#x201d; and the subtree defined by them. Note that the corresponding items are not protected in the JCR sense. Consequently any other modification in these subtrees like e.g. changing the primary type or adding mixin types is governed by the corresponding privileges.</li>
 </ul></div>
 <div class="section">
 <h5><a name="Writing_Protected_Items"></a>Writing Protected Items</h5>
 <p>Writing protected items requires specific permissions and is not covered by regular JCR write permissions. This affects:</p>
-<ul>
 
+<ul>
+  
 <li><b>Set/Modify Primary or Mixin Type</b>: <tt>NODE_TYPE_MANAGEMENT</tt></li>
+  
 <li><b>Access Control Content</b>: <tt>MODIFY_ACCESS_CONTROL</tt></li>
+  
 <li><b>Locking</b>: <tt>LOCK_MANAGEMENT</tt></li>
+  
 <li><b>Versioning</b>: Executing version related operations and thus writing to the version store requires <tt>VERSION_MANAGEMENT</tt> permission instead of the regular JCR write permissions. Similarly, the content in the version store can only be modified using the dedicated version management API.</li>
+  
 <li><b>User Management</b>: By default user management operations require the specific user management related permission <tt>USER_MANAGEMENT</tt> to be granted for the editing subject. This permission (including a corresponding privilege) has been introduced with Oak 1.0. See below for configuration parameters to obtain backwards compatible behavior.</li>
 </ul></div>
 <div class="section">
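Review bot: several statements in this hunk that define what is enforced are grammatically broken and can be misread. Under Reading, the Access Control Content item lacks the colon the other items have and says "such node storing policy or ACE information"; under Writing, Managing Index Definitions says "the specific index definition management which is enforce on nodes named oak:index" without naming the permission (INDEX_DEFINITION_MANAGEMENT, listed earlier in the hunk). Smaller items: "USER_MANAGEMENT: :" has a doubled colon, and "it's subtree" and "more fined grained" need fixing.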
@@ -522,58 +587,71 @@ if (session.hasPermission(&quot;/content
 <p>Permission evaluation is also applied when delivering observation events respecting the effective permission setup of the <tt>Session</tt> that registered the <tt>EventListener</tt>.</p>
 <p>However, it is important to understand that events are only delivered once the modifications have been successfully persisted and permissions will be evaluated against the persisted state.</p>
 <p>In other words: Changing the permission setup along with the modifications to be reported to the <tt>EventListener</tt> will result in events being included or excluded according to the modified permissions. See <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-4196">OAK-4196</a> for an example.</p>
-<a name="api_extensions"></a>
-### API Extensions
-
+<p><a name="api_extensions"></a></p></div></div></div>
+<div class="section">
+<h3><a name="API_Extensions"></a>API Extensions</h3>
 <p>Due to the separation of access control management from permission evaluation, Oak 1.0 comes with a dedicated API for permission discovery that is used both for the repository internal permission evaluation as well as for permission discovery at JCR level.</p>
 <p>The package <tt>org.apache.jackrabbit.oak.spi.security.authorization.permission</tt> defines the following interfaces and classes:</p>
-<ul>
 
+<ul>
+  
 <li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authorization/permission/PermissionProvider.html">PermissionProvider</a>: Main entry point for permission discovery and evaluation.
+  
 <ul>
-
+    
 <li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authorization/permission/TreePermission.html">TreePermission</a>: Evaluates the permissions of a given Oak <tt>Tree</tt>, exposed by <tt>PermissionProvider</tt>.</li>
+    
 <li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authorization/permission/RepositoryPermission.html">RepositoryPermission</a>: Evaluates the repository level permissions, exposed by <tt>PermissionProvider</tt>.</li>
-</ul>
-</li>
+  </ul></li>
+  
 <li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authorization/permission/AggregatedPermissionProvider.html">AggregatedPermissionProvider</a>: Extension of the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authorization/permission/PermissionProvider.html">PermissionProvider</a> required for implementations that are intended to be used in an aggregation of multiple providers (since Oak 1.4)</li>
+  
 <li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authorization/permission/Permissions.html">Permissions</a>: The permissions defined, respected and evaluated by the repository.</li>
+  
 <li><a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authorization/permission/PermissionConstants.html">PermissionConstants</a>: Constants used throughout the permission evaluation.</li>
 </ul>
-<a name="default_implementation"></a>
-### Characteristics of the Permission Evaluation
-
-<p>As explained above permission evaluation is completely separated from the access control management and the associated ccontent.  The evaluation itself is done by the configured <tt>PermissionProvider</tt>.</p>
-<p>Each JCR <tt>Session</tt> (and Oak <tt>ContentSession</tt>) gets it&#x2019;s own <tt>PermissionProvider</tt> associated with the current repository revision the session is operating on. The evaluated permissions and caches are not shared between different sessions even if they represent the same subject.</p></div></div>
+<p><a name="default_implementation"></a></p></div>
+<div class="section">
+<h3><a name="Characteristics_of_the_Permission_Evaluation"></a>Characteristics of the Permission Evaluation</h3>
+<p>As explained above permission evaluation is completely separated from the access control management and the associated ccontent. The evaluation itself is done by the configured <tt>PermissionProvider</tt>.</p>
+<p>Each JCR <tt>Session</tt> (and Oak <tt>ContentSession</tt>) gets it&#x2019;s own <tt>PermissionProvider</tt> associated with the current repository revision the session is operating on. The evaluated permissions and caches are not shared between different sessions even if they represent the same subject.</p>
 <div class="section">
 <h4><a name="Differences_wrt_Jackrabbit_2.x"></a>Differences wrt Jackrabbit 2.x</h4>
 <p>see the corresponding <a href="permission/differences.html">documentation</a>.</p></div>
 <div class="section">
 <h4><a name="Details_on_the_Default_Permission_Evaluation"></a>Details on the Default Permission Evaluation</h4>
 <p>The behavior of the default permission implementation is described in sections <a href="permission/default.html">Permissions: The Default Implementation</a> and <a href="permission/evaluation.html">Permission Evaluation in Detail: The Default Implementation</a>.</p>
-<a name="configuration"></a>
-### Configuration
-
+<p><a name="configuration"></a></p></div></div>
+<div class="section">
+<h3><a name="Configuration"></a>Configuration</h3>
 <p>The configuration of the permission evaluation implementation is handled by the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authorization/AuthorizationConfiguration.html">AuthorizationConfiguration</a>, which is used for all authorization related matters. This class provides the following two permission related methods:</p>
-<ul>
 
+<ul>
+  
 <li><tt>getPermissionProvider(Root, String, Set&lt;Principal&gt;)</tt>: get a new <tt>PermissionProvider</tt> instance.</li>
-</ul></div>
+</ul>
 <div class="section">
 <h4><a name="Configuration_Parameters"></a>Configuration Parameters</h4>
 <p>The supported configuration options of the default implementation are described in the corresponding <a href="permission/default.html#configuration">section</a>.</p>
-<a name="further_reading"></a>
-### Further Reading
+<p><a name="further_reading"></a></p></div></div>
+<div class="section">
+<h3><a name="Further_Reading"></a>Further Reading</h3>
 
 <ul>
-
+  
 <li><a href="permission/permissionsandprivileges.html">Permissions vs Privileges</a></li>
+  
 <li><a href="permission/differences.html">Differences wrt Jackrabbit 2.x</a></li>
+  
 <li><a href="permission/default.html">Permissions : The Default Implementation</a></li>
+  
 <li><a href="permission/evaluation.html">Permission Evaluation in Detail</a></li>
+  
 <li><a href="permission/multiplexing.html">Multiplexed PermissionStore</a></li>
+  
 <li><a href="authorization/restriction.html">Restriction Management</a></li>
-</ul><!-- references --></div></div></div>
+</ul>
+<!-- references --></div></div>
         </div>
       </div>
     </div>
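Review bot: In the Configuration section of this hunk, the paragraph says AuthorizationConfiguration "provides the following two permission related methods", but the list that follows has a single item, `getPermissionProvider(Root, String, Set<Principal>)`. Either list the second method or change the sentence in the markdown source so the regenerated page matches. The + lines under Characteristics of the Permission Evaluation also carry over "ccontent" and "it's own"; correct those in the source as well ("content", "its own").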

Modified: jackrabbit/site/live/oak/docs/security/permission/default.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/permission/default.html?rev=1839663&r1=1839662&r2=1839663&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/permission/default.html (original)
+++ jackrabbit/site/live/oak/docs/security/permission/default.html Thu Aug 30 11:48:45 2018
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-08-29 
+ | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21 
  | Rendered using Apache Maven Fluido Skin 1.6
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20180829" />
+    <meta name="Date-Revision-yyyymmdd" content="20180221" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak &#x2013; Permissions : The Default Implementation</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
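Review bot: The generator stamp in this header moves backwards: the - lines say Doxia Site Renderer 1.8.1 at 2018-08-29 and Date-Revision 20180829, while the + lines say 1.7.4 at 2018-02-21 and 20180221. Replacing newer generated output with older output suggests the site was built with an outdated toolchain or tree. Please confirm which build is meant to be published before this goes under site/live.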
@@ -52,7 +52,6 @@
         <a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
         <ul class="dropdown-menu">
             <li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
-            <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
             <li><a href="../../oak_api/overview.html" title="Oak API">Oak API</a></li>
         </ul>
       </li>
@@ -67,12 +66,7 @@
                   <li><a href="../../nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
               </ul>
             </li>
-            <li class="dropdown-submenu">
-<a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
-              <ul class="dropdown-menu">
-                  <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
-              </ul>
-            </li>
+            <li><a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a></li>
             <li class="dropdown-submenu">
 <a href="../../query/query.html" title="Query">Query</a>
               <ul class="dropdown-menu">
@@ -142,7 +136,7 @@
 
       <div id="breadcrumbs">
         <ul class="breadcrumb">
-        <li id="publishDate">Last Published: 2018-08-29<span class="divider">|</span>
+        <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
 </li>
           <li id="projectVersion">Version: 1.10-SNAPSHOT</li>
         </ul>
@@ -161,14 +155,12 @@
     <li><a href="../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a>  </li>
           <li class="nav-header">Main APIs</li>
     <li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a>  </li>
-    <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a>  </li>
     <li><a href="../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a>  </li>
           <li class="nav-header">Features and Plugins</li>
     <li><a href="../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
       <ul class="nav nav-list">
     <li><a href="../../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
       <ul class="nav nav-list">
-    <li><a href="../../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a>  </li>
     <li><a href="../../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a>  </li>
     <li><a href="../../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a>  </li>
     <li><a href="../../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a>  </li>
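Review bot: This sidebar hunk deletes the Jackrabbit API and MongoDB DocumentStore entries with no replacement, so nodestore/document/mongo-document-store.html is no longer linked from this page's navigation. If the removal is a side effect of regenerating the site rather than an intended navigation change, rebuild from the current site descriptor so the entries are kept.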
@@ -179,11 +171,7 @@
     <li><a href="../../nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a>  </li>
       </ul>
   </li>
-    <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
-      <ul class="nav nav-list">
-    <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a>  </li>
-      </ul>
-  </li>
+    <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="none"></span>Blob Storage</a>  </li>
     <li><a href="../../query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
       <ul class="nav nav-list">
     <li><a href="../../query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a>  </li>
@@ -251,52 +239,57 @@
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
--->
-<div class="section">
+--><div class="section">
 <h2><a name="Permissions_:_The_Default_Implementation"></a>Permissions : The Default Implementation</h2>
 <div class="section">
 <h3><a name="General_Notes"></a>General Notes</h3>
 <p>The default implementation of the <tt>PermissionProvider</tt> interface evaluates permissions based on the information stored in a dedicated part of the repository content call the <a href="#permissionStore">permission store</a>.</p>
-<a name="default_implementation"></a>
-### Characteristics of the Permission Evaluation
-
+<p><a name="default_implementation"></a></p></div>
+<div class="section">
+<h3><a name="Characteristics_of_the_Permission_Evaluation"></a>Characteristics of the Permission Evaluation</h3>
 <div class="section">
 <h4><a name="Regular_Permission_Evaluation"></a>Regular Permission Evaluation</h4>
 <p>See section <a href="evaluation.html">Permission Evaluation in Detail</a>.</p></div>
 <div class="section">
 <h4><a name="Readable_Trees"></a>Readable Trees</h4>
 <p>Oak 1.0 comes with a configurable set of subtrees that are read-accessible to all subjects irrespective of other access control content taking effect. The original aim of these readable trees is to assert full acccess to namespace, nodetype and privilege information and the corresponding configuration therefore lists the following paths:</p>
-<ul>
 
+<ul>
+  
 <li><tt>/jcr:system/rep:namespaces</tt>: stores all registered namespaces</li>
+  
 <li><tt>/jcr:system/jcr:nodeTypes</tt>: stores all registered node types</li>
+  
 <li><tt>/jcr:system/rep:privileges</tt>: stores all registered privileges</li>
 </ul>
 <p>This default set can be changed or extended by setting the corresponding configuration option. However, it is important to note that many JCR API calls rely on the accessibility of the namespace, nodetype and privilege information. Removing the corresponding paths from the configuration will most probably have undesired effects.</p></div>
 <div class="section">
 <h4><a name="Administrative_Access"></a>Administrative Access</h4>
 <p>In the default implementation following principals always have full access to the whole content repository (except for hidden items that are not exposed on the Oak API) irrespective of the access control content:</p>
-<ul>
 
+<ul>
+  
 <li><tt>SystemPrincipal</tt></li>
+  
 <li>All instances of <tt>AdminPrincipal</tt></li>
+  
 <li>All principals whose name matches the configured administrative principal names (see Configuration section below). This configuration only applies to the permission evaluation and is currently not reflected in other security models nor methods that deal with the administrator (i.e. <tt>User#isAdmin</tt>).</li>
 </ul></div>
 <div class="section">
 <h4><a name="Permission_Evaluation_in_Multiplexed_Stores"></a>Permission Evaluation in Multiplexed Stores</h4>
 <p>See section <a href="multiplexing.html">Multiplexing support in the PermissionStore</a>.</p>
-<a name="representation"></a>
-### Representation in the Repository
-<a name="permissionStore"></a>
-#### Permission Store
-
+<p><a name="representation"></a></p></div></div>
+<div class="section">
+<h3><a name="Representation_in_the_Repository"></a>Representation in the Repository</h3>
+<p><a name="permissionStore"></a></p>
+<div class="section">
+<h4><a name="Permission_Store"></a>Permission Store</h4>
 <p>The permission evaluation present with Oak 1.0 keeps a dedicated location where permissions are being stored for later evaluation. The store is kept in sync with the access control content by a separated <tt>PostValidationHook</tt> implementation ([PermissionHook]).</p>
 <p>The location of the permission store is <tt>/jcr:system/rep:permissionStore</tt>; in accordance with other stores underneath <tt>jcr:system</tt> it is global to the whole repository keeping a separate entry for each workspace present with the repository.</p>
 <p>The permission entries are grouped by principal and stored below the store root based on the hash value of the path of the access controlled node; hash collisions are handled by adding subnodes accordingly.</p>
 
-<div>
-<div>
-<pre class="source">/jcr:system/rep:permissionStore/workspace-name [rep:PermissionStore]
+<div class="source">
+<div class="source"><pre class="prettyprint">/jcr:system/rep:permissionStore/workspace-name [rep:PermissionStore]
     /principal-name [rep:PermissionStore]
         /1259237738 [rep:PermissionStore]
             /0     [rep:Permissions]
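Review bot: In the Permission Store paragraph, "([PermissionHook])" is an unresolved reference-style link that renders as literal brackets; add the link definition in the markdown source or mark the name up as `<tt>PermissionHook</tt>`. Two wording slips in the context lines of this hunk should be fixed in the source at the same time: "repository content call the permission store" (called) and "full acccess" (access).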
@@ -313,12 +306,10 @@
             /0     [rep:Permissions]
             /1     [rep:Permissions]
 </pre></div></div>
-
 <p>Each per path store looks as follows</p>
 
-<div>
-<div>
-<pre class="source">&quot;1259237738&quot; {
+<div class="source">
+<div class="source"><pre class="prettyprint">&quot;1259237738&quot; {
     &quot;jcr:primaryType&quot;: &quot;rep:PermissionStore&quot;,
     &quot;rep:accessControlledPath&quot;: &quot;/content&quot;,
     &quot;0&quot;: {
@@ -330,7 +321,6 @@
     }
 }
 </pre></div></div>
-
 <div class="section">
 <h5><a name="Accessing_the_Permission_Store"></a>Accessing the Permission Store</h5>
 <p>It is important to understand that the permission store is a implementation specific structure that is maintained by the system itself. For this reason access to the permission store is additionally restricted superimposing the regular permissions being enforced for regular repository items.</p>
@@ -339,9 +329,8 @@
 <h4><a name="Node_Type_Definitions"></a>Node Type Definitions</h4>
 <p>For the permission store the following built-in node types have been defined:</p>
 
-<div>
-<div>
-<pre class="source">[rep:PermissionStore]
+<div class="source">
+<div class="source"><pre class="prettyprint">[rep:PermissionStore]
   - rep:accessControlledPath (STRING) protected IGNORE
   - rep:numPermissions (LONG) protected IGNORE
   - rep:modCount (LONG) protected IGNORE
@@ -353,81 +342,127 @@
   - * (UNDEFINED) protected multiple IGNORE
   + * (rep:Permissions) = rep:Permissions protected IGNORE
 </pre></div></div>
-
 <p>In addition Oak 1.0 defines a specific mixin type that allows to store the path(s) of the versionable node with each version history. Adding this mixing and updating the versionable path information is taken care of by a dedicated commit hook implementation (<tt>VersionablePathHook</tt>).</p>
 
-<div>
-<div>
-<pre class="source">[rep:VersionablePaths]
+<div class="source">
+<div class="source"><pre class="prettyprint">[rep:VersionablePaths]
   mixin
   - * (PATH) protected ABORT
 </pre></div></div>
-<a name="validation"></a>
-### Validation
-
+<p><a name="validation"></a></p></div></div>
+<div class="section">
+<h3><a name="Validation"></a>Validation</h3>
 <p>The consistency of this content structure is asserted by a dedicated <tt>PermissionValidator</tt>. The corresponding errors are all of type <tt>Access</tt> with the following codes:</p>
-<table border="0" class="table table-striped">
-<thead>
 
+<table border="0" class="table table-striped">
+  <thead>
+    
 <tr class="a">
-<th> Code              </th>
-<th> Message                                                  </th></tr>
-</thead><tbody>
-
+      
+<th>Code </th>
+      
+<th>Message </th>
+    </tr>
+  </thead>
+  <tbody>
+    
 <tr class="b">
-<td> 0000              </td>
-<td> Generic access violation                                 </td></tr>
+      
+<td>0000 </td>
+      
+<td>Generic access violation </td>
+    </tr>
+    
 <tr class="a">
-<td> 0021              </td>
-<td> Version storage: Node creation without version history   </td></tr>
+      
+<td>0021 </td>
+      
+<td>Version storage: Node creation without version history </td>
+    </tr>
+    
 <tr class="b">
-<td> 0022              </td>
-<td> Version storage: Removal of intermediate node            </td></tr>
-</tbody>
+      
+<td>0022 </td>
+      
+<td>Version storage: Removal of intermediate node </td>
+    </tr>
+  </tbody>
 </table>
-<a name="configuration"></a>
-### Configuration
-</div>
+<p><a name="configuration"></a></p></div>
+<div class="section">
+<h3><a name="Configuration"></a>Configuration</h3>
 <div class="section">
 <h4><a name="Configuration_Parameters"></a>Configuration Parameters</h4>
 <p>The default implementation supports the following configuration parameters:</p>
-<table border="0" class="table table-striped">
-<thead>
 
+<table border="0" class="table table-striped">
+  <thead>
+    
 <tr class="a">
-<th> Parameter                         </th>
-<th> Type                </th>
-<th> Default  </th>
-<th> Description </th></tr>
-</thead><tbody>
-
+      
+<th>Parameter </th>
+      
+<th>Type </th>
+      
+<th>Default </th>
+      
+<th>Description </th>
+    </tr>
+  </thead>
+  <tbody>
+    
 <tr class="b">
-<td> <tt>PARAM_PERMISSIONS_JR2</tt>           </td>
-<td> String              </td>
-<td> -       </td>
-<td> Enables backwards compatible behavior for the permissions listed in the parameter value containing the permission names separated by &#x2018;,&#x2019;. Supported values are: <tt>USER_MANAGEMENT</tt>,<tt>REMOVE_NODE</tt> </td></tr>
+      
+<td><tt>PARAM_PERMISSIONS_JR2</tt> </td>
+      
+<td>String </td>
+      
+<td>- </td>
+      
+<td>Enables backwards compatible behavior for the permissions listed in the parameter value containing the permission names separated by &#x2018;,&#x2019;. Supported values are: <tt>USER_MANAGEMENT</tt>,<tt>REMOVE_NODE</tt> </td>
+    </tr>
+    
 <tr class="a">
-<td> <tt>PARAM_READ_PATHS</tt>                </td>
-<td> Set&lt;String&gt;       </td>
-<td> paths to namespace, nodetype and privilege root nodes  </td>
-<td> Set of paths that are always readable to all principals irrespective of other permissions defined at that path or inherited from other nodes. </td></tr>
+      
+<td><tt>PARAM_READ_PATHS</tt> </td>
+      
+<td>Set&lt;String&gt; </td>
+      
+<td>paths to namespace, nodetype and privilege root nodes </td>
+      
+<td>Set of paths that are always readable to all principals irrespective of other permissions defined at that path or inherited from other nodes. </td>
+    </tr>
+    
 <tr class="b">
-<td> <tt>PARAM_ADMINISTRATIVE_PRINCIPALS</tt> </td>
-<td> String[]            </td>
-<td> -       </td>
-<td> The names of the additional principals that have full permission and for which the permission evaluation can be skipped altogether. </td></tr>
+      
+<td><tt>PARAM_ADMINISTRATIVE_PRINCIPALS</tt> </td>
+      
+<td>String[] </td>
+      
+<td>- </td>
+      
+<td>The names of the additional principals that have full permission and for which the permission evaluation can be skipped altogether. </td>
+    </tr>
+    
 <tr class="a">
+      
+<td> </td>
+      
 <td> </td>
+      
 <td> </td>
+      
 <td> </td>
-<td> </td></tr>
-</tbody>
+    </tr>
+  </tbody>
 </table>
 <div class="section">
 <h5><a name="Supported_Values_for_PARAM_PERMISSIONS_JR2"></a>Supported Values for PARAM_PERMISSIONS_JR2</h5>
-<ul>
 
+<ul>
+  
 <li><tt>REMOVE_NODE</tt>: if present, the permission evaluation will traverse down the hierarchy upon node removal. This config flag is a best effort approach but doesn&#x2019;t guarantee an identical behavior.</li>
+  
 <li><tt>USER_MANAGEMENT</tt>: if set permissions for user related items will be evaluated the same way as regular JCR items irrespective of their protection status.</li>
 </ul></div>
 <div class="section">
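Review bot: The Configuration Parameters table ends with a row of four empty `<td>` cells, which the + side reproduces as a blank striped row after PARAM_ADMINISTRATIVE_PRINCIPALS; drop the trailing empty row from the source table. In the same hunk, "Adding this mixing" in the rep:VersionablePaths paragraph should read "mixin".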

Modified: jackrabbit/site/live/oak/docs/security/permission/differences.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/permission/differences.html?rev=1839663&r1=1839662&r2=1839663&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/permission/differences.html (original)
+++ jackrabbit/site/live/oak/docs/security/permission/differences.html Thu Aug 30 11:48:45 2018
@@ -1,13 +1,13 @@
 <!DOCTYPE html>
 <!--
- | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-08-29 
+ | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21 
  | Rendered using Apache Maven Fluido Skin 1.6
 -->
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
   <head>
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
-    <meta name="Date-Revision-yyyymmdd" content="20180829" />
+    <meta name="Date-Revision-yyyymmdd" content="20180221" />
     <meta http-equiv="Content-Language" content="en" />
     <title>Jackrabbit Oak &#x2013; Permissions : Differences wrt Jackrabbit 2.x</title>
     <link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -52,7 +52,6 @@
         <a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
         <ul class="dropdown-menu">
             <li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
-            <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
             <li><a href="../../oak_api/overview.html" title="Oak API">Oak API</a></li>
         </ul>
       </li>
@@ -67,12 +66,7 @@
                   <li><a href="../../nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
               </ul>
             </li>
-            <li class="dropdown-submenu">
-<a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
-              <ul class="dropdown-menu">
-                  <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
-              </ul>
-            </li>
+            <li><a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a></li>
             <li class="dropdown-submenu">
 <a href="../../query/query.html" title="Query">Query</a>
               <ul class="dropdown-menu">
@@ -142,7 +136,7 @@
 
       <div id="breadcrumbs">
         <ul class="breadcrumb">
-        <li id="publishDate">Last Published: 2018-08-29<span class="divider">|</span>
+        <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
 </li>
           <li id="projectVersion">Version: 1.10-SNAPSHOT</li>
         </ul>
@@ -161,14 +155,12 @@
     <li><a href="../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a>  </li>
           <li class="nav-header">Main APIs</li>
     <li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a>  </li>
-    <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a>  </li>
     <li><a href="../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a>  </li>
           <li class="nav-header">Features and Plugins</li>
     <li><a href="../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
       <ul class="nav nav-list">
     <li><a href="../../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
       <ul class="nav nav-list">
-    <li><a href="../../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a>  </li>
     <li><a href="../../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a>  </li>
     <li><a href="../../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a>  </li>
     <li><a href="../../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a>  </li>
@@ -179,11 +171,7 @@
     <li><a href="../../nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a>  </li>
       </ul>
   </li>
-    <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
-      <ul class="nav nav-list">
-    <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a>  </li>
-      </ul>
-  </li>
+    <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="none"></span>Blob Storage</a>  </li>
     <li><a href="../../query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
       <ul class="nav nav-list">
     <li><a href="../../query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a>  </li>
@@ -251,30 +239,35 @@
    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    See the License for the specific language governing permissions and
    limitations under the License.
-  -->
-<div class="section">
+  --><div class="section">
 <div class="section">
 <h3><a name="Permissions_:_Differences_wrt_Jackrabbit_2.x"></a>Permissions : Differences wrt Jackrabbit 2.x</h3>
 <div class="section">
 <h4><a name="General_Notes"></a>General Notes</h4>
 <p>The permission evaluation as present in Oak 1.0 differs from Jackrabbit 2.x in two fundamental aspects:</p>
-<ol style="list-style-type: decimal">
 
-<li>Permission evaluation has been completely separated from the access control content and is executed based on the information stored in the permission store.</li>
-<li>Each JCR <tt>Session</tt> (or Oak <tt>ContentSession</tt>) gets it&#x2019;s own <tt>PermissionProvider</tt> associated with the current repository revision the session is operating on.</li>
+<ol style="list-style-type: decimal">
+  
+<li>Permission evaluation has been completely separated from the access control  content and is executed based on the information stored in the permission store.</li>
+  
+<li>Each JCR <tt>Session</tt> (or Oak <tt>ContentSession</tt>) gets it&#x2019;s own <tt>PermissionProvider</tt>  associated with the current repository revision the session is operating on.</li>
 </ol></div>
 <div class="section">
 <h4><a name="Permissions"></a>Permissions</h4>
 <p>The following permissions are now an aggregation of new permissions:</p>
-<ul>
 
+<ul>
+  
 <li><tt>READ</tt>: aggregates <tt>READ_NODE</tt> and <tt>READ_PROPERTY</tt></li>
+  
 <li><tt>SET_PROPERTY</tt>: aggregates <tt>ADD_PROPERTY</tt>, <tt>MODIFY_PROPERTY</tt> and <tt>REMOVE_PROPERTY</tt></li>
 </ul>
 <p>The following permissions have been introduced with Oak 1.0:</p>
-<ul>
 
+<ul>
+  
 <li><tt>USER_MANAGEMENT</tt>: permission to execute user management related tasks such as e.g. creating or removing user/group, changing user password and editing group membership.</li>
+  
 <li><tt>INDEX_DEFINITION_MANAGEMENT</tt>: permission to create, modify and remove the oak:index node and it&#x2019;s subtree which is expected to contain the index definitions.</li>
 </ul></div>
 <div class="section">
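Review bot: The two rewritten `<li>` items in General Notes gain a doubled space ("access control  content", "PermissionProvider  associated"), which points to a hard line wrap inside the list items of the source; join those lines there. The second item and the INDEX_DEFINITION_MANAGEMENT entry also use "it's" where the possessive "its" is meant.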
@@ -304,7 +297,8 @@
 <p>Repository level operations such as namespace, nodetype, privilege and workspace management require permissions to be defined at the repository level such as outlined by JSR 283. This implies that access control policies need to be set at the <tt>null</tt> path. In contrast to Jackrabbit 2.x permissions defined at any regular path such as e.g. the root path with be ignored.</p></div></div>
 <div class="section">
 <h4><a name="Configuration"></a>Configuration</h4>
-<p>The <tt>omit-default-permission</tt> configuration option present with the Jackrabbit&#x2019;s AccessControlProvider implementations is no longer supported with Oak. Since there are no permissions installed by default this flag has become superfluous.</p><!-- hidden references --></div></div></div>
+<p>The <tt>omit-default-permission</tt> configuration option present with the Jackrabbit&#x2019;s AccessControlProvider implementations is no longer supported with Oak. Since there are no permissions installed by default this flag has become superfluous.</p>
+<!-- hidden references --></div></div></div>
         </div>
       </div>
     </div>
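Review bot: The repository-level permissions paragraph in this hunk ends "the root path with be ignored", which should read "will be ignored". The sentence states which policies take no effect for repository-level operations, so it is worth correcting in the source before the page is republished.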