[jira] [Reopened] (OAK-210) granularity of persisted data
[ https://issues.apache.org/jira/browse/OAK-210?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Stefan Guggisberg reopened OAK-210: --- i don't agree with the resolution 'Incomplete'. the description is IMO pretty clear. granularity of persisted data - Key: OAK-210 URL: https://issues.apache.org/jira/browse/OAK-210 Project: Jackrabbit Oak Issue Type: Improvement Components: mk Reporter: Stefan Guggisberg Assignee: Stefan Guggisberg the current persistence granularity is _single nodes_ (a node consists of properties and child node information). instead of storing/retrieving single nodes it would IMO make sense to store subtree aggregates of specific nodes. the choice of granularity could be based on simple filter criteria (e.g. property value). dynamic persistence granularity would help reducing the number of records and r/w operations on the underlying store, thus improving performance. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-1133) Observation listener PLUS
[ https://issues.apache.org/jira/browse/OAK-1133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13813767#comment-13813767 ] Michael Dürig commented on OAK-1133: I think once the suggested refactorings from OAK-1143 are done, it should be quite easy to extend the current observation mechanism to cater of most/all of the requirements listed here and also include things from the patch on OAK-1120 as well as including the {{ExcludeExternal}} semantics from OAK-1121 Observation listener PLUS - Key: OAK-1133 URL: https://issues.apache.org/jira/browse/OAK-1133 Project: Jackrabbit Oak Issue Type: New Feature Components: commons, jcr Reporter: Alexander Klimetschek Labels: performance Oak should provide an *extended and efficient JCR observation listener* mechanism to support common use cases not handled well by the restricted options of the JCR observation (only base path, node types and raw events). Those cases require listeners to register much more broadly and then filter out their specific cases themselves, thus putting too many events into the observation system and creating a huge overhead due to asynchronous access to the modified JCR data to do the filtering. This easily is a big performance bottleneck with many writes and thus many events. Previous discussions [on the list|http://markmail.org/message/oyq7fnfrveceemoh] and in OAK-1120. The goals should be: * performance: handle filtering as early as possible, during the commit, where access to the modified data is already present * provide robust implementation for typical filtering cases * provide an asynchronous listener mechanism as in JCR * minimize effect on the lower levels on Oak (a visible addition in oak-commons or oak-jcr should be enough) * for delete events, allow filtering on the to-be-deleted data (currently not possible in jcr listeners that run after the fact) * ignore external cluster events by default; have an extra option if you really want to register for external events * if possible: design as an extension of the jcr observation to simplify migration for existing code * if possible: provide an intelligent listener that can work with pure JCR (aka Jackrabbit 2) as well, by falling back to in-listener-filtering * maybe: synchronous option using the same simple interface (instead of raw Oak plugins itself); however, not sure if there is a benefit if they can only read data and not change or block the session commit Typical filtering cases: - paths with globbing support (for example /content/foo/*/something) - check for property values (equal, not equal, contains etc.), most importantly sling:resourceType in Sling apps - allow to check properties on child nodes as well, typically jcr:content - check for any parent/ancestor as well (e.g. change deep inside a node type = foo structure should be triggered, even if the node with the type wasn't modified; very important to support efficiently) - node types (already in jcr observation) - created/modified/deleted events, separate from move/copy - and more... a custom filter should be possible to pass through (with similar access as the {{Observer}}) -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-1126) Same node and property name support
[ https://issues.apache.org/jira/browse/OAK-1126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13813766#comment-13813766 ] Stefan Guggisberg commented on OAK-1126: bq. AFAICT the only change to the JSOP format would be to adjust the addNode syntax to use the :children mechanism for child nodes. that's what i meant by json_diff format changes. it's IMO a drastic change since it makes importing arbitrary JSON impossible (or at least very awkward). Same node and property name support --- Key: OAK-1126 URL: https://issues.apache.org/jira/browse/OAK-1126 Project: Jackrabbit Oak Issue Type: Sub-task Components: core, doc, jcr Reporter: Tobias Bocanegra Attachments: 0001-OAK-1126-Same-node-and-property-name-support.patch, 0002-OAK-1126-Same-node-and-property-name-support.patch, OAK-1126.patch The initial MK abstraction mandated that the nodes and properties share the same namespace (http://wiki.apache.org/jackrabbit/RepositoryMicroKernel#Data%20Model). This is a regression from Jackrabbit 2.x, which supports same name nodes and properties (SNNP). OTOH, the NodeStores can easily support SNNP and with proper escaping, the MKs can also support it. We should try to keep the support for SNNP in order to keep backward compatibility for existing content, and also keep the support for importing XML documents with same attribute and element names. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-1126) Same node and property name support
[ https://issues.apache.org/jira/browse/OAK-1126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13813781#comment-13813781 ] Thomas Mueller commented on OAK-1126: - it makes importing arbitrary JSON impossible Hm, we already have quite a few limitations, for example array may only contain values of the same type, (and not objects). Same node and property name support --- Key: OAK-1126 URL: https://issues.apache.org/jira/browse/OAK-1126 Project: Jackrabbit Oak Issue Type: Sub-task Components: core, doc, jcr Reporter: Tobias Bocanegra Attachments: 0001-OAK-1126-Same-node-and-property-name-support.patch, 0002-OAK-1126-Same-node-and-property-name-support.patch, OAK-1126.patch The initial MK abstraction mandated that the nodes and properties share the same namespace (http://wiki.apache.org/jackrabbit/RepositoryMicroKernel#Data%20Model). This is a regression from Jackrabbit 2.x, which supports same name nodes and properties (SNNP). OTOH, the NodeStores can easily support SNNP and with proper escaping, the MKs can also support it. We should try to keep the support for SNNP in order to keep backward compatibility for existing content, and also keep the support for importing XML documents with same attribute and element names. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-1126) Same node and property name support
[ https://issues.apache.org/jira/browse/OAK-1126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13813785#comment-13813785 ] Michael Dürig commented on OAK-1126: bq. since it makes importing arbitrary JSON impossible (or at least very awkward). This was never a use case. From the beginning on oak-core was deemed to be the only client to the MicroKernel ever. Same node and property name support --- Key: OAK-1126 URL: https://issues.apache.org/jira/browse/OAK-1126 Project: Jackrabbit Oak Issue Type: Sub-task Components: core, doc, jcr Reporter: Tobias Bocanegra Attachments: 0001-OAK-1126-Same-node-and-property-name-support.patch, 0002-OAK-1126-Same-node-and-property-name-support.patch, OAK-1126.patch The initial MK abstraction mandated that the nodes and properties share the same namespace (http://wiki.apache.org/jackrabbit/RepositoryMicroKernel#Data%20Model). This is a regression from Jackrabbit 2.x, which supports same name nodes and properties (SNNP). OTOH, the NodeStores can easily support SNNP and with proper escaping, the MKs can also support it. We should try to keep the support for SNNP in order to keep backward compatibility for existing content, and also keep the support for importing XML documents with same attribute and element names. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-1131) Provide a way to inject Observer instances into NodeStore implementations
