[
https://issues.apache.org/jira/browse/SLING-10134?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17282910#comment-17282910
]
Angela Schreiber commented on SLING-10134:
------------------------------------------
[~Henry Kuijpers], I guess there is a slight misconception in Sling repo-init
about principals: it assumes that a given Principal for which access control is
defined is always backed by a user or a group... That might be the case, but
user management does not need to be the only source of principals.

It commonly is true, though, for service users as you use in your example. Also
note: for service users I would recommend using the new principal-based access
control setup (if that is already configured as part of your repository
authorization setup). It has the added benefit that the access control setup is
stored with the user node, and thus removing the service user would
automatically get rid of the ac-setup.
repo init:
{code}
create service user sv-read-apps-website-components
set principal ACL for sv-read-apps-website-components
allow jcr:read on /apps/website/components
end
{code}
The corresponding Apache Jackrabbit Oak documentation/exercises:
- http://jackrabbit.apache.org/oak/docs/security/authorization/principalbased.html
- http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-exercise/src/test/java/org/apache/jackrabbit/oak/exercise/security/authorization/principalbased/
> Deleting ACEs for users that don't exist is impossible
> ------------------------------------------------------
>
> Key: SLING-10134
> URL: https://issues.apache.org/jira/browse/SLING-10134
> Project: Sling
> Issue Type: Bug
> Components: Repoinit
> Affects Versions: Repoinit JCR 1.1.30
> Reporter: Henry Kuijpers
> Priority: Major
>
> We're looking into using Sling Repo Init to clean up old permissions that
> have been left behind in our instances over time. We used the following
> syntax:
> {code}
> delete service user sv-read-apps-website-components
> set ACL for sv-read-apps-website-components
> remove * on /apps/website/components
> end
> {code}
> We get the following error:
> {code}
> 09.02.2021 21:57:38.961 *ERROR* [CM Event Dispatcher (Fire ConfigurationEvent: pid=org.apache.sling.jcr.repoinit.RepositoryInitializer.25c1f862-75bd-4cd9-9ca1-b612f8752544)] com.adobe.granite.repository.impl.SlingRepositoryManager Exception in a SlingRepositoryInitializer: RepositoryInitializerFactory, references=[], scripts=2
> java.lang.RuntimeException: Failed to set ACL (java.lang.IllegalStateException: Authorizable not found:sv-read-apps-website-components) AclLine REMOVE_ALL {paths=[/apps/website/components]}
>     at org.apache.sling.jcr.repoinit.impl.AclVisitor.setAcl(AclVisitor.java:63) [org.apache.sling.jcr.repoinit:1.1.8]
>     at org.apache.sling.jcr.repoinit.impl.AclVisitor.visitSetAclPrincipal(AclVisitor.java:84) [org.apache.sling.jcr.repoinit:1.1.8]
>     at org.apache.sling.repoinit.parser.operations.SetAclPrincipals.accept(SetAclPrincipals.java:53) [org.apache.sling.repoinit.parser:1.2.2]
>     ....
> {code}
> I think it's fine that the authorizable is not found: It doesn't have to
> exist, in order to be able to remove ACEs, which is exactly what we are
> trying to achieve: remove left behind ACEs for our deleted service users.
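The failure above comes from repoinit resolving the principal name to an Authorizable before it touches the ACL, which is exactly what cannot succeed once the service user is gone. As an added example (not code from Sling, Oak or either participant), the following Java helper removes leftover ACEs for a principal name using only the standard JCR 2.0 access control API (javax.jcr.security), which matches on the stored principal name and never looks the user up. It assumes a javax.jcr.Session whose user holds jcr:modifyAccessControl on the target path; the class name, method name and the sample path/principal in the usage comment are assumptions for this illustration.

```java
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;

/**
 * Hypothetical helper (not part of Sling repoinit): prunes access control
 * entries at a path by principal name only. Because it never resolves the
 * name to an Authorizable, it also cleans up ACEs whose user or group has
 * already been deleted, i.e. the orphaned entries described in SLING-10134.
 */
public final class OrphanedAceCleaner {

    private OrphanedAceCleaner() {
    }

    /**
     * Removes every ACE at {@code absPath} whose principal name is one of
     * {@code principalNames} and persists the change.
     *
     * @return the number of entries removed (0 means nothing matched and
     *         nothing was saved)
     */
    public static int removeEntriesFor(Session session, String absPath, String... principalNames)
            throws RepositoryException {
        AccessControlManager acm = session.getAccessControlManager();
        int removedTotal = 0;

        for (AccessControlPolicy policy : acm.getPolicies(absPath)) {
            // Only resource-based lists can be edited entry by entry here;
            // other policy types (e.g. principal-based ones) are left alone.
            if (!(policy instanceof AccessControlList)) {
                continue;
            }
            AccessControlList acl = (AccessControlList) policy;
            int removedHere = 0;

            for (AccessControlEntry ace : acl.getAccessControlEntries()) {
                // The stored principal name is compared as a plain string, so a
                // deleted service user still matches its leftover entries.
                if (isOneOf(ace.getPrincipal().getName(), principalNames)) {
                    acl.removeAccessControlEntry(ace);
                    removedHere++;
                }
            }
            if (removedHere > 0) {
                acm.setPolicy(absPath, acl); // write the pruned list back
                removedTotal += removedHere;
            }
        }

        if (removedTotal > 0) {
            session.save();
        }
        return removedTotal;
    }

    private static boolean isOneOf(String name, String[] candidates) {
        for (String candidate : candidates) {
            if (candidate.equals(name)) {
                return true;
            }
        }
        return false;
    }

    // Usage (assumed values mirroring the issue description):
    //   int n = OrphanedAceCleaner.removeEntriesFor(
    //       session, "/apps/website/components", "sv-read-apps-website-components");
    //   n is the number of leftover entries that were dropped for that principal.
}
```

Run it with an administrative or dedicated maintenance session and log the returned count per path, so that a cleanup pass over many paths leaves an auditable record of which orphaned entries were actually removed. For new service users, the principal-based setup Angela points to avoids the problem altogether, since the ACEs live with the user node and disappear with it.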