Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2015/03/03 10:07:20 UTC

svn commit: r1663559 - in /jackrabbit/oak/trunk/oak-doc/src/site/markdown: oak_api/error_codes.md security/accesscontrol/cug.md security/authentication/tokenmanagement.md

Author: angela
Date: Tue Mar  3 09:07:20 2015
New Revision: 1663559

URL: http://svn.apache.org/r1663559
Log:
OAK-2563 : Cleanup and document security related error codes (user mgt, token mgt, cug)

Added:
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/cug.md
Modified:
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/oak_api/error_codes.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/oak_api/error_codes.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/oak_api/error_codes.md?rev=1663559&r1=1663558&r2=1663559&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/oak_api/error_codes.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/oak_api/error_codes.md Tue Mar  3 09:07:20 2015
@@ -43,6 +43,25 @@ information about the issue. This page i
 | 0025              | Mandatory child node X not included in a new node        |
 | 0026              | Mandatory child node X can not be removed                |
 
+#### User Validation
+
+| Code              | Message                                                  |
+|-------------------|----------------------------------------------------------|
+| 0020              | Admin user cannot be disabled                            |
+| 0021              | Invalid jcr:uuid for authorizable (creation)             |
+| 0022              | Changing Id, principal name after creation               |
+| 0023              | Invalid jcr:uuid for authorizable (mod)                  |
+| 0024              | Password may not be plain text                           |
+| 0025              | Attempt to remove id, principalname or pw                |
+| 0026              | Mandatory property rep:principalName missing             |
+| 0027              | The admin user cannot be removed                         |
+| 0028              | Attempt to create outside of configured scope            |
+| 0029              | Intermediate folders not rep:AuthorizableFolder          |
+| 0030              | Missing uuid for group (check for cyclic membership)     |
+| 0031              | Cyclic group membership                                  |
+| 0032              | Attempt to set password with system user                 |
+| 0033              | Attempt to add rep:pwd node to a system user             |
+
 #### Privilege Validation
 
 | Code              | Message                                                  |
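Review bot: The new User Validation table reuses codes 0025 and 0026, which the table directly above it (the leading context lines of this hunk) already assigns to the mandatory child node messages, and the section does not say which exception type its codes belong to. Add an introductory sentence naming the type, in the same form the other two files in this commit use ("all of type ..."), so that a reader who sees 0025 in a log can tell the two tables apart. In the same table, "(mod)" on 0023 should be spelled out to match "(creation)" on 0021, and 0022 and 0025 write "principal name" and "principalname" differently.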
@@ -61,16 +80,30 @@ information about the issue. This page i
 | 0052              | Detected circular aggregation                            |
 | 0053              | Custom aggregate privilege X is already covered.         |
 
-#### User Validation
+#### Token Validation
+
+see section [Token Management](../security/authentication/tokenmanagement.html)
 
-_todo_
 
 ### Type Access
 
+#### Access Validation
+_todo_
+
 #### Permission Validation
+_todo_
+
+
+### Type Access Control
+
+#### Default Access Control Validation
 
 _todo_
 
+#### CUG Validation
+
+see section [Closed User Groups](../security/authorization/cug.html)
+
 
 <!-- hidden references -->
 [OAK-764]: https://issues.apache.org/jira/browse/OAK-764
\ No newline at end of file
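Review bot: The CUG Validation link at the end of this hunk points to `../security/authorization/cug.html`, but this commit adds the page as `security/accesscontrol/cug.md`, so the link will not resolve as committed. Either change the link to `../security/accesscontrol/cug.html` or move the new file under `authorization/`. Separately, the `_todo_` markers under `#### Access Validation` and `#### Permission Validation` sit directly below their headings, while the one under `#### Default Access Control Validation` has a blank line before it; use the blank line everywhere to match the rest of the file.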

Added: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/cug.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/cug.md?rev=1663559&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/cug.md (added)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/cug.md Tue Mar  3 09:07:20 2015
@@ -0,0 +1,72 @@
+<!--
+   Licensed to the Apache Software Foundation (ASF) under one or more
+   contributor license agreements.  See the NOTICE file distributed with
+   this work for additional information regarding copyright ownership.
+   The ASF licenses this file to You under the Apache License, Version 2.0
+   (the "License"); you may not use this file except in compliance with
+   the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+-->
+
+Managing Access with Closed User Groups (CUG)
+--------------------------------------------------------------------------------
+
+### General
+
+_todo_
+
+### CUG API
+
+_todo_
+
+### Characteristics of the CUG Implementation
+
+_todo_
+
+#### CUG Representation in the Repository
+
+##### Content Structure
+
+_todo_
+
+##### Validation
+
+The consistency of this content structure both on creation and modification is
+asserted by a dedicated `TokenValidator`. The corresponding error are
+all of type `AccessControl` with the following codes:
+
+| Code              | Message                                                  |
+|-------------------|----------------------------------------------------------|
+| 0020              | Attempt to change primary type of/to cug policy          |
+| 0021              | Wrong primary type of 'rep:cugPolicy' node               |
+| 0022              | Access controlled not not of mixin 'rep:CugMixin'        |
+
+### Configuration
+
+_todo_
+
+#### Configuration Parameters
+
+_todo_
+
+
+#### Examples
+
+_todo_
+
+### Pluggability
+
+_todo_
+
+##### Examples
+
+_todo_
+
+<!-- references -->
\ No newline at end of file
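Review bot: The Validation section of the new cug.md says the content structure is asserted by a dedicated `TokenValidator`, which reads as a copy from tokenmanagement.md, where the same sentence appears; name the validator that actually enforces the CUG structure, since this is the sentence a reader follows from an `AccessControl` error back to the code. In the same section, "The corresponding error are" should be "errors are", and the message for code 0022, "Access controlled not not of mixin 'rep:CugMixin'", presumably means "node not of mixin". The introduction also refers to "this content structure" while the Content Structure section above it is still `_todo_`, so the codes currently have nothing to refer to.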

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md?rev=1663559&r1=1663558&r2=1663559&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md Tue Mar  3 09:07:20 2015
@@ -176,6 +176,25 @@ definition:
         }
     }
 
+##### Validation
+
+The consistency of this content structure both on creation and modification is
+asserted by a dedicated `TokenValidator`. The corresponding error are
+all of type `Constraint` with the following codes:
+
+| Code              | Message                                                  |
+|-------------------|----------------------------------------------------------|
+| 0060              | Attempt to create reserved token property in other ctx   |
+| 0061              | Attempt to change existing token key                     |
+| 0062              | Change primary type of existing node to rep:Token        |
+| 0063              | Creation/Manipulation of tokens without using provider   |
+| 0064              | Create a token outside of configured scope               |
+| 0065              | Invalid location of token node                           |
+| 0066              | Invalid token key                                        |
+| 0067              | Mandatory token expiration missing                       |
+| 0068              | Invalid location of .tokens node                         |
+| 0069              | Change type of .tokens parent node                       |
+
 ### Configuration
 
 The Oak token management comes with it's own [TokenConfiguration] which allows
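Review bot: In the added Validation section, "The corresponding error are" should read "errors are", and the message for 0060, "Attempt to create reserved token property in other ctx", abbreviates "context" only to fit the column; spell it out and widen the table, since these messages are what people search for. The messages for 0062 and 0069 ("Change primary type ...", "Change type of ...") would also read more consistently as "Attempt to change ...", matching 0060 and 0061.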