[jira] [Reopened] (OAK-210) granularity of persisted data
[ https://issues.apache.org/jira/browse/OAK-210?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Stefan Guggisberg reopened OAK-210: --- i don't agree with the resolution 'Incomplete'. the description is IMO pretty clear. granularity of persisted data - Key: OAK-210 URL: https://issues.apache.org/jira/browse/OAK-210 Project: Jackrabbit Oak Issue Type: Improvement Components: mk Reporter: Stefan Guggisberg Assignee: Stefan Guggisberg the current persistence granularity is _single nodes_ (a node consists of properties and child node information). instead of storing/retrieving single nodes it would IMO make sense to store subtree aggregates of specific nodes. the choice of granularity could be based on simple filter criteria (e.g. property value). dynamic persistence granularity would help reducing the number of records and r/w operations on the underlying store, thus improving performance. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-1133) Observation listener PLUS
[
https://issues.apache.org/jira/browse/OAK-1133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13813767#comment-13813767
]
Michael Dürig commented on OAK-1133:
I think once the suggested refactorings from OAK-1143 are done, it should be
quite easy to extend the current observation mechanism to cater of most/all of
the requirements listed here and also include things from the patch on OAK-1120
as well as including the {{ExcludeExternal}} semantics from OAK-1121
Observation listener PLUS
-
Key: OAK-1133
URL: https://issues.apache.org/jira/browse/OAK-1133
Project: Jackrabbit Oak
Issue Type: New Feature
Components: commons, jcr
Reporter: Alexander Klimetschek
Labels: performance
Oak should provide an *extended and efficient JCR observation listener*
mechanism to support common use cases not handled well by the restricted
options of the JCR observation (only base path, node types and raw events).
Those cases require listeners to register much more broadly and then filter
out their specific cases themselves, thus putting too many events into the
observation system and creating a huge overhead due to asynchronous access to
the modified JCR data to do the filtering. This easily is a big performance
bottleneck with many writes and thus many events.
Previous discussions [on the
list|http://markmail.org/message/oyq7fnfrveceemoh] and in OAK-1120.
The goals should be:
* performance: handle filtering as early as possible, during the commit,
where access to the modified data is already present
* provide robust implementation for typical filtering cases
* provide an asynchronous listener mechanism as in JCR
* minimize effect on the lower levels on Oak (a visible addition in
oak-commons or oak-jcr should be enough)
* for delete events, allow filtering on the to-be-deleted data (currently not
possible in jcr listeners that run after the fact)
* ignore external cluster events by default; have an extra option if you
really want to register for external events
* if possible: design as an extension of the jcr observation to simplify
migration for existing code
* if possible: provide an intelligent listener that can work with pure JCR
(aka Jackrabbit 2) as well, by falling back to in-listener-filtering
* maybe: synchronous option using the same simple interface (instead of raw
Oak plugins itself); however, not sure if there is a benefit if they can only
read data and not change or block the session commit
Typical filtering cases:
- paths with globbing support (for example /content/foo/*/something)
- check for property values (equal, not equal, contains etc.), most
importantly
sling:resourceType in Sling apps
- allow to check properties on child nodes as well, typically jcr:content
- check for any parent/ancestor as well (e.g. change deep inside a node type
= foo structure should be triggered, even if the node with the type wasn't
modified; very important to support efficiently)
- node types (already in jcr observation)
- created/modified/deleted events, separate from move/copy
- and more... a custom filter should be possible to pass through (with
similar access as the {{Observer}})
--
This message was sent by Atlassian JIRA
(v6.1#6144)
[jira] [Commented] (OAK-1126) Same node and property name support
