You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@jackrabbit.apache.org by th...@apache.org on 2018/11/09 09:46:57 UTC
svn commit: r1846224 [1/8] - in /jackrabbit/site/live/oak/docs: ./ features/
query/ security/ security/accesscontrol/ security/authentication/
security/authentication/external/ security/authentication/token/
security/authorization/ security/permission/...
Author: thomasm
Date: Fri Nov 9 09:46:57 2018
New Revision: 1846224
URL: http://svn.apache.org/viewvc?rev=1846224&view=rev
Log:
OAK-936: Site checkin for project Oak Documentation-1.10-SNAPSHOT
Modified:
jackrabbit/site/live/oak/docs/clustering.html
jackrabbit/site/live/oak/docs/features/oak-run-nodestore-connection-options.html
jackrabbit/site/live/oak/docs/query/lucene.html
jackrabbit/site/live/oak/docs/security/accesscontrol.html
jackrabbit/site/live/oak/docs/security/accesscontrol/default.html
jackrabbit/site/live/oak/docs/security/accesscontrol/editing.html
jackrabbit/site/live/oak/docs/security/authentication.html
jackrabbit/site/live/oak/docs/security/authentication/default.html
jackrabbit/site/live/oak/docs/security/authentication/external/defaultusersync.html
jackrabbit/site/live/oak/docs/security/authentication/external/externallogin_examples.html
jackrabbit/site/live/oak/docs/security/authentication/externalloginmodule.html
jackrabbit/site/live/oak/docs/security/authentication/preauthentication.html
jackrabbit/site/live/oak/docs/security/authentication/token/default.html
jackrabbit/site/live/oak/docs/security/authentication/tokenmanagement.html
jackrabbit/site/live/oak/docs/security/authorization.html
jackrabbit/site/live/oak/docs/security/authorization/composite.html
jackrabbit/site/live/oak/docs/security/authorization/cug.html
jackrabbit/site/live/oak/docs/security/authorization/restriction.html
jackrabbit/site/live/oak/docs/security/introduction.html
jackrabbit/site/live/oak/docs/security/permission.html
jackrabbit/site/live/oak/docs/security/permission/default.html
jackrabbit/site/live/oak/docs/security/permission/evaluation.html
jackrabbit/site/live/oak/docs/security/permission/permissionsandprivileges.html
jackrabbit/site/live/oak/docs/security/principal.html
jackrabbit/site/live/oak/docs/security/principal/cache.html
jackrabbit/site/live/oak/docs/security/privilege.html
jackrabbit/site/live/oak/docs/security/privilege/default.html
jackrabbit/site/live/oak/docs/security/user.html
jackrabbit/site/live/oak/docs/security/user/default.html
jackrabbit/site/live/oak/docs/security/user/differences.html
jackrabbit/site/live/oak/docs/security/user/expiry.html
jackrabbit/site/live/oak/docs/security/user/groupaction.html
jackrabbit/site/live/oak/docs/security/user/history.html
jackrabbit/site/live/oak/docs/security/user/membership.html
Modified: jackrabbit/site/live/oak/docs/clustering.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/clustering.html?rev=1846224&r1=1846223&r2=1846224&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/clustering.html (original)
+++ jackrabbit/site/live/oak/docs/clustering.html Fri Nov 9 09:46:57 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-11-09
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180221" />
+ <meta name="Date-Revision-yyyymmdd" content="20181109" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – Clustering</title>
<link rel="stylesheet" href="./css/apache-maven-fluido-1.6.min.css" />
@@ -52,6 +52,7 @@
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
+ <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
<li><a href="oak_api/overview.html" title="Oak API">Oak API</a></li>
</ul>
</li>
@@ -66,7 +67,12 @@
<li><a href="nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
</ul>
</li>
- <li><a href="plugins/blobstore.html" title="Blob Storage">Blob Storage</a></li>
+ <li class="dropdown-submenu">
+<a href="plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
+ <ul class="dropdown-menu">
+ <li><a href="features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
+ </ul>
+ </li>
<li class="dropdown-submenu">
<a href="query/query.html" title="Query">Query</a>
<ul class="dropdown-menu">
@@ -136,7 +142,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-11-09<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -155,12 +161,14 @@
<li><a href="architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a> </li>
<li class="nav-header">Main APIs</li>
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a> </li>
+ <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a> </li>
<li><a href="oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a> </li>
<li class="nav-header">Features and Plugins</li>
<li><a href="nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
<ul class="nav nav-list">
<li><a href="nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
<ul class="nav nav-list">
+ <li><a href="nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a> </li>
<li><a href="nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a> </li>
<li><a href="nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a> </li>
<li><a href="nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a> </li>
@@ -172,7 +180,11 @@
<li><a href="nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a> </li>
</ul>
</li>
- <li><a href="plugins/blobstore.html" title="Blob Storage"><span class="none"></span>Blob Storage</a> </li>
+ <li><a href="plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
+ <ul class="nav nav-list">
+ <li><a href="features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a> </li>
+ </ul>
+ </li>
<li><a href="query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
<ul class="nav nav-list">
<li><a href="query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a> </li>
@@ -240,12 +252,13 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
- --><div class="section">
+ -->
+<div class="section">
<div class="section">
<h3><a name="Clustering"></a>Clustering</h3>
<p>Clustering is currently supported for the MongoDB and RDBMs storage subsystems.</p>
<p>To use clustering, simply connect multiple Oak instances with the same backend storage.</p>
-<p>Please note the RDBMS storage is work in progress, and will soon be fully tested and supported as well. Both the MongoDB and the RDBMs storage subsystems internally use the same cluster mechanism.</p></div></div>
+<p>Both the MongoDB and the RDBMs storage subsystems internally use the same cluster mechanism.</p></div></div>
</div>
</div>
</div>
Modified: jackrabbit/site/live/oak/docs/features/oak-run-nodestore-connection-options.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/features/oak-run-nodestore-connection-options.html?rev=1846224&r1=1846223&r2=1846224&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/features/oak-run-nodestore-connection-options.html (original)
+++ jackrabbit/site/live/oak/docs/features/oak-run-nodestore-connection-options.html Fri Nov 9 09:46:57 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-11-09
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180221" />
+ <meta name="Date-Revision-yyyymmdd" content="20181109" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – Oak Run NodeStore Connection</title>
<link rel="stylesheet" href="../css/apache-maven-fluido-1.6.min.css" />
@@ -52,6 +52,7 @@
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
+ <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
<li><a href="../oak_api/overview.html" title="Oak API">Oak API</a></li>
</ul>
