You are viewing a plain text version of this content. The canonical link for it is here.

Posted to oak-issues@jackrabbit.apache.org by "Angela Schreiber (Jira)" <ji...@apache.org> on 2022/07/21 08:42:00 UTC

[jira] [Commented] (OAK-9852) FilterProviderImpl should log a warning if a subject contains 'mixed' service-user-principals

    [ https://issues.apache.org/jira/browse/OAK-9852?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17569310#comment-17569310 ] 

Angela Schreiber commented on OAK-9852:
---------------------------------------

[~cschneider], make sense.... though i would limit the warning to the case where there the subject consists solely of service user principals where some support principal-based-ac and some don't. this is the case that is most certainly not intended and might actually cause unexpected permission issues.

here the list of possible subjects:
- no system-user-prinicpal in subject -> ok (default authorization)
- mix system-userprinicipal + groups -> -> ok (default authorization, though not recommended)
- all system-user-principals without principal-based-supported path -> ok (default authorization, though not recommended)
- all system-user-principals mit principal-based-supported path -> ok  (principal-based authorization takes over)
- all system-user-principals but with a mix of pb-supported and not => WARN (default authorization though likely not intended)

> FilterProviderImpl should log a warning if a subject contains 'mixed' service-user-principals
> ---------------------------------------------------------------------------------------------
>
>                 Key: OAK-9852
>                 URL: https://issues.apache.org/jira/browse/OAK-9852
>             Project: Jackrabbit Oak
>          Issue Type: Improvement
>          Components: authorization-principalbased
>            Reporter: Christian Schneider
>            Priority: Critical
>
> For content distribution we use a user mapping with a subservice like:
> {code:java}
> "org.apache.sling.distribution.journal:importer=[sling-distribution-importer,sling-distribution,content-writer-service,repository-reader-service,version-manager-service,group-administration-service,user-administration-service,namespace-mgmt-service]"{code}
> Angela explained to me that if any of the subjects in the list is not principal based then the whole subservice will fall back to default authoristation. This can lead to unexpected access denied issues that are difficult to debug.
> So it would be great if we could add some warn logging that cleary tells us that our subservice is possibly not working as expected.
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)