[https://issues.apache.org/jira/browse/OAK-2947?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14974463#comment-14974463]
Alexander Klimetschek commented on OAK-2947:
--------------------------------------------
I am not sure I understand how this should be done in Sling... keep using an
admin session in impersonateFromService() (so actually no service user at all)
and then do whatever "is allowed to impersonate" check there?

For security reasons, we want to limit what the service user can impersonate
into (e.g. no admin users). For that, the approach of setting the impersonators
property on each target user is problematic:
- it requires managing that property for every user; if new users are added
through various ways it could be difficult to get the event, and if the service
user changes you have to migrate all users
- users could modify the property themselves, and in our case break
essential application functionality (the service user is used for ensuring
correct metadata on observation)
> Allow configured system user(s) to impersonate regular users
> ------------------------------------------------------------
>
> Key: OAK-2947
> URL: https://issues.apache.org/jira/browse/OAK-2947
> Project: Jackrabbit Oak
> Issue Type: New Feature
> Components: core
> Affects Versions: 1.2
> Reporter: angela
> Assignee: angela
> Attachments: OAK-2947.patch
>
>
> Based on some private discussion on how to implement a feature that allows a
> given subject to continue working on 'his' modifications after the changes
> have been persisted, we ([~djaeggi], [~chaotic] and [~anchela]) thought that
> it would be beneficial to have a configuration option in Oak that allows
> certain system users to impersonate regular users irrespective of the
> {{rep:impersonators}} properties present with those users.
> [~fmeschbe] additionally proposed to allow for a configuration that not only
> states the name(s) of the service users but also limits the sudo-rights to
> members of a certain group: for example, the impersonation ability of a
> potential system user "impersonate-content-authors" could be limited to
> impersonating members of the "content-authors" group.
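To make the proposed group-restricted configuration concrete, here is an added illustration that is not Oak's, Sling's or the attached patch's code: a hypothetical caller-side helper that, before calling Session.impersonate, enforces a constructed service-user-to-group mapping and refuses admin targets. Oak's own impersonation check (the rep:impersonators property) still applies to the call; this only narrows what the service code will attempt.

```java
import java.util.Map;
import javax.jcr.Credentials;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;

/**
 * Hypothetical helper (not part of Oak) showing the restriction proposed in
 * OAK-2947: a service user may only impersonate members of one configured group.
 */
public final class RestrictedImpersonation {

    // Constructed configuration: service user id -> id of the group it may impersonate into.
    private final Map<String, String> serviceUserToGroup;

    public RestrictedImpersonation(Map<String, String> serviceUserToGroup) {
        this.serviceUserToGroup = serviceUserToGroup;
    }

    /** Returns a session for targetId, or throws if the policy does not permit it. */
    public Session impersonate(JackrabbitSession serviceSession, String targetId)
            throws RepositoryException {
        String serviceId = serviceSession.getUserID();
        String allowedGroupId = serviceUserToGroup.get(serviceId);
        if (allowedGroupId == null) {
            throw new RepositoryException("not a configured impersonating service user: " + serviceId);
        }
        UserManager um = serviceSession.getUserManager();
        Authorizable target = um.getAuthorizable(targetId);
        // Never impersonate groups or admin users, whatever the configuration says.
        if (target == null || target.isGroup() || ((User) target).isAdmin()) {
            throw new RepositoryException("target is missing, a group, or an admin: " + targetId);
        }
        Authorizable g = um.getAuthorizable(allowedGroupId);
        if (g == null || !g.isGroup() || !((Group) g).isMember(target)) {
            throw new RepositoryException(targetId + " is not a member of " + allowedGroupId);
        }
        // Oak still evaluates its own impersonation rules for this call.
        Credentials creds = new SimpleCredentials(targetId, new char[0]);
        return serviceSession.impersonate(creds);
    }
}
```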