Posted to oak-issues@jackrabbit.apache.org by "Angela Schreiber (Jira)" <ji...@apache.org> on 2021/01/21 12:47:00 UTC
[jira] [Commented] (OAK-9332) Document best practices and anti-patterns in repository tree traversal
[ https://issues.apache.org/jira/browse/OAK-9332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17269274#comment-17269274 ]
Angela Schreiber commented on OAK-9332:
---------------------------------------
[~miroslav], thanks for initiating this. looking at the documentation i found we have a few things documented in the _dos_and_donts.md_. so just from the top of my head a few ideas (definitely not a comprehensive list):
access control setup:
- model your JCR hierarchies with access control requirements in mind
- use 'principle of least privilege': only grant privileges absolutely needed
- limit the scope of your access control setup by identifying the items that need to be accessible/writable
- use allowing access control entries, try to avoid denies and remember that no access control setup is an implicit deny
- avoid access control setup for regular user principals, grant access for group principals instead
- access control setup for system user: leverage principal-based access control if available in your security setup. this avoids mixing permissions for your application with non-application content
- avoid redundant ac setup. effective permissions are inherited down the hierarchy and through declared and inherited group membership
regarding general jcr usage:
- use oak:Unstructured instead of nt:unstructured if child nodes don't have an order
depending on how long the list gets in the end we might move the best-practices to the individual sections and then link it from the general 'best-practices' page as we do e.g. in the _error_codes.md_
> Document best practices and anti-patterns in repository tree traversal
> ------------------------------------------------------------------------
>
> Key: OAK-9332
> URL: https://issues.apache.org/jira/browse/OAK-9332
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: doc
> Reporter: Miroslav Smiljanic
> Priority: Major
>
> When using JCR API, there is more than one way to perform tree/path traversal:
> {code:java}
> Node c = session.getNode("/a/b/c");
> Node d = null;
> //get child node
> d = session.getNode("/a/b/c/d");
> d = c.getNode("d");
> // get parent node
> c = d.getParent();
> c = session.getNode("/a/b/c");
> {code}
> Traversing a path using the Node API performs better compared to the Session API.
> {noformat}
> > java -jar target/oak-benchmarks-*-SNAPSHOT.jar benchmark GetParentNodeWithNodeAPI GetParentNodeWithSessionAPI Oak-Segment-Tar
> Apache Jackrabbit Oak 1.37-SNAPSHOT
> # GetParentNodeWithNodeAPI C min 10% 50% 90% max N mean
> Oak-Segment-Tar 1 2 2 2 3 5 25891 2
> # GetParentNodeWithSessionAP C min 10% 50% 90% max N mean
> Oak-Segment-Tar 1 26 27 29 32 40 2069 29
> {noformat}
> Example where Session API is used: https://issues.apache.org/jira/browse/SLING-10011
> Considering Oak implementation details (tree repository structure, ACL evaluation, ...) the best practice for path traversal should be explicitly documented.
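The access control points listed in the comment above (group principals, allow entries only, least privilege, narrow scope), shown as an added example that is not part of the original message or of the Oak code base. It assumes `oak-jcr` and `jackrabbit-jcr-commons` on the classpath; the paths, the `myapp-readers` group, the `alice` user and the password are constructed for illustration.

```java
import javax.jcr.Node;
import javax.jcr.Repository;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.oak.Oak;
import org.apache.jackrabbit.oak.jcr.Jcr;

public class GroupScopedReadAccess {
    public static void main(String[] args) throws Exception {
        // In-memory Oak repository with the default security setup (admin/admin).
        Repository repo = new Jcr(new Oak()).createRepository();
        JackrabbitSession admin = (JackrabbitSession) repo.login(
                new SimpleCredentials("admin", "admin".toCharArray()));

        // Constructed content: only /apps/myapp/public has to be readable.
        // oak:Unstructured because the child nodes need no ordering.
        Node app = admin.getRootNode().addNode("apps", "oak:Unstructured").addNode("myapp");
        app.addNode("public");
        app.addNode("internal");

        // Constructed principals: access goes to the group, the user is only a member.
        UserManager um = admin.getUserManager();
        Group readers = um.createGroup("myapp-readers");
        readers.addMember(um.createUser("alice", "constructed-pw"));
        admin.save(); // persist content and principals before referencing them in an ACL

        // A single allow entry with a single privilege at the narrowest path.
        // No deny entries: paths without a matching allow stay inaccessible.
        AccessControlUtils.addAccessControlEntry(admin, "/apps/myapp/public",
                readers.getPrincipal(), new String[] {Privilege.JCR_READ}, true);
        admin.save();

        // Check the effective result from the member's own session.
        Session alice = repo.login(new SimpleCredentials("alice", "constructed-pw".toCharArray()));
        for (String path : new String[] {"/apps/myapp/public", "/apps/myapp/internal", "/apps/myapp"}) {
            System.out.println(path + " readable: " + alice.nodeExists(path));
        }
        alice.logout();
        admin.logout();
    }
}
```

Checking the result from a session of a group member, rather than from the admin session, is what confirms the scope of the grant.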