[ https://issues.apache.org/jira/browse/OAK-1126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13813766#comment-13813766 ] Stefan Guggisberg commented on OAK-1126: bq. AFAICT the only change to the JSOP format would be to adjust the addNode syntax to use the :children mechanism for child nodes. that's what i meant by json_diff format changes. it's IMO a drastic change since it makes importing arbitrary JSON impossible (or at least very awkward). Same node and property name support --- Key: OAK-1126 URL: https://issues.apache.org/jira/browse/OAK-1126 Project: Jackrabbit Oak Issue Type: Sub-task Components: core, doc, jcr Reporter: Tobias Bocanegra Attachments: 0001-OAK-1126-Same-node-and-property-name-support.patch, 0002-OAK-1126-Same-node-and-property-name-support.patch, OAK-1126.patch The initial MK abstraction mandated that the nodes and properties share the same namespace (http://wiki.apache.org/jackrabbit/RepositoryMicroKernel#Data%20Model). This is a regression from Jackrabbit 2.x, which supports same name nodes and properties (SNNP). OTOH, the NodeStores can easily support SNNP and with proper escaping, the MKs can also support it. We should try to keep the support for SNNP in order to keep backward compatibility for existing content, and also keep the support for importing XML documents with same attribute and element names. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-1126) Same node and property name support
[ https://issues.apache.org/jira/browse/OAK-1126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13813781#comment-13813781 ] Thomas Mueller commented on OAK-1126: - it makes importing arbitrary JSON impossible Hm, we already have quite a few limitations, for example array may only contain values of the same type, (and not objects). Same node and property name support --- Key: OAK-1126 URL: https://issues.apache.org/jira/browse/OAK-1126 Project: Jackrabbit Oak Issue Type: Sub-task Components: core, doc, jcr Reporter: Tobias Bocanegra Attachments: 0001-OAK-1126-Same-node-and-property-name-support.patch, 0002-OAK-1126-Same-node-and-property-name-support.patch, OAK-1126.patch The initial MK abstraction mandated that the nodes and properties share the same namespace (http://wiki.apache.org/jackrabbit/RepositoryMicroKernel#Data%20Model). This is a regression from Jackrabbit 2.x, which supports same name nodes and properties (SNNP). OTOH, the NodeStores can easily support SNNP and with proper escaping, the MKs can also support it. We should try to keep the support for SNNP in order to keep backward compatibility for existing content, and also keep the support for importing XML documents with same attribute and element names. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-1126) Same node and property name support
[ https://issues.apache.org/jira/browse/OAK-1126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13813785#comment-13813785 ] Michael Dürig commented on OAK-1126: bq. since it makes importing arbitrary JSON impossible (or at least very awkward). This was never a use case. From the beginning on oak-core was deemed to be the only client to the MicroKernel ever. Same node and property name support --- Key: OAK-1126 URL: https://issues.apache.org/jira/browse/OAK-1126 Project: Jackrabbit Oak Issue Type: Sub-task Components: core, doc, jcr Reporter: Tobias Bocanegra Attachments: 0001-OAK-1126-Same-node-and-property-name-support.patch, 0002-OAK-1126-Same-node-and-property-name-support.patch, OAK-1126.patch The initial MK abstraction mandated that the nodes and properties share the same namespace (http://wiki.apache.org/jackrabbit/RepositoryMicroKernel#Data%20Model). This is a regression from Jackrabbit 2.x, which supports same name nodes and properties (SNNP). OTOH, the NodeStores can easily support SNNP and with proper escaping, the MKs can also support it. We should try to keep the support for SNNP in order to keep backward compatibility for existing content, and also keep the support for importing XML documents with same attribute and element names. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-1131) Provide a way to inject Observer instances into NodeStore implementations
[
https://issues.apache.org/jira/browse/OAK-1131?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13813790#comment-13813790
]
Marcel Reutegger commented on OAK-1131:
---
Done in revision: http://svn.apache.org/r1538908
Provide a way to inject Observer instances into NodeStore implementations
--
Key: OAK-1131
URL: https://issues.apache.org/jira/browse/OAK-1131
Project: Jackrabbit Oak
Issue Type: Improvement
Components: core
Reporter: Michael Dürig
Currently {{KernelNodeStore}} has a public {{setObserver()}} method,
{{SegmentNodeStore}} has its {{Observer}} hard coded to the empty observer
and no way to set it and {{MongoNodeStore}} has no {{Observer}} at all.
