[
https://issues.apache.org/jira/browse/SLING-6422?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16047529#comment-16047529
]
Nitin Nizhawan edited comment on SLING-6422 at 6/13/17 9:52 AM:
----------------------------------------------------------------
[~bdelacretaz] I further verified that the Vault package manager also respects
ordering. To verify, I specified the following ACEs:
{code}
<allow jcr:primaryType="rep:GrantACE" rep:principalName="forms-users"
       rep:privileges="{Name}[rep:readProperties]">
  <rep:restrictions jcr:primaryType="rep:Restrictions"
                    rep:ntNames="{Name}[abc,def]"/>
</allow>
<allow1 jcr:primaryType="rep:GrantACE" rep:principalName="forms-users"
        rep:privileges="{Name}[jcr:addChildNodes]">
  <rep:restrictions jcr:primaryType="rep:Restrictions"
                    rep:ntNames="{Name}[abc,def]"/>
</allow1>
{code}
Since in the above case the restrictions and principal are the same, the package
manager merged the privileges as follows:
{code}
<allow jcr:primaryType="rep:GrantACE" rep:principalName="forms-users"
       rep:privileges="{Name}[rep:readProperties,jcr:addChildNodes]">
  <rep:restrictions jcr:primaryType="rep:Restrictions"
                    rep:ntNames="{Name}[abc,def]"/>
</allow>
{code}
Then I tried with the order reversed for the restriction values, as follows:
{code}
<allow jcr:primaryType="rep:GrantACE" rep:principalName="forms-users"
       rep:privileges="{Name}[rep:readProperties]">
  <rep:restrictions jcr:primaryType="rep:Restrictions"
                    rep:ntNames="{Name}[abc,def]"/>
</allow>
<allow1 jcr:primaryType="rep:GrantACE" rep:principalName="forms-users"
        rep:privileges="{Name}[jcr:addChildNodes]">
  <rep:restrictions jcr:primaryType="rep:Restrictions"
                    rep:ntNames="{Name}[def,abc]"/>
</allow1>
{code}
In the above case the package manager did not merge the ACEs, because I think it
also considers the restrictions different. So, I suppose we should also consider
restrictions with different ordering of values different.
Also, the example date-based restriction provider at [0] assumes ordered
values.
WDYT?
[0] http://jackrabbit.apache.org/oak/docs/security/authorization/restriction.html
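Added example (not part of the original comment, and not Vault or repoinit code): a small Python model of the merge behaviour described above, run over the two ACE pairs from the comment. The merge key (type, principal, restrictions), the function names and the condensed input are assumptions made for illustration; it shows how treating restriction values as ordered or unordered changes whether the two ACEs collapse into one.

```python
import re
import xml.etree.ElementTree as ET

# Namespace URIs bound to the jcr: and rep: prefixes in JCR/Jackrabbit.
NS = {"jcr": "http://www.jcp.org/jcr/1.0", "rep": "internal"}

def multi(value):
    """Parse a multi-value such as '{Name}[abc,def]' into an ordered tuple."""
    body = re.fullmatch(r"\{\w+\}\[(.*)\]", value).group(1)
    return tuple(v.strip() for v in body.split(",") if v.strip())

def parse_aces(fragment):
    """Return (type, principal, privileges, restrictions) for each ACE node."""
    root = ET.fromstring('<acl xmlns:jcr="%s" xmlns:rep="%s">%s</acl>'
                         % (NS["jcr"], NS["rep"], fragment))
    rep, aces = "{%s}" % NS["rep"], []
    for node in root:
        restr = node.find("rep:restrictions", NS)
        restrictions = {k[len(rep):]: multi(v) for k, v in
                        (restr.attrib.items() if restr is not None else [])
                        if k.startswith(rep)}
        aces.append((node.get("{%s}primaryType" % NS["jcr"]),
                     node.get(rep + "principalName"),
                     multi(node.get(rep + "privileges")), restrictions))
    return aces

def merge(aces, order_sensitive=True):
    """Fold privileges of ACEs that share type, principal and restrictions
    (hypothetical merge key, assumed for this illustration)."""
    norm = tuple if order_sensitive else frozenset
    merged = {}
    for type_, principal, privileges, restrictions in aces:
        key = (type_, principal,
               tuple(sorted((n, norm(v)) for n, v in restrictions.items())))
        bucket = merged.setdefault(key, [])
        for p in privileges:
            if p not in bucket:
                bucket.append(p)
    return [(k[1], tuple(p)) for k, p in merged.items()]

# Constructed input: the two ACE pairs from the comment, condensed.
ACE = ('<%s jcr:primaryType="rep:GrantACE" rep:principalName="forms-users" '
       'rep:privileges="{Name}[%s]"><rep:restrictions '
       'jcr:primaryType="rep:Restrictions" rep:ntNames="{Name}[%s]"/></%s>')
def pair(second_nt_names):
    return (ACE % ("allow", "rep:readProperties", "abc,def", "allow")
            + ACE % ("allow1", "jcr:addChildNodes", second_nt_names, "allow1"))
SAME_ORDER, REVERSED = pair("abc,def"), pair("def,abc")
```

With order-sensitive comparison the reversed pair stays as two ACEs, matching what the comment observed; with set comparison it merges into one.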
> Allow for specifying oak restrictions with repoinit
> ---------------------------------------------------
>
> Key: SLING-6422
> URL: https://issues.apache.org/jira/browse/SLING-6422
> Project: Sling
> Issue Type: New Feature
> Components: Repoinit
> Reporter: Nitin Nizhawan
> Attachments: SLING6422ApplyRestrictionsV2.patch,
> SLING6422ApplyRestrictionsV3.patch,
> SLING6422_interpretparsedrestrictionclause.patch, SLING-6422.patch
>
>
> Allow for specifying oak restrictions with repoinit. Currently repoinit
> allows one to ADD remove ACLs but there is no way to specify oak restrictions.
> http://jackrabbit.apache.org/oak/docs/security/authorization/restriction.html