</li>
@@ -66,7 +67,12 @@
<li><a href="../nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
</ul>
</li>
- <li><a href="../plugins/blobstore.html" title="Blob Storage">Blob Storage</a></li>
+ <li class="dropdown-submenu">
+<a href="../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
+ <ul class="dropdown-menu">
+ <li><a href="../features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
+ </ul>
+ </li>
<li class="dropdown-submenu">
<a href="../query/query.html" title="Query">Query</a>
<ul class="dropdown-menu">
@@ -136,7 +142,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-11-09<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -155,12 +161,14 @@
<li><a href="../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a> </li>
<li class="nav-header">Main APIs</li>
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a> </li>
+ <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a> </li>
<li><a href="../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a> </li>
<li class="nav-header">Features and Plugins</li>
<li><a href="../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
<ul class="nav nav-list">
<li><a href="../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
<ul class="nav nav-list">
+ <li><a href="../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a> </li>
<li><a href="../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a> </li>
<li><a href="../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a> </li>
<li><a href="../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a> </li>
@@ -171,7 +179,11 @@
<li><a href="../nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a> </li>
</ul>
</li>
- <li><a href="../plugins/blobstore.html" title="Blob Storage"><span class="none"></span>Blob Storage</a> </li>
+ <li><a href="../plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
+ <ul class="nav nav-list">
+ <li><a href="../features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a> </li>
+ </ul>
+ </li>
<li><a href="../query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
<ul class="nav nav-list">
<li><a href="../query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a> </li>
@@ -239,24 +251,22 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
- --><h1>Oak Run NodeStore Connection</h1>
+ -->
+<h1>Oak Run NodeStore Connection</h1>
<p><tt>@since Oak 1.7.6</tt></p>
<p>This page provide details around various options supported by some of the oak-run commands to connect to NodeStore repository. By default most of these commands (unless documented) would connect in read only mode.</p>
<p>These options are supported by following command (See <a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-6210">OAK-6210</a>)</p>
-
<ul>
-
+
<li>console</li>
-
<li>index</li>
-
<li>tika</li>
</ul>
-<p>Depending on your setup you would need to configure the NodeStore and BlobStore in use for commands to work. Some commands may not require the BlobStore details. Check the specific oak-run command help to see if access to BlobStore is required or not. </p>
+<p>Depending on your setup you would need to configure the NodeStore and BlobStore in use for commands to work. Some commands may not require the BlobStore details. Check the specific oak-run command help to see if access to BlobStore is required or not.</p>
<div class="section">
<h2><a name="Read_Write_Mode"></a>Read Write Mode</h2>
<p>By default most commands would connect to NodeStore in read only mode. This ensure that oak-run commands can be safely used with productions setup and does not cause any side effect.</p>
-<p>For some operations read-write access would be required. This can be done by passing <tt>--read-write</tt> option. In read-write mode it should be ensured that Oak version from oak-run is matching with Oak version used by application to create the repository. </p>
+<p>For some operations read-write access would be required. This can be done by passing <tt>--read-write</tt> option. In read-write mode it should be ensured that Oak version from oak-run is matching with Oak version used by application to create the repository.</p>
<p>A newer version of oak-run can read repository created by older version of Oak (as Oak is backward compatible) However if writes are done by newer version of oak-run (which is more recent than Oak version used by repository application) then it may cause issues due to change in storage format.</p></div>
<div class="section">
<h2><a name="NodeStore"></a>NodeStore</h2>
@@ -264,38 +274,59 @@
<h3><a name="SegmentNodeStore"></a>SegmentNodeStore</h3>
<p>To connect to SegmentNodeStore just specify the path to folder used by SegmentNodeStore for storing the repository content</p>
-<div class="source">
-<div class="source"><pre class="prettyprint">java -jar oak-run <command> /path/to/segmentstore
+<div>
+<div>
+<pre class="source">java -jar oak-run <command> /path/to/segmentstore
</pre></div></div>
+
<p>If <tt>--read-write</tt> option is enabled then it must be ensured that target repository is not in use. Otherwise oak-run would not be able access the NodeStore.</p></div>
<div class="section">
<h3><a name="DocumentNodeStore_-_Mongo"></a>DocumentNodeStore - Mongo</h3>
<p>To connect to Mongo specify the MongoURI</p>
-<div class="source">
-<div class="source"><pre class="prettyprint">java -jar oak-run <command> mongodb://server:port
+<div>
+<div>
+<pre class="source">java -jar oak-run <command> mongodb://server:port
</pre></div></div>
+
<p>It support some other options like cache size, cache distribution etc. Refer to help output via <tt>-h</tt> to see supported options</p></div>
<div class="section">
<h3><a name="DocumentNodeStore_-_RDB"></a>DocumentNodeStore - RDB</h3>
-<p>«TBD»</p></div></div>
+<p>To connect to a relational database specify the JDBC URL and add database user and password as optional arguments:</p>
+
+<div>
+<div>
+<pre class="source">java -cp ... org.apache.jackrabbit.oak.run.Main <command> jdbc:... --rdbjdbcuser user --rdbjdbcpasswd password
+</pre></div></div>
+
+<p>Note that the oak-run JAR file lacks several RDB specific JAR files that need to be added to the classpath:</p>
+<ol style="list-style-type: decimal">
+
+<li>tomcat-jdbc-8.5.*.jar (Apache Tomcat JDBC connection pool)</li>
+<li>juli-6.0.*.jar (Apache Tomcat Logger)</li>
+<li>Whatever JDBC driver is needed to connect to the database</li>
+</ol></div></div>
<div class="section">
<h2><a name="BlobStore"></a>BlobStore</h2>
<div class="section">
<h3><a name="FileDataStore"></a>FileDataStore</h3>
<p>Specify the path to directory used by <tt>FileDataStore</tt> via <tt>--fds-path</tt> option</p>
-<div class="source">
-<div class="source"><pre class="prettyprint">java -jar oak-run <command> /path/to/segmentstore --fds-path=/path/to/fds
-</pre></div></div></div>
+<div>
+<div>
+<pre class="source">java -jar oak-run <command> /path/to/segmentstore --fds-path=/path/to/fds
+</pre></div></div>
+</div>
<div class="section">
<h3><a name="S3DataStore"></a>S3DataStore</h3>
<p>Specify the path to config file which contains connection details related to S3 bucket to be used via <tt>-s3ds</tt> option</p>
-<div class="source">
-<div class="source"><pre class="prettyprint">java -jar oak-run <command> /path/to/segmentstore --s3ds=/path/to/S3DataStore.config
+<div>
+<div>
+<pre class="source">java -jar oak-run <command> /path/to/segmentstore --s3ds=/path/to/S3DataStore.config
</pre></div></div>
