Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2019/10/15 08:43:29 UTC

svn commit: r1868475 - in /jackrabbit/oak/trunk/oak-doc/src/site/markdown/security: accesscontrol.md authorization/principalbased.md

Author: angela
Date: Tue Oct 15 08:43:28 2019
New Revision: 1868475

URL: http://svn.apache.org/viewvc?rev=1868475&view=rev
Log:
OAK-8693 : respect PARAM_READ_PATHS configuration option - update documentation

Modified:
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/principalbased.md

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md?rev=1868475&r1=1868474&r2=1868475&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md Tue Oct 15 08:43:28 2019
@@ -95,6 +95,7 @@ that may be used for a custom implementa
 - `AbstractAccessControlList`: abstract base implementation of the `JackrabbitAccessControlList` interface
     - `ImmutableACL`: immutable subclass of `AbstractAccessControlList`
     - `ACE`: abstract subclass that implements common methods of a mutable access control list.
+- `ReadPolicy`: implementation of `NamedAccessControlPolicy` used to represent the configured [readable paths](permission/default.html#configuration).
 
 #### Restriction Management
 

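Review bot: The added `ReadPolicy` bullet says what the class represents but not where a caller will encounter it. principalbased.md in this same commit states that `AccessControlManager.getEffectivePolicies(String absPath)` will include a `NamedAccessControlPolicy` for trees located at or below the readable paths. If that is the only place `ReadPolicy` surfaces, say so here, so readers understand it reflects configuration and is reported as an effective policy.
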
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/principalbased.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/principalbased.md?rev=1868475&r1=1868474&r2=1868475&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/principalbased.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/principalbased.md Tue Oct 15 08:43:28 2019
@@ -150,6 +150,14 @@ All privileges registered with the repos
 The principal-based authorization model doesn't come with a dedicated `RestrictionProvider`. Instead it is built to
 handle any restriction defined by the Oak authorization setup.
 
+##### Readable Paths
+
+If the principal-based authorization is used together with the default implementation, it will respect the [readable-paths 
+configuration](../permission/default.html#configuration). For trees located at or below the readable paths 
+`AccessControlManager.getEffectivePolicies(String absPath)` will include a `NamedAccessControlPolicy`.
+Note, that in accordance to the default authorization model, this effective policy is not currently not included when 
+looking up effective policies by principal.
+
 <a name="details_permission_eval"></a>
 #### Permission Evaluation
  
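Review bot: The last added sentence reads "this effective policy is not currently not included", and the doubled "not" leaves it unclear whether lookups by principal report the policy. If the intent is that it is excluded, suggest: "Note that, in accordance with the default authorization model, this effective policy is currently not included when looking up effective policies by principal." In the first added sentence, "the default implementation" would be clearer as "the default authorization model", the term the paragraph uses further down.
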
@@ -195,6 +203,12 @@ However, in order to minimize excessive
 - _entry:_ granting privileges, _redundant_: same privileges with additional restrictions
 - _entry:_ granting privileges, _redundant:_ subset of these privileges 
 
+##### Readable Paths
+
+Since [OAK-8671](https://issues.apache.org/jira/browse/OAK-8671) principal-based authorization respects the readable 
+paths configuration option present with the default authorization model. For any tree located at or below these configured 
+paths read-access is always granted.
+
 ##### Administrative Access
 
 The principal-based authorization doesn't enforce any special handling for administrative principals. When implementing
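
Review bot: The added sentence "For any tree located at or below these configured paths read-access is always granted" does not link to the option it depends on and does not say whether "always" means regardless of the entries defined for the principals being evaluated. Suggest linking "readable paths configuration option" to `../permission/default.html#configuration`, as the Readable Paths section added earlier in this file does, and stating the precedence explicitly, since this is the paragraph a reader consults to learn what is readable without any entry. Also worth confirming the issue reference: the text cites OAK-8671 while the commit log cites OAK-8693. Finally, this is the second `##### Readable Paths` heading added to the same file, so a distinguishing title or explicit anchor would keep deep links unambiguous.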