[ https://issues.apache.org/jira/browse/OAK-1131?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13813790#comment-13813790 ] Marcel Reutegger commented on OAK-1131: --- Done in revision: http://svn.apache.org/r1538908 Provide a way to inject Observer instances into NodeStore implementations -- Key: OAK-1131 URL: https://issues.apache.org/jira/browse/OAK-1131 Project: Jackrabbit Oak Issue Type: Improvement Components: core Reporter: Michael Dürig Currently {{KernelNodeStore}} has a public {{setObserver()}} method, {{SegmentNodeStore}} has its {{Observer}} hard coded to the empty observer and no way to set it and {{MongoNodeStore}} has no {{Observer}} at all. To make the observer mechanism useful for clients we should come up with a way to inject {{Observer}} instances into a {{NodeStore}}. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-1126) Same node and property name support
[ https://issues.apache.org/jira/browse/OAK-1126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13813798#comment-13813798 ] Stefan Guggisberg commented on OAK-1126: bq. This was never a use case. From the beginning on oak-core was deemed to be the only client to the MicroKernel ever. i beg to differ. the MicroKernel API was designed to be portable from scratch. therefore it's obvious that it's possible to implement and use it in different languages/stacks (e.g. c, nodejs, etc). Same node and property name support --- Key: OAK-1126 URL: https://issues.apache.org/jira/browse/OAK-1126 Project: Jackrabbit Oak Issue Type: Sub-task Components: core, doc, jcr Reporter: Tobias Bocanegra Attachments: 0001-OAK-1126-Same-node-and-property-name-support.patch, 0002-OAK-1126-Same-node-and-property-name-support.patch, OAK-1126.patch The initial MK abstraction mandated that the nodes and properties share the same namespace (http://wiki.apache.org/jackrabbit/RepositoryMicroKernel#Data%20Model). This is a regression from Jackrabbit 2.x, which supports same name nodes and properties (SNNP). OTOH, the NodeStores can easily support SNNP and with proper escaping, the MKs can also support it. We should try to keep the support for SNNP in order to keep backward compatibility for existing content, and also keep the support for importing XML documents with same attribute and element names. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-1133) Observation listener PLUS
[ https://issues.apache.org/jira/browse/OAK-1133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13813804#comment-13813804 ] Thomas Mueller commented on OAK-1133: - listener registrations would include whether they care about local or external events very dedicated extra step in the registration API to do so Yes, that makes sense. It should be relatively hard to register listeners for external events. This is not convenience, this is reducing unnecessary work. It's probably both convenience and reducing work. Convenience is good, if it results in less and/or clearer code :-) Observation listener PLUS - Key: OAK-1133 URL: https://issues.apache.org/jira/browse/OAK-1133 Project: Jackrabbit Oak Issue Type: New Feature Components: commons, jcr Reporter: Alexander Klimetschek Labels: performance Oak should provide an *extended and efficient JCR observation listener* mechanism to support common use cases not handled well by the restricted options of the JCR observation (only base path, node types and raw events). Those cases require listeners to register much more broadly and then filter out their specific cases themselves, thus putting too many events into the observation system and creating a huge overhead due to asynchronous access to the modified JCR data to do the filtering. This easily is a big performance bottleneck with many writes and thus many events. Previous discussions [on the list|http://markmail.org/message/oyq7fnfrveceemoh] and in OAK-1120. The goals should be: * performance: handle filtering as early as possible, during the commit, where access to the modified data is already present * provide robust implementation for typical filtering cases * provide an asynchronous listener mechanism as in JCR * minimize effect on the lower levels on Oak (a visible addition in oak-commons or oak-jcr should be enough) * for delete events, allow filtering on the to-be-deleted data (currently not possible in jcr listeners that run after the fact) * ignore external cluster events by default; have an extra option if you really want to register for external events * if possible: design as an extension of the jcr observation to simplify migration for existing code * if possible: provide an intelligent listener that can work with pure JCR (aka Jackrabbit 2) as well, by falling back to in-listener-filtering * maybe: synchronous option using the same simple interface (instead of raw Oak plugins itself); however, not sure if there is a benefit if they can only read data and not change or block the session commit Typical filtering cases: - paths with globbing support (for example /content/foo/*/something) - check for property values (equal, not equal, contains etc.), most importantly sling:resourceType in Sling apps - allow to check properties on child nodes as well, typically jcr:content - check for any parent/ancestor as well (e.g. change deep inside a node type = foo structure should be triggered, even if the node with the type wasn't modified; very important to support efficiently) - node types (already in jcr observation) - created/modified/deleted events, separate from move/copy - and more... a custom filter should be possible to pass through (with similar access as the {{Observer}}) -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-1126) Same node and property name support
[ https://issues.apache.org/jira/browse/OAK-1126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13813810#comment-13813810 ] angela commented on OAK-1126: - {quote} This was never a use case. From the beginning on oak-core was deemed to be the only client to the MicroKernel ever. {quote} i can confirm this; it was one of the fundamental design decisions and i was always and officially promised that oak-core was the only way to access the microkernel when i expressed concerns wrt security of the MK. if this has changed in the mean time we should also reconsider on how to secure the MK. Same node and property name support --- Key: OAK-1126 URL: https://issues.apache.org/jira/browse/OAK-1126 Project: Jackrabbit Oak Issue Type: Sub-task Components: core, doc, jcr Reporter: Tobias Bocanegra Attachments: 0001-OAK-1126-Same-node-and-property-name-support.patch, 0002-OAK-1126-Same-node-and-property-name-support.patch, OAK-1126.patch The initial MK abstraction mandated that the nodes and properties share the same namespace (http://wiki.apache.org/jackrabbit/RepositoryMicroKernel#Data%20Model). This is a regression from Jackrabbit 2.x, which supports same name nodes and properties (SNNP). OTOH, the NodeStores can easily support SNNP and with proper escaping, the MKs can also support it. We should try to keep the support for SNNP in order to keep backward compatibility for existing content, and also keep the support for importing XML documents with same attribute and element names. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-1135) NPE in CompiledPermissionImpl.getTreePermission()
[ https://issues.apache.org/jira/browse/OAK-1135?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13813812#comment-13813812 ] Chetan Mehrotra commented on OAK-1135: -- bq. if it's not a simple setup i would suggst to use the jcr-logger present with jackrabbit-commons to determine the set of JCR calls that lead to the problem [~anchela] Can you provide any link to this feature. Looks useful for such debugging but not able to find any reference for that NPE in CompiledPermissionImpl.getTreePermission() - Key: OAK-1135 URL: https://issues.apache.org/jira/browse/OAK-1135 Project: Jackrabbit Oak Issue Type: Improvement Reporter: Tobias Bocanegra Fix For: 0.11 I don't know exactly why and when, but accessing an property in the version store can yield to an NPE in CompiledPermissionImpl.getTreePermission() if the TreeLocation is a PropertyLocation. then TreeLocation.getTree() returbs NULL and subsequently causes a NPE. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-1135) NPE in CompiledPermissionImpl.getTreePermission()