-<p>The file should be a valid config file as configured S3DataStore in OSGi setup for pid <tt>org.apache.jackrabbit.oak.plugins.blob.datastore.S3DataStore.config</tt>. </p>
+
+<p>The file should be a valid config file as configured S3DataStore in OSGi setup for pid <tt>org.apache.jackrabbit.oak.plugins.blob.datastore.S3DataStore.config</tt>.</p>
<p>Do change the <tt>path</tt> property to location based on system from where command is being used. If you are running the command on the setup where the Oak application is running then ensure that <tt>path</tt> is set to a different location.</p></div></div>
</div>
</div>
Modified: jackrabbit/site/live/oak/docs/query/lucene.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/query/lucene.html?rev=1846224&r1=1846223&r2=1846224&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/query/lucene.html (original)
+++ jackrabbit/site/live/oak/docs/query/lucene.html Fri Nov 9 09:46:57 2018
@@ -1404,7 +1404,7 @@ Copied 8.5 MB in 218.7 ms
+ nt:base
+ properties
- jcr:primaryType = "nt:unstructured"
- + jcr:title
+ + tags
- facets = true
- propertyIndex = true
</pre></div></div>
@@ -1426,7 +1426,7 @@ Copied 8.5 MB in 218.7 ms
+ nt:base
+ properties
- jcr:primaryType = "nt:unstructured"
- + jcr:title
+ + tags
- facets = true
- propertyIndex = true
</pre></div></div>
Modified: jackrabbit/site/live/oak/docs/security/accesscontrol.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/accesscontrol.html?rev=1846224&r1=1846223&r2=1846224&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/accesscontrol.html (original)
+++ jackrabbit/site/live/oak/docs/security/accesscontrol.html Fri Nov 9 09:46:57 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-11-09
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180221" />
+ <meta name="Date-Revision-yyyymmdd" content="20181109" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – Access Control Management</title>
<link rel="stylesheet" href="../css/apache-maven-fluido-1.6.min.css" />
@@ -52,6 +52,7 @@
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
+ <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
<li><a href="../oak_api/overview.html" title="Oak API">Oak API</a></li>
</ul>
</li>
@@ -66,7 +67,12 @@
<li><a href="../nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
</ul>
</li>
- <li><a href="../plugins/blobstore.html" title="Blob Storage">Blob Storage</a></li>
+ <li class="dropdown-submenu">
+<a href="../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
+ <ul class="dropdown-menu">
+ <li><a href="../features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
+ </ul>
+ </li>
<li class="dropdown-submenu">
<a href="../query/query.html" title="Query">Query</a>
<ul class="dropdown-menu">
@@ -136,7 +142,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-11-09<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -155,12 +161,14 @@
<li><a href="../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a> </li>
<li class="nav-header">Main APIs</li>
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a> </li>
+ <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a> </li>
<li><a href="../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a> </li>
<li class="nav-header">Features and Plugins</li>
<li><a href="../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
<ul class="nav nav-list">
<li><a href="../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
<ul class="nav nav-list">
+ <li><a href="../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a> </li>
<li><a href="../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a> </li>
<li><a href="../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a> </li>
<li><a href="../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a> </li>
@@ -171,7 +179,11 @@
<li><a href="../nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a> </li>
</ul>
</li>
- <li><a href="../plugins/blobstore.html" title="Blob Storage"><span class="none"></span>Blob Storage</a> </li>
+ <li><a href="../plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
+ <ul class="nav nav-list">
+ <li><a href="../features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a> </li>
+ </ul>
+ </li>
<li><a href="../query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
<ul class="nav nav-list">
<li><a href="../query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a> </li>
@@ -239,117 +251,95 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
---><div class="section">
+-->
+<div class="section">
<h2><a name="Access_Control_Management"></a>Access Control Management</h2>
<div class="section">
<h3><a name="General"></a>General</h3>
-<p>This section covers fundamental concepts of the access control related APIs provided by JCR and Jackrabbit as well as the extensions points defined by Oak. </p>
+<p>This section covers fundamental concepts of the access control related APIs provided by JCR and Jackrabbit as well as the extensions points defined by Oak.</p>
<p>If you are already familiar with the API and looking for examples you may directly read <a href="accesscontrol/editing.html">Using the Access Control Management API</a> for a comprehensive list of method calls as well as examples that may be used to edit the access control content of the repository.</p>
<p><a name="jcr_api"></a></p></div>
<div class="section">
<h3><a name="JCR_API"></a>JCR API</h3>
<p>Access Control Management is an optional feature defined by <a class="externalLink" href="http://www.day.com/specs/jcr/2.0/16_Access_Control_Management.html">JSR 283</a> consisting of</p>
-
<blockquote>
+
<p>• Privilege discovery: Determining the privileges that a user has in relation to a node.</p>
<p>• Assigning access control policies: Setting the privileges that a user has in relation to a node using access control policies specific to the implementation.</p>
</blockquote>
<p>Whether or not a given implementation supports access control management is defined by the <tt>Repository.OPTION_ACCESS_CONTROL_SUPPORTED</tt> descriptor.</p>
<p>Since Oak comes with a dedicated <a href="privilege.html">privilege management</a> this section focuses on reading and editing access control information. The main interfaces defined by JSR 283 are:</p>
-
<ul>
-
+
<li><tt>AccessControlManager</tt>: Main entry point for access control related operations</li>
-
<li><tt>AccessControlPolicy</tt>: Marker interface for any kind of policies defined by the implementation.
-
<ul>
-
+
<li><tt>AccessControlList</tt>: mutable policy that may have a list of entries.</li>
-
<li><tt>NamedAccessControlPolicy</tt>: opaque immutable policy with a JCR name.</li>
- </ul></li>
-
+</ul>
+</li>
<li><tt>AccessControlEntry</tt>: association of privilege(s) with a given principal bound to a given node by the <tt>AccessControlList</tt>.</li>
</ul>
<p>The JCR access control management has the following characteristics:</p>
-
<ul>
-
+
<li><i>path-based</i>: policies are bound to nodes; a given node may have multiple policies; the <tt>null</tt> path identifies repository level policies.</li>
-
<li><i>transient</i>: access control related modifications are always transient</li>
-
<li><i>binding</i>: policies are decoupled from the repository; in order to bind a policy to a node or apply modifications made to an existing policy <tt>AccessControlManager.setPolicy</tt> must be called.</li>
-
<li><i>effect</i>: policies bound to a given node only take effect upon <tt>Session.save()</tt>. Access to properties is defined by the their parent node.</li>
