[jira] [Commented] (SLING-9871) Specifying order of ACEs through repoinit directives

Thu, 18 Mar 2021 03:51:08 -0700 


    [ 
https://issues.apache.org/jira/browse/SLING-9871?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17304039#comment-17304039
 ] 

Bertrand Delacretaz commented on SLING-9871:
--------------------------------------------

bq. I'm not sure how we would be able to uniquely identify which ACE is which 
in that scenario for the purpose of ordering them...

That's a key point here, you need such IDs to get a meaningful ordering if 
changes can happen without coordination, which is IIUC the case here.

If there's a way to attach IDs or tags to ACL entries, _first_ and _last_ for 
example might be considered to be "categories", i.e. all ACL entries with 
"first" come before the ones which have no category, and all the ones in the 
"last" category come after them.

This would remove my concern about "first" being dangerous, as there's no way 
to ensure a unique "first" entry - if that's a category within which order does 
not matter that could work.

If Oak supported custom {{Privilege}}, those "tags" might be added to ACL 
entries as do-nothing privileges, but I don't know if that's possible.



> Specifying order of ACEs through repoinit directives
> ----------------------------------------------------
>
>                 Key: SLING-9871
>                 URL: https://issues.apache.org/jira/browse/SLING-9871
>             Project: Sling
>          Issue Type: Improvement
>          Components: Repoinit
>            Reporter: Ashish Chopra
>            Priority: Major
>
> As of writing this, repoinit processor (among other things not relevant to 
> this JIRA) collects {{create path}} statements and {{set ACL}} statements 
> declared in all the feature-models applicable to feature-aggregate under 
> consideration.
> Upon repository initialization, it applies all the {{create path}} 
> statements, followed by all the {{set ACL}} statements. However, the order in 
> which {{set ACL}} statements declared across feature models are applied isn't 
> defined (currently, it seems to be based on feature-model-name, 
> alphabetically ascending).
> This causes issues at times because we want the order of the ACEs to be 
> maintained (e.g., "deny"s for everyone at a given path must be the first ACE, 
> followed by "allow"s for specific, non-system-user principals)
> Repoinit should be able to support this requirement.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to