To make the observer mechanism useful for clients we should come up with a
way to inject {{Observer}} instances into a {{NodeStore}}.
--
This message was sent by Atlassian JIRA
(v6.1#6144)
[jira] [Commented] (OAK-1126) Same node and property name support
[ https://issues.apache.org/jira/browse/OAK-1126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13813798#comment-13813798 ] Stefan Guggisberg commented on OAK-1126: bq. This was never a use case. From the beginning on oak-core was deemed to be the only client to the MicroKernel ever. i beg to differ. the MicroKernel API was designed to be portable from scratch. therefore it's obvious that it's possible to implement and use it in different languages/stacks (e.g. c, nodejs, etc). Same node and property name support --- Key: OAK-1126 URL: https://issues.apache.org/jira/browse/OAK-1126 Project: Jackrabbit Oak Issue Type: Sub-task Components: core, doc, jcr Reporter: Tobias Bocanegra Attachments: 0001-OAK-1126-Same-node-and-property-name-support.patch, 0002-OAK-1126-Same-node-and-property-name-support.patch, OAK-1126.patch The initial MK abstraction mandated that the nodes and properties share the same namespace (http://wiki.apache.org/jackrabbit/RepositoryMicroKernel#Data%20Model). This is a regression from Jackrabbit 2.x, which supports same name nodes and properties (SNNP). OTOH, the NodeStores can easily support SNNP and with proper escaping, the MKs can also support it. We should try to keep the support for SNNP in order to keep backward compatibility for existing content, and also keep the support for importing XML documents with same attribute and element names. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-1133) Observation listener PLUS
[
https://issues.apache.org/jira/browse/OAK-1133?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13813804#comment-13813804
]
Thomas Mueller commented on OAK-1133:
-
listener registrations would include whether they care about local or
external events
very dedicated extra step in the registration API to do so
Yes, that makes sense. It should be relatively hard to register listeners for
external events.
This is not convenience, this is reducing unnecessary work.
It's probably both convenience and reducing work. Convenience is good, if it
results in less and/or clearer code :-)
Observation listener PLUS
-
Key: OAK-1133
URL: https://issues.apache.org/jira/browse/OAK-1133
Project: Jackrabbit Oak
Issue Type: New Feature
Components: commons, jcr
Reporter: Alexander Klimetschek
Labels: performance
Oak should provide an *extended and efficient JCR observation listener*
mechanism to support common use cases not handled well by the restricted
options of the JCR observation (only base path, node types and raw events).
Those cases require listeners to register much more broadly and then filter
out their specific cases themselves, thus putting too many events into the
observation system and creating a huge overhead due to asynchronous access to
the modified JCR data to do the filtering. This easily is a big performance
bottleneck with many writes and thus many events.
Previous discussions [on the
list|http://markmail.org/message/oyq7fnfrveceemoh] and in OAK-1120.
The goals should be:
* performance: handle filtering as early as possible, during the commit,
where access to the modified data is already present
* provide robust implementation for typical filtering cases
* provide an asynchronous listener mechanism as in JCR
* minimize effect on the lower levels on Oak (a visible addition in
oak-commons or oak-jcr should be enough)
* for delete events, allow filtering on the to-be-deleted data (currently not
possible in jcr listeners that run after the fact)
* ignore external cluster events by default; have an extra option if you
really want to register for external events
* if possible: design as an extension of the jcr observation to simplify
migration for existing code
* if possible: provide an intelligent listener that can work with pure JCR
(aka Jackrabbit 2) as well, by falling back to in-listener-filtering
* maybe: synchronous option using the same simple interface (instead of raw
Oak plugins itself); however, not sure if there is a benefit if they can only
read data and not change or block the session commit
Typical filtering cases:
- paths with globbing support (for example /content/foo/*/something)
- check for property values (equal, not equal, contains etc.), most
importantly
sling:resourceType in Sling apps
- allow to check properties on child nodes as well, typically jcr:content
- check for any parent/ancestor as well (e.g. change deep inside a node type
= foo structure should be triggered, even if the node with the type wasn't
modified; very important to support efficiently)
- node types (already in jcr observation)
- created/modified/deleted events, separate from move/copy
- and more... a custom filter should be possible to pass through (with
similar access as the {{Observer}})
--
This message was sent by Atlassian JIRA
(v6.1#6144)
[jira] [Commented] (OAK-1126) Same node and property name support
[
https://issues.apache.org/jira/browse/OAK-1126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13813810#comment-13813810
]
angela commented on OAK-1126:
-
{quote}
This was never a use case. From the beginning on oak-core was deemed to be the
only client to the MicroKernel ever.
