Posted to oak-issues@jackrabbit.apache.org by "angela (JIRA)" <ji...@apache.org> on 2017/01/17 17:28:26 UTC

[jira] [Commented] (OAK-4959) Review the security aspect of bundling configuration

    [ https://issues.apache.org/jira/browse/OAK-4959?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15826434#comment-15826434 ] 

angela commented on OAK-4959:
-----------------------------

[~chetanm], I will take a look asap... just from the description it looks quite odd to register a {{PrincipalConfiguration}} for this (but you probably agree if I read your comment). Can I ask you some more general questions regarding the original description?

- does it need to be stored under jcr:system/rep:documentStore/bundlor? and if yes, why?
- why does it need to be writeable using JCR API?
- is there a reason for not making this an OSGi configuration? Since the system console is by definition a system-admin tool (and any access by someone else was a most severe security issue) that would look like a better fit to me than some arbitrary location in the repository that up to now has not stored any sensitive configuration. 



> Review the security aspect of bundling configuration
> ----------------------------------------------------
>
>                 Key: OAK-4959
>                 URL: https://issues.apache.org/jira/browse/OAK-4959
>             Project: Jackrabbit Oak
>          Issue Type: Task
>          Components: documentmk
>            Reporter: Chetan Mehrotra
>            Assignee: Chetan Mehrotra
>              Labels: bundling
>             Fix For: 1.5.18, 1.6
>
>         Attachments: OAK-4959-v1.patch
>
>
> The config for node bundling feature in DocumentNodeStore is currently stored under {{jcr:system/rep:documentStore/bundlor}}. This task is meant to 
> * Review the access control aspect - This config should be only updatable by system admin
> * Config under here should be writeable via JCR api



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
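The description asks that the config below jcr:system/rep:documentStore/bundlor be updatable only by a system admin while remaining writable via the JCR API. The following is an added check written for this page (it is not code from OAK-4959, its patch, or the Oak code base) that exercises exactly that requirement against an in-memory Oak repository: the admin session must be able to write the node, and a freshly created user with no access control entries must be refused, both by {{Session.hasPermission}} and by an actual write attempt. The node path is taken from the issue; the assumption that the node can be created under /jcr:system by admin, the property name {{config}}, the probe user id and the default admin/admin credentials are assumptions of this example.

```java
import javax.jcr.AccessDeniedException;
import javax.jcr.Node;
import javax.jcr.PathNotFoundException;
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;

import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.oak.jcr.Jcr;

/**
 * Added check, not part of OAK-4959 or of Oak itself: a non-admin user must
 * neither see nor modify configuration stored below /jcr:system, while the
 * admin session can update it through the plain JCR API.
 */
public class BundlingConfigAccessCheck {

    // Path taken from the issue description. Whether it already exists in a
    // given repository depends on the DocumentNodeStore setup (assumption).
    static final String CONFIG_PATH = "/jcr:system/rep:documentStore/bundlor";
    static final String PROP = "config";           // hypothetical property name
    static final String PROBE_USER = "bundling-probe"; // hypothetical user id

    public static void main(String[] args) throws Exception {
        // In-memory Oak repository; Oak's default admin credentials are admin/admin.
        Repository repo = new Jcr().createRepository();
        Session admin = repo.login(new SimpleCredentials("admin", "admin".toCharArray()));
        try {
            ensureConfigNode(admin);
            check(canWrite(admin), "admin must be able to update the bundling config");

            // An ordinary user with no access control entries at all.
            JackrabbitSession js = (JackrabbitSession) admin;
            User u = js.getUserManager().createUser(PROBE_USER, "pw");
            admin.save();

            Session user = repo.login(new SimpleCredentials(u.getID(), "pw".toCharArray()));
            try {
                // Cheap permission query first; nothing is modified.
                check(!user.hasPermission(CONFIG_PATH, Session.ACTION_SET_PROPERTY),
                        "non-admin must not hold set_property on " + CONFIG_PATH);
                // Then the real write attempt; Oak reports the denial on save().
                check(!canWrite(user), "non-admin write to the bundling config must be denied");
            } finally {
                user.logout();
            }
        } finally {
            admin.logout();
        }
        System.out.println("bundling config access check passed");
    }

    /** Creates the config node (and missing intermediates) as admin if absent. */
    static void ensureConfigNode(Session s) throws RepositoryException {
        Node n = s.getRootNode();
        for (String name : CONFIG_PATH.substring(1).split("/")) {
            n = n.hasNode(name) ? n.getNode(name) : n.addNode(name);
        }
        s.save();
    }

    /**
     * Tries to set a property on the config node with the given session.
     * Returns false when the node is not visible (PathNotFoundException) or
     * the write is denied (AccessDeniedException); transient changes are
     * discarded either way so the session stays clean.
     */
    static boolean canWrite(Session s) throws RepositoryException {
        try {
            Node n = s.getNode(CONFIG_PATH);
            n.setProperty(PROP, "probe");
            s.save();
            return true;
        } catch (PathNotFoundException | AccessDeniedException e) {
            s.refresh(false);
            return false;
        }
    }

    static void check(boolean cond, String msg) {
        if (!cond) {
            throw new IllegalStateException(msg);
        }
    }
}
```

Both assertions matter: {{hasPermission}} answers from the permission store without touching content, whereas the write attempt catches the case where a commit hook or a later configuration change grants more than the permission entries suggest. Run it against a repository with the real bundling config node in place rather than the one created here to get a meaningful result.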