You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@sling.apache.org by Daniel Klco <dk...@apache.org> on 2021/08/05 18:00:23 UTC
[DISCUSS] Sling RepoInit Webconsole
Hi,
While working on RepoInit scripts, I felt that there was a need for some
means of easily testing RepoInit scripts without having to a) always
execute them b) create an OSGi config and then look at logs.
I've been working on a web console plugin for users to test and validate
their RepoInit scripts on an instance of Sling. It would not be expected to
be installed in production, but something for developers to install in a
local instance.
Before I call for this to be added as a project, do others see the value in
this? Are there any other features others would like to see?
Please review the project in the Sling Whiteboard:
https://github.com/apache/sling-whiteboard/tree/master/org.apache.sling.repoinit.webconsole
Regards,
Dan
Re: [DISCUSS] Sling RepoInit Webconsole
Posted by Eric Norman <en...@apache.org>.
Perhaps your original goal of easily testing RepoInit script could be
accomplished by creating some sort of (parameterized) generic integration
test?
Imagine a test that starts up an instance of sling by using paxexam (or
feature launcher?) with the existing bundle (or a tinybundle created on the
fly) configured to be deployed and then let the test do some assertions to
make sure it worked. The test automation may be more efficient (and
reusable?) than the manual steps you outlined for a webconsole plugin.
Regards,
Eric
On Fri, Aug 6, 2021 at 7:52 AM Bertrand Delacretaz <bd...@apache.org>
wrote:
> Hi Dan,
>
> On Fri, Aug 6, 2021 at 3:55 PM Daniel Klco <dk...@apache.org> wrote:
> > On Fri, Aug 6, 2021 at 8:40 AM Bertrand Delacretaz <
> bdelacretaz@apache.org>
> > wrote:
> > >...I think nowadays we'd rather create command-line
> > > utilities for such things,...
>
> > ...The question I have though is how would I get access to the running
> OSGi
> > context? I've done JCR over RMI, but I'm not seeing a good way to invoke
> > services remotely...
>
> I think you either need a specific servlet on the Sling side, which
> kind of defeats the whole purpose of a command-line tool, or you can
> inject code from the client side given the appropriate permissions.
> Uploading a Sling script comes to mind, but that won't work if the
> target instance uses read-only scripts.
>
> -Bertrand
>
Re: [DISCUSS] Sling RepoInit Webconsole
Posted by Bertrand Delacretaz <bd...@apache.org>.
Hi Dan,
On Fri, Aug 6, 2021 at 3:55 PM Daniel Klco <dk...@apache.org> wrote:
> On Fri, Aug 6, 2021 at 8:40 AM Bertrand Delacretaz <bd...@apache.org>
> wrote:
> >...I think nowadays we'd rather create command-line
> > utilities for such things,...
> ...The question I have though is how would I get access to the running OSGi
> context? I've done JCR over RMI, but I'm not seeing a good way to invoke
> services remotely...
I think you either need a specific servlet on the Sling side, which
kind of defeats the whole purpose of a command-line tool, or you can
inject code from the client side given the appropriate permissions.
Uploading a Sling script comes to mind, but that won't work if the
target instance uses read-only scripts.
-Bertrand
Re: [DISCUSS] Sling RepoInit Webconsole
Posted by Daniel Klco <dk...@apache.org>.
On Fri, Aug 6, 2021 at 8:40 AM Bertrand Delacretaz <bd...@apache.org>
wrote:
> Hi,
>
> On Thu, Aug 5, 2021 at 8:00 PM Daniel Klco <dk...@apache.org> wrote:
> > ...I've been working on a web console plugin for users to test and
> validate
> > their RepoInit scripts on an instance of Sling. It would not be expected
> to
> > be installed in production, but something for developers to install in a
> > local instance....
>
> Any code that gets written is bound to end up in production some day ;-)
>
> More seriously, I think nowadays we'd rather create command-line
> utilities for such things, but I don't think we have a good framework
> for doing that at this point.
>
> Jbang scripts [1] for example might be a nice way to do that if
> someone has good ideas.
>
That makes a lot of sense to me, a CLI tool seems more useful since it
would require less setup than having to install then whitelist a bundle.
The question I have though is how would I get access to the running OSGi
context? I've done JCR over RMI, but I'm not seeing a good way to invoke
services remotely.
>
> This is just a general comment, I'm not opposed to a webconsole plugin
> in this case.
>
> > ...Please review the project in the Sling Whiteboard:
> >
> https://github.com/apache/sling-whiteboard/tree/master/org.apache.sling.repoinit.webconsole
> ...
>
> I was going to say that you should use the incoming request's identity
> instead of calling loginAdministrative [2] but I forgot if that's
> possible in a web console plugin.
> The current code causes a privilege escalation, which might be ok for
> a console plugin but that IMHO we should avoid if possible.