[ https://issues.apache.org/jira/browse/OAK-1135?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13813821#comment-13813821 ] angela commented on OAK-1135: - actually it's in the sandbox not in the commons project :-) i got the link from thomas who originally created the feature: http://svn.apache.org/viewvc/jackrabbit/trunk/contrib/jcrlog/?pathrev=540521 NPE in CompiledPermissionImpl.getTreePermission() - Key: OAK-1135 URL: https://issues.apache.org/jira/browse/OAK-1135 Project: Jackrabbit Oak Issue Type: Improvement Reporter: Tobias Bocanegra Fix For: 0.11 I don't know exactly why and when, but accessing an property in the version store can yield to an NPE in CompiledPermissionImpl.getTreePermission() if the TreeLocation is a PropertyLocation. then TreeLocation.getTree() returbs NULL and subsequently causes a NPE. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Created] (OAK-1145) [Observation] Support for EventJournal in Oak
Daniel Platon created OAK-1145: -- Summary: [Observation] Support for EventJournal in Oak Key: OAK-1145 URL: https://issues.apache.org/jira/browse/OAK-1145 Project: Jackrabbit Oak Issue Type: New Feature Affects Versions: 0.10 Reporter: Daniel Platon Please add support for EventJournal in Oak, as it was present in Jackrabbit 2. Thank you. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Resolved] (OAK-1131) Provide a way to inject Observer instances into NodeStore implementations
[ https://issues.apache.org/jira/browse/OAK-1131?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Michael Dürig resolved OAK-1131. Resolution: Fixed Fix Version/s: 0.11 Assignee: Michael Dürig Thanks Marcel. Thus resolving as fixed. Provide a way to inject Observer instances into NodeStore implementations -- Key: OAK-1131 URL: https://issues.apache.org/jira/browse/OAK-1131 Project: Jackrabbit Oak Issue Type: Improvement Components: core Reporter: Michael Dürig Assignee: Michael Dürig Fix For: 0.11 Currently {{KernelNodeStore}} has a public {{setObserver()}} method, {{SegmentNodeStore}} has its {{Observer}} hard coded to the empty observer and no way to set it and {{MongoNodeStore}} has no {{Observer}} at all. To make the observer mechanism useful for clients we should come up with a way to inject {{Observer}} instances into a {{NodeStore}}. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Resolved] (OAK-1098) AuthorizableImpl methods should convert path to Oak path
[ https://issues.apache.org/jira/browse/OAK-1098?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] angela resolved OAK-1098. - Resolution: Fixed AuthorizableImpl methods should convert path to Oak path Key: OAK-1098 URL: https://issues.apache.org/jira/browse/OAK-1098 Project: Jackrabbit Oak Issue Type: Bug Components: core Reporter: Michael Dürig Assignee: angela The methods on {{AuthorizableImpl}} that take a path as an argument all pass that on without converting it to an oak path. I think this is wrong. If not on this layer probably further below. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Comment Edited] (OAK-910) Privilege Management: Document changes wrt Jackrabbit
[ https://issues.apache.org/jira/browse/OAK-910?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13720871#comment-13720871 ] angela edited comment on OAK-910 at 11/5/13 1:09 PM: - h4. 1. Characteristics of the Privilege Management Implementation h5. General Notes As of OAK the built-in and custom privileges are stored in the repository underneath {{/jcr:system/rep:privileges}}. Similar to other repository level date (node types, namespaces and versions) this location is shared by all workspaces present in the repository. The nodes and properties storing the privilege definitions are protected by their node type definition. In addition a specific privilege {{Validator}} and {{CommitHook}} implementations assert the consistency of the privilege store. The built-in privileges are installed using a dedicated implementation of the {{RepositoryInitializer}} [0]. h5. Registration of Custom Privileges As far as registration of custom privileges the OAK implementation behaves different to Jackrabbit 2.x in the following aspects: * Registration of new privileges fails with {{IllegalStateException}} if the editing session has pending changes. * Any validation is performed by CommitHooks in order to make sure that modifications made on the OAK API directly is equally verified. Subsequently any violation (permission, privilege consistency) is only detected at the end of the registration process. The privilege manager itself does not perform any validation. h4. 2. Built-in Privilege Definitions * All Privileges as defined by JSR 283 ** jcr:read ** jcr:modifyProperties ** jcr:addChildNodes ** jcr:removeNode ** jcr:removeChildNodes ** jcr:readAccessControl ** jcr:modifyAccessControl ** jcr:lockManagement ** jcr:versionManagement ** jcr:nodeTypeManagement ** jcr:retentionManagement (NOTE: retention management not yet implemented) ** jcr:lifecycleManagement (NOTE: lifecycle management not yet implemented) ** jcr:write ** jcr:all * All Privileges defined by JSR 333 ** jcr:workspaceManagement (NOTE: wsp management not yet implemented) ** jcr:nodeTypeDefinitionManagement ** jcr:namespaceManagement * All Privileges defined by Jackrabbit 2.x ** rep:write ** rep:privilegeManagement * New Privileges defined by OAK 1.0: ** rep:userManagement ** rep:readNodes ** rep:readProperties ** rep:addProperties ** rep:alterProperties ** rep:removeProperties Note the following differences with respect to Jackrabbit 2.x definitions: * jcr:read is now an aggregation of rep:readNodes and rep:readProperties * jcr:modifyProperties is now an aggregation of rep:addProperties, rep:alterProperties and rep:removeProperties h4. 3. Node Type Definitions The following privilege related built-in node types have been added in OAK 1.0. They are used to represent built-in and custom privilege definitions in the repository. {code} [rep:Privileges] + * (rep:Privilege) = rep:Privilege protected ABORT - rep:next (LONG) protected multiple mandatory [rep:Privilege] - rep:isAbstract (BOOLEAN) protected - rep:aggregates (NAME) protected multiple - rep:bits (LONG) protected multiple mandatory {code} h4. 4. API Extensions org.apache.jackrabbit.oak.spi.security.privilege - {{PrivilegeBitsProvider}} : Provider implementation to read {{PrivilegeBits}} from the repository content and map names to internal representation (and vice versa). - {{PrivilegeBits}}: Internal representation of JCR privileges. h4. 5. Configuration * {{PrivilegeConfiguration}} [1]: ** {{getPrivilegeManager}} - returns a new instance of the {{PrivilegeManager}} interface such as exposed by {{JackrabbitWorkspace#getPrivilegeManager}}. Note that the default implementation is based on OAK API and can equally be used for privilege related tasks in the OAK layer. h4. 6. References [0] http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeInitializer.java [1] http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeConfiguration.java was (Author: anchela): h4. 1. Characteristics of the Privilege Management Implementation h5. General Notes As of OAK the built-in and custom privileges are stored in the repository underneath {{/jcr:system/rep:privileges}}. Similar to other repository level date (node types, namespaces and versions) this location is shared by all workspaces present in the repository. The nodes and properties storing the privilege definitions are protected by their node type definition. In addition a specific privilege {{Validator}} and {{CommitHook}} implementations assert the consistency of the privilege store. The built-in privileges are installed using a dedicated implementation of the {{RepositoryInitializer}} [0]. h5. Registration of Custom Privileges As far as registration of
[jira] [Resolved] (OAK-910) Privilege Management: Document changes wrt Jackrabbit
[ https://issues.apache.org/jira/browse/OAK-910?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] angela resolved OAK-910. Resolution: Fixed Privilege Management: Document changes wrt Jackrabbit - Key: OAK-910 URL: https://issues.apache.org/jira/browse/OAK-910 Project: Jackrabbit Oak Issue Type: Sub-task Components: core, jcr Reporter: angela Assignee: angela -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Comment Edited] (OAK-910) Privilege Management: Document changes wrt Jackrabbit
