[ 
https://issues.apache.org/jira/browse/SLING-5355?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15293119#comment-15293119
 ] 

Bertrand Delacretaz commented on SLING-5355:
--------------------------------------------

At revision 1744682 I have implemented this based on the SLING-5449 repository 
initialization language. Here are some minimal docs to allow for testing this.

The {{repoinit.txt}} partial provisioning model at [1] contains an example 
repoinit section as follows:

{code}
[:repoinit]
create path /repoinit/fromProvisioningModel

create service user userFromProvisioningModel

set ACL for userFromProvisioningModel
  allow jcr:read on /repoinit/fromProvisioningModel
  deny jcr:write on /repoinit/fromProvisioningModel
end
{code}

The tests of the {{repoinit/it}} module verify that those statements are 
correctly executed.

The {{org.apache.sling.repoinit.jcr.RepositoryInitializer}} component reads the 
provisioning model text using a configurable URL, which defaults to 
{{context:/resources/provisioning/model.txt}} to get the model that our 
{{maven-slingstart-plugin}} embeds in the launchpad, the {{context:}} protocol 
being handled by the launchpad's {{ContextProtocolHandler}}.

Configuring a different URL and if needed creating a protocol handler will 
allow other launchers to provide the provisioning model, or directly provide 
repoinit statements.

The name of the {{:repoinit}} model section used in the above example is 
configurable in the {{RepositoryInitializer}}, or can be omitted if the 
configured URL provides repoinit statements directly.

The {{repoinit.txt}} partial model at [1] also indicates which updated or 
additional bundles are needed to activate this; currently that's:

{code}
[artifacts startLevel=2]
  org.apache.sling/org.apache.sling.repoinit.oak-jcr/0.0.1-SNAPSHOT
  org.apache.sling/org.apache.sling.repoinit.parser/0.0.1-SNAPSHOT
  org.apache.sling/org.apache.sling.provisioning.model/1.4.2

[artifacts]
  org.apache.sling/org.apache.sling.junit.core/1.0.14
  org.apache.sling/org.apache.sling.testing.tools/1.0.10
  org.apache.sling/org.apache.sling.jcr.api/2.3.1-SNAPSHOT
  org.apache.sling/org.apache.sling.jcr.base/2.3.3-SNAPSHOT
  org.apache.sling/org.apache.sling.jcr.oak.server/1.0.1-SNAPSHOT
{code}

The {{repoinit.oak.jcr}} bundle needs to be active before the 
{{SlingRepository}} starts, for its initializer to be taken into account.

[1] 
https://svn.apache.org/repos/asf/sling/trunk/bundles/extensions/repoinit/it/src/main/provisioning/repoinit.txt

> Create service users and ACLs from the provisioning model
> ---------------------------------------------------------
>
>                 Key: SLING-5355
>                 URL: https://issues.apache.org/jira/browse/SLING-5355
>             Project: Sling
>          Issue Type: New Feature
>          Components: Service User Mapper
>            Reporter: Bertrand Delacretaz
>            Assignee: Bertrand Delacretaz
>
> As discussed in the "Removing loginAdministrative, how to test that, and 
> service username conventions" thread on our dev list [1] we need to be able 
> to create service users and set the corresponding ACLs from our provisioning 
> model.
> This should be implemented using distinct utility classes, one for the users 
> and one for the ACLs, that take simple mini-languages as input. This will 
> allow for reusing these utilities in test code for example.
> [1] http://markmail.org/message/kcvuhwfdald2dyuz
> *Edit: high-level requirements*
> As discussed in the "SLING-5355 - configs vs. content for ACLs and service 
> users" thread - http://markmail.org/message/tzno2via2wjckhuc
> * HR1 - Create service users and set their ACLs as defined in the Sling 
> instance's provisioning model.
> * HR2 - Create initial paths like /var/discovery, so that ACLs can be set on 
> them.
> * HR3 - Make the full text of the ACL definitions available at runtime for 
> auditing purposes (see Michael Marth's Dec.17 comment in SLING-5355). Also 
> useful for upgrades where merging with conflict detection is needed.
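
For the auditing need in HR3, the repoinit section quoted in the comment can be pulled out of a provisioning model and listed as ACL entries. The following is an added example, not code from Sling or from the comment's author: it handles only the three statement forms shown above, assumes a section ends at the next `[` header, and the function names and lint messages are hypothetical.

```python
import re

# Constructed sample: the comment's repoinit section plus a following section header.
MODEL = """\
[:repoinit]
create path /repoinit/fromProvisioningModel
create service user userFromProvisioningModel
set ACL for userFromProvisioningModel
  allow jcr:read on /repoinit/fromProvisioningModel
  deny jcr:write on /repoinit/fromProvisioningModel
end
[artifacts startLevel=2]
  org.apache.sling/org.apache.sling.repoinit.parser/0.0.1-SNAPSHOT
"""

def repoinit_section(model, name=":repoinit"):
    """Return the non-blank lines of the named section (assumed to end at the next '[' header)."""
    lines, inside = [], False
    for line in model.splitlines():
        if line.startswith("["):
            inside = line.strip() == f"[{name}]"
            continue
        if inside and line.strip():
            lines.append(line.strip())
    return lines

def audit(lines):
    """Parse the statement forms shown in the comment; return ACL entries and lint findings."""
    paths, users, acl, findings, principal = set(), set(), [], [], None
    for ln in lines:
        if m := re.fullmatch(r"create path (\S+)", ln):
            paths.add(m.group(1))
        elif m := re.fullmatch(r"create service user (\S+)", ln):
            users.add(m.group(1))
        elif m := re.fullmatch(r"set ACL for (\S+)", ln):
            principal = m.group(1)
        elif ln == "end":
            principal = None
        elif principal and (m := re.fullmatch(r"(allow|deny) (\S+) on (\S+)", ln)):
            acl.append((principal, m.group(1), m.group(2), m.group(3)))
        else:
            findings.append(f"unrecognized statement: {ln}")
    for who, _, _, path in acl:
        if who not in users:
            findings.append(f"ACL for principal not created here: {who}")
        if path not in paths:
            findings.append(f"ACL on path not created here: {path}")
    return acl, findings
```

A principal or path reported as "not created here" may already exist in the repository, so those findings are review prompts rather than errors.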


