[
https://issues.apache.org/jira/browse/SLING-6963?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16057132#comment-16057132
]
angela edited comment on SLING-6963 at 6/21/17 12:32 PM:
-
proposed patch incorporating initial review findings. more tests and fixes for
issues spotted during testing will follow soon => SLING-6963-with-tests.patch
[~fmeschbe], [~cziegeler], [~asanso], one more thing that i think would be
worth discussing is the format of the mapping. for simplicity i now extended it
such that i can either define a user name (original + fallback) or a comma
separated set of principal names surrounded by square brackets. after having
worked on alternative declarations i found this one to be the most stable and
self-explaining variant that really reflects the intention of this issue that a
service can be bound to a set of system-principals (and from a authorization
pov define aggregation of tasks to be completed) instead of limiting it to a
1:1 mapping.
was (Author: anchela):
proposed patch incorporating initial review findings. more tests and fixes for
issues spotted during testing will follow soon.
> Service user declaration based on principal names
> -
>
> Key: SLING-6963
> URL: https://issues.apache.org/jira/browse/SLING-6963
> Project: Sling
> Issue Type: Improvement
> Components: Service User Mapper
>Reporter: angela
> Attachments: SLING-6963-with-tests.patch
>
>
> Currently {{SlingRepository.loginService}} relies on a configuration that
> maps services/subservices to a single service user by it's name/ID. Heavy
> usage of this concept over the last years has reveal a couple of findings, we
> missed when inventing the service user concept:
> - it is prone to redundant of permission setup when defining permissions for
> individual service users that often share common needs while at the same time
> being responsible for completing distinct special operations (e.g.
> _read-content_ (common) and _write-special-subtree_ (special operation)
> - some services require a combination of different operations reflected by
> existing groups and we ended up having service users being put into groups in
> order to avoid permission duplication (ultimately leaving us with somewhat
> intransparent permission setup for a given service).
> Learning from these findings I like would proposed an alternative way of
> registering service users that would allow for specifying a set of principal
> names, effectively declaring all tasks a given service is designed to
> complete. this would allow to re-use existing service users and thus avoid
> duplication of permission setup for both cases mentioned above.
> Also, implementing this alternative mapping would allow to get rid of the
> double repository login as it is currently present within
> {{AbstractSlingRepository2#createServiceSession}} and as such have a positive
> impact on performance.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)