[ https://issues.apache.org/jira/browse/OAK-9775?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17539787#comment-17539787 ]

Brendan Robert commented on OAK-9775:
-------------------------------------

Also, the validation error produced by this makes no sense today. For example:

org.apache.jackrabbit.oak.api.CommitFailedException: OakAccessControl0013: Duplicate ACE '/rep:policy/deny21' found in policy
        at org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlValidator.accessViolation(AccessControlValidator.java:309) [org.apache.jackrabbit.oak-core:1.40.0.T20211119100624-06dae64]
        at org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlValidator.checkValidPolicy(AccessControlValidator.java:210) [org.apache.jackrabbit.oak-core:1.40.0.T20211119100624-06dae64]

The duplication check is based on the policy content, not the node names; however, the conflicting policy node path is not provided, nor are the policy node values. A developer or admin receiving this error doesn't have a lot of data points to triage the problem in this case.

> ACEs with unsupported restrictions must be cleared upon editing
> ---------------------------------------------------------------
>
>                 Key: OAK-9775
>                 URL: https://issues.apache.org/jira/browse/OAK-9775
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: core, security
>            Reporter: Angela Schreiber
>            Assignee: Angela Schreiber
>            Priority: Critical
>             Fix For: 1.44.0
>
>
> If the tree representation of an access control list contains restrictions that are not supported, the restriction provider will ignore them upon reading the policy from the content repository.
> This will lead to ACEs being generated that contain an incomplete restriction set. However, the access control manager fails to detect them as incomplete or invalid, which upon editing of the policy will lead to
> - incomplete ACEs being written back _or_
> - AccessControlValidator failing in case the incomplete ACEs result in duplications
> Instead, ACEs containing unsupported restrictions must be detected and removed from the policy upon editing (with an error being logged).
> How to get there:
> - custom restrictions being written to the repository and the custom restriction provider being uninstalled from the security setup
> - using newer restrictions and then using that repository content with an older Oak version that doesn't support those restrictions



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
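The failure mode described in the issue and the diagnostic gap raised in the comment, as an added illustration that is not Oak code and not part of the Jira thread: a small Python model of a rep:policy tree in which two ACE nodes differ only by a restriction whose provider is no longer installed. Reading them through a provider that silently drops unknown restrictions makes their content identical, so a content-based duplicate check (which ignores node names) trips; the model also shows the fix the issue asks for (drop ACEs with unsupported restrictions and log an error) and an error message that names both conflicting paths. The restriction names, node paths, principal and privilege strings are all constructed sample values; the supported-restriction set is an assumption for the example.

```python
"""Model of content-based ACE duplicate detection under dropped restrictions.

Constructed example, not Jackrabbit Oak's implementation. It mirrors the
behaviour described in OAK-9775: a restriction provider that ignores
restrictions it does not know about, and a validator that compares ACEs by
content rather than by node name.
"""
import logging
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

log = logging.getLogger("ace-model")

# Restriction names this hypothetical security setup supports (assumption).
SUPPORTED_RESTRICTIONS: FrozenSet[str] = frozenset({"rep:glob", "rep:ntNames"})

Restrictions = Tuple[Tuple[str, str], ...]          # (name, value) pairs as stored
Key = Tuple[str, bool, FrozenSet[str], Restrictions]  # what the validator compares


@dataclass(frozen=True)
class AceNode:
    """One ACE node as stored below rep:policy (constructed model)."""
    path: str                  # e.g. "/content/rep:policy/deny21"
    principal: str
    allow: bool
    privileges: FrozenSet[str]
    restrictions: Restrictions


def effective_key(ace: AceNode, supported: FrozenSet[str]) -> Key:
    """Identity of an ACE as seen through the restriction provider.

    Unsupported restrictions are silently dropped, which is exactly the
    behaviour the issue describes; the node name plays no part in the key.
    """
    kept = tuple(sorted((n, v) for n, v in ace.restrictions if n in supported))
    return (ace.principal, ace.allow, ace.privileges, kept)


def find_duplicates(aces: List[AceNode], supported: FrozenSet[str]) -> List[Tuple[str, str]]:
    """Content-based duplicate check; returns (first_path, duplicate_path) pairs."""
    seen: Dict[Key, str] = {}
    dups: List[Tuple[str, str]] = []
    for ace in aces:
        key = effective_key(ace, supported)
        if key in seen:
            dups.append((seen[key], ace.path))
        else:
            seen[key] = ace.path
    return dups


def format_violation(first_path: str, dup_path: str, ace: AceNode, supported: FrozenSet[str]) -> str:
    """Error text carrying what the comment found missing: both paths and the effective content."""
    _, allow, privs, kept = effective_key(ace, supported)
    dropped = sorted(n for n, _ in ace.restrictions if n not in supported)
    return (
        f"Duplicate ACE '{dup_path}' found in policy: same effective content as '{first_path}' "
        f"(principal={ace.principal}, {'allow' if allow else 'deny'}, privileges={sorted(privs)}, "
        f"restrictions={list(kept)}, ignored unsupported restrictions={dropped})"
    )


def clean_policy(aces: List[AceNode], supported: FrozenSet[str]) -> Tuple[List[AceNode], List[AceNode]]:
    """The fix the issue asks for: remove ACEs carrying unsupported restrictions
    before the policy is edited, logging an error for each one removed."""
    kept: List[AceNode] = []
    removed: List[AceNode] = []
    for ace in aces:
        unsupported = sorted(n for n, _ in ace.restrictions if n not in supported)
        if unsupported:
            log.error("Removing ACE %s: unsupported restrictions %s", ace.path, unsupported)
            removed.append(ace)
        else:
            kept.append(ace)
    return kept, removed


# Constructed sample policy: deny2 and deny21 differ only by "acme:custom",
# a restriction whose provider has been uninstalled from this setup.
SAMPLE_POLICY: List[AceNode] = [
    AceNode("/content/rep:policy/allow0", "jackrabbit", True, frozenset({"jcr:read"}), ()),
    AceNode("/content/rep:policy/deny2", "jackrabbit", False, frozenset({"jcr:write"}),
            (("rep:glob", "/*/secret"),)),
    AceNode("/content/rep:policy/deny21", "jackrabbit", False, frozenset({"jcr:write"}),
            (("rep:glob", "/*/secret"), ("acme:custom", "x"))),
]


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    for first, dup in find_duplicates(SAMPLE_POLICY, SUPPORTED_RESTRICTIONS):
        ace = next(a for a in SAMPLE_POLICY if a.path == dup)
        print(format_violation(first, dup, ace, SUPPORTED_RESTRICTIONS))
    kept, removed = clean_policy(SAMPLE_POLICY, SUPPORTED_RESTRICTIONS)
    print(f"kept {len(kept)} ACEs, removed {[a.path for a in removed]}")
    print("duplicates after cleaning:", find_duplicates(kept, SUPPORTED_RESTRICTIONS))
```

With the custom provider installed (add "acme:custom" to the supported set) the same tree yields no duplicates, which is why the problem only appears after a provider is uninstalled or the content is read by an older version; after `clean_policy` the remaining ACEs pass the duplicate check, and the error that was logged records which node was dropped and why.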