[jira] [Commented] (SLING-6422) Allow for specifying oak restrictions with repoinit


JIRA jira@apache.org

    [ https://issues.apache.org/jira/browse/SLING-6422?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16047529#comment-16047529 ]

Nitin Nizhawan commented on SLING-6422:
---------------------------------------

[~bdelacretaz] I further verified that the Vault package manager also respects ordering. To verify, I specified the following ACEs:
{code}
    <allow jcr:primaryType="rep:GrantACE" rep:principalName="forms-users" rep:privileges="{Name}[rep:readProperties]">
        <rep:restrictions jcr:primaryType="rep:Restrictions" rep:ntNames="{Name}[abc,def]"/>
    </allow>
    <allow1 jcr:primaryType="rep:GrantACE" rep:principalName="forms-users" rep:privileges="{Name}[jcr:addChildNodes]">
        <rep:restrictions jcr:primaryType="rep:Restrictions" rep:ntNames="{Name}[abc,def]"/>
    </allow1>
{code}
Since in the above case the restrictions and principal are the same, the package manager merged the privileges as follows:
{code}
    <allow jcr:primaryType="rep:GrantACE" rep:principalName="forms-users" rep:privileges="{Name}[rep:readProperties,jcr:addChildNodes]">
        <rep:restrictions jcr:primaryType="rep:Restrictions" rep:ntNames="{Name}[abc,def]"/>
    </allow>
{code}

Then I tried with the order reversed for the restriction values, as follows:
{code}
    <allow jcr:primaryType="rep:GrantACE" rep:principalName="forms-users" rep:privileges="{Name}[rep:readProperties]">
        <rep:restrictions jcr:primaryType="rep:Restrictions" rep:ntNames="{Name}[abc,def]"/>
    </allow>
    <allow1 jcr:primaryType="rep:GrantACE" rep:principalName="forms-users" rep:privileges="{Name}[jcr:addChildNodes]">
        <rep:restrictions jcr:primaryType="rep:Restrictions" rep:ntNames="{Name}[def,abc]"/>
    </allow1>
{code}
In the above case the package manager did not merge the ACEs because, I think, it also considers the restrictions different. So, I suppose we should also consider restrictions with a different ordering of values to be different. WDYT?

> Allow for specifying oak restrictions with repoinit
> ---------------------------------------------------
>
>                 Key: SLING-6422
>                 URL: https://issues.apache.org/jira/browse/SLING-6422
>             Project: Sling
>          Issue Type: New Feature
>          Components: Repoinit
>            Reporter: Nitin Nizhawan
>         Attachments: SLING6422ApplyRestrictionsV2.patch, SLING6422ApplyRestrictionsV3.patch, SLING6422_interpretparsedrestrictionclause.patch, SLING-6422.patch
>
>
> Allow for specifying oak restrictions with repoinit. Currently repoinit allows one to ADD remove ACLs but there is no way to specify oak restrictions.
> http://jackrabbit.apache.org/oak/docs/security/authorization/restriction.html



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
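
A small model of the merge behaviour described in the comment above, as an added example (not code from Sling, Oak or FileVault): it groups ACEs by type, principal and restrictions, comparing restriction values once in order and once as a set, and flags ACL fragments whose entries stay separate only because of value order. The `jcr:root` wrapper, the function names and the grouping rule are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

JCR, REP = "{http://www.jcp.org/jcr/1.0}", "{internal}"

# Constructed sample: the second ACE pair from the comment, wrapped in a
# jcr:root element (an assumption) so the jcr:/rep: prefixes resolve.
SAMPLE = """<jcr:root xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:rep="internal" jcr:primaryType="rep:ACL">
  <allow jcr:primaryType="rep:GrantACE" rep:principalName="forms-users" rep:privileges="{Name}[rep:readProperties]">
    <rep:restrictions jcr:primaryType="rep:Restrictions" rep:ntNames="{Name}[abc,def]"/>
  </allow>
  <allow1 jcr:primaryType="rep:GrantACE" rep:principalName="forms-users" rep:privileges="{Name}[jcr:addChildNodes]">
    <rep:restrictions jcr:primaryType="rep:Restrictions" rep:ntNames="{Name}[def,abc]"/>
  </allow1>
</jcr:root>"""

def values(raw):
    """Split a docview value such as '{Name}[abc,def]' into ['abc', 'def']."""
    body = raw.split("}", 1)[-1].strip()
    if body.startswith("[") and body.endswith("]"):
        return [v for v in body[1:-1].split(",") if v]
    return [body]

def parse_aces(xml_text):
    """Return one dict per ACE child node of the ACL root."""
    aces = []
    for node in ET.fromstring(xml_text):
        restr = node.find(REP + "restrictions")
        attrs = restr.attrib if restr is not None else {}
        aces.append({
            "type": node.get(JCR + "primaryType"),
            "principal": node.get(REP + "principalName"),
            "privileges": values(node.get(REP + "privileges")),
            # keep only rep:* attributes; jcr:primaryType is not a restriction
            "restrictions": {k[len(REP):]: tuple(values(v))
                             for k, v in attrs.items() if k.startswith(REP)},
        })
    return aces

def merge(aces, ordered=True):
    """Merge privileges of ACEs whose type, principal and restrictions match."""
    norm = (lambda v: v) if ordered else (lambda v: tuple(sorted(v)))
    merged = {}
    for ace in aces:
        key = (ace["type"], ace["principal"],
               tuple(sorted((k, norm(v)) for k, v in ace["restrictions"].items())))
        privs = merged.setdefault(key, [])
        privs.extend(p for p in ace["privileges"] if p not in privs)
    return merged

def split_by_order_only(aces):
    """True if some ACEs stay separate only because restriction values are ordered differently."""
    return len(merge(aces, ordered=True)) > len(merge(aces, ordered=False))
```

Running `split_by_order_only` over an ACL before packaging shows where two entries for the same principal will not be merged even though their restriction value sets are identical.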