[jira] [Commented] (SLING-8602) Add support for PrincipalAccessControlList and ac-management by principal

Oliver Lietz (Jira)

    [ https://issues.apache.org/jira/browse/SLING-8602?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16903931#comment-16903931 ]

angela commented on SLING-8602:

proposed patch for _sling-repoinit-parser_ and _sling-jcr-repoinit_ attached. the patch partially includes work required for the blocking issues, but i tried to limit those changes to those parts that are needed to create a patch that passes unit tests. the ITs don't have any dependency on the task at hand and are broken as soon as jackrabbit/oak version is adjusted in the pom.xml (this is covered by SLING-8627).

[~karlpauls], [~rombert], same as in SLING-8619 i didn't know what the process is to update the corresponding section of the Sling documentation (if there exists any). if you want me to, i can write a short instruction for the principal-based access control management with repo-init and post it here.

> Add support for PrincipalAccessControlList and ac-management by principal
> -------------------------------------------------------------------------
>                 Key: SLING-8602
>                 URL: https://issues.apache.org/jira/browse/SLING-8602
>             Project: Sling
>          Issue Type: New Feature
>          Components: Repoinit
>            Reporter: angela
>            Priority: Major
>         Attachments: SLING-8602-jcr.patch, SLING-8602-parser.patch
> with JCR-4429 comes a new type of {{JackrabbitAccessControlList}} that allows to provide native support for access control management by principal as defined by {{org.apache.jackrabbit.api.security.JackrabbitAccessControlManager}}.  
> now that there exists a new authorization model in Oak (OAK-8190) that implements these extensions, it would be desirable if the repo-init would cover access control management by principal.
> note: while the original aim of OAK-8190 was to store permissions for system users (aka service users) separately, the implementation in _oak-authorization-principalbased_ is not limited to system users and doesn't mandate the policies to be stored with a user node. the location of the access controlled node is an implementation detail that can be changed. see Jackrabbit API and http://jackrabbit.apache.org/oak/docs/security/authorization/principalbased.html for additional details.

This message was sent by Atlassian JIRA