-
<li><i>scope</i>: a given policy may not only affect the node it is bound to but may have an effect on accessibility of items elsewhere in the workspace.</li>
</ul>
<p><a name="jackrabbit_api"></a></p></div>
<div class="section">
<h3><a name="Jackrabbit_API"></a>Jackrabbit API</h3>
<p>The Jackrabbit API defines various access control related extensions to the JCR API in order to cover common needs such as for example:</p>
-
<ul>
-
+
<li><i>deny access</i>: access control entries can be defined to deny privileges at a given path (JCR only defines allowing access control entries)</li>
-
<li><i>restrictions</i>: limit the effect of a given access control entry by the mean of restrictions</li>
-
<li><i>convenience</i>:
-
<ul>
-
+
<li>reordering of access control entries in a access control list</li>
-
<li>retrieve the path of the node a given policy is (or can be) bound to</li>
- </ul></li>
-
+</ul>
+</li>
<li><i>principal-based</i>:
-
<ul>
-
+
<li>principal-based access control management API (in contrast to the path-based default specified by JSR 283)</li>
-
<li>privilege discovery for a set of principals</li>
- </ul></li>
+</ul>
+</li>
</ul>
<p>The following interfaces and extensions are defined:</p>
-
<ul>
-
+
<li><tt>JackrabbitAccessControlManager</tt></li>
-
<li><tt>JackrabbitAccessControlPolicy</tt></li>
-
<li><tt>JackrabbitAccessControlList</tt></li>
-
<li><tt>JackrabbitAccessControlEntry</tt></li>
</ul>
<p><a name="api_extensions"></a></p></div>
<div class="section">
<h3><a name="API_Extensions"></a>API Extensions</h3>
<p>Oak defines the following interfaces extending the access control management API:</p>
-
<ul>
-
-<li><tt>PolicyOwner</tt>: Interface to improve pluggability of the access control management and allows to termine if a giving manager handles a given policy.</li>
-
+
+<li><tt>PolicyOwner</tt>: Interface to improve pluggability of the access control management and allows to termine if a giving manager handles a given policy.</li>
<li><tt>AccessControlConstants</tt>: Constants related to access control management.</li>
</ul>
<p>In addition it provides some access control related base classes in <tt>org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol</tt> that may be used for a custom implementation:</p>
-
<ul>
-
+
<li><tt>AbstractAccessControlList</tt>: abstract base implementation of the <tt>JackrabbitAccessControlList</tt> interface
-
<ul>
-
+
<li><tt>ImmutableACL</tt>: immutable subclass of <tt>AbstractAccessControlList</tt></li>
-
<li><tt>ACE</tt>: abstract subclass that implements common methods of a mutable access control list.</li>
- </ul></li>
+</ul>
+</li>
</ul>
<div class="section">
<h4><a name="Restriction_Management"></a>Restriction Management</h4>
@@ -358,13 +348,10 @@
<div class="section">
<h3><a name="Utilities"></a>Utilities</h3>
<p>The jcr-commons module present with Jackrabbit provide some access control related utilities that simplify the creation of new policies and entries such as for example:</p>
-
<ul>
-
+
<li><tt>AccessControlUtils.getAccessControlList(Session, String)</tt></li>
-
<li><tt>AccessControlUtils.getAccessControlList(AccessControlManager, String)</tt></li>
-
<li><tt>AccessControlUtils.addAccessControlEntry(Session, String, Principal, String[], boolean)</tt></li>
</ul>
<p>See <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/trunk/jackrabbit-jcr-commons/src/main/java/org/apache/jackrabbit/commons/jackrabbit/authorization/AccessControlUtils.java">org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils</a> for the complete list of methods.</p>
@@ -372,26 +359,27 @@
<div class="section">
<h5><a name="Examples"></a>Examples</h5>
-<div class="source">
-<div class="source"><pre class="prettyprint">String path = node.getPath();
+<div>
+<div>
+<pre class="source">String path = node.getPath();
JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(session, path);
acl.addEntry(principal, privileges, true);
acMgr.setPolicy(path, acl);
session.save();
</pre></div></div>
+
<p><a name="default_implementation"></a></p></div></div></div>
<div class="section">
<h3><a name="Characteristics_of_the_Default_Implementation"></a>Characteristics of the Default Implementation</h3>
-<p>The behavior of the default access control implementation is described in sections <a href="accesscontrol/default.html">Access Control Management: The Default Implementation</a><br />and <a href="authorization/restriction.html">Restriction Management</a>.</p>
+<p>The behavior of the default access control implementation is described in sections <a href="accesscontrol/default.html">Access Control Management: The Default Implementation</a><br />
+and <a href="authorization/restriction.html">Restriction Management</a>.</p>
<p><a name="configuration"></a></p></div>
<div class="section">
<h3><a name="Configuration"></a>Configuration</h3>
<p>The configuration of the access control management implementation is handled within the <a href="/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authorization/AuthorizationConfiguration.html">AuthorizationConfiguration</a>, which is used for all authorization related matters. This class provides the following two access control related methods:</p>
-
<ul>
-
+
<li><tt>getAccessControlManager</tt>: get a new ac manager instance.</li>
-
<li><tt>getRestrictionProvider</tt>: get a new instance of the restriction provider.</li>
</ul>
<div class="section">
@@ -400,18 +388,13 @@ session.save();
<p><a name="further_reading"></a></p></div></div>
<div class="section">
<h3><a name="Further_Reading"></a>Further Reading</h3>
-
<ul>
-
+
<li><a href="accesscontrol/differences.html">Differences wrt Jackrabbit 2.x</a></li>
-
<li><a href="accesscontrol/default.html">Access Control Management: The Default Implementation</a></li>
-
<li><a href="accesscontrol/editing.html">Using the Access Control Management API</a></li>
-
<li><a href="authorization/restriction.html">Restriction Management</a></li>
-</ul>
-<!-- hidden references --></div></div>
+</ul><!-- hidden references --></div></div>
</div>
</div>
</div>
Modified: jackrabbit/site/live/oak/docs/security/accesscontrol/default.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/accesscontrol/default.html?rev=1846224&r1=1846223&r2=1846224&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/accesscontrol/default.html (original)
+++ jackrabbit/site/live/oak/docs/security/accesscontrol/default.html Fri Nov 9 09:46:57 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-11-09
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180221" />
+ <meta name="Date-Revision-yyyymmdd" content="20181109" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – Access Control Management : The Default Implementation</title>
<link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -52,6 +52,7 @@
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
+ <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
<li><a href="../../oak_api/overview.html" title="Oak API">Oak API</a></li>
</ul>
</li>
@@ -66,7 +67,12 @@
<li><a href="../../nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
</ul>
</li>
- <li><a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a></li>
+ <li class="dropdown-submenu">
+<a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
+ <ul class="dropdown-menu">
+ <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
+ </ul>
+ </li>
<li class="dropdown-submenu">
