Posted to oak-commits@jackrabbit.apache.org by an...@apache.org on 2015/03/03 10:07:20 UTC
svn commit: r1663559 - in /jackrabbit/oak/trunk/oak-doc/src/site/markdown:
oak_api/error_codes.md security/accesscontrol/cug.md
security/authentication/tokenmanagement.md
Author: angela
Date: Tue Mar 3 09:07:20 2015
New Revision: 1663559
URL: http://svn.apache.org/r1663559
Log:
OAK-2563 : Cleanup and document security related error codes (user mgt, token mgt, cug)
Added:
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/cug.md
Modified:
jackrabbit/oak/trunk/oak-doc/src/site/markdown/oak_api/error_codes.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/oak_api/error_codes.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/oak_api/error_codes.md?rev=1663559&r1=1663558&r2=1663559&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/oak_api/error_codes.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/oak_api/error_codes.md Tue Mar 3 09:07:20 2015
@@ -43,6 +43,25 @@ information about the issue. This page i
| 0025 | Mandatory child node X not included in a new node |
| 0026 | Mandatory child node X can not be removed |
+#### User Validation
+
+| Code | Message |
+|-------------------|----------------------------------------------------------|
+| 0020 | Admin user cannot be disabled |
+| 0021 | Invalid jcr:uuid for authorizable (creation) |
+| 0022 | Changing Id, principal name after creation |
+| 0023 | Invalid jcr:uuid for authorizable (mod) |
+| 0024 | Password may not be plain text |
+| 0025 | Attempt to remove id, principalname or pw |
+| 0026 | Mandatory property rep:principalName missing |
+| 0027 | The admin user cannot be removed |
+| 0028 | Attempt to create outside of configured scope |
+| 0029 | Intermediate folders not rep:AuthorizableFolder |
+| 0030 | Missing uuid for group (check for cyclic membership) |
+| 0031 | Cyclic group membership |
+| 0032 | Attempt to set password with system user |
+| 0033 | Attempt to add rep:pwd node to a system user |
+
#### Privilege Validation
| Code | Message |
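Review bot: the new User Validation table assigns codes 0025 and 0026, which also appear in the rows directly above it ("Mandatory child node X not included in a new node", "Mandatory child node X can not be removed"), so a code on its own no longer identifies the failure. Add a sentence under `#### User Validation` naming the exception type these codes belong to, as the token and CUG sections in this commit do ("all of type `Constraint`", "all of type `AccessControl`"), and say whether the overlap with the preceding table is intended.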
@@ -61,16 +80,30 @@ information about the issue. This page i
| 0052 | Detected circular aggregation |
| 0053 | Custom aggregate privilege X is already covered. |
-#### User Validation
+#### Token Validation
+
+see section [Token Management](../security/authentication/tokenmanagement.html)
-_todo_
### Type Access
+#### Access Validation
+_todo_
+
#### Permission Validation
+_todo_
+
+
+### Type Access Control
+
+#### Default Access Control Validation
_todo_
+#### CUG Validation
+
+see section [Closed User Groups](../security/authorization/cug.html)
+
<!-- hidden references -->
[OAK-764]: https://issues.apache.org/jira/browse/OAK-764
\ No newline at end of file
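Review bot: the link under `#### CUG Validation` targets `../security/authorization/cug.html`, but this commit adds the page at `security/accesscontrol/cug.md`, so the reference will not resolve as written. Point the link at `../security/accesscontrol/cug.html` or move the new file so that both agree. The new `#### Access Validation` and `#### Default Access Control Validation` headings carry only `_todo_`; a tracking issue reference next to them would help.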
Added: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/cug.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/cug.md?rev=1663559&view=auto
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/cug.md (added)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/cug.md Tue Mar 3 09:07:20 2015
@@ -0,0 +1,72 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+Managing Access with Closed User Groups (CUG)
+--------------------------------------------------------------------------------
+
+### General
+
+_todo_
+
+### CUG API
+
+_todo_
+
+### Characteristics of the CUG Implementation
+
+_todo_
+
+#### CUG Representation in the Repository
+
+##### Content Structure
+
+_todo_
+
+##### Validation
+
+The consistency of this content structure both on creation and modification is
+asserted by a dedicated `TokenValidator`. The corresponding error are
+all of type `AccessControl` with the following codes:
+
+| Code | Message |
+|-------------------|----------------------------------------------------------|
+| 0020 | Attempt to change primary type of/to cug policy |
+| 0021 | Wrong primary type of 'rep:cugPolicy' node |
+| 0022 | Access controlled not not of mixin 'rep:CugMixin' |
+
+### Configuration
+
+_todo_
+
+#### Configuration Parameters
+
+_todo_
+
+
+#### Examples
+
+_todo_
+
+### Pluggability
+
+_todo_
+
+##### Examples
+
+_todo_
+
+<!-- references -->
\ No newline at end of file
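Review bot: the Validation paragraph of the new CUG page says the structure is "asserted by a dedicated `TokenValidator`", which reads as a copy from tokenmanagement.md; name the validator that actually guards the CUG content structure, since the listed errors are of type `AccessControl` rather than `Constraint`. In the same section, "The corresponding error are" should be "errors are", and the message for 0022 ("Access controlled not not of mixin 'rep:CugMixin'") looks like it should read "node not". Under Pluggability, `##### Examples` is one level deeper than the `#### Examples` under Configuration; use the same level for both.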
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md?rev=1663559&r1=1663558&r2=1663559&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md Tue Mar 3 09:07:20 2015
@@ -176,6 +176,25 @@ definition:
}
}
+##### Validation
+
+The consistency of this content structure both on creation and modification is
+asserted by a dedicated `TokenValidator`. The corresponding error are
+all of type `Constraint` with the following codes:
+
+| Code | Message |
+|-------------------|----------------------------------------------------------|
+| 0060 | Attempt to create reserved token property in other ctx |
+| 0061 | Attempt to change existing token key |
+| 0062 | Change primary type of existing node to rep:Token |
+| 0063 | Creation/Manipulation of tokens without using provider |
+| 0064 | Create a token outside of configured scope |
+| 0065 | Invalid location of token node |
+| 0066 | Invalid token key |
+| 0067 | Mandatory token expiration missing |
+| 0068 | Invalid location of .tokens node |
+| 0069 | Change type of .tokens parent node |
+
### Configuration
The Oak token management comes with it's own [TokenConfiguration] which allows
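Review bot: in the added `##### Validation` paragraph, "The corresponding error are" should read "The corresponding errors are". The message for 0060 abbreviates "ctx" and the one for 0063 says "without using provider"; spell these out ("context", and which provider is meant) so the table can be read without the validator source at hand. Codes 0068 and 0069 refer to the `.tokens` node, so a pointer to where the content structure above defines it would make those rows easier to follow.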