[
https://issues.apache.org/jira/browse/OAK-7952?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16716563#comment-16716563
]
angela commented on OAK-7952:
-----------------------------
[~kwin], i am pretty sure that this is not related to oak but is a consequence
of the new service user mapping format, that allows for aggregation of multiple
service principals that basically replaces the need for group membership. this
is on the sling layer. but definitely not an oak issue.
> JCR System users do no longer consider group ACEs of groups they are member of
> ------------------------------------------------------------------------------
>
> Key: OAK-7952
> URL: https://issues.apache.org/jira/browse/OAK-7952
> Project: Jackrabbit Oak
> Issue Type: Bug
> Components: core
> Affects Versions: 1.8.3
> Reporter: Konrad Windszus
> Priority: Major
> Attachments: OAK-7952_test-servlet.java
>
>
> In Oak 1.8.3 the JCR system users (JCR-3802) do no longer consider the access
> control entries bound to a group principal (belonging to a group they are
> member of). Only direct ACEs seem to be considered.
> I used the attached simple servlet to test read access of an existing
> service-user "workflow-service". Unfortunately it throws a
> {{javax.jcr.PathNotFoundException}} although the service user should inherit
> read access to the accessed path via its group membership. It works
> flawlessly in case the system user has direct read access to that path.
> Some more information about {{SlingRepository.createServiceSession(...)}}.
> Internally the service user implementation does a lookup of the actual
> service user name and then does impersonation from a new admin session
> (https://github.com/apache/sling-org-apache-sling-jcr-base/blob/de884b669836aacb2666da1e7bae1a6735de3bdb/src/main/java/org/apache/sling/jcr/base/AbstractSlingRepository2.java#L197)
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