[ https://issues.apache.org/jira/browse/OAK-910?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13720871#comment-13720871 ] angela edited comment on OAK-910 at 11/5/13 1:11 PM: - h4. 1. Characteristics of the Privilege Management Implementation h5. General Notes As of OAK the built-in and custom privileges are stored in the repository underneath {{/jcr:system/rep:privileges}}. Similar to other repository level date (node types, namespaces and versions) this location is shared by all workspaces present in the repository. The nodes and properties storing the privilege definitions are protected by their node type definition. In addition a specific privilege {{Validator}} and {{CommitHook}} implementations assert the consistency of the privilege store. The built-in privileges are installed using a dedicated implementation of the {{RepositoryInitializer}} [0]. h5. Registration of Custom Privileges As far as registration of custom privileges the OAK implementation behaves different to Jackrabbit 2.x in the following aspects: * Registration of new privileges fails with {{IllegalStateException}} if the editing session has pending changes. * Any validation is performed by CommitHooks in order to make sure that modifications made on the OAK API directly is equally verified. Subsequently any violation (permission, privilege consistency) is only detected at the end of the registration process. The privilege manager itself does not perform any validation. h4. 2. Built-in Privilege Definitions * All Privileges as defined by JSR 283 ** jcr:read ** jcr:modifyProperties ** jcr:addChildNodes ** jcr:removeNode ** jcr:removeChildNodes ** jcr:readAccessControl ** jcr:modifyAccessControl ** jcr:lockManagement ** jcr:versionManagement ** jcr:nodeTypeManagement ** jcr:retentionManagement (NOTE: retention management not yet implemented) ** jcr:lifecycleManagement (NOTE: lifecycle management not yet implemented) ** jcr:write ** jcr:all * All Privileges defined by JSR 333 ** jcr:workspaceManagement (NOTE: wsp management not yet implemented) ** jcr:nodeTypeDefinitionManagement ** jcr:namespaceManagement * All Privileges defined by Jackrabbit 2.x ** rep:write ** rep:privilegeManagement * New Privileges defined by OAK 1.0: ** rep:userManagement ** rep:readNodes ** rep:readProperties ** rep:addProperties ** rep:alterProperties ** rep:removeProperties Note the following differences with respect to Jackrabbit 2.x definitions: * jcr:read is now an aggregation of rep:readNodes and rep:readProperties * jcr:modifyProperties is now an aggregation of rep:addProperties, rep:alterProperties and rep:removeProperties h4. 3. Node Type Definitions The following privilege related built-in node types have been added in OAK 1.0. They are used to represent built-in and custom privilege definitions in the repository. {code} [rep:Privileges] + * (rep:Privilege) = rep:Privilege protected ABORT - rep:next (LONG) protected multiple mandatory [rep:Privilege] - rep:isAbstract (BOOLEAN) protected - rep:aggregates (NAME) protected multiple - rep:bits (LONG) protected multiple mandatory {code} h4. 4. API Extensions org.apache.jackrabbit.oak.spi.security.privilege - {{PrivilegeBitsProvider}} : Provider implementation to read {{PrivilegeBits}} from the repository content and map names to internal representation (and vice versa) [2]. - {{PrivilegeBits}}: Internal representation of JCR privileges [3]. h4. 5. Configuration * {{PrivilegeConfiguration}} [1]: ** {{getPrivilegeManager}} - returns a new instance of the {{PrivilegeManager}} interface such as exposed by {{JackrabbitWorkspace#getPrivilegeManager}}. Note that the default implementation is based on OAK API and can equally be used for privilege related tasks in the OAK layer. h4. 6. References [0] http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeInitializer.java [1] http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeConfiguration.java [2] http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeBitsProvider.java [3] http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeBits.java was (Author: anchela): h4. 1. Characteristics of the Privilege Management Implementation h5. General Notes As of OAK the built-in and custom privileges are stored in the repository underneath {{/jcr:system/rep:privileges}}. Similar to other repository level date (node types, namespaces and versions) this location is shared by all workspaces present in the repository. The nodes and properties storing the privilege definitions are protected by their node type
[jira] [Resolved] (OAK-1046) Faster anonymous read operations
[ https://issues.apache.org/jira/browse/OAK-1046?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] angela resolved OAK-1046. - Resolution: Duplicate is part of OAK-908 Faster anonymous read operations Key: OAK-1046 URL: https://issues.apache.org/jira/browse/OAK-1046 Project: Jackrabbit Oak Issue Type: Sub-task Reporter: Thomas Mueller Attachments: OAK-1046-test-1.patch The oak-run test GetNodeWithAnonymous is currently quite a bit slower than GetNodeWithAdmin. According to my profiling data, the main bottleneck is SecurityContext.getReadStatus, which calls PermissionProvider.getReadStatus which calls CompiledPermissionImpl.getReadStatus. To improve performance, I tried caching the result of this call, using a simple hash map, with a string key (tree.getPath() + property.getName()). This improved performance to now: {code} java -Dwarmup=5 -Druntime=30 -jar target/oak-run-*.jar benchmark GetNodeWithAnonymous Oak-Tar packages: 39%: org.apache.jackrabbit.oak.plugins.segment 23%: org.apache.jackrabbit.oak.core 14%: org.apache.jackrabbit.oak.plugins.memory 6%: org.apache.jackrabbit.oak.namepath 4%: com.google.common.collect 4%: org.apache.jackrabbit.oak.jcr.session 3%: org.apache.jackrabbit.oak.util . Oak-Tar 142 144 146 148 218 203 java -Dwarmup=5 -Druntime=30 -jar target/oak-run-*.jar benchmark GetNodeWithAdmin Oak-Tar packages: 29%: org.apache.jackrabbit.oak.plugins.segment 17%: org.apache.jackrabbit.oak.plugins.memory 17%: org.apache.jackrabbit.oak.namepath 12%: org.apache.jackrabbit.oak.jcr.session 8%: org.apache.jackrabbit.oak.util 5%: org.apache.jackrabbit.oak.core 4%: org.apache.jackrabbit.oak.plugins.segment.file . Oak-Tar 35 35 36 37 73 818 {code} So it is still about 4 times slower, but it's an improvement (currently it is 10 times slower). I wonder if there is a better way. I'm don't think caching the ReadStatus on a property or node level is very memory efficient, but maybe other solutions would be very hard to implement. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-210) granularity of persisted data
[ https://issues.apache.org/jira/browse/OAK-210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13813962#comment-13813962 ] Jukka Zitting commented on OAK-210: --- Fair enough. Do you still intend to work on this (it's been open for over a year)? If not, I suggest to resolve as Won't Fix. granularity of persisted data - Key: OAK-210 URL: https://issues.apache.org/jira/browse/OAK-210 Project: Jackrabbit Oak Issue Type: Improvement Components: mk Reporter: Stefan Guggisberg Assignee: Stefan Guggisberg the current persistence granularity is _single nodes_ (a node consists of properties and child node information). instead of storing/retrieving single nodes it would IMO make sense to store subtree aggregates of specific nodes. the choice of granularity could be based on simple filter criteria (e.g. property value). dynamic persistence granularity would help reducing the number of records and r/w operations on the underlying store, thus improving performance. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-210) granularity of persisted data
[ https://issues.apache.org/jira/browse/OAK-210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13813972#comment-13813972 ] Stefan Guggisberg commented on OAK-210: --- bq. Fair enough. Do you still intend to work on this (it's been open for over a year)? If not, I suggest to resolve as Won't Fix. yes, i intend to work on this. however, i cannot commit a specific timeline. i prefer to keep this issue open. granularity of persisted data - Key: OAK-210 URL: https://issues.apache.org/jira/browse/OAK-210 Project: Jackrabbit Oak Issue Type: Improvement Components: mk Reporter: Stefan Guggisberg Assignee: Stefan Guggisberg the current persistence granularity is _single nodes_ (a node consists of properties and child node information). instead of storing/retrieving single nodes it would IMO make sense to store subtree aggregates of specific nodes. the choice of granularity could be based on simple filter criteria (e.g. property value). dynamic persistence granularity would help reducing the number of records and r/w operations on the underlying store, thus improving performance. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-1126) Same node and property name support
