Angela Schreiber created OAK-9761:
-------------------------------------
Summary: Investigate evaluation improvement for subtrees with read
access to all regular nodes/properties
Key: OAK-9761
URL: https://issues.apache.org/jira/browse/OAK-9761
Project: Jackrabbit Oak
Issue Type: Epic
Components: authorization-principalbased, core, security, security-spi
Reporter: Angela Schreiber
Assignee: Angela Schreiber
Today permission evaluation contains a shortcut for evaluation of read access
when a given session is known to have full read access on a given subtree i.e.
including reading all access control content stored below that tree.
In case {{TreePermission.canReadAll()}} returns true the {{SecureNodeState}}
will no longer create a permission-evaluating wrapper around child items.
However, due to the nature of the default access control management that allows
for nested allow-deny entries, {{TreePermission.canReadAll()}} returns false
unless the subject is known to have full administrative access.
This goal of this improvement is to investigate additional optimizations for
cases where read-access to regular items is granted in a given subtree like it
is e.g. the case of those paths that are defined to be always readable (see
e.g.
https://github.com/apache/jackrabbit-oak/blob/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationConfigurationImpl.java#L107-L113)
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