{quote}
i can confirm this; it was one of the fundamental design decisions and i was
always and officially promised that oak-core was the only way to access the
microkernel when i expressed concerns wrt security of the MK. if this has
changed in the mean time we should also reconsider on how to secure the MK.
Same node and property name support
---
Key: OAK-1126
URL: https://issues.apache.org/jira/browse/OAK-1126
Project: Jackrabbit Oak
Issue Type: Sub-task
Components: core, doc, jcr
Reporter: Tobias Bocanegra
Attachments: 0001-OAK-1126-Same-node-and-property-name-support.patch,
0002-OAK-1126-Same-node-and-property-name-support.patch, OAK-1126.patch
The initial MK abstraction mandated that the nodes and properties share the
same namespace
(http://wiki.apache.org/jackrabbit/RepositoryMicroKernel#Data%20Model). This
is a regression from Jackrabbit 2.x, which supports same name nodes and
properties (SNNP).
OTOH, the NodeStores can easily support SNNP and with proper escaping, the
MKs can also support it.
We should try to keep the support for SNNP in order to keep backward
compatibility for existing content, and also keep the support for importing
XML documents with same attribute and element names.
--
This message was sent by Atlassian JIRA
(v6.1#6144)
[jira] [Commented] (OAK-1135) NPE in CompiledPermissionImpl.getTreePermission()
[ https://issues.apache.org/jira/browse/OAK-1135?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13813812#comment-13813812 ] Chetan Mehrotra commented on OAK-1135: -- bq. if it's not a simple setup i would suggst to use the jcr-logger present with jackrabbit-commons to determine the set of JCR calls that lead to the problem [~anchela] Can you provide any link to this feature. Looks useful for such debugging but not able to find any reference for that NPE in CompiledPermissionImpl.getTreePermission() - Key: OAK-1135 URL: https://issues.apache.org/jira/browse/OAK-1135 Project: Jackrabbit Oak Issue Type: Improvement Reporter: Tobias Bocanegra Fix For: 0.11 I don't know exactly why and when, but accessing an property in the version store can yield to an NPE in CompiledPermissionImpl.getTreePermission() if the TreeLocation is a PropertyLocation. then TreeLocation.getTree() returbs NULL and subsequently causes a NPE. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-1135) NPE in CompiledPermissionImpl.getTreePermission()
[ https://issues.apache.org/jira/browse/OAK-1135?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13813821#comment-13813821 ] angela commented on OAK-1135: - actually it's in the sandbox not in the commons project :-) i got the link from thomas who originally created the feature: http://svn.apache.org/viewvc/jackrabbit/trunk/contrib/jcrlog/?pathrev=540521 NPE in CompiledPermissionImpl.getTreePermission() - Key: OAK-1135 URL: https://issues.apache.org/jira/browse/OAK-1135 Project: Jackrabbit Oak Issue Type: Improvement Reporter: Tobias Bocanegra Fix For: 0.11 I don't know exactly why and when, but accessing an property in the version store can yield to an NPE in CompiledPermissionImpl.getTreePermission() if the TreeLocation is a PropertyLocation. then TreeLocation.getTree() returbs NULL and subsequently causes a NPE. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Created] (OAK-1145) [Observation] Support for EventJournal in Oak
Daniel Platon created OAK-1145: -- Summary: [Observation] Support for EventJournal in Oak Key: OAK-1145 URL: https://issues.apache.org/jira/browse/OAK-1145 Project: Jackrabbit Oak Issue Type: New Feature Affects Versions: 0.10 Reporter: Daniel Platon Please add support for EventJournal in Oak, as it was present in Jackrabbit 2. Thank you. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Resolved] (OAK-1131) Provide a way to inject Observer instances into NodeStore implementations
[
https://issues.apache.org/jira/browse/OAK-1131?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Michael Dürig resolved OAK-1131.