<a href="../../query/query.html" title="Query">Query</a>
<ul class="dropdown-menu">
@@ -136,7 +142,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-11-09<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -155,12 +161,14 @@
<li><a href="../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a> </li>
<li class="nav-header">Main APIs</li>
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a> </li>
+ <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a> </li>
<li><a href="../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a> </li>
<li class="nav-header">Features and Plugins</li>
<li><a href="../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
<ul class="nav nav-list">
<li><a href="../../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
<ul class="nav nav-list">
+ <li><a href="../../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a> </li>
<li><a href="../../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a> </li>
<li><a href="../../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a> </li>
<li><a href="../../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a> </li>
@@ -171,7 +179,11 @@
<li><a href="../../nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a> </li>
</ul>
</li>
- <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="none"></span>Blob Storage</a> </li>
+ <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
+ <ul class="nav nav-list">
+ <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a> </li>
+ </ul>
+ </li>
<li><a href="../../query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
<ul class="nav nav-list">
<li><a href="../../query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a> </li>
@@ -239,7 +251,8 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
---><div class="section">
+-->
+<div class="section">
<h2><a name="Access_Control_Management_:_The_Default_Implementation"></a>Access Control Management : The Default Implementation</h2>
<div class="section">
<h3><a name="General"></a>General</h3>
@@ -256,57 +269,32 @@
<div class="section">
<h4><a name="Access_Control_Policies"></a>Access Control Policies</h4>
<p>The Oak access control management exposes two types of policies that cover all use case defined by the specification and required by the default setup:</p>
-
<table border="0" class="table table-striped">
- <thead>
-
+<thead>
+
+<tr class="a">
+<th> Name </th>
+<th> Policy </th>
+<th> Description </th></tr>
+</thead><tbody>
+
+<tr class="b">
+<td> Default ACL </td>
+<td> <tt>JackrabbitAccessControlList</tt> </td>
+<td> access control on individual nodes </td></tr>
<tr class="a">
-
-<th>Name </th>
-
-<th>Policy </th>
-
-<th>Description </th>
- </tr>
- </thead>
- <tbody>
-
-<tr class="b">
-
-<td>Default ACL </td>
-
-<td><tt>JackrabbitAccessControlList</tt> </td>
-
-<td>access control on individual nodes </td>
- </tr>
-
-<tr class="a">
-
-<td>Repo-Level ACL </td>
-
-<td><tt>JackrabbitAccessControlList</tt> </td>
-
-<td>repo-level access control for the <tt>null</tt> path </td>
- </tr>
-
-<tr class="b">
-
-<td>Read Policy </td>
-
-<td><tt>NamedAccessControlPolicy</tt> </td>
-
-<td>trees that are configured to be readable to everyone </td>
- </tr>
-
+<td> Repo-Level ACL </td>
+<td> <tt>JackrabbitAccessControlList</tt> </td>
+<td> repo-level access control for the <tt>null</tt> path </td></tr>
+<tr class="b">
+<td> Read Policy </td>
+<td> <tt>NamedAccessControlPolicy</tt> </td>
+<td> trees that are configured to be readable to everyone </td></tr>
<tr class="a">
-
<td> </td>
-
<td> </td>
-
-<td> </td>
- </tr>
- </tbody>
+<td> </td></tr>
+</tbody>
</table>
<div class="section">
<h5><a name="Default_ACL"></a>Default ACL</h5>
@@ -321,26 +309,20 @@
<h5><a name="Read_Policy"></a>Read Policy</h5>
<p>These immutable policy has been introduced in Oak 1.0 in order to allow for opening up trees that need to be readable to all sessions irrespective of other effective policies.</p>
<p>By default these policies are bound to the following trees:</p>
-
<ul>
-
+
<li><tt>/jcr:system/rep:namespaces</tt>: stores all registered namespaces</li>
-
<li><tt>/jcr:system/jcr:nodeTypes</tt>: stores all registered node types</li>
-
<li><tt>/jcr:system/rep:privileges</tt>: stores all registered privileges</li>
</ul>
<p>The default set can be changed or extended by setting the corresponding configuration option. However, it is important to note that many JCR API calls rely on the accessibility of the namespace, nodetype and privilege information. Removing the corresponding paths from the configuration will most probably have undesired effects.</p></div></div>
<div class="section">
<h4><a name="Access_Control_Entries"></a>Access Control Entries</h4>
<p>The access control entries present in a given list are subject to the following rules applied upon editing but not enforced by <tt>CommitHook</tt>s:</p>
-
<ul>
-
+
<li><i>uniqueness</i>: a given entry may only appear onces in a list</li>
-
<li><i>merging</i>: if an entry exists for a given principal with the same allow-status and restrictions, the existing entry will be updated without being moved in the list.</li>
-
<li><i>redundancy</i>: if an new entry makes an existing entry (partially) redundant the existing entry will be updated or removed altogether.</li>
</ul></div>
<div class="section">
@@ -351,8 +333,9 @@
<h3><a name="Representation_in_the_Repository"></a>Representation in the Repository</h3>
<p>All access control policies defined with an Oak repository are stores child of the node they are bound to. The node type definition used to represent access control content:</p>
-<div class="source">
-<div class="source"><pre class="prettyprint">[rep:AccessControllable]
+<div>
+<div>
+<pre class="source">[rep:AccessControllable]
mixin
+ rep:policy (rep:Policy) protected IGNORE
@@ -386,14 +369,16 @@
- * (UNDEFINED) protected
- * (UNDEFINED) protected multiple
</pre></div></div>
+
<div class="section">
<div class="section">
<h5><a name="Examples"></a>Examples</h5>
<div class="section">
<h6><a name="Regular_ACL_at_content"></a>Regular ACL at /content</h6>
-<div class="source">
-<div class="source"><pre class="prettyprint">"": {
+<div>
+<div>
+<pre class="source">"": {
"jcr:primaryType": "rep:root",
"content": {
"jcr:primaryType": "oak:Unstructured",
@@ -417,12 +402,14 @@
}
}
}
-</pre></div></div></div>
+</pre></div></div>
+</div>
<div class="section">
<h6><a name="Repo-Level_Policy"></a>Repo-Level Policy</h6>
-<div class="source">
-<div class="source"><pre class="prettyprint">"": {
+<div>
+<div>
+<pre class="source">"": {
"jcr:primaryType": "rep:root",
"jcr:mixinTypes": "rep:RepoAccessControllable",
"rep:repoPolicy": {
@@ -434,7 +421,9 @@
}
}
}
-</pre></div></div></div></div></div></div>
+</pre></div></div>
+
+<p><a name="xml_import"></a></p></div></div></div></div>
<div class="section">
<h3><a name="XML_Import"></a>XML Import</h3>
<p>As of OAK 1.0 access control content can be imported both with Session and Workspace import.</p>
@@ -443,118 +432,64 @@
<p>The different <tt>ImportBehavior</tt> flags are implemented as follows: - <tt>ABORT</tt>: throws an <tt>AccessControlException</tt> if the principal is unknown - <tt>IGNORE</tt>: ignore the entry defining the unknown principal - <tt>BESTEFFORT</tt>: import the access control entry with an unknown principal.</p>
<p>In order to get the same best effort behavior as present with Jackrabbit 2.x the configuration parameters of the <tt>AuthorizationConfiguration</tt> must contain the following entry:</p>
