[ https://issues.apache.org/jira/browse/OAK-2947?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14971866#comment-14971866 ]
Rob Ryan edited comment on OAK-2947 at 10/23/15 9:23 PM:
---------------------------------------------------------
How about something like:

To enable impersonation the target user must already have, or allow the
creation of, a node under the user, something like:

oak:impersonators/<systemuserAuthorizableId>

This way the existing permission implementation can be used to decide the
question of whether a given system user can impersonate a given user.

We have use cases where a system user must be able to impersonate substantially
*all* the users aside from admin and system users in order to implement
existing access control mechanisms.

I'm sure there are other cases where a more restrictive range of impersonation
targets is appropriate in some cases.

As we learned with the configuration of system users themselves, one central
'array' list of which system users can impersonate is impractical in a
modularized system.

was (Author: [email protected]):
How about something like:

To enable impersonation the target user must already have, or allow the
creation of, a node under the user, something like:

oak:impersonators/<systemuserAuthorizableId>

This way the existing permission implementation can be used to decide the
question of whether a given system user can impersonate a given user.

I also see value in the proposal to be able to configure
> Allow configured system user(s) to impersonate regular users
> ------------------------------------------------------------
>
> Key: OAK-2947
> URL: https://issues.apache.org/jira/browse/OAK-2947
> Project: Jackrabbit Oak
> Issue Type: New Feature
> Components: core
> Affects Versions: 1.2
> Reporter: angela
> Assignee: angela
> Attachments: OAK-2947.patch
>
>
> Based on some private discussion on how to implement a feature that allows a
> given subject to continue working on 'his' modifications after changes being
> persisted, we ([~djaeggi], [~chaotic] and [~anchela]) thought that it would
> be beneficial to have a configuration option in Oak that allows certain
> system users to impersonate regular users irrespective of the
> {{rep:impersonators}} properties present with those users.
> [~fmeschbe] additionally proposed to allow for a configuration that not only
> states the name(s) of the service users but also limits the sudo-rights to
> members of a certain group: for example the impersonation ability of a
> potential system user "impersonate-content-authors" could be limited to
> impersonate members of the "content-authors" group.
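
The two grant paths discussed in this thread (a grant stored with the target user, and a configured system user limited to members of one group), modelled as an added Java example. It is not Oak code or the attached patch: the class, the record, the CONFIG map and the sample users are hypothetical, and excluding admin and system users as targets is an assumption taken from the use case in the comment.

```java
import java.util.Map;
import java.util.Set;

// Model of the impersonation decision discussed in OAK-2947. All names are
// hypothetical; this is not Oak's API and not the attached patch.
public class ImpersonationModel {

    // Constructed user record: group membership plus the impersonator ids stored with the user.
    record User(String id, boolean systemUser, boolean admin,
                Set<String> groups, Set<String> impersonators) {}

    // Assumed configuration: system user id -> group whose members it may impersonate.
    static final Map<String, String> CONFIG =
            Map.of("impersonate-content-authors", "content-authors");

    static boolean mayImpersonate(User actor, User target) {
        // Assumption: admin and system users are never impersonation targets.
        if (target.admin() || target.systemUser()) {
            return false;
        }
        // Per-user grant stored with the target (rep:impersonators or the proposed child node).
        if (target.impersonators().contains(actor.id())) {
            return true;
        }
        // Configured grant: system users only, and only within the configured group.
        String group = actor.systemUser() ? CONFIG.get(actor.id()) : null;
        return group != null && target.groups().contains(group);
    }

    public static void main(String[] args) {
        // Constructed sample users.
        User svc = new User("impersonate-content-authors", true, false, Set.of(), Set.of());
        User author = new User("alice", false, false, Set.of("content-authors"), Set.of());
        User reader = new User("bob", false, false, Set.of("readers"), Set.of());
        User optIn = new User("carol", false, false, Set.of("readers"), Set.of(svc.id()));
        User admin = new User("admin", false, true, Set.of("content-authors"), Set.of());
        User other = new User("other-service", true, false, Set.of("content-authors"), Set.of());

        for (User t : new User[] {author, reader, optIn, admin, other}) {
            System.out.println(svc.id() + " -> " + t.id() + ": " + mayImpersonate(svc, t));
        }
        // A regular user is not covered by the configuration at all.
        System.out.println(author.id() + " -> " + reader.id() + ": " + mayImpersonate(author, reader));
    }
}
```

The order of the checks is the point: the target exclusion runs first, so neither a stored grant nor a group membership can make an admin or system user impersonable in this model.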