[jira] [Commented] (SLING-8602) Add support for PrincipalAccessControlList and ac-management by principal

Thu, 19 Sep 2019 09:47:08 -0700 


    [ 
https://issues.apache.org/jira/browse/SLING-8602?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16933579#comment-16933579
 ] 

angela commented on SLING-8602:
-------------------------------

[~edn], from an oak repository point of view there exists no such limitation. 
from an adobe aem pov it might be fair to say it the initial request that lead 
to the new feature was mostly limited to repository init and initial content 
packages... but who knows. regarding your follow up question, i don't think i 
either have knowledge of ac related sling rest view, it's actions or 
jcr-contentloader. do these feature today support other non-acl policies 
(thinking e.g. of {{PrincipalSetPolicy}} or {{NamedPolicy}} implementations?

> Add support for PrincipalAccessControlList and ac-management by principal
> -------------------------------------------------------------------------
>
>                 Key: SLING-8602
>                 URL: https://issues.apache.org/jira/browse/SLING-8602
>             Project: Sling
>          Issue Type: New Feature
>          Components: Repoinit
>            Reporter: angela
>            Assignee: Robert Munteanu
>            Priority: Major
>              Labels: Sling-12-ReleaseNotes
>             Fix For: Repoinit Parser 1.2.8, Repoinit JCR 1.1.14
>
>         Attachments: SLING-8602-jcr-2.patch, SLING-8602-jcr.patch, 
> SLING-8602-parser-2.patch, SLING-8602-parser.patch
>
>
> with JCR-4429 comes a new type of {{JackrabbitAccessControlList}} that allows 
> to provide native support for access control management by principal as 
> defined by 
> {{org.apache.jackrabbit.api.security.JackrabbitAccessControlManager}}.  
> now that there exists a new authorization model in Oak (OAK-8190) that 
> implements these extensions, it would be desirable if the repo-init would 
> cover access control management by principal.
> note: while the original aim of OAK-8190 was to store permissions for system 
> users (aka service users) separately, the implementation in 
> _oak-authorization-principalbased_ is not limited to system users and doesn't 
> mandate the policies to be stored with a user node. the location of the 
> access controlled node is an implementation detail that can be changed. see 
> Jackrabbit API and 
> http://jackrabbit.apache.org/oak/docs/security/authorization/principalbased.html
>  for additional details.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to