-<div class="source">
-<div class="source"><pre class="prettyprint">importBehavior = "besteffort"
+<div>
+<div>
+<pre class="source">importBehavior = "besteffort"
</pre></div></div>
+
<p>See also (<a class="externalLink" href="https://issues.apache.org/jira/browse/OAK-1350">OAK-1350</a>))</p>
<p><a name="validation"></a></p></div>
<div class="section">
<h3><a name="Validation"></a>Validation</h3>
<p>The consistency of this content structure is asserted by a dedicated <tt>AccessControlValidator</tt>. The corresponding errors are all of type <tt>AccessControl</tt> with the following codes:</p>
-
<table border="0" class="table table-striped">
- <thead>
-
+<thead>
+
+<tr class="a">
+<th> Code </th>
+<th> Message </th></tr>
+</thead><tbody>
+
+<tr class="b">
+<td> 0001 </td>
+<td> Generic access control violation </td></tr>
+<tr class="a">
+<td> 0002 </td>
+<td> Access control entry node expected </td></tr>
+<tr class="b">
+<td> 0003 </td>
+<td> Invalid policy name </td></tr>
+<tr class="a">
+<td> 0004 </td>
+<td> Invalid policy node: Order of children is not stable </td></tr>
+<tr class="b">
+<td> 0005 </td>
+<td> Access control policy within access control content </td></tr>
+<tr class="a">
+<td> 0006 </td>
+<td> Isolated policy node </td></tr>
+<tr class="b">
+<td> 0007 </td>
+<td> Isolated access control entry </td></tr>
+<tr class="a">
+<td> 0008 </td>
+<td> ACE without principal name </td></tr>
+<tr class="b">
+<td> 0009 </td>
+<td> ACE without privileges </td></tr>
<tr class="a">
-
-<th>Code </th>
-
-<th>Message </th>
- </tr>
- </thead>
- <tbody>
-
-<tr class="b">
-
-<td>0001 </td>
-
-<td>Generic access control violation </td>
- </tr>
-
-<tr class="a">
-
-<td>0002 </td>
-
-<td>Access control entry node expected </td>
- </tr>
-
-<tr class="b">
-
-<td>0003 </td>
-
-<td>Invalid policy name </td>
- </tr>
-
-<tr class="a">
-
-<td>0004 </td>
-
-<td>Invalid policy node: Order of children is not stable </td>
- </tr>
-
-<tr class="b">
-
-<td>0005 </td>
-
-<td>Access control policy within access control content </td>
- </tr>
-
-<tr class="a">
-
-<td>0006 </td>
-
-<td>Isolated policy node </td>
- </tr>
-
-<tr class="b">
-
-<td>0007 </td>
-
-<td>Isolated access control entry </td>
- </tr>
-
-<tr class="a">
-
-<td>0008 </td>
-
-<td>ACE without principal name </td>
- </tr>
-
-<tr class="b">
-
-<td>0009 </td>
-
-<td>ACE without privileges </td>
- </tr>
-
-<tr class="a">
-
-<td>0010 </td>
-
-<td>ACE contains invalid privilege name </td>
- </tr>
-
-<tr class="b">
-
-<td>0011 </td>
-
-<td>ACE uses abstract privilege </td>
- </tr>
-
-<tr class="a">
-
-<td>0012 </td>
-
-<td>Repository level policies defined with non-root node </td>
- </tr>
-
-<tr class="b">
-
-<td>0013 </td>
-
-<td>Duplicate ACE found in policy </td>
- </tr>
- </tbody>
+<td> 0010 </td>
+<td> ACE contains invalid privilege name </td></tr>
+<tr class="b">
+<td> 0011 </td>
+<td> ACE uses abstract privilege </td></tr>
+<tr class="a">
+<td> 0012 </td>
+<td> Repository level policies defined with non-root node </td></tr>
+<tr class="b">
+<td> 0013 </td>
+<td> Duplicate ACE found in policy </td></tr>
+</tbody>
</table>
<p><a name="configuration"></a></p></div>
<div class="section">
@@ -562,67 +497,39 @@
<div class="section">
<h4><a name="Configuration_Parameters"></a>Configuration Parameters</h4>
<p>The default implementation supports the following configuration parameters:</p>
-
<table border="0" class="table table-striped">
- <thead>
-
+<thead>
+
<tr class="a">
-
-<th>Parameter </th>
-
-<th>Type </th>
-
-<th>Default </th>
- </tr>
- </thead>
- <tbody>
-
-<tr class="b">
-
-<td><tt>PARAM_RESTRICTION_PROVIDER</tt> </td>
-
-<td>RestrictionProvider </td>
-
-<td>RestrictionProviderImpl </td>
- </tr>
-
-<tr class="a">
-
-<td><tt>PARAM_READ_PATHS</tt> </td>
-
-<td>Set<String> </td>
-
-<td>paths to namespace, nodetype and privilege root nodes </td>
- </tr>
-
-<tr class="b">
-
-<td><tt>PARAM_IMPORT_BEHAVIOR</tt> </td>
-
-<td>String (“abort”, “ignore”, “besteffort”) </td>
-
-<td>“abort” </td>
- </tr>
-
+<th> Parameter </th>
+<th> Type </th>
+<th> Default </th></tr>
+</thead><tbody>
+
+<tr class="b">
+<td> <tt>PARAM_RESTRICTION_PROVIDER</tt> </td>
+<td> RestrictionProvider </td>
+<td> RestrictionProviderImpl </td></tr>
+<tr class="a">
+<td> <tt>PARAM_READ_PATHS</tt> </td>
+<td> Set<String> </td>
+<td> paths to namespace, nodetype and privilege root nodes </td></tr>
+<tr class="b">
+<td> <tt>PARAM_IMPORT_BEHAVIOR</tt> </td>
+<td> String (“abort”, “ignore”, “besteffort”) </td>
+<td> “abort” </td></tr>
<tr class="a">
-
-<td> </td>
-
<td> </td>
-
<td> </td>
- </tr>
- </tbody>
+<td> </td></tr>
+</tbody>
</table>
<p>Differences to Jackrabbit 2.x:</p>
-
<ul>
-
+
<li>The “omit-default-permission” configuration option present with the Jackrabbit’s AccessControlProvider implementations is no longer supported with Oak.</li>
-
<li>As of OAK no extra access control content is installed by default which renders that flag superfluous.</li>
-</ul>
-<!-- hidden references --></div></div></div>
+</ul><!-- hidden references --></div></div></div>
</div>
</div>
</div>
Modified: jackrabbit/site/live/oak/docs/security/accesscontrol/editing.html
URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/security/accesscontrol/editing.html?rev=1846224&r1=1846223&r2=1846224&view=diff
==============================================================================
--- jackrabbit/site/live/oak/docs/security/accesscontrol/editing.html (original)
+++ jackrabbit/site/live/oak/docs/security/accesscontrol/editing.html Fri Nov 9 09:46:57 2018
@@ -1,13 +1,13 @@
<!DOCTYPE html>
<!--
- | Generated by Apache Maven Doxia Site Renderer 1.7.4 at 2018-02-21
+ | Generated by Apache Maven Doxia Site Renderer 1.8.1 at 2018-11-09
| Rendered using Apache Maven Fluido Skin 1.6
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
- <meta name="Date-Revision-yyyymmdd" content="20180221" />
+ <meta name="Date-Revision-yyyymmdd" content="20181109" />
<meta http-equiv="Content-Language" content="en" />
<title>Jackrabbit Oak – Using the Access Control Management API</title>
<link rel="stylesheet" href="../../css/apache-maven-fluido-1.6.min.css" />
@@ -52,6 +52,7 @@
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Main APIs <b class="caret"></b></a>
<ul class="dropdown-menu">
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" title="JCR API">JCR API</a></li>
+ <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" title="Jackrabbit API">Jackrabbit API</a></li>
<li><a href="../../oak_api/overview.html" title="Oak API">Oak API</a></li>
</ul>
</li>
@@ -66,7 +67,12 @@
<li><a href="../../nodestore/compositens.html" title="Composite NodeStore">Composite NodeStore</a></li>
</ul>
</li>
- <li><a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a></li>
+ <li class="dropdown-submenu">
+<a href="../../plugins/blobstore.html" title="Blob Storage">Blob Storage</a>
+ <ul class="dropdown-menu">
+ <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access">Direct Binary Access</a></li>
+ </ul>
+ </li>
<li class="dropdown-submenu">
<a href="../../query/query.html" title="Query">Query</a>
<ul class="dropdown-menu">
@@ -136,7 +142,7 @@
<div id="breadcrumbs">
<ul class="breadcrumb">
- <li id="publishDate">Last Published: 2018-02-21<span class="divider">|</span>
+ <li id="publishDate">Last Published: 2018-11-09<span class="divider">|</span>
</li>
<li id="projectVersion">Version: 1.10-SNAPSHOT</li>
</ul>
@@ -155,12 +161,14 @@
