Posted to dev@sling.apache.org by "Bertrand Delacretaz (JIRA)" <ji...@apache.org> on 2016/05/20 10:19:12 UTC

[jira] [Commented] (SLING-5355) Create service users and ACLs from the provisioning model

    [ https://issues.apache.org/jira/browse/SLING-5355?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15293119#comment-15293119 ] 

Bertrand Delacretaz commented on SLING-5355:
--------------------------------------------

At revision 1744682 I have implemented this based on the SLING-5449 repository initialization language. Here are some minimal docs to allow for testing this.

The {{repoinit.txt}} partial provisioning model at [1] contains an example repoinit section as follows:

{code}
[:repoinit]
create path /repoinit/fromProvisioningModel

create service user userFromProvisioningModel

set ACL for userFromProvisioningModel
  allow jcr:read on /repoinit/fromProvisioningModel
  deny jcr:write on /repoinit/fromProvisioningModel
end
{code}

The tests of the {{repoinit/it}} module verify that those statements are correctly executed.

The {{org.apache.sling.repoinit.jcr.RepositoryInitializer}} component reads the provisioning model text using a configurable URL, which defaults to {{context:/resources/provisioning/model.txt}} to get the model that our {{maven-slingstart-plugin}} embeds in the launchpad, the {{context:}} protocol being handled by the launchpad's {{ContextProtocolHandler}}.

Configuring a different URL and, if needed, creating a protocol handler will allow other launchers to provide the provisioning model, or directly provide repoinit statements.

The name of the {{:repoinit}} model section used in the above example is configurable in the {{RepositoryInitializer}}, or can be omitted if the configured URL provides repoinit statements directly.

The {{repoinit.txt}} partial model at [1] also indicates which updated or additional bundles are needed to activate this; currently that's:

{code}
[artifacts startLevel=2]
  org.apache.sling/org.apache.sling.repoinit.oak-jcr/0.0.1-SNAPSHOT
  org.apache.sling/org.apache.sling.repoinit.parser/0.0.1-SNAPSHOT
  org.apache.sling/org.apache.sling.provisioning.model/1.4.2

[artifacts]
  org.apache.sling/org.apache.sling.junit.core/1.0.14
  org.apache.sling/org.apache.sling.testing.tools/1.0.10
  org.apache.sling/org.apache.sling.jcr.api/2.3.1-SNAPSHOT
  org.apache.sling/org.apache.sling.jcr.base/2.3.3-SNAPSHOT
  org.apache.sling/org.apache.sling.jcr.oak.server/1.0.1-SNAPSHOT
{code}

The {{repoinit.oak.jcr}} bundle needs to be active before the {{SlingRepository}} starts, for its initializer to be taken into account.

[1] https://svn.apache.org/repos/asf/sling/trunk/bundles/extensions/repoinit/it/src/main/provisioning/repoinit.txt

> Create service users and ACLs from the provisioning model
> ---------------------------------------------------------
>
>                 Key: SLING-5355
>                 URL: https://issues.apache.org/jira/browse/SLING-5355
>             Project: Sling
>          Issue Type: New Feature
>          Components: Service User Mapper
>            Reporter: Bertrand Delacretaz
>            Assignee: Bertrand Delacretaz
>
> As discussed in the "Removing loginAdministrative, how to test that, and service username conventions" thread on our dev list [1] we need to be able to create service users and set the corresponding ACLs from our provisioning model.
> This should be implemented using distinct utility classes, one for the users and one for the ACLs, that take simple mini-languages as input. This will allow for reusing these utilities in test code for example.
> [1] http://markmail.org/message/kcvuhwfdald2dyuz
> *Edit: high-level requirements*
> As discussed in the "SLING-5355 - configs vs. content for ACLs and service users" thread - http://markmail.org/message/tzno2via2wjckhuc
> * HR1 - Create service users and set their ACLs as defined in the Sling instance's provisioning model.
> * HR2 - Create initial paths like /var/discovery, so that ACLs can be set on them.
> * HR3 - Make the full text of the ACL definitions available at runtime for auditing purposes (see Michael Marth's Dec.17 comment in SLING-5355). Also useful for upgrades where merging with conflict detection is needed.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
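
An added example, not part of the original message and not Sling's own code: a small Python audit of the repoinit subset quoted in the comment above (create path, create service user, set ACL), in the spirit of HR2 and HR3. The `undeclaredUser` block, the `/content` path and the function names are constructed for illustration, and this is not the Sling repoinit parser.

```python
import re
# Constructed sample: the section from the comment plus one constructed ACL block.
MODEL = """\
[:repoinit]
create path /repoinit/fromProvisioningModel
create service user userFromProvisioningModel
set ACL for userFromProvisioningModel
  allow jcr:read on /repoinit/fromProvisioningModel
  deny jcr:write on /repoinit/fromProvisioningModel
end
set ACL for undeclaredUser
  allow jcr:all on /content
end
[artifacts]
  org.apache.sling/org.apache.sling.junit.core/1.0.14
"""

def repoinit_section(model, name=":repoinit"):
    """Return the stripped lines between [name] and the next [section] header."""
    out, inside = [], False
    for line in model.splitlines():
        if line.startswith("["):
            inside = line.strip() == f"[{name}]"
        elif inside:
            out.append(line.strip())
    return out

def audit(model):
    """Parse the statement subset shown above; return (acl_entries, findings)."""
    paths, users, acls, findings, principal = set(), set(), [], [], None
    for line in filter(None, repoinit_section(model)):
        if m := re.fullmatch(r"create path (\S+)", line):
            paths.add(m[1])
        elif m := re.fullmatch(r"create service user (\S+)", line):
            users.add(m[1])
        elif m := re.fullmatch(r"set ACL for (\S+)", line):
            principal = m[1]
        elif line == "end":
            principal = None
        elif principal and (m := re.fullmatch(r"(allow|deny) (\S+) on (\S+)", line)):
            acls.append((principal, m[1], m[2], m[3]))
        else:  # anything outside the subset, or an ACL line outside a block
            findings.append(f"unparsed statement: {line}")
    for who, _, _, path in acls:
        if who not in users:
            findings.append(f"ACL for {who}: no 'create service user' in model")
        if path not in paths:
            findings.append(f"ACL on {path}: no 'create path' in model")
    return acls, findings
```

The findings are review hints only: a user or path may legitimately be created elsewhere, so each one is a prompt to check the model, not proof of a misconfiguration.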