This is an automated email from the ASF dual-hosted git repository. angela pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git
The following commit(s) were added to refs/heads/trunk by this push: new e796745ebe OAK-10563 : Document mapping of actions to privileges e796745ebe is described below commit e796745ebeee3205bf499034a0fd25e9d3f2cde2 Author: angela <anch...@adobe.com> AuthorDate: Thu Nov 23 17:53:17 2023 +0100 OAK-10563 : Document mapping of actions to privileges --- oak-doc/src/site/markdown/security/permission.md | 2 + .../permission/permissionsandprivileges.md | 2 +- oak-doc/src/site/markdown/security/privilege.md | 3 ++ .../site/markdown/security/privilege/default.md | 3 +- .../privilege/mappingprivilegestoactions.md | 59 ++++++++++++++++++++++ 5 files changed, 67 insertions(+), 2 deletions(-) diff --git a/oak-doc/src/site/markdown/security/permission.md b/oak-doc/src/site/markdown/security/permission.md index 59450b737d..eb963aad94 100644 --- a/oak-doc/src/site/markdown/security/permission.md +++ b/oak-doc/src/site/markdown/security/permission.md @@ -152,6 +152,8 @@ Not used in Oak 1.0: #### Mapping of JCR Actions to Oak Permissions +See also section ['Mapping Privileges to JCR/Jackrabbit Actions'](privilege/mappingprivilegestoactions.html). + `ACTION_READ`: - access control content: `Permissions.READ_ACCESS_CONTROL` diff --git a/oak-doc/src/site/markdown/security/permission/permissionsandprivileges.md b/oak-doc/src/site/markdown/security/permission/permissionsandprivileges.md index 79bb580eb0..f31c57f25d 100644 --- a/oak-doc/src/site/markdown/security/permission/permissionsandprivileges.md +++ b/oak-doc/src/site/markdown/security/permission/permissionsandprivileges.md @@ -106,6 +106,6 @@ requires the ability to read access control content on the target path. - [Mapping Privileges to Items](../privilege/mappingtoitems.html) - [Mapping API Calls to Privileges](../privilege/mappingtoprivileges.html) - +- [Mapping Privileges to JCR/Jackrabbit Actions](../privilege/mappingprivilegestoactions.html) 
diff --git a/oak-doc/src/site/markdown/security/privilege.md b/oak-doc/src/site/markdown/security/privilege.md index 97c90bff29..d9a8c508ed 100644 --- a/oak-doc/src/site/markdown/security/privilege.md +++ b/oak-doc/src/site/markdown/security/privilege.md @@ -112,6 +112,9 @@ of the default access control and permission evaluation. - Mapping Privileges to Items and API Calls - [Mapping Privileges to Items](privilege/mappingtoitems.html) - [Mapping API Calls to Privileges](privilege/mappingtoprivileges.html) +- Mapping JCR/Jackrabbit Actions + - [Mapping Privileges to JCR/Jackrabbit Actions](privilege/mappingprivilegestoactions.html) + - [Mapping of JCR Actions to Oak Permissions](permission.html#mapping-of-jcr-actions-to-oak-permissions) <!-- references --> diff --git a/oak-doc/src/site/markdown/security/privilege/default.md b/oak-doc/src/site/markdown/security/privilege/default.md index 13fbcd8438..f7e36bf6ac 100644 --- a/oak-doc/src/site/markdown/security/privilege/default.md +++ b/oak-doc/src/site/markdown/security/privilege/default.md @@ -92,7 +92,8 @@ The new Privileges introduced with Oak 1.0 have the following effect: #### Mapping Privileges to Items and API Calls An overview on how the built-in privileges map to API calls and individual items can be found in ['Mapping Privileges to Items'](mappingtoitems.html) -and ['Mapping API Calls to Privileges'](mappingtoprivileges.html) +and ['Mapping API Calls to Privileges'](mappingtoprivileges.html). +See also ['Mapping Privileges to JCR/Jackrabbit Actions'](mappingprivilegestoactions.html) and ['Mapping of JCR Actions to Oak Permissions'](../permission.html#mapping-of-jcr-actions-to-oak-permissions) <a name="representation"></a> ### Representation in the Repository diff --git a/oak-doc/src/site/markdown/security/privilege/mappingprivilegestoactions.md b/oak-doc/src/site/markdown/security/privilege/mappingprivilegestoactions.md new file mode 100644 index 0000000000..35d488badb --- /dev/null 
+++ b/oak-doc/src/site/markdown/security/privilege/mappingprivilegestoactions.md 
@@ -0,0 +1,59 @@ +<!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + --> +### Mapping Jcr Actions to Privileges + +| Jcr/Jackrabbit Action | Privilege | +|------------------------------|------------------------------------------------------------------------| +| ACTION_READ | jcr:read | +| ACTION_READ on node | rep:readNodes | +| ACTION_READ on prop | rep:readProperties | +| ACTION_SET_PROPERTY | jcr:modifyProperties | +| ACTION_ADD_PROPERTY | rep:addProperties | +| ACTION_MODIFY_PROPERTY | rep:alterProperties | +| ACTION_REMOVE_PROPERTY | rep:removeProperties | +| ACTION_ADD_NODE | jcr:addChildNodes on parent | +| ACTION_REMOVE_NODE | jcr:removeNode on target + jcr:removeChildNodes on parent | +| ACTION_REMOVE on prop | rep:removeProperties | +| ACTION_REMOVE on node | jcr:removeNode on target + jcr:removeChildNodes on parent | +| ACTION_NODE_TYPE_MANAGEMENT | jcr:nodeTypeManagement | +| - (combination of actions) | jcr:write (NOTE: add/remove node requires privileges granted on parent) | +| - (combination of actions) | rep:write (NOTE: add/remove node requires privileges granted on parent) | +| ACTION_USER_MANAGEMENT | rep:userManagement | +| ACTION_LOCKING | jcr:lockManagement | +| ACTION_VERSIONING | jcr:versionManagement | +| - | 
rep:indexDefinitionManagement | +| ACTION_READ_ACCESS_CONTROL | jcr:readAccessControl | +| ACTION_MODIFY_ACCESS_CONTROL | jcr:modifyAccessControl | +| - | rep:privilegeManagement | +| - | jcr:nodeTypeDefinitionManagement | +| - | jcr:namespaceManagement | +| - | jcr:all | + +Mapping for unsupported operations in Oak + +| Jcr/Jackrabbit Action | Privilege | +|-----------------------|-------------------------| +| - | jcr:retentionManagement | +| - | jcr:lifecycleManagement | +| - | jcr:workspaceManagement | + +### Further Reading + +- [Mapping Privileges to Items](mappingtoitems.html) +- [Mapping API Calls to Privileges](mappingtoprivileges.html) +- [Mapping of JCR Actions to Oak Permissions](../permission.html#mapping-of-jcr-actions-to-oak-permissions) +
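Review bot: In the default.md hunk, the added "See also ['Mapping Privileges to JCR/Jackrabbit Actions'] ... ['Mapping of JCR Actions to Oak Permissions']" line ends without a period, although the same hunk adds the missing period to the sentence before it; close the new sentence the same way. The section heading above it still reads "Mapping Privileges to Items and API Calls" while the paragraph now also points to the action mappings, so consider widening the heading or moving the new links under their own one.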
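Review bot: In the new mappingprivilegestoactions.md, the page heading "### Mapping Jcr Actions to Privileges" does not match the title used by every link this commit adds ("Mapping Privileges to JCR/Jackrabbit Actions") or the file name; pick one direction and the "JCR" capitalization so link text and page title agree. The two "- (combination of actions)" rows for jcr:write and rep:write leave the reader to guess which actions are meant, which matters for anyone translating an action check into a privilege grant; name the actions in the first column, and consider spelling out in the NOTE that the parent-side privilege is the jcr:addChildNodes / jcr:removeChildNodes shown in the ACTION_ADD_NODE and ACTION_REMOVE_NODE rows. "Mapping for unsupported operations in Oak" is plain text above the second table; a heading in the style of "### Further Reading" would make it addressable by anchor.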