Resolution: Fixed
Fix Version/s: 0.11
Assignee: Michael Dürig
Thanks Marcel. Thus resolving as fixed.
Provide a way to inject Observer instances into NodeStore implementations
--
Key: OAK-1131
URL: https://issues.apache.org/jira/browse/OAK-1131
Project: Jackrabbit Oak
Issue Type: Improvement
Components: core
Reporter: Michael Dürig
Assignee: Michael Dürig
Fix For: 0.11
Currently {{KernelNodeStore}} has a public {{setObserver()}} method,
{{SegmentNodeStore}} has its {{Observer}} hard coded to the empty observer
and no way to set it and {{MongoNodeStore}} has no {{Observer}} at all.
To make the observer mechanism useful for clients we should come up with a
way to inject {{Observer}} instances into a {{NodeStore}}.
--
This message was sent by Atlassian JIRA
(v6.1#6144)
[jira] [Resolved] (OAK-1098) AuthorizableImpl methods should convert path to Oak path
[
https://issues.apache.org/jira/browse/OAK-1098?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
angela resolved OAK-1098.
-
Resolution: Fixed
AuthorizableImpl methods should convert path to Oak path
Key: OAK-1098
URL: https://issues.apache.org/jira/browse/OAK-1098
Project: Jackrabbit Oak
Issue Type: Bug
Components: core
Reporter: Michael Dürig
Assignee: angela
The methods on {{AuthorizableImpl}} that take a path as an argument all pass
that on without converting it to an oak path. I think this is wrong. If not
on this layer probably further below.
--
This message was sent by Atlassian JIRA
(v6.1#6144)
[jira] [Comment Edited] (OAK-910) Privilege Management: Document changes wrt Jackrabbit
[
https://issues.apache.org/jira/browse/OAK-910?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13720871#comment-13720871
]
angela edited comment on OAK-910 at 11/5/13 1:09 PM:
-
h4. 1. Characteristics of the Privilege Management Implementation
h5. General Notes
As of OAK the built-in and custom privileges are stored in the repository
underneath {{/jcr:system/rep:privileges}}. Similar to other repository level
date (node types, namespaces and versions) this location is shared by all
workspaces present in the repository. The nodes and properties storing the
privilege definitions are protected by their node type definition. In addition
a specific privilege {{Validator}} and {{CommitHook}} implementations assert
the consistency of the privilege store. The built-in privileges are installed
using a dedicated implementation of the {{RepositoryInitializer}} [0].
h5. Registration of Custom Privileges
As far as registration of custom privileges the OAK implementation behaves
different to Jackrabbit 2.x in the following aspects:
* Registration of new privileges fails with {{IllegalStateException}} if the
editing session has pending changes.
* Any validation is performed by CommitHooks in order to make sure that
modifications made on the OAK API directly is equally verified. Subsequently
any violation (permission, privilege consistency) is only detected at the end
of the registration process. The privilege manager itself does not perform any
validation.
