On 12/29/15, 1:24 PM, "Bertrand Delacretaz" <bdelacre...@apache.org> wrote:

>On Tue, Dec 29, 2015 at 11:29 AM, Carsten Ziegeler <cziege...@apache.org> wrote:
>...
>>>   If "admin safe" mode is enabled, loginAdmin fails *unless* the code
>>>   that calls it is marked with the reason why it's needed.
>>
>> Don't want to be a pita, but that requirement is not in the issue :)..
>
>I said "IMO" ;-)
>
>Anyway we can use this discussion to clarify that requirement, and
>update the ticket later.


I think that is a general problem with service users and it should not be 
solved only for “admin sessions”. We could have a way to express the 
requirements of code; the requirements of an “admin session” are typically 
jcr:all on root, and it is a particular example of this requirements language. 
@ServiceRequirement(permission=jcr:all, path=/)


>
>>... Why can't we simply use the same concept as for the service users?
>> The caller bundle needs to be in a list of allowed bundles...
>
>If we accept that the granularity is at the bundle level then yes,
>that would work, the SLING-5135 requirement then becomes
>
>>>   If "admin safe" mode is enabled, loginAdmin fails *unless* it's called from
>>>   a bundle that's in the list of allowed bundles.


An alternative way to spin this is to actually deprecate loginAdmin and keep 
the loginService as the only login API for such things. An admin session should 
be obtained via loginService if the service is mapped to “admin” user. We can 
have the white list of bundles and services that are allowed to map to “admin” 
and that can be implemented at validator level. 

Marius
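
Added example, not part of the original message and not Sling code: a sketch of the whitelist-at-validator idea from the last paragraph, where a mapping to the "admin" user is accepted only for explicitly listed bundles and sub-services. The `ServiceUserValidator` interface is declared locally as an assumed stand-in for a validator hook, and `AdminWhitelistValidator` and the bundle names are hypothetical.

```java
import java.util.Set;

public class AdminMappingValidatorExample {

    // Local stand-in (assumption) for a hook consulted on every
    // service-to-user mapping; declared here so the file compiles alone.
    interface ServiceUserValidator {
        boolean isValid(String serviceUserId, String serviceName, String subServiceName);
    }

    // Hypothetical validator: only whitelisted callers may be mapped to "admin".
    static final class AdminWhitelistValidator implements ServiceUserValidator {
        private static final String ADMIN = "admin";
        private final Set<String> allowed; // entries: "bundle" or "bundle:subService"

        AdminWhitelistValidator(Set<String> allowed) {
            this.allowed = Set.copyOf(allowed);
        }

        @Override
        public boolean isValid(String serviceUserId, String serviceName, String subServiceName) {
            if (!ADMIN.equals(serviceUserId)) {
                return true; // not an admin mapping: this validator has no opinion
            }
            if (serviceName == null) {
                return false; // unknown caller can never get admin
            }
            // Exact match only: listing "bundle:sub" does not cover the bare
            // bundle, and listing the bare bundle does not cover its sub-services.
            String key = subServiceName == null ? serviceName : serviceName + ":" + subServiceName;
            return allowed.contains(key);
        }
    }

    public static void main(String[] args) {
        // Constructed sample whitelist and callers.
        ServiceUserValidator v = new AdminWhitelistValidator(
                Set.of("com.example.repoinit", "com.example.migration:upgrade"));

        System.out.println(v.isValid("admin", "com.example.repoinit", null));
        System.out.println(v.isValid("admin", "com.example.migration", "upgrade"));
        System.out.println(v.isValid("admin", "com.example.migration", null));
        System.out.println(v.isValid("admin", "com.example.webapp", null));
        System.out.println(v.isValid("content-reader", "com.example.webapp", null));
    }
}
```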
