[
https://issues.apache.org/jira/browse/OAK-9761?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Angela Schreiber updated OAK-9761:
----------------------------------
Description:
Today permission evaluation contains a shortcut for evaluation of read access
when a given session is known to have full read access on a given subtree i.e.
including reading all access control content stored below that tree.
In case {{TreePermission.canReadAll()}} returns true the {{SecureNodeState}}
will no longer create a permission-evaluating wrapper around child items.
However, due to the nature of the default access control management that allows
for nested allow-deny entries, {{TreePermission.canReadAll()}} returns false
unless the subject is known to have full administrative access.
The goal of this improvement is to investigate additional optimizations for
cases where read-access to regular items is granted in a given subtree like it
is e.g. the case of those paths that are defined to be always readable (see
e.g.
https://github.com/apache/jackrabbit-oak/blob/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationConfigurationImpl.java#L107-L113)
cc: [~joerghoh], [[email protected]]
was:
Today permission evaluation contains a shortcut for evaluation of read access
when a given session is known to have full read access on a given subtree i.e.
including reading all access control content stored below that tree.
In case {{TreePermission.canReadAll()}} returns true the {{SecureNodeState}}
will no longer create a permission-evaluating wrapper around child items.
However, due to the nature of the default access control management that allows
for nested allow-deny entries, {{TreePermission.canReadAll()}} returns false
unless the subject is known to have full administrative access.
The goal of this improvement is to investigate additional optimizations for
cases where read-access to regular items is granted in a given subtree like it
is e.g. the case of those paths that are defined to be always readable (see
e.g.
https://github.com/apache/jackrabbit-oak/blob/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationConfigurationImpl.java#L107-L113)
> Investigate evaluation improvement for subtrees with read access to all
> regular nodes/properties
> ------------------------------------------------------------------------------------------------
>
> Key: OAK-9761
> URL: https://issues.apache.org/jira/browse/OAK-9761
> Project: Jackrabbit Oak
> Issue Type: Epic
> Components: authorization-principalbased, core, security,
> security-spi
> Reporter: Angela Schreiber
> Assignee: Angela Schreiber
> Priority: Major
>
> Today permission evaluation contains a shortcut for evaluation of read access
> when a given session is known to have full read access on a given subtree
> i.e. including reading all access control content stored below that tree.
> In case {{TreePermission.canReadAll()}} returns true the {{SecureNodeState}}
> will no longer create a permission-evaluating wrapper around child items.
> However, due to the nature of the default access control management that
> allows for nested allow-deny entries, {{TreePermission.canReadAll()}} returns
> false unless the subject is known to have full administrative access.
> The goal of this improvement is to investigate additional optimizations for
> cases where read-access to regular items is granted in a given subtree like
> it is e.g. the case of those paths that are defined to be always readable
> (see e.g.
> https://github.com/apache/jackrabbit-oak/blob/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationConfigurationImpl.java#L107-L113)
> cc: [~joerghoh], [[email protected]]
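An added illustration (not Oak code and not part of the original message) of why nested allow-deny entries keep the read shortcut from applying below a readable subtree root. It is a simplified single-principal model in which the closest entry on the path decides and root-level entries are not modelled; the class, method and path names are assumptions made for the example.

```java
import java.util.Map;
import java.util.TreeMap;

// Simplified model, not Oak code: one principal, read permission only,
// and the entry on the closest ancestor-or-self path decides.
public class ReadShortcutDemo {
    // path -> true (allow read) / false (deny read); constructed sample entries
    static final TreeMap<String, Boolean> ENTRIES = new TreeMap<>(Map.of(
            "/content", true,
            "/content/site/private", false,
            "/libs", true));

    // Full evaluation: walk up from the path until an entry is found.
    static boolean canRead(String path) {
        for (String p = path; !p.isEmpty(); p = p.substring(0, p.lastIndexOf('/'))) {
            Boolean allow = ENTRIES.get(p);
            if (allow != null) return allow;
        }
        return false; // no entry on any ancestor: default deny
    }

    // Safe precondition for skipping per-item checks below 'root':
    // read is granted at 'root' and no deny entry is nested beneath it.
    static boolean canReadAll(String root) {
        if (!canRead(root)) return false;
        String prefix = root + "/";
        return ENTRIES.tailMap(prefix).entrySet().stream()
                .takeWhile(e -> e.getKey().startsWith(prefix))
                .allMatch(Map.Entry::getValue);
    }

    // Reading a child the way a wrapper-skipping shortcut would: once the
    // shortcut flag holds for the subtree root, children are not re-checked.
    static boolean readVia(boolean shortcutFlag, String child) {
        return shortcutFlag || canRead(child);
    }

    public static void main(String[] args) {
        String child = "/content/site/private/report";
        System.out.println("full evaluation:        " + canRead(child));
        System.out.println("flag = root readable:   " + readVia(canRead("/content"), child));
        System.out.println("flag = canReadAll:      " + readVia(canReadAll("/content"), child));
        System.out.println("canReadAll(\"/libs\"):    " + canReadAll("/libs"));
    }
}
```

Using "root is readable" as the shortcut flag exposes the item under the nested deny, while the stricter flag matches full evaluation; a subtree without nested deny entries, such as the sample `/libs`, is where the shortcut can apply safely.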