<li><a href="../../architecture/nodestate.html" title="The Node State Model"><span class="none"></span>The Node State Model</a> </li>
<li class="nav-header">Main APIs</li>
<li><a href="http://www.day.com/specs/jcr/2.0/index.html" class="externalLink" title="JCR API"><span class="none"></span>JCR API</a> </li>
+ <li><a href="https://jackrabbit.apache.org/jcr/jcr-api.html" class="externalLink" title="Jackrabbit API"><span class="none"></span>Jackrabbit API</a> </li>
<li><a href="../../oak_api/overview.html" title="Oak API"><span class="none"></span>Oak API</a> </li>
<li class="nav-header">Features and Plugins</li>
<li><a href="../../nodestore/overview.html" title="Node Storage"><span class="icon-chevron-down"></span>Node Storage</a>
<ul class="nav nav-list">
<li><a href="../../nodestore/documentmk.html" title="Document NodeStore"><span class="icon-chevron-down"></span>Document NodeStore</a>
<ul class="nav nav-list">
+ <li><a href="../../nodestore/document/mongo-document-store.html" title="MongoDB DocumentStore"><span class="none"></span>MongoDB DocumentStore</a> </li>
<li><a href="../../nodestore/document/node-bundling.html" title="Node Bundling"><span class="none"></span>Node Bundling</a> </li>
<li><a href="../../nodestore/document/secondary-store.html" title="Secondary Store"><span class="none"></span>Secondary Store</a> </li>
<li><a href="../../nodestore/persistent-cache.html" title="Persistent Cache"><span class="none"></span>Persistent Cache</a> </li>
@@ -171,7 +179,11 @@
<li><a href="../../nodestore/compositens.html" title="Composite NodeStore"><span class="none"></span>Composite NodeStore</a> </li>
</ul>
</li>
- <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="none"></span>Blob Storage</a> </li>
+ <li><a href="../../plugins/blobstore.html" title="Blob Storage"><span class="icon-chevron-down"></span>Blob Storage</a>
+ <ul class="nav nav-list">
+ <li><a href="../../features/direct-binary-access.html" title="Direct Binary Access"><span class="none"></span>Direct Binary Access</a> </li>
+ </ul>
+ </li>
<li><a href="../../query/query.html" title="Query"><span class="icon-chevron-down"></span>Query</a>
<ul class="nav nav-list">
<li><a href="../../query/query-engine.html" title="Query Engine"><span class="none"></span>Query Engine</a> </li>
@@ -239,37 +251,35 @@
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
- --><div class="section">
+ -->
+<div class="section">
<h2><a name="Using_the_Access_Control_Management_API"></a>Using the Access Control Management API</h2>
+<p><a name="read"></a></p>
<div class="section">
<h3><a name="Reading"></a>Reading</h3>
<div class="section">
<h4><a name="Privilege_Discovery"></a>Privilege Discovery</h4>
<p>Discover/test privileges for the editing session:</p>
-
<ul>
-
+
<li><tt>AccessControlManager</tt>
-
<ul>
-
+
<li><tt>hasPrivileges(String, Privilege[])</tt></li>
-
<li><tt>getPrivileges(String)</tt></li>
- </ul></li>
+</ul>
+</li>
</ul>
<p>Discover/test privileges for a set of principal that may differ from those associated with the reading subject. Note that this method requires editing session to be able to have <tt>READ_ACCESS_CONTROL</tt> permission on the node associated with the specified path.</p>
-
<ul>
-
+
<li><tt>JackrabbitAccessControlManager</tt>
-
<ul>
-
+
<li><tt>hasPrivileges(String, Set<Principal>, Privilege[])</tt></li>
-
<li><tt>getPrivileges(String, Set<Principal>, Privilege[])</tt></li>
- </ul></li>
+</ul>
+</li>
</ul>
<div class="section">
<h5><a name="Note"></a>Note</h5>
@@ -277,123 +287,122 @@
<p>See section <a href="../permission/permissionsandprivileges.html">Permissions vs Privileges</a> for an comprehensive overview on the differences between testing permissions on <tt>Session</tt> and privileges on <tt>AccessControlManager</tt>.</p></div></div>
<div class="section">
<h4><a name="Reading_Policies"></a>Reading Policies</h4>
-
<ul>
-
+
<li>
+
<p><tt>AccessControlManager</tt></p>
-
<ul>
-
+
<li><tt>getApplicablePolicies(String)</tt></li>
-
<li><tt>getPolicies(String)</tt></li>
- </ul></li>
-
+</ul>
+</li>
<li>
+
<p><tt>JackrabbitAccessControlManager</tt></p>
-
<ul>
-
+
<li><tt>getApplicablePolicies(Principal)</tt></li>
-
<li><tt>getPolicies(Principal)</tt></li>
- </ul></li>
+</ul>
+</li>
</ul>
<div class="section">
<h5><a name="Examples"></a>Examples</h5>
<div class="section">
<h6><a name="Read_policies_bound_to_a_node"></a>Read policies bound to a node</h6>
-<div class="source">
-<div class="source"><pre class="prettyprint">AccessControlManager acMgr = session.getAccessControlManager();
+<div>
+<div>
+<pre class="source">AccessControlManager acMgr = session.getAccessControlManager();
AccessControlPolicy[] policies = acMgr.getPolicies("/content");
-</pre></div></div></div>
+</pre></div></div>
+</div>
<div class="section">
<h6><a name="Read_policies_that_have_not_yet_been_bound_to_the_node"></a>Read policies that have not yet been bound to the node</h6>
-<div class="source">
-<div class="source"><pre class="prettyprint">AccessControlManager acMgr = session.getAccessControlManager();
+<div>
+<div>
+<pre class="source">AccessControlManager acMgr = session.getAccessControlManager();
AccessControlPolicyIterator it = acMgr.getApplicablePolicies("/content");
-</pre></div></div></div></div></div>
+</pre></div></div>
+</div></div></div>
<div class="section">
<h4><a name="Reading_Policy_Content"></a>Reading Policy Content</h4>
-
<ul>
-
+
<li>
+
<p><tt>AccessControlList</tt></p>
-
<ul>
-
+
<li><tt>getAccessControlEntries()</tt></li>
- </ul></li>
-
+</ul>
+</li>
<li>
+
<p><tt>JackrabbitAccessControlList</tt></p>
-
<ul>
-
+
<li><tt>getRestrictionNames()</tt></li>
-
<li><tt>getRestrictionType(String)</tt></li>
-
<li><tt>isEmpty()</tt></li>
-
<li><tt>size()</tt></li>
- </ul></li>
-
+</ul>
+</li>
<li>
+
<p><tt>PrincipalSetPolicy</tt></p>
-
<ul>
-
+
<li><tt>getPrincipals()</tt></li>
- </ul></li>
+</ul>
+</li>
</ul></div>
<div class="section">
<h4><a name="Reading_Effective_Policies"></a>Reading Effective Policies</h4>
-
<ul>
-
-<li><tt>AccessControlManager</tt>
-
+
+<li>
+
+<p><tt>AccessControlManager</tt></p>
<ul>
-
+
<li><tt>getEffectivePolicies(String)</tt></li>
- </ul></li>
</ul>
+</li>
+<li>
+<p><tt>JackrabbitAccessControlManager</tt></p>
<ul>
-
-<li><tt>JackrabbitAccessControlManager</tt>
-
-<ul>
-
+
<li><tt>getEffectivePolicies(Set<Principal>)</tt></li>
- </ul></li>
-</ul></div></div>
+</ul>
+</li>
+</ul>
+<p><a name="write"></a></p></div></div>
<div class="section">
<h3><a name="Writing"></a>Writing</h3>
<div class="section">
<h4><a name="Adding_Policies"></a>Adding Policies</h4>
-
<ul>
-
+
<li><tt>AccessControlManager</tt>
-
<ul>
-
+
<li><tt>setPolicy(String, AccessControlPolicy)</tt></li>
- </ul></li>
+</ul>
+</li>
</ul>
<div class="section">
<h5><a name="Examples"></a>Examples</h5>
<div class="section">
<h6><a name="Bind_a_policy_to_a_node"></a>Bind a policy to a node</h6>
-<div class="source">
-<div class="source"><pre class="prettyprint">AccessControlPolicyIterator it = acMgr.getApplicablePolicies("/content");
+<div>
+<div>
+<pre class="source">AccessControlPolicyIterator it = acMgr.getApplicablePolicies("/content");
while (it.hasNext()) {
AccessControlPolicy policy = it.nextPolicy();
if (policy instanceof NamedAccessControlPolicy && "myPolicy".equals((NamedAccessControlPolicy) policy).getName()) {
@@ -401,137 +410,124 @@ while (it.hasNext()) {
session.save();
}
}
-</pre></div></div></div></div></div>
+</pre></div></div>
+</div></div></div>
