[jira] [Commented] (SLING-9090) AclLine.Action.REMOVE and AclLine.Action.REMOVE_ALL not handled in jcr implementation

Mon, 02 Mar 2020 05:39:28 -0800 


    [ 
https://issues.apache.org/jira/browse/SLING-9090?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17049212#comment-17049212
 ] 

angela commented on SLING-9090:
-------------------------------

Hi Mohit

I don't think you have to worry about the extra with-path statement for the 
service user.
The reason why I came across this is in the first place, that I am working on 
defining principal-based permission setup for service users (see announcement 
on dl-dev)... so, for new AEM installations that would mean that service-users 
get installed below a new subtree (i.e. 
/home/users/system/cq:services/internal/*), which allows for principal-based 
permission setup.

So, for new installations your service user will once this completed anyway 
have an intermediate path specified....
Unless we see that it's mandatory we won't move around service users in 
existing installations and as you noticed, repo-init is a bit limited and 
doesn't touch existing service users even if the rel-path specified does not 
match.

The effective permissions must stay the same for built-in service users but 
obviously the remove-ace will really be needed and will be needed in a 
non-breaking way... also the prinipal-based permission setup doesn't allow for 
deny-entries, since we always claimed that service users never should have 
denies. So, either way.... I will keep an eye on the Sling issue.

Thanks and kind regards
Angela


> AclLine.Action.REMOVE and AclLine.Action.REMOVE_ALL not handled in jcr 
> implementation
> -------------------------------------------------------------------------------------
>
>                 Key: SLING-9090
>                 URL: https://issues.apache.org/jira/browse/SLING-9090
>             Project: Sling
>          Issue Type: Bug
>          Components: Repoinit
>            Reporter: Angela Schreiber
>            Priority: Major
>
> [~bdelacretaz], while the documentation and the parser code provides the 
> ability to remove an individual or all access control entries, it seems the 
> JCR implementation doesn't actually support it.
> using it may lead to odd side effects or failures.... so, i think either the 
> parser should remove the support for Action.REMOVE and Action.REMOVE_ALL or 
> the jcr implementation part should respect it... at the very minimum it 
> should spot any usage of it and fail the repo-init if there is no way to 
> implement it properly. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to