h4. 2. Built-in Privilege Definitions
* All Privileges as defined by JSR 283
** jcr:read
** jcr:modifyProperties
** jcr:addChildNodes
** jcr:removeNode
** jcr:removeChildNodes
** jcr:readAccessControl
** jcr:modifyAccessControl
** jcr:lockManagement
** jcr:versionManagement
** jcr:nodeTypeManagement
** jcr:retentionManagement (NOTE: retention management not yet implemented)
** jcr:lifecycleManagement (NOTE: lifecycle management not yet implemented)
** jcr:write
** jcr:all
* All Privileges defined by JSR 333
** jcr:workspaceManagement (NOTE: wsp management not yet implemented)
** jcr:nodeTypeDefinitionManagement
** jcr:namespaceManagement
* All Privileges defined by Jackrabbit 2.x
** rep:write
** rep:privilegeManagement
* New Privileges defined by OAK 1.0:
** rep:userManagement
** rep:readNodes
** rep:readProperties
** rep:addProperties
** rep:alterProperties
** rep:removeProperties
Note the following differences with respect to Jackrabbit 2.x definitions:
* jcr:read is now an aggregation of rep:readNodes and rep:readProperties
* jcr:modifyProperties is now an aggregation of rep:addProperties,
rep:alterProperties and rep:removeProperties
h4. 3. Node Type Definitions
The following privilege related built-in node types have been added in OAK 1.0.
They are used to represent built-in and custom privilege definitions in the
repository.
{code}
[rep:Privileges]
+ * (rep:Privilege) = rep:Privilege protected ABORT
- rep:next (LONG) protected multiple mandatory
[rep:Privilege]
- rep:isAbstract (BOOLEAN) protected
- rep:aggregates (NAME) protected multiple
- rep:bits (LONG) protected multiple mandatory
{code}
h4. 4. API Extensions
org.apache.jackrabbit.oak.spi.security.privilege
- {{PrivilegeBitsProvider}} : Provider implementation to read {{PrivilegeBits}}
from the repository content and map names to internal representation (and vice
versa).
- {{PrivilegeBits}}: Internal representation of JCR privileges.
h4. 5. Configuration
* {{PrivilegeConfiguration}} [1]:
** {{getPrivilegeManager}} - returns a new instance of the
{{PrivilegeManager}} interface such as exposed by
{{JackrabbitWorkspace#getPrivilegeManager}}. Note that the default
implementation is based on OAK API and can equally be used for privilege
related tasks in the OAK layer.
h4. 6. References
[0]
http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeInitializer.java
[1]
http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeConfiguration.java
was (Author: anchela):
h4. 1. Characteristics of the Privilege Management Implementation
h5. General Notes
As of OAK the built-in and custom privileges are stored in the repository
underneath {{/jcr:system/rep:privileges}}. Similar to other repository level
date (node types, namespaces and versions) this location is shared by all
workspaces present in the repository. The nodes and properties storing the
privilege definitions are protected by their node type definition. In addition
a specific privilege {{Validator}} and {{CommitHook}} implementations assert
the consistency of the privilege store. The built-in privileges are installed
using a dedicated implementation of the {{RepositoryInitializer}} [0].
h5. Registration of Custom Privileges
As far as registration of
[jira] [Resolved] (OAK-910) Privilege Management: Document changes wrt Jackrabbit
[ https://issues.apache.org/jira/browse/OAK-910?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] angela resolved OAK-910. Resolution: Fixed Privilege Management: Document changes wrt Jackrabbit - Key: OAK-910 URL: https://issues.apache.org/jira/browse/OAK-910 Project: Jackrabbit Oak Issue Type: Sub-task Components: core, jcr Reporter: angela Assignee: angela -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Comment Edited] (OAK-910) Privilege Management: Document changes wrt Jackrabbit
[
https://issues.apache.org/jira/browse/OAK-910?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13720871#comment-13720871
]
angela edited comment on OAK-910 at 11/5/13 1:11 PM:
-
h4. 1. Characteristics of the Privilege Management Implementation
h5. General Notes
As of OAK the built-in and custom privileges are stored in the repository
underneath {{/jcr:system/rep:privileges}}. Similar to other repository level
date (node types, namespaces and versions) this location is shared by all
workspaces present in the repository. The nodes and properties storing the
privilege definitions are protected by their node type definition. In addition
a specific privilege {{Validator}} and {{CommitHook}} implementations assert
the consistency of the privilege store. The built-in privileges are installed
using a dedicated implementation of the {{RepositoryInitializer}} [0].
h5. Registration of Custom Privileges
As far as registration of custom privileges the OAK implementation behaves
different to Jackrabbit 2.x in the following aspects:
* Registration of new privileges fails with {{IllegalStateException}} if the
editing session has pending changes.