<div class="section">
<h4><a name="Modifying_Policies"></a>Modifying Policies</h4>
<p>Modification of policies is specific to the policy type. JCR/Jackrabbit API only define a single mutable type of policies: the access control list. Depending on the access control implementation there may be other mutable policies.</p>
-
<ul>
-
+
<li>
+
<p><tt>AccessControlList</tt></p>
-
<ul>
-
+
<li><tt>addAccessControlEntry(Principal, Privilege[])</tt></li>
-
<li><tt>removeAccessControlEntry(AccessControlEntry)</tt></li>
- </ul></li>
-
+</ul>
+</li>
<li>
+
<p><tt>JackrabbitAccessControlList</tt></p>
-
<ul>
-
+
<li><tt>addAccessControlEntry(Principal, Privilege[], boolean)</tt></li>
-
<li><tt>addAccessControlEntry(Principal, Privilege[], boolean, Map<String, Value>)</tt></li>
-
<li><tt>addAccessControlEntry(Principal, Privilege[], boolean, Map<String, Value>, Map<String, Value[]>)</tt></li>
-
<li><tt>orderBefore(AccessControlEntry, AccessControlEntry)</tt></li>
- </ul></li>
-
+</ul>
+</li>
<li>
+
<p><tt>PrincipalSetPolicy</tt></p>
-
<ul>
-
+
<li><tt>addPrincipals(Principal...)</tt></li>
-
<li><tt>removePrincipals(Principal...)</tt></li>
- </ul></li>
-
+</ul>
+</li>
<li>
+
<p><tt>AccessControlUtils</tt></p>
-
<ul>
-
+
<li><tt>getAccessControlList(Session, String)</tt></li>
-
<li><tt>getAccessControlList(AccessControlManager, String)</tt></li>
-
<li><tt>addAccessControlEntry(Session, String, Principal, String[], boolean)</tt></li>
-
<li><tt>addAccessControlEntry(Session, String, Principal, Privilege[], boolean)</tt></li>
-
<li><tt>grantAllToEveryone(Session, String)</tt></li>
-
<li><tt>denyAllToEveryone(Session, String)</tt></li>
- </ul></li>
+</ul>
+</li>
</ul>
<div class="section">
<h5><a name="Retrieve_Principals"></a>Retrieve Principals</h5>
<p>The default and recommended ways to obtain <tt>Principal</tt>s for access control management is through the principal management API:</p>
-
<ul>
-
+
<li><tt>PrincipalManager</tt> (see section <a href="../principal.html">Principal Management</a>)
-
<ul>
-
+
<li><tt>getPrincipal(String)</tt></li>
-
<li><tt>getPrivilege(String)</tt></li>
- </ul></li>
+</ul>
+</li>
</ul>
<p>One way of representing principals in the repository is by the means of user management: If user management is supported in a given Oak repository (see <a class="externalLink" href="http://svn.apache.org/repos/asf/jackrabbit/trunk/jackrabbit-api/src/main/java/org/apache/jackrabbit/api/JackrabbitRepository.java">OPTION_USER_MANAGEMENT_SUPPORTED</a> repository descriptor), principals associated with a given user/group can be obtained by calling:</p>
-
<ul>
-
+
<li><tt>Authorizable</tt> (see section <a href="../user.html">User Management</a>)
-
<ul>
-
+
<li><tt>getPrincipal()</tt></li>
- </ul></li>
+</ul>
+</li>
</ul>
<p>Note however, that this will only work for principals backed by a user/group. Principals provided by a different principal management implementation won’t be accessible through user management.</p></div>
<div class="section">
<h5><a name="Retrieve_Privileges"></a>Retrieve Privileges</h5>
-
<ul>
-
+
<li>
+
<p><tt>PrivilegeManager</tt> (see section <a href="../privilege.html">Privilege Management</a>)</p>
-
<ul>
-
+
<li><tt>getRegisteredPrivileges()</tt></li>
-
<li><tt>getPrivilege(String)</tt></li>
- </ul></li>
-
+</ul>
+</li>
<li>
+
<p><tt>AccessControlManager</tt></p>
-
<ul>
-
+
<li><tt>getSupportedPrivileges(String)</tt></li>
-
<li><tt>privilegeFromName(String)</tt></li>
- </ul></li>
-
+</ul>
+</li>
<li>
+
<p><tt>AccessControlUtils</tt></p>
-
<ul>
-
+
<li><tt>privilegesFromNames(Session session, String... privilegeNames)</tt></li>
-
<li><tt>privilegesFromNames(AccessControlManager accessControlManager, String... privilegeNames)</tt></li>
- </ul></li>
-
+</ul>
+</li>
<li>
-<p><tt>Privilege</tt>: defines name constants for the privileges defined by JCR</p></li>
+
+<p><tt>Privilege</tt>: defines name constants for the privileges defined by JCR</p>
+</li>
</ul></div>
<div class="section">
<h5><a name="Examples"></a>Examples</h5>
<div class="section">
<h6><a name="Modify_an_AccessControlList"></a>Modify an AccessControlList</h6>
-<div class="source">
-<div class="source"><pre class="prettyprint">JackrabbitAccessControlList acl = null;
+<div>
+<div>
+<pre class="source">JackrabbitAccessControlList acl = null;
// try if there is an acl that has been set before
for (AccessControlPolicy policy : acMgr.getPolicies("/content")) {
if (policy instanceof JackrabbitAccessControlList) {
@@ -548,12 +544,14 @@ if (acl != null) {
acMgr.setPolicy(acl.getPath(), acl);
session.save();
}
-</pre></div></div></div>
+</pre></div></div>
+</div>
<div class="section">
<h6><a name="Create_or_Modify_an_AccessControlList"></a>Create or Modify an AccessControlList</h6>
-<div class="source">
-<div class="source"><pre class="prettyprint">JackrabbitAccessControlList acl = null;
+<div>
+<div>
+<pre class="source">JackrabbitAccessControlList acl = null;
// try if there is an acl that has been set before
for (AccessControlPolicy policy : acMgr.getPolicies("/content")) {
if (policy instanceof JackrabbitAccessControlList) {
@@ -582,10 +580,12 @@ if (acl != null) {
session.save();
}
</pre></div></div>
+
<p>or alternatively use <tt>AccessControlUtils</tt>:</p>
-<div class="source">
-<div class="source"><pre class="prettyprint">JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(session, "/content");
+<div>
+<div>
+<pre class="source">JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(session, "/content");
if (acl != null) {
PrincipalManager principalManager = jackrabbitSession.getPrincipalManager();
Principal principal = principalManager.getPrincipal("jackrabbit");
@@ -595,32 +595,35 @@ if (acl != null) {
acMgr.setPolicy(acl.getPath(), acl);
session.save();
}
-</pre></div></div></div></div></div>
+</pre></div></div>
+</div></div></div>
<div class="section">
<h4><a name="Removing_Policies"></a>Removing Policies</h4>
-
<ul>
-
+
<li><tt>AccessControlManager</tt>
-
<ul>
-
+
<li><tt>removePolicy(String, AccessControlPolicy)</tt></li>
- </ul></li>
+</ul>
+</li>
</ul>
<div class="section">
<h5><a name="Examples"></a>Examples</h5>
<div class="section">
<h6><a name="Remove_a_policy"></a>Remove a policy</h6>
-<div class="source">
-<div class="source"><pre class="prettyprint">for (AccessControlPolicy policy : acMgr.getPolicies("/content");
+<div>
+<div>
+<pre class="source">for (AccessControlPolicy policy : acMgr.getPolicies("/content");
if (policy instanceof NamedAccessControlPolicy && "myPolicy".equals((NamedAccessControlPolicy) policy).getName()) {
acMgr.removePolicy("/content", policy);
session.save();
}
}
-</pre></div></div></div></div></div></div>
+</pre></div></div>
+
+<p><a name="repository_level"></a></p></div></div></div></div>
<div class="section">
<h3><a name="Access_Control_on_Repository_Level"></a>Access Control on Repository Level</h3>
<div class="section">
@@ -629,8 +632,9 @@ if (acl != null) {
<div class="section">
<h6><a name="Allow_a_Principal_to_Register_Namespaces"></a>Allow a Principal to Register Namespaces</h6>
-<div class="source">
-<div class="source"><pre class="prettyprint">JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(session, null);
+<div>
+<div>
+<pre class="source">JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(session, null);
if (acl != null) {
PrincipalManager principalManager = jackrabbitSession.getPrincipalManager();
Principal principal = principalManager.getPrincipal("dinosaur");