>
Thus the non-production callout :-D
>
> -Bertrand
>
> [1] https://www.jbang.dev/
> [2]
> https://github.com/apache/sling-whiteboard/blob/c369b1bbba2c990cfe05d706efdb1ba5050f5fa6/org.apache.sling.repoinit.webconsole/src/main/java/org/apache/sling/repoinit/webconsole/RepoInitWebConsole.java#L152
>
Re: [DISCUSS] Sling RepoInit Webconsole
Posted by Daniel Klco <da...@gmail.com>.
Thanks Carsten. Made since once I looked into the webconsole security
provider. This also makes the process as simple as "install this bundle".
I'm also going to look into a combination of Eric and Bertrand's concepts
to enable a test of the repoinit scripts. The key here (IMO) is that you
have to be able to configure the version of the parser and repoinit library
as support for various commands varies by version.
Since we're promoting RepoInit as *the* way to set up a Sling repository,
anything we can do from a tooling perspective to make it easier to develop
significantly helps, especially those who are not as familiar with the
RepoInit grammar.
On Sat, Aug 7, 2021 at 4:21 AM Carsten Ziegeler <cz...@apache.org>
wrote:
>
> Am 06.08.2021 um 14:40 schrieb Bertrand Delacretaz:
> > I was going to say that you should use the incoming request's identity
> > instead of calling loginAdministrative [2] but I forgot if that's
> > possible in a web console plugin.
> >
> > The current code causes a privilege escalation, which might be ok for
> > a console plugin but that IMHO we should avoid if possible.
> >
>
> Privilege escalation should really be avoided. Just for the record, a
> webconsole plugin can use the current user / resource resolver - if
> Sling's webconsole security provider is enabled.
>
> Regards
> Carsten
>
> --
> Carsten Ziegeler
> Adobe
> cziegeler@apache.org
>
Re: [DISCUSS] Sling RepoInit Webconsole
Posted by Carsten Ziegeler <cz...@apache.org>.
Am 06.08.2021 um 14:40 schrieb Bertrand Delacretaz:
> I was going to say that you should use the incoming request's identity
> instead of calling loginAdministrative [2] but I forgot if that's
> possible in a web console plugin.
>
> The current code causes a privilege escalation, which might be ok for
> a console plugin but that IMHO we should avoid if possible.
>
Privilege escalation should really be avoided. Just for the record, a
webconsole plugin can use the current user / resource resolver - if
Sling's webconsole security provider is enabled.
Regards
Carsten
--
Carsten Ziegeler
Adobe
cziegeler@apache.org
Re: [DISCUSS] Sling RepoInit Webconsole
Posted by Bertrand Delacretaz <bd...@apache.org>.
On Fri, Aug 6, 2021 at 2:40 PM Bertrand Delacretaz
<bd...@apache.org> wrote:
> ...Jbang scripts [1] for example might be a nice way to do that...
I tried that [1] and that works well, at least if your goal is only to
check the syntax of repoinit scripts.
To run that script, use:
$ jbang trust add https://github.com/apache/sling-whiteboard/
$ cat > /tmp/xx <<EOF
create path /testing
create user leonardo
EOF
$ jbang https://github.com/apache/sling-whiteboard/blob/master/jbang/RepoinitValidator.java
< /tmp/xx
Repoinit parsing successful:
[CreatePath [testing], CreateUser leonardo]
The alias+catalog features of jbang [2] would allow for using a
simpler script name.
To go further and apply the repoinit operations to an actual
repository you'd need to pull in more bundles, I haven't tried if
that's practical or if you'd end up downloading half the Web.
-Bertrand
[1] https://github.com/apache/sling-whiteboard/blob/master/jbang/RepoinitValidator.java
[2] https://www.jbang.dev/documentation/guide/latest/alias_catalogs.html
Re: [DISCUSS] Sling RepoInit Webconsole
Posted by Bertrand Delacretaz <bd...@apache.org>.
Hi,
On Thu, Aug 5, 2021 at 8:00 PM Daniel Klco <dk...@apache.org> wrote:
> ...I've been working on a web console plugin for users to test and validate
> their RepoInit scripts on an instance of Sling. It would not be expected to
> be installed in production, but something for developers to install in a
> local instance....
Any code that gets written is bound to end up in production some day ;-)
More seriously, I think nowadays we'd rather create command-line
utilities for such things, but I don't think we have a good framework
for doing that at this point.
Jbang scripts [1] for example might be a nice way to do that if
someone has good ideas.
This is just a general comment, I'm not opposed to a webconsole plugin
in this case.
> ...Please review the project in the Sling Whiteboard:
> https://github.com/apache/sling-whiteboard/tree/master/org.apache.sling.repoinit.webconsole ...
I was going to say that you should use the incoming request's identity
instead of calling loginAdministrative [2] but I forgot if that's
possible in a web console plugin.
The current code causes a privilege escalation, which might be ok for
a console plugin but that IMHO we should avoid if possible.
-Bertrand
[1] https://www.jbang.dev/
[2] https://github.com/apache/sling-whiteboard/blob/c369b1bbba2c990cfe05d706efdb1ba5050f5fa6/org.apache.sling.repoinit.webconsole/src/main/java/org/apache/sling/repoinit/webconsole/RepoInitWebConsole.java#L152