* Any validation is performed by CommitHooks in order to make sure that
modifications made on the OAK API directly is equally verified. Subsequently
any violation (permission, privilege consistency) is only detected at the end
of the registration process. The privilege manager itself does not perform any
validation.
h4. 2. Built-in Privilege Definitions
* All Privileges as defined by JSR 283
** jcr:read
** jcr:modifyProperties
** jcr:addChildNodes
** jcr:removeNode
** jcr:removeChildNodes
** jcr:readAccessControl
** jcr:modifyAccessControl
** jcr:lockManagement
** jcr:versionManagement
** jcr:nodeTypeManagement
** jcr:retentionManagement (NOTE: retention management not yet implemented)
** jcr:lifecycleManagement (NOTE: lifecycle management not yet implemented)
** jcr:write
** jcr:all
* All Privileges defined by JSR 333
** jcr:workspaceManagement (NOTE: wsp management not yet implemented)
** jcr:nodeTypeDefinitionManagement
** jcr:namespaceManagement
* All Privileges defined by Jackrabbit 2.x
** rep:write
** rep:privilegeManagement
* New Privileges defined by OAK 1.0:
** rep:userManagement
** rep:readNodes
** rep:readProperties
** rep:addProperties
** rep:alterProperties
** rep:removeProperties
Note the following differences with respect to Jackrabbit 2.x definitions:
* jcr:read is now an aggregation of rep:readNodes and rep:readProperties
* jcr:modifyProperties is now an aggregation of rep:addProperties,
rep:alterProperties and rep:removeProperties
h4. 3. Node Type Definitions
The following privilege related built-in node types have been added in OAK 1.0.
They are used to represent built-in and custom privilege definitions in the
repository.
{code}
[rep:Privileges]
+ * (rep:Privilege) = rep:Privilege protected ABORT
- rep:next (LONG) protected multiple mandatory
[rep:Privilege]
- rep:isAbstract (BOOLEAN) protected
- rep:aggregates (NAME) protected multiple
- rep:bits (LONG) protected multiple mandatory
{code}
h4. 4. API Extensions
org.apache.jackrabbit.oak.spi.security.privilege
- {{PrivilegeBitsProvider}} : Provider implementation to read {{PrivilegeBits}}
from the repository content and map names to internal representation (and vice
versa) [2].
- {{PrivilegeBits}}: Internal representation of JCR privileges [3].
h4. 5. Configuration
* {{PrivilegeConfiguration}} [1]:
** {{getPrivilegeManager}} - returns a new instance of the
{{PrivilegeManager}} interface such as exposed by
{{JackrabbitWorkspace#getPrivilegeManager}}. Note that the default
implementation is based on OAK API and can equally be used for privilege
related tasks in the OAK layer.
h4. 6. References
[0]
http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/privilege/PrivilegeInitializer.java
[1]
http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeConfiguration.java
[2]
http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeBitsProvider.java
[3]
http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/privilege/PrivilegeBits.java
was (Author: anchela):
h4. 1. Characteristics of the Privilege Management Implementation
h5. General Notes
As of OAK the built-in and custom privileges are stored in the repository
underneath {{/jcr:system/rep:privileges}}. Similar to other repository level
date (node types, namespaces and versions) this location is shared by all
workspaces present in the repository. The nodes and properties storing the
privilege definitions are protected by their node type
[jira] [Resolved] (OAK-1046) Faster anonymous read operations
[
https://issues.apache.org/jira/browse/OAK-1046?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
angela resolved OAK-1046.
