[
https://issues.apache.org/jira/browse/SLING-9956?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Angela Schreiber updated SLING-9956:
------------------------------------
Description:
based on my reading of
https://github.com/apache/sling-org-apache-sling-feature-cpconverter/blob/master/src/main/java/org/apache/sling/feature/cpconverter/handlers/RepPolicyEntryHandler.java#L56
i don't see how the converter would handle service user permissions that are
defined for the repository level that in JCR access control management API are
defined using a {{null}} path.
with the default authorization module in oak the corresponding ACL is stored at
the root node with a dedicated policy node named {{rep:repoPolicy}} (see
http://jackrabbit.apache.org/oak/docs/security/accesscontrol/default.html#representation)
i guess this bug requires 3 steps:
- adjust the regexp in the handler
- adjust "Acl" class (which reprents an Ace) to make sure repo-level aces are
properly identified (e.g. extra method isRepositoryLevel or set the correct
path field to null)
- adjust
https://github.com/apache/sling-org-apache-sling-feature-cpconverter/blob/master/src/main/java/org/apache/sling/feature/cpconverter/acl/DefaultAclManager.java#L242
to proper create repository level entries with repo-init. according to
https://sling.apache.org/documentation/bundles/repository-initialization.html
this is achieved using the following special path:
{code}
set ACL for alice,bob
allow jcr:namespaceManagement on :repository
end
{code}
was:
based on my reading of
https://github.com/apache/sling-org-apache-sling-feature-cpconverter/blob/master/src/main/java/org/apache/sling/feature/cpconverter/handlers/RepPolicyEntryHandler.java#L56
i don't see how the converter would handle service user permissions that are
defined for the repository level that in JCR access control management API are
defined using a {{null}} path.
with the default authorization module in oak the corresponding ACL is stored at
the root node with a dedicated policy node named {{rep:repoPolicy}} (see
http://jackrabbit.apache.org/oak/docs/security/accesscontrol/default.html#representation)
i guess this bug requires 2 steps:
- adjust the regexp in the handler
- adjust "Acl" class (which reprents an Ace) to make sure repo-level aces are
properly identified (e.g. extra method isRepositoryLevel or set the correct
path field to null)
- adjust
https://github.com/apache/sling-org-apache-sling-feature-cpconverter/blob/master/src/main/java/org/apache/sling/feature/cpconverter/acl/DefaultAclManager.java#L242
to proper create repository level entries with repo-init. according to
https://sling.apache.org/documentation/bundles/repository-initialization.html
this is achieved using the following special path:
{code}
set ACL for alice,bob
allow jcr:namespaceManagement on :repository
end
{code}
> RepPolicyEntryHandler ignores ACEs on repository level
> ------------------------------------------------------
>
> Key: SLING-9956
> URL: https://issues.apache.org/jira/browse/SLING-9956
> Project: Sling
> Issue Type: Bug
> Components: Content-Package to Feature Model Converter
> Reporter: Angela Schreiber
> Priority: Major
>
> based on my reading of
> https://github.com/apache/sling-org-apache-sling-feature-cpconverter/blob/master/src/main/java/org/apache/sling/feature/cpconverter/handlers/RepPolicyEntryHandler.java#L56
> i don't see how the converter would handle service user permissions that are
> defined for the repository level that in JCR access control management API
> are defined using a {{null}} path.
> with the default authorization module in oak the corresponding ACL is stored
> at the root node with a dedicated policy node named {{rep:repoPolicy}} (see
> http://jackrabbit.apache.org/oak/docs/security/accesscontrol/default.html#representation)
> i guess this bug requires 3 steps:
> - adjust the regexp in the handler
> - adjust "Acl" class (which reprents an Ace) to make sure repo-level aces are
> properly identified (e.g. extra method isRepositoryLevel or set the correct
> path field to null)
> - adjust
> https://github.com/apache/sling-org-apache-sling-feature-cpconverter/blob/master/src/main/java/org/apache/sling/feature/cpconverter/acl/DefaultAclManager.java#L242
> to proper create repository level entries with repo-init. according to
> https://sling.apache.org/documentation/bundles/repository-initialization.html
> this is achieved using the following special path:
> {code}
> set ACL for alice,bob
> allow jcr:namespaceManagement on :repository
> end
> {code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
