anchela commented on pull request #14:
URL:
https://github.com/apache/sling-org-apache-sling-jcr-repoinit/pull/14#issuecomment-815807614
@kwin , @bdelacretaz , afaik the changes in SLING-9449 were needed because
repo-init is mostly non-destructive. when adding an intermediate path to
existing service user and defining principal-based access control, the
intermediate path was being ignored, which in some cases led to principal-based
ac setup not being supported (because the user already existed in a given
repository).
the besteffort fallback was to verify that equivalent resource-based ac
setup was present, which however led to regressions because in Adobe AEM
resource-based ac setup is historically defined in content packages. in other
word: in case of altered permission setup the equivalent resource-based entries
were not yet installed and thus the check failed.
having said that:
with SLING-9857 repoinit comes with extended language that allows to enforce
the intermediate path specified with users/groups/system-users. consequently,
it's possible to make sure that principal-based access control setup can be
installed (if the principal is supported). IMHO it might therefore be better to
omit the potentially troublesome check for equivalent resource-based entries
altogether and throw an exception if no {{PrincipalAccessControlList}} exists
for the specified principal (i.e. directly after {{LOG.info("No
PrincipalAccessControlList available for principal {}", principal);}}. it would
also make the reason for the failure transparent and likely easier to analyze
and fix (i.e. adding 'with forced path or actually realizing that
principal-based ac setup is not support by default for groups or regular users).
the risk of regression is from my point of view the same than with the
proposed change.
hope that helps.
cc: @karlpauls , @cziegeler
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