[ https://issues.apache.org/jira/browse/OAK-1126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13813970#comment-13813970 ] Geoffroy Schneck commented on OAK-1126: --- Example of one recent customer reaction : *We import packages from various instances. These packages might contain nodes, where both properties and subnodes use the same name.* I would also be worried about the effect on not supporting this anymore.. We have hundreds of customers imagining a ton of different content structure.. I wouldn't be surprised that adding this limitation will add problems to upgrade projects.. Same node and property name support --- Key: OAK-1126 URL: https://issues.apache.org/jira/browse/OAK-1126 Project: Jackrabbit Oak Issue Type: Sub-task Components: core, doc, jcr Reporter: Tobias Bocanegra Attachments: 0001-OAK-1126-Same-node-and-property-name-support.patch, 0002-OAK-1126-Same-node-and-property-name-support.patch, OAK-1126.patch The initial MK abstraction mandated that the nodes and properties share the same namespace (http://wiki.apache.org/jackrabbit/RepositoryMicroKernel#Data%20Model). This is a regression from Jackrabbit 2.x, which supports same name nodes and properties (SNNP). OTOH, the NodeStores can easily support SNNP and with proper escaping, the MKs can also support it. We should try to keep the support for SNNP in order to keep backward compatibility for existing content, and also keep the support for importing XML documents with same attribute and element names. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-1144) Avoid wrapping TreePermission into SecurityContext
[ https://issues.apache.org/jira/browse/OAK-1144?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13813983#comment-13813983 ] Jukka Zitting commented on OAK-1144: With the added {{getChildPermission}} method {{TreePermission}} becomes essentially equivalent to {{SecurityContext}}, so there shouldn't be a need for the separate context object anymore. Thus +1. We had to include the {{equals()}} method earlier as quite a few pieces of higher-level code were still using {{NodeState.equals()}}, which would often fall back on the default and highly inefficient {{AbstractNodeState.equals()}} implementation. AFAICT we already addressed most of those cases, so it might well be possible to drop the {{equals()}} implementation on both {{TreePermission/SecurityContext}} and {{SecureNodeState}}. Avoid wrapping TreePermission into SecurityContext -- Key: OAK-1144 URL: https://issues.apache.org/jira/browse/OAK-1144 Project: Jackrabbit Oak Issue Type: Improvement Components: core Reporter: angela Assignee: angela Priority: Minor Attachments: OAK-1144.patch as suggested on the mailing list we may want to drop the extra security context (see http://markmail.org/message/75msw25wkicy6bdu) -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-1144) Avoid wrapping TreePermission into SecurityContext
[ https://issues.apache.org/jira/browse/OAK-1144?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13813994#comment-13813994 ] angela commented on OAK-1144: - thanks... what would be the easiest way to reliably detect if we can drop these equals implementations? Avoid wrapping TreePermission into SecurityContext -- Key: OAK-1144 URL: https://issues.apache.org/jira/browse/OAK-1144 Project: Jackrabbit Oak Issue Type: Improvement Components: core Reporter: angela Assignee: angela Priority: Minor Attachments: OAK-1144.patch as suggested on the mailing list we may want to drop the extra security context (see http://markmail.org/message/75msw25wkicy6bdu) -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-1144) Avoid wrapping TreePermission into SecurityContext
[ https://issues.apache.org/jira/browse/OAK-1144?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13813998#comment-13813998 ] Jukka Zitting commented on OAK-1144: We could just drop the equals and see if any performance regressions show up in the microbenchmarks. If they do, we should fix the remaining issues in higher level code. Avoid wrapping TreePermission into SecurityContext -- Key: OAK-1144 URL: https://issues.apache.org/jira/browse/OAK-1144 Project: Jackrabbit Oak Issue Type: Improvement Components: core Reporter: angela Assignee: angela Priority: Minor Attachments: OAK-1144.patch as suggested on the mailing list we may want to drop the extra security context (see http://markmail.org/message/75msw25wkicy6bdu) -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Resolved] (OAK-657) Add oak:unstructured
[ https://issues.apache.org/jira/browse/OAK-657?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] angela resolved OAK-657. Resolution: Fixed the node type has been added to the built-in node type cnd... so, i suggest we resolve this fixed. Add oak:unstructured Key: OAK-657 URL: https://issues.apache.org/jira/browse/OAK-657 Project: Jackrabbit Oak Issue Type: Improvement Components: core Reporter: Jukka Zitting Following up from OAK-656, it would be good to add a custom {{oak:unstructured}} node type that's like {{nt:unstructured}} without orderability or same-name siblings: {noformat} [oak:unstructured] - * (UNDEFINED) multiple - * (UNDEFINED) + * (nt:base) = oak:unstructured VERSION {noformat} We should also change the {{rep:root}} type to extend {{oak:unstructured}} instead of {{nt:unstructured}} to make this new non-orderable unstructured type the default for new nodes without explit or implicit (through intermediate ancestors) node type information. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-1144) Avoid wrapping TreePermission into SecurityContext
[ https://issues.apache.org/jira/browse/OAK-1144?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13814003#comment-13814003 ] angela commented on OAK-1144: - ok... i will commit the patch *including* the equals and drop them in a separate commit. then we have a chance to see the effect of dropping the wrapper and dropping the equals implementations independently. Avoid wrapping TreePermission into SecurityContext -- Key: OAK-1144 URL: https://issues.apache.org/jira/browse/OAK-1144 Project: Jackrabbit Oak Issue Type: Improvement Components: core Reporter: angela Assignee: angela Priority: Minor Attachments: OAK-1144.patch as suggested on the mailing list we may want to drop the extra security context (see http://markmail.org/message/75msw25wkicy6bdu) -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Created] (OAK-1146) Remove equals/hashcode on SecureNodeState and TreePermissionImpl
angela created OAK-1146: --- Summary: Remove equals/hashcode on SecureNodeState and TreePermissionImpl Key: OAK-1146 URL: https://issues.apache.org/jira/browse/OAK-1146 Project: Jackrabbit Oak Issue Type: Improvement Components: core Reporter: angela Assignee: angela follow up issue for OAK-1144: as suggested by jukka we may want to remove the equals methods from SecureNodeState and TreePermissionImpl. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-1147) SecureNodeBuilder/SecureNodeState: Consider using 'TreePermission#canReadProperties'
[ https://issues.apache.org/jira/browse/OAK-1147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13814015#comment-13814015 ] Jukka Zitting commented on OAK-1147: bq. Jukka Zitting, do you remember what was the reason for using #canReadAll here? I think I was just duplicating the pattern from child node access methods, without realizing that we also had the {{canReadAllProperties()}} check that's more appropriate for these methods. SecureNodeBuilder/SecureNodeState: Consider using 'TreePermission#canReadProperties' Key: OAK-1147 URL: https://issues.apache.org/jira/browse/OAK-1147 Project: Jackrabbit Oak Issue Type: Improvement Reporter: angela Assignee: angela the methods #getProperties and #getPropertyCount have a shortcut for those cases where all properties are accessible. however, the current implemention requires SecurityContext#canReadAll to return true in order to enable the shortcut. without knowing the very details of the SecureNodeState/Builder i would have expected that #canReadAllProperties would be sufficient. [~jukkaz], do you remember what was the reason for using #canReadAll here? i changed it for test purpose and didn't see any difference... but that may also imply that we don't have enough or specific tests for this. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Comment Edited] (OAK-1147) SecureNodeBuilder/SecureNodeState: Consider using 'TreePermission#canReadProperties'
