Author: angela
Date: Tue Mar 3 11:24:08 2015
New Revision: 1663663
URL: http://svn.apache.org/r1663663
Log:
OAK-2563
Cleanup and document security related error codes
Modified:
jackrabbit/oak/trunk/oak-doc/src/site/markdown/oak_api/error_codes.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/cug.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user.md
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/oak_api/error_codes.md
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/oak_api/error_codes.md?rev=1663663&r1=1663662&r2=1663663&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/oak_api/error_codes.md
(original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/oak_api/error_codes.md Tue
Mar 3 11:24:08 2015
@@ -45,65 +45,32 @@ information about the issue. This page i
#### User Validation
-| Code | Message
|
-|-------------------|----------------------------------------------------------|
-| 0020 | Admin user cannot be disabled
|
-| 0021 | Invalid jcr:uuid for authorizable (creation)
|
-| 0022 | Changing Id, principal name after creation
|
-| 0023 | Invalid jcr:uuid for authorizable (mod)
|
-| 0024 | Password may not be plain text
|
-| 0025 | Attempt to remove id, principalname or pw
|
-| 0026 | Mandatory property rep:principalName missing
|
-| 0027 | The admin user cannot be removed
|
-| 0028 | Attempt to create outside of configured scope
|
-| 0029 | Intermediate folders not rep:AuthorizableFolder
|
-| 0030 | Missing uuid for group (check for cyclic membership)
|
-| 0031 | Cyclic group membership
|
-| 0032 | Attempt to set password with system user
|
-| 0033 | Attempt to add rep:pwd node to a system user
|
+see section [User Management](../security/user.html#validation)
#### Privilege Validation
-| Code | Message
|
-|-------------------|----------------------------------------------------------|
-| 0041 | Modification of existing privilege definition X
|
-| 0042 | Un-register privilege X
|
-| 0043 | Next bits not updated
|
-| 0044 | Privilege store not initialized
|
-| 0045 | Modification of existing privilege definition X
|
-| 0046 | Modification of existing privilege definition X
|
-| 0047 | Invalid declared aggregate name X
|
-| 0048 | PrivilegeBits are missing
|
-| 0049 | PrivilegeBits already in used
|
-| 0050 | Singular aggregation is equivalent to existing
privilege.|
-| 0051 | Declared aggregate X is not a registered privilege
|
-| 0052 | Detected circular aggregation
|
-| 0053 | Custom aggregate privilege X is already covered.
|
+see section [Privilege Management](../security/privilege.html#validation)
#### Token Validation
-see section [Token Management](../security/authentication/tokenmanagement.html)
+see section [Token
Management](../security/authentication/tokenmanagement.html#validation)
### Type Access
-#### Access Validation
-_todo_
-
#### Permission Validation
-_todo_
+see section [Permissions](../security/permission.html#validation)
### Type Access Control
#### Default Access Control Validation
-_todo_
+see section [Access Control
Management](../security/accesscontrol.html#validation)
#### CUG Validation
-see section [Closed User Groups](../security/authorization/cug.html)
-
+see section [Closed User Groups](../security/accesscontrol/cug.html#validation)
<!-- hidden references -->
[OAK-764]: https://issues.apache.org/jira/browse/OAK-764
\ No newline at end of file
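Review bot: With the User and Privilege tables removed here (codes 0020-0033 and 0041-0053), error_codes.md no longer lists a single security-related code, so a reader who searches this page for a code taken from an exception finds nothing to match. Consider keeping the error type and code range beside each "see section" link, for example "User Management (Constraint 0020-0033)", so the index still routes a code to the right page. Separately, the file still ends without a trailing newline.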
Modified:
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md?rev=1663663&r1=1663662&r2=1663663&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md
(original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md
Tue Mar 3 11:24:08 2015
@@ -257,6 +257,27 @@ the node they are bound to. The node typ
}
}
+<a name="validation"/>
+##### Validation
+
+The consistency of this content structure is asserted by a dedicated
`AccessControlValidator`.
+The corresponding errors are all of type `AccessControl` with the following
codes:
+
+| Code | Message
|
+|-------------------|----------------------------------------------------------|
+| 0001 | Generic access control violation
|
+| 0002 | Access control entry node expected
|
+| 0003 | Invalid policy name
|
+| 0004 | Invalid policy node: Order of children is not stable
|
+| 0005 | Access control policy within access control content
|
+| 0006 | Isolated policy node
|
+| 0007 | Isolated access control entry
|
+| 0008 | ACE without principal name
|
+| 0009 | ACE without privileges
|
+| 0010 | ACE contains invalid privilege name
|
+| 0011 | ACE uses abstract privilege
|
+| 0012 | Repository level policies defined with non-root node
|
+| 0013 | Duplicate ACE found in policy
|
#### XML Import
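Review bot: Several rows of the new AccessControl table name a condition without saying what triggers it, notably 0004 "Invalid policy node: Order of children is not stable", 0006 "Isolated policy node" and 0007 "Isolated access control entry". A sentence under the table, or a third column, stating the structure the validator expects in each case would let a reader act on the code without reading `AccessControlValidator`. The intro sentence also drops the "both on creation and modification" wording that the token and CUG pages use for the same statement; pick one form for all six sections.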
Modified:
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/cug.md
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/cug.md?rev=1663663&r1=1663662&r2=1663663&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/cug.md
(original)
+++
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/cug.md
Tue Mar 3 11:24:08 2015
@@ -36,6 +36,7 @@ _todo_
_todo_
+<a name="validation"/>
##### Validation
The consistency of this content structure both on creation and modification is
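Review bot: The anchor added above "##### Validation" is written as a self-closing `<a name="validation"/>`, but `a` is not a void element, so when the generated page is parsed as HTML the tag is treated as an opening tag and can wrap the heading that follows. Writing `<a name="validation"></a>` avoids that. The same form is added in the accesscontrol, tokenmanagement, permission, privilege and user hunks of this commit, so it is worth changing in all of them together.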
Modified:
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md?rev=1663663&r1=1663662&r2=1663663&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md
(original)
+++
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/tokenmanagement.md
Tue Mar 3 11:24:08 2015
@@ -176,10 +176,11 @@ definition:
}
}
+<a name="validation"/>
##### Validation
The consistency of this content structure both on creation and modification is
-asserted by a dedicated `TokenValidator`. The corresponding error are
+asserted by a dedicated `TokenValidator`. The corresponding errors are
all of type `Constraint` with the following codes:
| Code | Message
|
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission.md
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission.md?rev=1663663&r1=1663662&r2=1663663&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission.md
(original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/permission.md Tue
Mar 3 11:24:08 2015
@@ -370,6 +370,17 @@ implementation (`VersionablePathHook`).
mixin
- * (PATH) protected ABORT
+<a name="validation"/>
+##### Validation
+
+The consistency of this content structure is asserted by a dedicated
`PermissionValidator`.
+The corresponding errors are all of type `Access` with the following codes:
+
+| Code | Message
|
+|-------------------|----------------------------------------------------------|
+| 0000 | Generic access violation
|
+| 0021 | Version storage: Node creation without version history
|
+| 0022 | Version storage: Removal of intermediate node
|
<a name="api_extensions"/>
### API Extensions
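Review bot: The new Access table lists only 0000, 0021 and 0022, and the text does not say whether 0001-0020 are unused or just undocumented. The numbers 0021 and 0022 also appear in the user.md table of this same commit with type `Constraint` and unrelated messages, so a bare code number is ambiguous. A sentence stating that a code is only meaningful together with its type (`Access` here), plus a note on the unused range, would prevent misreading a version-storage failure as a user-validation failure.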
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md?rev=1663663&r1=1663662&r2=1663663&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md
(original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md Tue
Mar 3 11:24:08 2015
@@ -150,6 +150,28 @@ Note the protection status of all child
as they prevent modification of the privilege definitions using regular JCR
write operations.
+<a name="validation"/>
+##### Validation
+
+The consistency of this content structure is asserted by a dedicated
`PrivilegeValidator`.
+The corresponding errors are all of type `Constraint` with the following codes:
+
+| Code | Message
|
+|-------------------|----------------------------------------------------------|
+| 0041 | Modification of existing privilege definition X
|
+| 0042 | Un-register privilege X
|
+| 0043 | Next bits not updated
|
+| 0044 | Privilege store not initialized
|
+| 0045 | Modification of existing privilege definition X
|
+| 0046 | Modification of existing privilege definition X
|
+| 0047 | Invalid declared aggregate name X
|
+| 0048 | PrivilegeBits are missing
|
+| 0049 | PrivilegeBits already in used
|
+| 0050 | Singular aggregation is equivalent to existing
privilege.|
+| 0051 | Declared aggregate X is not a registered privilege
|
+| 0052 | Detected circular aggregation
|
+| 0053 | Custom aggregate privilege X is already covered.
|
+
### API Extensions
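Review bot: The table is moved over verbatim and carries its old defects with it: 0041, 0045 and 0046 all read "Modification of existing privilege definition X", so the three codes cannot be told apart from the documentation, and 0049 says "PrivilegeBits already in used" where "already in use" is meant. Since the commit is a cleanup of these codes, this is the place to give 0041/0045/0046 distinct descriptions of what was modified and to fix the 0049 wording.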
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user.md
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user.md?rev=1663663&r1=1663662&r2=1663663&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user.md Tue Mar 3
11:24:08 2015
@@ -173,6 +173,29 @@ The following block lists the built-in n
+ * (rep:Members) = rep:Members protected multiple
- * (WEAKREFERENCE) protected < 'rep:Authorizable'
+<a name="validation"/>
+##### Validation
+
+The consistency of this content structure is asserted by a dedicated
`UserValidator`.
+The corresponding errors are all of type `Constraint` with the following codes:
+
+| Code | Message
|
+|-------------------|----------------------------------------------------------|
+| 0020 | Admin user cannot be disabled
|
+| 0021 | Invalid jcr:uuid for authorizable (creation)
|
+| 0022 | Changing Id, principal name after creation
|
+| 0023 | Invalid jcr:uuid for authorizable (mod)
|
+| 0024 | Password may not be plain text
|
+| 0025 | Attempt to remove id, principalname or pw
|
+| 0026 | Mandatory property rep:principalName missing
|
+| 0027 | The admin user cannot be removed
|
+| 0028 | Attempt to create outside of configured scope
|
+| 0029 | Intermediate folders not rep:AuthorizableFolder
|
+| 0030 | Missing uuid for group (check for cyclic membership)
|
+| 0031 | Cyclic group membership
|
+| 0032 | Attempt to set password with system user
|
+| 0033 | Attempt to add rep:pwd node to a system user
|
+
#### XML Import
As of Oak 1.0 user and group nodes can be imported both with Session and
Workspace
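Review bot: Some messages in the moved User table rely on abbreviations and inconsistent names: 0025 "Attempt to remove id, principalname or pw" versus `rep:principalName` in 0026, and "(mod)" in 0023 against "(creation)" in 0021. Spelling these out with the actual property names (for example "(modification)" and the full names of the id, principal name and password properties) would make the rows searchable and unambiguous. 0030 "Missing uuid for group (check for cyclic membership)" would also benefit from saying whether the missing uuid is itself the error or a side effect of the cycle check.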