[
https://issues.apache.org/jira/browse/OAK-4959?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Chetan Mehrotra updated OAK-4959:
---------------------------------
Attachment: OAK-4959-v1.patch
[initial patch|^OAK-4959-v1.patch] for the same to get feedback. Some minor
tweaks might be required later post full testsuite run results
It follows the approach used by {{ExternalIdentityValidatorProvider}}. It
introduces {{BundlingConfigSecurityValidator}} which registers itself as a
{{PrincipalConfiguration}} and provides a {{SubtreeValidator}} for path
_/jcr:system/rep:documentStore/bundlor_ and allows only those modifications
where the session has a system or admin principal associated with it
Key aspects
* Its not possible to just register a {{SecurityConfiguration}} for just
providing a {{Validator}}. So as a workaround it has to register a
{{PrincipalConfiguration}} which returns a Empty principal provider
* It modifies the default config for {{SecurityProviderRegistration}} so that
it waits for the {{BundlingConfigSecurityValidator}} registration
[~anchela] Please review the proposed patch.
> Review the security aspect of bundling configuration
> ----------------------------------------------------
>
> Key: OAK-4959
> URL: https://issues.apache.org/jira/browse/OAK-4959
> Project: Jackrabbit Oak
> Issue Type: Task
> Components: documentmk
> Reporter: Chetan Mehrotra
> Assignee: Chetan Mehrotra
> Labels: bundling
> Fix For: 1.5.18, 1.6
>
> Attachments: OAK-4959-v1.patch
>
>
> The config for node bundling feature in DocumentNodeStore is currently stored
> under {{jcr:system/rep:documentStore/bundlor}}. This task is meant to
> * Review the access control aspect - This config should be only updatetable
> by system admin
> * Config under here should be writeable via JCR api
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
