Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2019/10/15 08:43:29 UTC
svn commit: r1868475 - in /jackrabbit/oak/trunk/oak-doc/src/site/markdown/security: accesscontrol.md authorization/principalbased.md
Author: angela
Date: Tue Oct 15 08:43:28 2019
New Revision: 1868475
URL: http://svn.apache.org/viewvc?rev=1868475&view=rev
Log:
OAK-8693 : respect PARAM_READ_PATHS configuration option - update documentation
Modified:
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/principalbased.md
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md?rev=1868475&r1=1868474&r2=1868475&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md Tue Oct 15 08:43:28 2019
@@ -95,6 +95,7 @@ that may be used for a custom implementa
- `AbstractAccessControlList`: abstract base implementation of the `JackrabbitAccessControlList` interface
- `ImmutableACL`: immutable subclass of `AbstractAccessControlList`
- `ACE`: abstract subclass that implements common methods of a mutable access control list.
+- `ReadPolicy`: implementation of `NamedAccessControlPolicy` used to represent the configured [readable paths](permission/default.html#configuration).
#### Restriction Management
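Review bot: The new `ReadPolicy` bullet does not say how this policy reaches API consumers, which matters because the list it joins is introduced as classes "that may be used for a custom implementa[tion]". The principalbased.md change in this same commit states that it shows up through `AccessControlManager.getEffectivePolicies(String absPath)` as a `NamedAccessControlPolicy`; repeating that here, and noting that it reflects configuration rather than stored access control content, would keep readers from treating it as a general-purpose base class like its neighbours in the list.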
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/principalbased.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/principalbased.md?rev=1868475&r1=1868474&r2=1868475&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/principalbased.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/principalbased.md Tue Oct 15 08:43:28 2019
@@ -150,6 +150,14 @@ All privileges registered with the repos
The principal-based authorization model doesn't come with a dedicated `RestrictionProvider`. Instead it is built to
handle any restriction defined by the Oak authorization setup.
+##### Readable Paths
+
+If the principal-based authorization is used together with the default implementation, it will respect the [readable-paths
+configuration](../permission/default.html#configuration). For trees located at or below the readable paths
+`AccessControlManager.getEffectivePolicies(String absPath)` will include a `NamedAccessControlPolicy`.
+Note, that in accordance to the default authorization model, this effective policy is not currently not included when
+looking up effective policies by principal.
+
<a name="details_permission_eval"></a>
#### Permission Evaluation
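Review bot: The added sentence "this effective policy is not currently not included when looking up effective policies by principal" contains a double negative that can be read as the opposite of what is meant; it should read "is currently not included". In the same sentence, "Note, that in accordance to" is better as "Note that, in accordance with". Two smaller points in this paragraph: "together with the default implementation" would be clearer as "together with the default authorization model", matching the wording used later in the sentence, and the policy is only called "a `NamedAccessControlPolicy`" here while accesscontrol.md names it `ReadPolicy`, so naming the class in both places would let readers connect the two pages.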
@@ -195,6 +203,12 @@ However, in order to minimize excessive
- _entry:_ granting privileges, _redundant_: same privileges with additional restrictions
- _entry:_ granting privileges, _redundant:_ subset of these privileges
+##### Readable Paths
+
+Since [OAK-8671](https://issues.apache.org/jira/browse/OAK-8671) principal-based authorization respects the readable
+paths configuration option present with the default authorization model. For any tree located at or below these configured
+paths read-access is always granted.
+
##### Administrative Access
The principal-based authorization doesn't enforce any special handling for administrative principals. When implementing
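Review bot: The statement "read-access is always granted" in the new Readable Paths paragraph leaves the scope of the grant open. It should say whether this holds for every set of principals regardless of the entries evaluated for them, and whether it covers only regular read access or also reading access control content, since administrators relying on principal-based entries to limit read access need to know that this configuration overrides them. Also, the paragraph cites OAK-8671 while the commit log references OAK-8693; please confirm the "Since" reference points at the issue that introduced the behaviour. Finally, this is the second `##### Readable Paths` heading added to principalbased.md in this commit, so consider distinguishing the two (for example by adding an explicit anchor, as done for `details_permission_eval`) so that links into the page are unambiguous.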