[
https://issues.apache.org/jira/browse/SLING-6422?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15767221#comment-15767221
]
Bertrand Delacretaz edited comment on SLING-6422 at 12/21/16 2:47 PM:
----------------------------------------------------------------------
The first step is to define a suitable syntax in the repoinit language for
those restrictions.
So far the language only supports an optional "nodetypes" clause (see test [1])
which is not implemented by the JCR repoinit module, so has no effect.
I have little experience with those restrictions but as per [2] it looks like
each restriction is expressed with a name and 1..N values. And custom
restrictions can be created, so the syntax must be flexible.
Here's a first set of examples of what those restriction definitions could look
like in repoinit, comments are welcome. I think it makes sense to define
keywords for the common restriction types (nodetypes, glob, namespaces) as well
as a generic syntax for other built-in and custom restrictions.
In these examples, {{allow ...}} represents repoinit ACL definitions with the
existing syntax
{code}
# explicit form for common restriction types
allow ... nodetypes sling:Folder, my:Type
allow ... nodetypes nt:file glob *.jsp
allow ... glob *.jsp
allow ... namespaces http://sling.apache.org/nt glob *.html
# generic form for any restriction type
allow ... restriction(rep:glob, *.jsp, *.txt) restriction(rep:ntNames, sling:Folder) restriction(rep:prefixes, sling)
allow ... restriction(my:custom, "13:00UTC, 23:59UTC")
allow ... restriction(my:string, "It's \"quoted\"", "second string")
{code}
Note that supporting just the generic {{restriction(name, values)}} form would
be simpler at the cost of breaking parser compatibility with the existing
{{nodetypes}} option. However, as that option has currently no effect in the
only implementation that we have (our repoinit JCR module), we might keep that
{{nodetypes}} option in the language, have it do nothing as it currently does
and log a deprecation warning when it's used.
[1] https://svn.apache.org/repos/asf/sling/trunk/bundles/extensions/repoinit/parser/src/test/resources/testcases/test-30.txt
[2] http://jackrabbit.apache.org/oak/docs/security/authorization/restriction.html
was (Author: bdelacretaz):
The first step is to define a suitable syntax in the repoinit language for
those restrictions.
So far the language only supports an optional "nodetypes" clause (see test [1])
which is not implemented by the JCR repoinit module, so has no effect.
I have little experience with those restrictions but as per [2] it looks like
each restriction is expressed with a name and 1..N values. And custom
restrictions can be created, so the syntax must be flexible.
Here's a first set of examples of what those restriction definitions could look
like in repoinit, comments are welcome. I think it makes sense to define
keywords for the common restriction types (nodetypes, glob, namespaces) as well
as a generic syntax for other built-in and custom restrictions.
In these examples, {{allow ...}} represents repoinit ACL definitions with the
existing syntax
{code}
# explicit form for common restriction types
allow ... nodetypes sling:Folder, my:Type
allow ... nodetypes nt:file glob *.jsp
allow ... glob *.jsp
allow ... namespaces http://sling.apache.org/nt glob *.html
# generic form for any restriction type
allow ... restriction(rep:glob, *.jsp, *.txt) restriction(rep:ntNames, sling:Folder) restriction(rep:prefixes, sling)
allow ... restriction(my:custom, "13:00UTC, 23:59UTC")
allow ... restriction(my:string, "It's \"quoted\"", "second string")
{code}
[1] https://svn.apache.org/repos/asf/sling/trunk/bundles/extensions/repoinit/parser/src/test/resources/testcases/test-30.txt
[2] http://jackrabbit.apache.org/oak/docs/security/authorization/restriction.html
> Allow for specifying oak restrictions with repoinit
> ---------------------------------------------------
>
> Key: SLING-6422
> URL: https://issues.apache.org/jira/browse/SLING-6422
> Project: Sling
> Issue Type: New Feature
> Components: Repoinit
> Reporter: Nitin Nizhawan
>
> Allow for specifying oak restrictions with repoinit. Currently repoinit
> allows one to add/remove ACLs but there is no way to specify oak restrictions.
> http://jackrabbit.apache.org/oak/docs/security/authorization/restriction.html
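The generic restriction(name, values) form proposed in the comment above, as an added Python example that is not part of the original message and is not the Sling repoinit parser. The grammar is an assumption inferred only from the comment's examples, and the function names are hypothetical. It shows the two points that matter for an ACL language: commas and escaped quotes inside quoted values, and rejecting malformed clauses instead of skipping them.

```python
import re

# Assumed grammar, inferred from the examples in the comment above:
#   restriction(NAME, VALUE[, VALUE...]) where a VALUE is a bare token
#   or a double-quoted string with backslash escapes.
_CLAUSE = re.compile(r'\s*restriction\(((?:"(?:\\.|[^"\\])*"|[^()"])*)\)\s*')
_VALUE = re.compile(r'\s*(?:"((?:\\.|[^"\\])*)"|([^,\s"()]+))\s*(,|$)')


def parse_values(body):
    """Split a clause body on commas that are outside quoted strings."""
    values, pos, more = [], 0, True
    while more:
        m = _VALUE.match(body, pos)
        if not m:
            raise ValueError(f"bad value at offset {pos} in {body!r}")
        quoted, bare = m.group(1), m.group(2)
        # Unescape \" and \\ inside quoted values; bare tokens are kept as-is.
        values.append(bare if quoted is None else re.sub(r"\\(.)", r"\1", quoted))
        pos, more = m.end(), m.group(3) == ","
    return values


def parse_restrictions(tail):
    """Parse the restriction(...) clauses that follow an 'allow ...' statement.

    Anything that is not a well-formed clause is rejected rather than
    skipped: silently dropping a restriction would widen the ACL entry.
    """
    result, pos, tail = [], 0, tail.strip()
    while pos < len(tail):
        m = _CLAUSE.match(tail, pos)
        if not m:
            raise ValueError(f"unparsable text at offset {pos}: {tail[pos:]!r}")
        name, *values = parse_values(m.group(1))
        if not values:  # the comment describes 1..N values per restriction
            raise ValueError(f"restriction {name!r} has no values")
        result.append((name, values))
        pos = m.end()
    return result


if __name__ == "__main__":
    # Generic-form examples from the comment (the "allow ..." prefix removed).
    for line in (
        "restriction(rep:glob, *.jsp, *.txt) restriction(rep:ntNames, sling:Folder)",
        'restriction(my:custom, "13:00UTC, 23:59UTC")',
        r'''restriction(my:string, "It's \"quoted\"", "second string")''',
    ):
        print(parse_restrictions(line))
```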