Posted to oak-dev@jackrabbit.apache.org by Angela Schreiber <an...@adobe.com.INVALID> on 2019/06/03 06:24:35 UTC

Re: ldap user permission

hi jorge

that should be easy to do by configuring your system to trigger the 'AccessControlAction' upon user/group creation. this action is part of the default action provider implementation and you can configure the desired privileges granted for users and groups, respectively.

in the OSGi console the provider is labeled "Apache Jackrabbit Oak AuthorizableActionProvider" and the corresponding configuration option "Configure AccessControlAction: User Privileges".

the documentation for the actions is located at 
http://jackrabbit.apache.org/oak/docs/security/user/authorizableaction.html

there should be tests available in oak-core that illustrate the behavior if you wanted to see it in action.

hope that helps
angela

________________________________________
From: jorgeeflorez . <jo...@gmail.com>
Sent: Friday, May 31, 2019 2:34 PM
To: oak-dev@jackrabbit.apache.org
Subject: ldap user permission

Hello,

I am currently implementing user login using an LDAP server. So far so good.
I am able to enter the repositories and when the user that is logging in
doesn't exist in the repository, it is automatically created.

I am seeing that the created users have no privileges (which makes sense).
Unfortunately, I am using a property from the authorizable to get the
modules the user can see in the application. And when a new user logs in,
he is not able to get his own authorizable and I cannot read the property.
Is there an "easy" way to assign, to the user that is created
automatically, jcr:read to its own authorizable's path?

If there is not I think I will go with the alternative. Just check if he
has the permission, if not, grant it before getting his own authorizable...

Thanks.

Jorge Eduardo Flórez

Re: ldap user permission

Posted by Angela Schreiber <an...@adobe.com.INVALID>.
Hi Jorge

If you are not using OSGi, you have to make sure you set up the Oak repository with a SecurityProvider that is configured such that the 'DefaultAuthorizableActionProvider' comes with the corresponding actions set up the way you need it.

That should be doable... at least it works for our tests, which mostly use a non-OSGi-based setup.
org.apache.jackrabbit.oak.security.internal.SecurityProviderBuilder might turn out to be useful.

Hope that helps
Angela
________________________________________
From: jorgeeflorez . <jo...@gmail.com>
Sent: Wednesday, June 5, 2019 2:19 PM
To: oak-dev@jackrabbit.apache.org
Subject: Re: ldap user permission

Hi Angela,
thank you for your reply.
I think it is awesome all the things you guys made with Oak.

Unfortunately we are not using OSGi. Anyway, I will make it work as you say
and see what happens.

Thanks again.

Jorge


Re: ldap user permission

Posted by "jorgeeflorez ." <jo...@gmail.com>.
Hi Angela,
thank you for your reply.
I think it is awesome all the things you guys made with Oak.

Unfortunately we are not using OSGi. Anyway, I will make it work as you say
and see what happens.

Thanks again.

Jorge
