Author: angela
Date: Mon Feb 15 17:51:50 2016
New Revision: 1730580
URL: http://svn.apache.org/viewvc?rev=1730580&view=rev
Log:
OAK-4016 : Document composite authorization setup (WIP)
minor improvement: security doc
Modified:
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/externalloginmodule.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/composite.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/default.md
Modified:
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/externalloginmodule.md
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/externalloginmodule.md?rev=1730580&r1=1730579&r2=1730580&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/externalloginmodule.md
(original)
+++
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authentication/externalloginmodule.md
Mon Feb 15 17:51:50 2016
@@ -126,7 +126,7 @@ for the [ExternalLoginModuleFactory]/[Ex
| `PARAM_IDP_NAME` | String | \- | Name of the external IDP
to be retrieved from the `ExternalIdentityProviderManager` |
| `PARAM_SYNC_HANDLER_NAME` | String | \- | Name of the sync handler
to be retrieved from the `SyncManager` |
| | | |
|
-| *Optional (OSGi-setup)* | | |
|
+| _Optional (OSGi-setup)_ | | |
|
| `JAAS_RANKING` | int | 50 | Ranking of the
`ExternalLoginModule` in the JAAS configuration, see [LoginModuleFactory] |
| `JAAS_CONTROL_FLAG` | String | SUFFICIENT | See
[LoginModuleControlFlag] for supported values. |
| `JAAS_REALM_NAME` | String | \- | See [LoginModuleFactory]
|
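Review bot: the change from `*Optional (OSGi-setup)*` to `_Optional (OSGi-setup)_` in this hunk is purely stylistic, and it is consistent with the underscore emphasis used elsewhere in these docs (`_TODO_`, `_Please note:_`), so it reads fine. Please check that any similar group-label row earlier in the same table (the required-options block above this hunk is not visible here) uses the same `_..._` marker, so the table does not mix `*...*` and `_..._` after this commit.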
Modified:
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/composite.md
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/composite.md?rev=1730580&r1=1730579&r2=1730580&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/composite.md
(original)
+++
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/authorization/composite.md
Mon Feb 15 17:51:50 2016
@@ -20,25 +20,78 @@ Combining Multiple Authorization Models
### General Notes
-_TODO_
+Since Oak 1.4 it is possible to combine multiple authorization models within
the
+default security setup.
+
+The main entry point for the aggregation of multiple authorization models is
the
+[CompositeAuthorizationConfiguration], which is in charge of generating
composite
+variants of the `AccessControlManager`, `PermissionProvider` and
`RestrictionProvider`
+if multiple authorization modules have been configured (see section
+[Implementation Details](#details) below.
+
+_Please note:_
+Despite the fact that Oak supports the aggregation of multiple authorization
+models, this extension is only recommended for experts that have in-depth
+knowledge and understanding of Jackrabbit/Oak authorization concepts. Doing so
+might otherwise result in severe security issues and heavily impact overall
performance.
<a name="api_extensions"/>
### API Extensions
+There are two interfaces required to make a given authorization model
deployable
+in an aggregated setup:
+
+- [PolicyOwner]: Extension to the `AccessControlManager`, that allows a given
implementation to claim responsibility for handling certain
`AccessControlPolicy` implementations.
+- [AggregatedPermissionProvider]: Subclass of `PermissionProvider` which is
mandated for permission evaluation once multiple providers are configured.
+
+#### PolicyOwner
+
+_TODO_
+
+#### AggregatedPermissionProvider
+
_TODO_
<a name="details"/>
### Implementation Details
+#### Access Control
+
+_TODO_
+
+#### Permission Evaluation
+
+_TODO_
+
+#### Restriction Management
+
+Support for multiple restriction providers has already been been present with
the
+default authorization implementation since Oak 1.0. The mechnism described in
+section [Restriction Management](restriction.html) is not affected by the new
functionality.
+
+The `CompositeAuthorizationConfiguration` is in charge of collecting
+the `RestrictionProvider`s from the aggregated modules and expose the complete
+set of restrictions in order to meet the API contract.
+
+Nevertheless, each authorization model is in charge of exposing, validating
and
+evaluating the subset of restrictions it can handle through the access control
API
+extensions and the permission evaluation, respectively. Similarly, a given
module
+may decide to provide no support for restrictions. Examples include modules
that
+provide different types of `AccessControlPolicy`, where restrictions may
simply
+not apply (see for example `oak-authorization-cug`).
<a name="configuration"/>
### Configuration
-_TODO_
+There are no implementation specific configuration options associated with
+the `CompositeAuthorizationConfiguration`.
<a name="pluggability"/>
### Pluggability
+_TODO_
<!-- hidden references -->
-[OAK-1268]: https://issues.apache.org/jira/browse/OAK-1268
\ No newline at end of file
+[PolicyOwner]:
/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/PolicyOwner.html
+[AggregatedPermissionProvider]:
/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authorization/permission/AggregatedPermissionProvider.html
+[CompositeAuthorizationConfiguration]:
/oak/docs/apidocs/org/apache/jackrabbit/oak/security/authorization/composite/CompositeAuthorizationConfiguration.html
\ No newline at end of file
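Review bot: the new "General Notes" paragraph has an unbalanced parenthesis: "(see section [Implementation Details](#details) below." needs a closing ")" after "below". Two typos in the added "Restriction Management" text: "has already been been present" (doubled "been") and "The mechnism described" (should be "mechanism"); "Nevertheless, each authorization model is in charge of exposing, validating and evaluating ... respectively" would also be clearer as "exposing and validating through the access control API extensions and evaluating through the permission evaluation". The hunk removes the `[OAK-1268]` reference definition; please confirm no remaining `[OAK-1268]` link text survives elsewhere in composite.md, otherwise it will now render as literal brackets. The file is still committed without a trailing newline, and five subsections (PolicyOwner, AggregatedPermissionProvider, Access Control, Permission Evaluation, Pluggability) remain `_TODO_`, which is expected for a WIP change but worth tracking against OAK-4016 so the expert-only caveat is backed by actual guidance.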
Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md?rev=1730580&r1=1730579&r2=1730580&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md
(original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege.md Mon
Feb 15 17:51:50 2016
@@ -90,10 +90,14 @@ The [PrivilegeConfiguration] is the Oak
implementation of the `PrivilegeManager` interface is based on Oak API and can
equally be used for privilege related tasks in the Oak layer.
-Please note: While it's in theory possible to replace the default privilege
+<a name="pluggability"/>
+### Pluggability
+
+_Please note:_ While it's in theory possible to replace the default privilege
management implementation in Oak, this is only recommended if you have in depth
knowledge and understanding of Jackrabbit/Oak internals and are familiar with
-the security risk associated with it.
+the security risk associated with it. Doing so, will most likely require a
re-write
+of the default access control and permission evaluation.
<!-- references -->
[PrivilegeConfiguration]:
/oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeConfiguration.html
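Review bot: the added sentence "Doing so, will most likely require a re-write of the default access control and permission evaluation." has a stray comma after "Doing so"; drop it. For consistency with the wording introduced in composite.md in this same commit, "in depth knowledge" should be "in-depth knowledge", and "the security risk associated with it" reads better as "the security risks associated with it". The new `<a name="pluggability"/>` anchor plus `### Pluggability` heading matches the anchor convention used in composite.md and default.md, so cross-links like `privilege.html#pluggability` will work.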
Modified:
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/default.md
URL:
http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/default.md?rev=1730580&r1=1730579&r2=1730580&view=diff
==============================================================================
---
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/default.md
(original)
+++
jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/privilege/default.md
Mon Feb 15 17:51:50 2016
@@ -139,5 +139,5 @@ The corresponding errors are all of type
<a name="configuration"/>
### Configuration
-There are implementation specific configuration options associated with the
+There are no implementation specific configuration options associated with the
privilege management implementation.
\ No newline at end of file
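Review bot: good catch on the inverted statement; "There are no implementation specific configuration options" is the correct claim for the default privilege management, and it now matches the equivalent sentence added to composite.md. Minor: "implementation specific" should be hyphenated as "implementation-specific" in both files, and the file is still committed without a trailing newline.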