[jira] [Commented] (SLING-7061) Access control setup of repository-level permissions (i.e. null path)

Thu, 24 Aug 2017 05:56:21 -0700 

    [ 
https://issues.apache.org/jira/browse/SLING-7061?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16140002#comment-16140002
 ] 

Timothee Maret commented on SLING-7061:
---------------------------------------

[~bdelacretaz] IIUC the syntax you propose is concise, but it limits the 
principals concerned by an {{set}}, {{end}} block to a fixed number of 
principals. If we need to set different ACLs for different principals, then we 
would need multiple {{set}}, {{end}} blocks.

Since the order of ACEs is meaningful, I wanted to confirm with you if an 
execution order is already defined between the {{set}}, {{end}} blocks. Do we 
guarantee that repoinit blocks are evaluated in order ?

> Access control setup of repository-level permissions (i.e. null path)
> ---------------------------------------------------------------------
>
>                 Key: SLING-7061
>                 URL: https://issues.apache.org/jira/browse/SLING-7061
>             Project: Sling
>          Issue Type: Improvement
>          Components: Repoinit
>    Affects Versions: Repoinit Parser 1.1.0
>            Reporter: angela
>            Assignee: Timothee Maret
>             Fix For: Repoinit Parser 1.1.2, Repoinit JCR 1.1.6
>
>
> If I am not mistaken it is currently not possible to create access control 
> setup for principals at the 'null' path, which according to JSR 283 is to be 
> used to setup repository level permissions such as 
> - node type definition management (i.e. registering new node types)
> - namespace management (i.e. registering new namespaces)
> - privilege management (i.e. registering new privileges)
> - workspace management (i.e. creating/removing workspaces)
> All of these operations are not bound to a path (like e.g. removing an item 
> or creating a new version for a given node) but instead take global effect on 
> the whole JCR repository... that's why permissions for these operations 
> cannot be granted at a given path.
> In the default authorization model shipped with Jackrabbit and Oak the -null- 
> path access control policy is stored with a dedicated _rep:repoPolicy_ node 
> located with the root node and 
> For service user definitions we need to be able to define entries for the 
> -null- path policy for the reasons explained above. Thanks for extending the 
> repo-init accordingly.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Reply via email to