This is an automated email from the ASF dual-hosted git repository.
angela pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git
The following commit(s) were added to refs/heads/trunk by this push:
new e796745ebe OAK-10563 : Document mapping of actions to privileges
e796745ebe is described below
commit e796745ebeee3205bf499034a0fd25e9d3f2cde2
Author: angela <[email protected]>
AuthorDate: Thu Nov 23 17:53:17 2023 +0100
OAK-10563 : Document mapping of actions to privileges
---
oak-doc/src/site/markdown/security/permission.md | 2 +
.../permission/permissionsandprivileges.md | 2 +-
oak-doc/src/site/markdown/security/privilege.md | 3 ++
.../site/markdown/security/privilege/default.md | 3 +-
.../privilege/mappingprivilegestoactions.md | 59 ++++++++++++++++++++++
5 files changed, 67 insertions(+), 2 deletions(-)
diff --git a/oak-doc/src/site/markdown/security/permission.md
b/oak-doc/src/site/markdown/security/permission.md
index 59450b737d..eb963aad94 100644
--- a/oak-doc/src/site/markdown/security/permission.md
+++ b/oak-doc/src/site/markdown/security/permission.md
@@ -152,6 +152,8 @@ Not used in Oak 1.0:
#### Mapping of JCR Actions to Oak Permissions
+See also section ['Mapping Privileges to JCR/Jackrabbit
Actions'](privilege/mappingprivilegestoactions.html).
+
`ACTION_READ`:
- access control content: `Permissions.READ_ACCESS_CONTROL`
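Review bot: The link text added here, 'Mapping Privileges to JCR/Jackrabbit Actions', does not match the heading of the page it points to, which this same commit adds as "### Mapping Jcr Actions to Privileges". The direction of the mapping is reversed and the capitalisation differs ("Jcr" against "JCR"). Pick one title and use it both in the new file's heading and in every link added by this commit, so a reader following the cross-reference lands on a page with the name they clicked.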
diff --git
a/oak-doc/src/site/markdown/security/permission/permissionsandprivileges.md
b/oak-doc/src/site/markdown/security/permission/permissionsandprivileges.md
index 79bb580eb0..f31c57f25d 100644
--- a/oak-doc/src/site/markdown/security/permission/permissionsandprivileges.md
+++ b/oak-doc/src/site/markdown/security/permission/permissionsandprivileges.md
@@ -106,6 +106,6 @@ requires the ability to read access control content on the
target path.
- [Mapping Privileges to Items](../privilege/mappingtoitems.html)
- [Mapping API Calls to Privileges](../privilege/mappingtoprivileges.html)
-
+- [Mapping Privileges to JCR/Jackrabbit
Actions](../privilege/mappingprivilegestoactions.html)
diff --git a/oak-doc/src/site/markdown/security/privilege.md
b/oak-doc/src/site/markdown/security/privilege.md
index 97c90bff29..d9a8c508ed 100644
--- a/oak-doc/src/site/markdown/security/privilege.md
+++ b/oak-doc/src/site/markdown/security/privilege.md
@@ -112,6 +112,9 @@ of the default access control and permission evaluation.
- Mapping Privileges to Items and API Calls
- [Mapping Privileges to Items](privilege/mappingtoitems.html)
- [Mapping API Calls to Privileges](privilege/mappingtoprivileges.html)
+- Mapping JCR/Jackrabbit Actions
+ - [Mapping Privileges to JCR/Jackrabbit
Actions](privilege/mappingprivilegestoactions.html)
+ - [Mapping of JCR Actions to Oak
Permissions](permission.html#mapping-of-jcr-actions-to-oak-permissions)
<!-- references -->
diff --git a/oak-doc/src/site/markdown/security/privilege/default.md
b/oak-doc/src/site/markdown/security/privilege/default.md
index 13fbcd8438..f7e36bf6ac 100644
--- a/oak-doc/src/site/markdown/security/privilege/default.md
+++ b/oak-doc/src/site/markdown/security/privilege/default.md
@@ -92,7 +92,8 @@ The new Privileges introduced with Oak 1.0 have the following
effect:
#### Mapping Privileges to Items and API Calls
An overview on how the built-in privileges map to API calls and individual
items
can be found in ['Mapping Privileges to Items'](mappingtoitems.html)
-and ['Mapping API Calls to Privileges'](mappingtoprivileges.html)
+and ['Mapping API Calls to Privileges'](mappingtoprivileges.html).
+See also ['Mapping Privileges to JCR/Jackrabbit
Actions'](mappingprivilegestoactions.html) and ['Mapping of JCR Actions to Oak
Permissions'](../permission.html#mapping-of-jcr-actions-to-oak-permissions)
<a name="representation"></a>
### Representation in the Repository
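Review bot: The added "See also ['Mapping Privileges to JCR/Jackrabbit Actions'] ... and ['Mapping of JCR Actions to Oak Permissions'] ..." sentence ends without a full stop, although this hunk adds the missing one to the sentence just before it. Terminate the new sentence as well. Since it follows the previous line without a blank line, it will render as part of the same paragraph, which reads fine once both sentences are punctuated.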
diff --git
a/oak-doc/src/site/markdown/security/privilege/mappingprivilegestoactions.md
b/oak-doc/src/site/markdown/security/privilege/mappingprivilegestoactions.md
new file mode 100644
index 0000000000..35d488badb
--- /dev/null
+++ b/oak-doc/src/site/markdown/security/privilege/mappingprivilegestoactions.md
@@ -0,0 +1,59 @@
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ -->
+### Mapping Jcr Actions to Privileges
+
+| Jcr/Jackrabbit Action | Privilege
|
+|------------------------------|------------------------------------------------------------------------|
+| ACTION_READ | jcr:read
|
+| ACTION_READ on node | rep:readNodes
|
+| ACTION_READ on prop | rep:readProperties
|
+| ACTION_SET_PROPERTY | jcr:modifyProperties
|
+| ACTION_ADD_PROPERTY | rep:addProperties
|
+| ACTION_MODIFY_PROPERTY | rep:alterProperties
|
+| ACTION_REMOVE_PROPERTY | rep:removeProperties
|
+| ACTION_ADD_NODE | jcr:addChildNodes on parent
|
+| ACTION_REMOVE_NODE | jcr:removeNode on target +
jcr:removeChildNodes on parent |
+| ACTION_REMOVE on prop | rep:removeProperties
|
+| ACTION_REMOVE on node | jcr:removeNode on target +
jcr:removeChildNodes on parent |
+| ACTION_NODE_TYPE_MANAGEMENT | jcr:nodeTypeManagement
|
+| - (combination of actions) | jcr:write (NOTE: add/remove node requires
privileges granted on parent) |
+| - (combination of actions) | rep:write (NOTE: add/remove node requires
privileges granted on parent) |
+| ACTION_USER_MANAGEMENT | rep:userManagement
|
+| ACTION_LOCKING | jcr:lockManagement
|
+| ACTION_VERSIONING | jcr:versionManagement
|
+| - | rep:indexDefinitionManagement
|
+| ACTION_READ_ACCESS_CONTROL | jcr:readAccessControl
|
+| ACTION_MODIFY_ACCESS_CONTROL | jcr:modifyAccessControl
|
+| - | rep:privilegeManagement
|
+| - | jcr:nodeTypeDefinitionManagement
|
+| - | jcr:namespaceManagement
|
+| - | jcr:all
|
+
+Mapping for unsupported operations in Oak
+
+| Jcr/Jackrabbit Action | Privilege |
+|-----------------------|-------------------------|
+| - | jcr:retentionManagement |
+| - | jcr:lifecycleManagement |
+| - | jcr:workspaceManagement |
+
+### Further Reading
+
+- [Mapping Privileges to Items](mappingtoitems.html)
+- [Mapping API Calls to Privileges](mappingtoprivileges.html)
+- [Mapping of JCR Actions to Oak
Permissions](../permission.html#mapping-of-jcr-actions-to-oak-permissions)
+
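Review bot: The jcr:write and rep:write rows give the action only as "- (combination of actions)" without naming the actions, so a reader who checks access through the action constants cannot tell from this table which set corresponds to either aggregate or how the two rows differ. Name the actions in each row, or link to the definition of the aggregate privileges. The bare "-" in the other rows is also never explained; one sentence under the table stating what it means (presumably that no action corresponds to the privilege) would remove the guesswork. "Mapping for unsupported operations in Oak" is added as a plain line while the rest of the page uses "###" headings, so consider making it a heading as well.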