[ https://issues.apache.org/jira/browse/OAK-1147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13814026#comment-13814026 ] angela edited comment on OAK-1147 at 11/5/13 4:42 PM: -- one more thing... which IMO makes it a bit inconsistent: #getPropertyCount checks for 'canReadAll(Properties)' and alternatively calculates the number of properties: {code} if (treePermission.canReadAll()) { propertyCount = state.getPropertyCount(); } else { propertyCount = count(filter( state.getProperties(), new ReadablePropertyPredicate())); } {code} on the other hand #getProperties() first tries to optimize for all properties being visible and second tests if the node state itself is readable (in which case it reads the properties)... if not it returns an empty list. {code} if (treePermission.canReadAll()) { return state.getProperties(); } else if (treePermission.canRead()) { // TODO: check DENY_PROPERTIES? return filter( state.getProperties(), new ReadablePropertyPredicate()); } else { return emptyList(); } {code} thus, one method make the accessibility of the properties depending on the read-status of the tree itself. the other doesn't. from a JCR level point of view it doesn't make a difference (as Node#getProperties can only be called if you already have the Node at hand)... but on the OAK level it might result in odd behavior as the tree can exist or not. was (Author: anchela): one more thing... which IMO makes it a bit inconsistent: #getPropertyCount checks for 'canReadAll(Properties)' and alternatively calculates the number of properties: {code} if (treePermission.canReadProperties()) { propertyCount = state.getPropertyCount(); } else { propertyCount = count(filter( state.getProperties(), new ReadablePropertyPredicate())); } {code} on the other hand #getProperties() first tries to optimize for all properties being visible and second tests if the node state itself is readable (in which case it reads the properties)... if not it returns an empty list. thus, one method make the accessibility of the properties depending on the read-status of the tree itself. the other doesn't. from a JCR level point of view it doesn't make a difference (as Node#getProperties can only be called if you already have the Node at hand)... but on the OAK level it might result in odd behavior as the tree can exist or not. SecureNodeBuilder/SecureNodeState: Consider using 'TreePermission#canReadProperties' Key: OAK-1147 URL: https://issues.apache.org/jira/browse/OAK-1147 Project: Jackrabbit Oak Issue Type: Improvement Reporter: angela Assignee: angela the methods #getProperties and #getPropertyCount have a shortcut for those cases where all properties are accessible. however, the current implemention requires SecurityContext#canReadAll to return true in order to enable the shortcut. without knowing the very details of the SecureNodeState/Builder i would have expected that #canReadAllProperties would be sufficient. [~jukkaz], do you remember what was the reason for using #canReadAll here? i changed it for test purpose and didn't see any difference... but that may also imply that we don't have enough or specific tests for this. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-1147) SecureNodeBuilder/SecureNodeState: Consider using 'TreePermission#canReadProperties'
[ https://issues.apache.org/jira/browse/OAK-1147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13814019#comment-13814019 ] angela commented on OAK-1147: - ok... i will change it then and keep in mind in case we run into odd issues permission wise. SecureNodeBuilder/SecureNodeState: Consider using 'TreePermission#canReadProperties' Key: OAK-1147 URL: https://issues.apache.org/jira/browse/OAK-1147 Project: Jackrabbit Oak Issue Type: Improvement Reporter: angela Assignee: angela the methods #getProperties and #getPropertyCount have a shortcut for those cases where all properties are accessible. however, the current implemention requires SecurityContext#canReadAll to return true in order to enable the shortcut. without knowing the very details of the SecureNodeState/Builder i would have expected that #canReadAllProperties would be sufficient. [~jukkaz], do you remember what was the reason for using #canReadAll here? i changed it for test purpose and didn't see any difference... but that may also imply that we don't have enough or specific tests for this. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-1090) Event-listener not notified on Node.orderBefore
[ https://issues.apache.org/jira/browse/OAK-1090?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13814018#comment-13814018 ] Michael Dürig commented on OAK-1090: At http://svn.apache.org/r1539044 I added an initial implementation and a basic test case for this: - {{Node.orderBefore()}} will result in {{NODE_MOVED}} events. - Removing a node and adding a node with the same name will also be reported as a {{NODE_MOVED}} event as if it where caused by {{Node.orderBefore()}}. - The exact sequence of {{Node.orderBefore()}} will not be reflected through the events. Given two child nodes {{a}} and {{b}}, ordering {{a}} after {{b}} may be reported as ordering {{b}} before {{a}}. Event-listener not notified on Node.orderBefore Key: OAK-1090 URL: https://issues.apache.org/jira/browse/OAK-1090 Project: Jackrabbit Oak Issue Type: Bug Components: core, jcr Affects Versions: 0.9 Reporter: Christan Keller Fix For: 0.11 Attachments: Issue.java An eventlistener that registered on modificaitons in a branch, doesn't get notified if a Noder.orderBefore happend. This is irespective of the Event types or filteres that are applied upon event-listener registration. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Resolved] (OAK-1090) Event-listener not notified on Node.orderBefore
[ https://issues.apache.org/jira/browse/OAK-1090?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Michael Dürig resolved OAK-1090. Resolution: Fixed Fix Version/s: 0.11 Assignee: Michael Dürig Event-listener not notified on Node.orderBefore Key: OAK-1090 URL: https://issues.apache.org/jira/browse/OAK-1090 Project: Jackrabbit Oak Issue Type: Bug Components: core, jcr Affects Versions: 0.9 Reporter: Christan Keller Assignee: Michael Dürig Fix For: 0.11 Attachments: Issue.java An eventlistener that registered on modificaitons in a branch, doesn't get notified if a Noder.orderBefore happend. This is irespective of the Event types or filteres that are applied upon event-listener registration. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Resolved] (OAK-1144) Avoid wrapping TreePermission into SecurityContext
[ https://issues.apache.org/jira/browse/OAK-1144?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] angela resolved OAK-1144. - Resolution: Fixed created OAK-1146 to deal with the equals/hashcode on SecurityNodeState and TreePermission (former SecurityContext) Avoid wrapping TreePermission into SecurityContext -- Key: OAK-1144 URL: https://issues.apache.org/jira/browse/OAK-1144 Project: Jackrabbit Oak Issue Type: Improvement Components: core Reporter: angela Assignee: angela Priority: Minor Attachments: OAK-1144.patch as suggested on the mailing list we may want to drop the extra security context (see http://markmail.org/message/75msw25wkicy6bdu) -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Updated] (OAK-1147) SecureNodeBuilder/SecureNodeState: Consider using 'TreePermission#canReadProperties'
[ https://issues.apache.org/jira/browse/OAK-1147?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] angela updated OAK-1147: Attachment: OAK-1147.patch SecureNodeBuilder/SecureNodeState: Consider using 'TreePermission#canReadProperties' Key: OAK-1147 URL: https://issues.apache.org/jira/browse/OAK-1147 Project: Jackrabbit Oak Issue Type: Improvement Reporter: angela Assignee: angela Attachments: OAK-1147.patch the methods #getProperties and #getPropertyCount have a shortcut for those cases where all properties are accessible. however, the current implemention requires SecurityContext#canReadAll to return true in order to enable the shortcut. without knowing the very details of the SecureNodeState/Builder i would have expected that #canReadAllProperties would be sufficient. [~jukkaz], do you remember what was the reason for using #canReadAll here? i changed it for test purpose and didn't see any difference... but that may also imply that we don't have enough or specific tests for this. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-1147) SecureNodeBuilder/SecureNodeState: Consider using 'TreePermission#canReadProperties'
