Posted to users@jackrabbit.apache.org by Jörg Hoh <jh...@googlemail.com.INVALID> on 2020/05/19 15:50:44 UTC

Specify a group as impersonators

Hi,

On a test system (Oak 1.8-based) I have a number of users, which are
supposed to test my application; in order to do so multiple roles
(implemented as a set of JCR groups) are required. I cannot assign them all
these roles at once, because many of them would conflict in terms of
permissions.

Instead of creating a bunch of individual (JCR-) users for each of my
testers, I want to have personalized accounts, which then can impersonate
into a number of prepared JCR-user accounts (role accounts) to execute the
tests.
This makes the user-management much easier, as these testers authenticate
via an IDP, and I cannot/don't want to provide each tester multiple IDP
accounts.

Therefore I would like to configure these role accounts with any member of
the "testers" group being able to impersonate into such a role account.
Based on my experiments this is not possible right now; I can only assign
users as impersonators, but not groups.

Is my observation correct, or did I miss something? I would like to avoid
iterating through all members of the "testers" group and adding them,
because the members of my testers group are likely to change every now and
then, and I would like to avoid updating the impersonators property all
the time.

regards,
Jörg

-- 
http://cqdump.wordpress.com
Twitter: @joerghoh

Re: Specify a group as impersonators

Posted by Angela Schreiber <an...@adobe.com.INVALID>.
Hi Joerg

Yes, your observation is correct. Currently group principals cannot be added as impersonators.
Quite frankly, I don't recall why exactly we didn't allow for this. The evaluation of whether impersonation is granted takes a Subject as parameter, which also may contain group principals. So, expensive group membership resolution wouldn't be needed at this point. Maybe JIRA contains the information I don't recall right now... otherwise feel free to create an improvement request.

Kind regards
Angela
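
Added example, not part of the original thread and not Oak's own code: since only user principals can be granted, one interim approach is a periodic job that mirrors the group's members into the role account's impersonators and revokes stale entries, so that someone removed from the group also loses impersonation. The class name, method name and both IDs are hypothetical, and it assumes the group is the only source of impersonators for that role account.

```java
import java.security.Principal;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.principal.PrincipalIterator;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.Impersonation;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;

/** Hypothetical helper: mirrors a group's user members into a role account's impersonators. */
public final class ImpersonatorSync {

    /** groupId (e.g. "testers") and roleUserId are assumed names chosen by the caller. */
    public static void sync(Session session, String groupId, String roleUserId)
            throws RepositoryException {
        UserManager um = ((JackrabbitSession) session).getUserManager();
        Authorizable group = um.getAuthorizable(groupId);
        Authorizable role = um.getAuthorizable(roleUserId);
        if (group == null || !group.isGroup() || role == null || role.isGroup()) {
            throw new IllegalArgumentException("expected an existing group and an existing user");
        }
        Impersonation imp = ((User) role).getImpersonation();

        // Grant every user that is a declared or inherited member of the group.
        Set<String> wanted = new HashSet<>();
        Iterator<Authorizable> members = ((Group) group).getMembers();
        while (members.hasNext()) {
            Authorizable m = members.next();
            if (!m.isGroup()) {
                wanted.add(m.getPrincipal().getName());
                imp.grantImpersonation(m.getPrincipal()); // false if nothing was newly granted
            }
        }
        // Revoke impersonators that are no longer members (the step that is easy to forget).
        Set<Principal> stale = new HashSet<>();
        PrincipalIterator current = imp.getImpersonators();
        while (current.hasNext()) {
            Principal p = current.nextPrincipal();
            if (!wanted.contains(p.getName())) stale.add(p);
        }
        for (Principal p : stale) imp.revokeImpersonation(p);
        session.save(); // persist grants and revocations together
    }
}
```

Between runs the impersonators list lags behind group membership, so the schedule bounds how long a removed tester can still impersonate the role account.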
