[ https://issues.apache.org/jira/browse/OAK-2947?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14974482#comment-14974482 ]

angela commented on OAK-2947:
-----------------------------

what i meant was: along with the service-user mapping we define the set of groups that can be impersonated. upon {{impersonateFromService}} evaluate the groups the target user is member of and build the subject just for those groups. the idea is that you ultimately only act on behalf of this user in his function of member of group a,b,c (and not doing stuff that he/she might be able to do otherwise). i don't see any privilege escalation with this... but i am not sure if that would cover all cases.

> Allow configured system user(s) to impersonate regular users
> ------------------------------------------------------------
>
>                 Key: OAK-2947
>                 URL: https://issues.apache.org/jira/browse/OAK-2947
>             Project: Jackrabbit Oak
>          Issue Type: New Feature
>          Components: core
>    Affects Versions: 1.2
>            Reporter: angela
>            Assignee: angela
>         Attachments: OAK-2947.patch
>
>
> Based on some private discussion on how to implement a feature that allows a 
> given subject to continue working on 'his' modifications after changes being 
> persisted, we ([~djaeggi], [~chaotic] and [~anchela]) thought that it would 
> be beneficial to have a configuration option in Oak that allows certain 
> system users to impersonate regular users irrespective of the 
> {{rep:impersonators}} properties present with those users.
> [~fmeschbe] additionally proposed to allow for a configuration that not only 
> states the name(s) of the service users but also limits the sudo-rights to 
> members of a certain group: for example the impersonation ability of a 
> potential system user "impersonate-content-authors" could be limited to 
> impersonate members of the "content-authors" group.
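The following sketch is an added illustration of the group-restricted impersonation described in the comment above; it is not Oak's code, not the attached OAK-2947.patch, and not part of the JIRA thread. The class name `RestrictedImpersonation`, the method `impersonateFromService(...)`, the `GROUP_MAPPING` and `USER_GROUPS` tables and the user and group names in them are all constructed for this example. The point it demonstrates is the least-privilege property the comment argues for: the impersonated Subject carries only the intersection of the service user's configured groups and the target user's actual memberships, so a membership such as "administrators" that the target user also holds never reaches the impersonated session, and a target user outside every permitted group is refused outright.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;

/**
 * Illustrative sketch (not Oak's implementation) of the idea in the comment:
 * a service user is mapped to the set of groups it may impersonate members of,
 * and the impersonated Subject is built only from those groups that the
 * target user actually belongs to. All names and tables here are constructed.
 */
public class RestrictedImpersonation {

    /** Minimal principal implementation for the example. */
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof NamedPrincipal && ((NamedPrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
        @Override public String toString() { return name; }
    }

    /** Constructed configuration: service user -> groups whose members it may impersonate. */
    static final Map<String, Set<String>> GROUP_MAPPING = Map.of(
        "impersonate-content-authors", Set.of("content-authors"),
        "impersonate-reviewers", Set.of("reviewers", "content-authors"));

    /** Constructed directory: regular user -> groups the user is a member of. */
    static final Map<String, Set<String>> USER_GROUPS = Map.of(
        "alice", Set.of("content-authors", "administrators"),
        "bob", Set.of("reviewers"),
        "carol", Set.of("visitors"));

    /**
     * Builds the Subject a service user may act under on behalf of targetUser.
     * The Subject carries the target user's own principal plus ONLY the groups
     * that are both configured for the service user and held by the target
     * user; any other membership (e.g. "administrators") is deliberately dropped.
     *
     * @throws SecurityException if the service user has no mapping, or the
     *         target user is a member of none of the permitted groups.
     */
    static Subject impersonateFromService(String serviceUser, String targetUser) {
        Set<String> permitted = GROUP_MAPPING.get(serviceUser);
        if (permitted == null) {
            throw new SecurityException("no impersonation mapping for service user " + serviceUser);
        }
        Set<String> memberOf = USER_GROUPS.getOrDefault(targetUser, Collections.emptySet());

        // Intersection: the effective groups of the impersonated session.
        Set<String> effective = new LinkedHashSet<>(memberOf);
        effective.retainAll(permitted);
        if (effective.isEmpty()) {
            throw new SecurityException(serviceUser + " may not impersonate " + targetUser
                + ": not a member of any permitted group " + permitted);
        }

        Set<Principal> principals = new HashSet<>();
        principals.add(new NamedPrincipal(targetUser));
        for (String g : effective) {
            principals.add(new NamedPrincipal(g));
        }
        // Read-only Subject so later code cannot widen the principal set.
        return new Subject(true, principals, Collections.emptySet(), Collections.emptySet());
    }

    public static void main(String[] args) {
        // alice is also an administrator, but the impersonated subject only carries content-authors.
        Subject s = impersonateFromService("impersonate-content-authors", "alice");
        System.out.println("alice via impersonate-content-authors: " + s.getPrincipals());

        // carol is in no permitted group, so the request is refused rather than silently widened.
        try {
            impersonateFromService("impersonate-content-authors", "carol");
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

Running `main` prints a principal set containing only `alice` and `content-authors` for the first call and a denial for the second. The design choice worth noting is that the check is an intersection, not a lookup: the service user's configuration bounds what can be granted, the target user's real memberships bound what is granted, and the Subject is created read-only so the restriction cannot be undone after the fact.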
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)