[ https://issues.apache.org/jira/browse/OAK-1147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13814036#comment-13814036 ] angela commented on OAK-1147: - patch replacing #canReadAll by #canReadProperites and removing the extra check for accessibility of the nodestate itself (note that with #getProperty and #hasProperty this isn't enforced either). SecureNodeBuilder/SecureNodeState: Consider using 'TreePermission#canReadProperties' Key: OAK-1147 URL: https://issues.apache.org/jira/browse/OAK-1147 Project: Jackrabbit Oak Issue Type: Improvement Reporter: angela Assignee: angela Attachments: OAK-1147.patch the methods #getProperties and #getPropertyCount have a shortcut for those cases where all properties are accessible. however, the current implemention requires SecurityContext#canReadAll to return true in order to enable the shortcut. without knowing the very details of the SecureNodeState/Builder i would have expected that #canReadAllProperties would be sufficient. [~jukkaz], do you remember what was the reason for using #canReadAll here? i changed it for test purpose and didn't see any difference... but that may also imply that we don't have enough or specific tests for this. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-1147) SecureNodeBuilder/SecureNodeState: Consider using 'TreePermission#canReadProperties'
[ https://issues.apache.org/jira/browse/OAK-1147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13814037#comment-13814037 ] Jukka Zitting commented on OAK-1147: I would expect {{canReadAllProperties()}} to check also for readability of the node, i.e. {{canRead()}}, as the all-properties check is only needed for listing (or counting) properties, which both depend on the readability of the containing node. SecureNodeBuilder/SecureNodeState: Consider using 'TreePermission#canReadProperties' Key: OAK-1147 URL: https://issues.apache.org/jira/browse/OAK-1147 Project: Jackrabbit Oak Issue Type: Improvement Reporter: angela Assignee: angela Attachments: OAK-1147.patch the methods #getProperties and #getPropertyCount have a shortcut for those cases where all properties are accessible. however, the current implemention requires SecurityContext#canReadAll to return true in order to enable the shortcut. without knowing the very details of the SecureNodeState/Builder i would have expected that #canReadAllProperties would be sufficient. [~jukkaz], do you remember what was the reason for using #canReadAll here? i changed it for test purpose and didn't see any difference... but that may also imply that we don't have enough or specific tests for this. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-1147) SecureNodeBuilder/SecureNodeState: Consider using 'TreePermission#canReadProperties'
[ https://issues.apache.org/jira/browse/OAK-1147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13814038#comment-13814038 ] Jukka Zitting commented on OAK-1147: ... perhaps the check should be renamed to {{canListAllProperties()}} to better match the use case. SecureNodeBuilder/SecureNodeState: Consider using 'TreePermission#canReadProperties' Key: OAK-1147 URL: https://issues.apache.org/jira/browse/OAK-1147 Project: Jackrabbit Oak Issue Type: Improvement Reporter: angela Assignee: angela Attachments: OAK-1147.patch the methods #getProperties and #getPropertyCount have a shortcut for those cases where all properties are accessible. however, the current implemention requires SecurityContext#canReadAll to return true in order to enable the shortcut. without knowing the very details of the SecureNodeState/Builder i would have expected that #canReadAllProperties would be sufficient. [~jukkaz], do you remember what was the reason for using #canReadAll here? i changed it for test purpose and didn't see any difference... but that may also imply that we don't have enough or specific tests for this. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-1147) SecureNodeBuilder/SecureNodeState: Consider using 'TreePermission#canReadProperties'
[ https://issues.apache.org/jira/browse/OAK-1147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13814044#comment-13814044 ] angela commented on OAK-1147: - ok... but the counting method didn't test for the readability of the node. and nor does getProperty/hasProperty. as far as the implementation is concerned: it's really simplistic and in fact only return true for {{#canReadProperties}} if the entry also defines the read-access for the tree itself. so far i don't have any strong feeling for either way as long as it is consistent across all property access. SecureNodeBuilder/SecureNodeState: Consider using 'TreePermission#canReadProperties' Key: OAK-1147 URL: https://issues.apache.org/jira/browse/OAK-1147 Project: Jackrabbit Oak Issue Type: Improvement Reporter: angela Assignee: angela Attachments: OAK-1147.patch the methods #getProperties and #getPropertyCount have a shortcut for those cases where all properties are accessible. however, the current implemention requires SecurityContext#canReadAll to return true in order to enable the shortcut. without knowing the very details of the SecureNodeState/Builder i would have expected that #canReadAllProperties would be sufficient. [~jukkaz], do you remember what was the reason for using #canReadAll here? i changed it for test purpose and didn't see any difference... but that may also imply that we don't have enough or specific tests for this. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-869) Runtime exception while adding node
[ https://issues.apache.org/jira/browse/OAK-869?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13814051#comment-13814051 ] angela commented on OAK-869: hasn't this issue been fixed in the mean time? Runtime exception while adding node --- Key: OAK-869 URL: https://issues.apache.org/jira/browse/OAK-869 Project: Jackrabbit Oak Issue Type: Bug Components: jcr Reporter: Antonio Sanso Attachments: AddChildTest.java Trying to add a node where the user has not read permission ends up in a runtime exception java.lang.IllegalStateException: This tree does not exist at com.google.common.base.Preconditions.checkState(Preconditions.java:149) at org.apache.jackrabbit.oak.core.TreeImpl.checkExists(TreeImpl.java:453) at org.apache.jackrabbit.oak.core.TreeImpl.setProperty(TreeImpl.java:347) at org.apache.jackrabbit.oak.jcr.delegate.NodeDelegate.internalAddChild(NodeDelegate.java:508) at org.apache.jackrabbit.oak.jcr.delegate.NodeDelegate.addChild(NodeDelegate.java:462) at org.apache.jackrabbit.oak.jcr.NodeImpl$5.perform(NodeImpl.java:256) at org.apache.jackrabbit.oak.jcr.NodeImpl$5.perform(NodeImpl.java:1) at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.perform(SessionDelegate.java:97) at org.apache.jackrabbit.oak.jcr.ItemImpl.perform(ItemImpl.java:95) at org.apache.jackrabbit.oak.jcr.NodeImpl.addNode(NodeImpl.java:217) at org.apache.jackrabbit.oak.jcr.NodeImpl.addNode(NodeImpl.java:203) at org.apache.jackrabbit.oak.benchmark.AddChildTest.runTest(AddChildTest.java:71) at org.apache.jackrabbit.oak.benchmark.AbstractTest.execute(AbstractTest.java:146) at org.apache.jackrabbit.oak.benchmark.AddChildTest.execute(AddChildTest.java:1) at org.apache.jackrabbit.oak.benchmark.AbstractTest.runTest(AbstractTest.java:115) at org.apache.jackrabbit.oak.benchmark.AbstractTest.run(AbstractTest.java:84) at org.apache.jackrabbit.oak.benchmark.AddChildTest.run(AddChildTest.java:1) at org.apache.jackrabbit.oak.benchmark.BenchmarkRunner.main(BenchmarkRunner.java:114) It would be better to have a checked excpetion instead e.g. javax.jcr.AccessDeniedException I will attach test to reproduce the issue -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-869) Runtime exception while adding node
[ https://issues.apache.org/jira/browse/OAK-869?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13814056#comment-13814056 ] Michael Dürig commented on OAK-869: --- It certainly seems so. At least {{org.apache.jackrabbit.oak.jcr.security.authorization.WriteTest#testWriteOnParentWithNoReadePriv}} passes now for me. We should probably remove the {{@Ignore}} and resolve this issue. Runtime exception while adding node --- Key: OAK-869 URL: https://issues.apache.org/jira/browse/OAK-869 Project: Jackrabbit Oak Issue Type: Bug Components: jcr Reporter: Antonio Sanso Attachments: AddChildTest.java Trying to add a node where the user has not read permission ends up in a runtime exception java.lang.IllegalStateException: This tree does not exist at com.google.common.base.Preconditions.checkState(Preconditions.java:149) at org.apache.jackrabbit.oak.core.TreeImpl.checkExists(TreeImpl.java:453) at org.apache.jackrabbit.oak.core.TreeImpl.setProperty(TreeImpl.java:347) at org.apache.jackrabbit.oak.jcr.delegate.NodeDelegate.internalAddChild(NodeDelegate.java:508) at org.apache.jackrabbit.oak.jcr.delegate.NodeDelegate.addChild(NodeDelegate.java:462) at org.apache.jackrabbit.oak.jcr.NodeImpl$5.perform(NodeImpl.java:256) at org.apache.jackrabbit.oak.jcr.NodeImpl$5.perform(NodeImpl.java:1) at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.perform(SessionDelegate.java:97) at org.apache.jackrabbit.oak.jcr.ItemImpl.perform(ItemImpl.java:95) at org.apache.jackrabbit.oak.jcr.NodeImpl.addNode(NodeImpl.java:217) at org.apache.jackrabbit.oak.jcr.NodeImpl.addNode(NodeImpl.java:203) at org.apache.jackrabbit.oak.benchmark.AddChildTest.runTest(AddChildTest.java:71) at org.apache.jackrabbit.oak.benchmark.AbstractTest.execute(AbstractTest.java:146) at org.apache.jackrabbit.oak.benchmark.AddChildTest.execute(AddChildTest.java:1) at org.apache.jackrabbit.oak.benchmark.AbstractTest.runTest(AbstractTest.java:115) at org.apache.jackrabbit.oak.benchmark.AbstractTest.run(AbstractTest.java:84) at org.apache.jackrabbit.oak.benchmark.AddChildTest.run(AddChildTest.java:1) at org.apache.jackrabbit.oak.benchmark.BenchmarkRunner.main(BenchmarkRunner.java:114) It would be better to have a checked excpetion instead e.g. javax.jcr.AccessDeniedException I will attach test to reproduce the issue -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-869) Runtime exception while adding node
[ https://issues.apache.org/jira/browse/OAK-869?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13814066#comment-13814066 ] angela commented on OAK-869: hm... it still fails... Runtime exception while adding node --- Key: OAK-869 URL: https://issues.apache.org/jira/browse/OAK-869 Project: Jackrabbit Oak Issue Type: Bug Components: jcr Reporter: Antonio Sanso Attachments: AddChildTest.java Trying to add a node where the user has not read permission ends up in a runtime exception java.lang.IllegalStateException: This tree does not exist at com.google.common.base.Preconditions.checkState(Preconditions.java:149) at org.apache.jackrabbit.oak.core.TreeImpl.checkExists(TreeImpl.java:453) at org.apache.jackrabbit.oak.core.TreeImpl.setProperty(TreeImpl.java:347) at org.apache.jackrabbit.oak.jcr.delegate.NodeDelegate.internalAddChild(NodeDelegate.java:508) at org.apache.jackrabbit.oak.jcr.delegate.NodeDelegate.addChild(NodeDelegate.java:462) at org.apache.jackrabbit.oak.jcr.NodeImpl$5.perform(NodeImpl.java:256) at org.apache.jackrabbit.oak.jcr.NodeImpl$5.perform(NodeImpl.java:1) at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.perform(SessionDelegate.java:97) at org.apache.jackrabbit.oak.jcr.ItemImpl.perform(ItemImpl.java:95) at org.apache.jackrabbit.oak.jcr.NodeImpl.addNode(NodeImpl.java:217) at org.apache.jackrabbit.oak.jcr.NodeImpl.addNode(NodeImpl.java:203) at org.apache.jackrabbit.oak.benchmark.AddChildTest.runTest(AddChildTest.java:71) at org.apache.jackrabbit.oak.benchmark.AbstractTest.execute(AbstractTest.java:146) at org.apache.jackrabbit.oak.benchmark.AddChildTest.execute(AddChildTest.java:1) at org.apache.jackrabbit.oak.benchmark.AbstractTest.runTest(AbstractTest.java:115) at org.apache.jackrabbit.oak.benchmark.AbstractTest.run(AbstractTest.java:84) at org.apache.jackrabbit.oak.benchmark.AddChildTest.run(AddChildTest.java:1) at org.apache.jackrabbit.oak.benchmark.BenchmarkRunner.main(BenchmarkRunner.java:114) It would be better to have a checked excpetion instead e.g. javax.jcr.AccessDeniedException I will attach test to reproduce the issue -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Comment Edited] (OAK-869) Runtime exception while adding node
[ https://issues.apache.org/jira/browse/OAK-869?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13814066#comment-13814066 ] angela edited comment on OAK-869 at 11/5/13 5:42 PM: - hm... it still fails, when removing it from the exclusion list in oak-jcr/pom.xml was (Author: anchela): hm... it still fails... Runtime exception while adding node --- Key: OAK-869 URL: https://issues.apache.org/jira/browse/OAK-869 Project: Jackrabbit Oak Issue Type: Bug Components: jcr Reporter: Antonio Sanso Attachments: AddChildTest.java Trying to add a node where the user has not read permission ends up in a runtime exception java.lang.IllegalStateException: This tree does not exist at com.google.common.base.Preconditions.checkState(Preconditions.java:149) at org.apache.jackrabbit.oak.core.TreeImpl.checkExists(TreeImpl.java:453) at org.apache.jackrabbit.oak.core.TreeImpl.setProperty(TreeImpl.java:347) at org.apache.jackrabbit.oak.jcr.delegate.NodeDelegate.internalAddChild(NodeDelegate.java:508) at org.apache.jackrabbit.oak.jcr.delegate.NodeDelegate.addChild(NodeDelegate.java:462) at org.apache.jackrabbit.oak.jcr.NodeImpl$5.perform(NodeImpl.java:256) at org.apache.jackrabbit.oak.jcr.NodeImpl$5.perform(NodeImpl.java:1) at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.perform(SessionDelegate.java:97) at org.apache.jackrabbit.oak.jcr.ItemImpl.perform(ItemImpl.java:95) at org.apache.jackrabbit.oak.jcr.NodeImpl.addNode(NodeImpl.java:217) at org.apache.jackrabbit.oak.jcr.NodeImpl.addNode(NodeImpl.java:203) at org.apache.jackrabbit.oak.benchmark.AddChildTest.runTest(AddChildTest.java:71) at org.apache.jackrabbit.oak.benchmark.AbstractTest.execute(AbstractTest.java:146) at org.apache.jackrabbit.oak.benchmark.AddChildTest.execute(AddChildTest.java:1) at org.apache.jackrabbit.oak.benchmark.AbstractTest.runTest(AbstractTest.java:115) at org.apache.jackrabbit.oak.benchmark.AbstractTest.run(AbstractTest.java:84) at org.apache.jackrabbit.oak.benchmark.AddChildTest.run(AddChildTest.java:1) at org.apache.jackrabbit.oak.benchmark.BenchmarkRunner.main(BenchmarkRunner.java:114) It would be better to have a checked excpetion instead e.g. javax.jcr.AccessDeniedException I will attach test to reproduce the issue -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-1126) Same node and property name support
[ https://issues.apache.org/jira/browse/OAK-1126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13814069#comment-13814069 ] angela commented on OAK-1126: - [~gschneck] thanks for the hint. very helpful, indeed. Same node and property name support --- Key: OAK-1126 URL: https://issues.apache.org/jira/browse/OAK-1126 Project: Jackrabbit Oak Issue Type: Sub-task Components: core, doc, jcr Reporter: Tobias Bocanegra Attachments: 0001-OAK-1126-Same-node-and-property-name-support.patch, 0002-OAK-1126-Same-node-and-property-name-support.patch, OAK-1126.patch The initial MK abstraction mandated that the nodes and properties share the same namespace (http://wiki.apache.org/jackrabbit/RepositoryMicroKernel#Data%20Model). This is a regression from Jackrabbit 2.x, which supports same name nodes and properties (SNNP). OTOH, the NodeStores can easily support SNNP and with proper escaping, the MKs can also support it. We should try to keep the support for SNNP in order to keep backward compatibility for existing content, and also keep the support for importing XML documents with same attribute and element names. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Resolved] (OAK-1146) Remove equals/hashcode on SecureNodeState and TreePermissionImpl
[ https://issues.apache.org/jira/browse/OAK-1146?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] angela resolved OAK-1146. - Resolution: Fixed Committed revision 1539087. see jukkas comment on OAK-1144 regarding possible performance impact and how this should be addressed. Remove equals/hashcode on SecureNodeState and TreePermissionImpl Key: OAK-1146 URL: https://issues.apache.org/jira/browse/OAK-1146 Project: Jackrabbit Oak Issue Type: Improvement Components: core Reporter: angela Assignee: angela follow up issue for OAK-1144: as suggested by jukka we may want to remove the equals methods from SecureNodeState and TreePermissionImpl. -- This message was sent by Atlassian JIRA (v6.1#6144)