-
Resolution: Duplicate
is part of OAK-908
Faster anonymous read operations
Key: OAK-1046
URL: https://issues.apache.org/jira/browse/OAK-1046
Project: Jackrabbit Oak
Issue Type: Sub-task
Reporter: Thomas Mueller
Attachments: OAK-1046-test-1.patch
The oak-run test GetNodeWithAnonymous is currently quite a bit slower than
GetNodeWithAdmin. According to my profiling data, the main bottleneck is
SecurityContext.getReadStatus, which calls PermissionProvider.getReadStatus
which calls CompiledPermissionImpl.getReadStatus.
To improve performance, I tried caching the result of this call, using a
simple hash map, with a string key (tree.getPath() + property.getName()).
This improved performance to now:
{code}
java -Dwarmup=5 -Druntime=30 -jar target/oak-run-*.jar benchmark
GetNodeWithAnonymous Oak-Tar
packages:
39%: org.apache.jackrabbit.oak.plugins.segment
23%: org.apache.jackrabbit.oak.core
14%: org.apache.jackrabbit.oak.plugins.memory
6%: org.apache.jackrabbit.oak.namepath
4%: com.google.common.collect
4%: org.apache.jackrabbit.oak.jcr.session
3%: org.apache.jackrabbit.oak.util
.
Oak-Tar 142 144 146 148 218 203
java -Dwarmup=5 -Druntime=30 -jar target/oak-run-*.jar benchmark
GetNodeWithAdmin Oak-Tar
packages:
29%: org.apache.jackrabbit.oak.plugins.segment
17%: org.apache.jackrabbit.oak.plugins.memory
17%: org.apache.jackrabbit.oak.namepath
12%: org.apache.jackrabbit.oak.jcr.session
8%: org.apache.jackrabbit.oak.util
5%: org.apache.jackrabbit.oak.core
4%: org.apache.jackrabbit.oak.plugins.segment.file
.
Oak-Tar 35 35 36 37 73 818
{code}
So it is still about 4 times slower, but it's an improvement (currently it is
10 times slower).
I wonder if there is a better way. I'm don't think caching the ReadStatus on
a property or node level is very memory efficient, but maybe other solutions
would be very hard to implement.
--
This message was sent by Atlassian JIRA
(v6.1#6144)
[jira] [Commented] (OAK-210) granularity of persisted data
[ https://issues.apache.org/jira/browse/OAK-210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13813962#comment-13813962 ] Jukka Zitting commented on OAK-210: --- Fair enough. Do you still intend to work on this (it's been open for over a year)? If not, I suggest to resolve as Won't Fix. granularity of persisted data - Key: OAK-210 URL: https://issues.apache.org/jira/browse/OAK-210 Project: Jackrabbit Oak Issue Type: Improvement Components: mk Reporter: Stefan Guggisberg Assignee: Stefan Guggisberg the current persistence granularity is _single nodes_ (a node consists of properties and child node information). instead of storing/retrieving single nodes it would IMO make sense to store subtree aggregates of specific nodes. the choice of granularity could be based on simple filter criteria (e.g. property value). dynamic persistence granularity would help reducing the number of records and r/w operations on the underlying store, thus improving performance. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-210) granularity of persisted data
[ https://issues.apache.org/jira/browse/OAK-210?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13813972#comment-13813972 ] Stefan Guggisberg commented on OAK-210: --- bq. Fair enough. Do you still intend to work on this (it's been open for over a year)? If not, I suggest to resolve as Won't Fix. yes, i intend to work on this. however, i cannot commit a specific timeline. i prefer to keep this issue open. granularity of persisted data - Key: OAK-210 URL: https://issues.apache.org/jira/browse/OAK-210 Project: Jackrabbit Oak Issue Type: Improvement Components: mk Reporter: Stefan Guggisberg Assignee: Stefan Guggisberg the current persistence granularity is _single nodes_ (a node consists of properties and child node information). instead of storing/retrieving single nodes it would IMO make sense to store subtree aggregates of specific nodes. the choice of granularity could be based on simple filter criteria (e.g. property value). dynamic persistence granularity would help reducing the number of records and r/w operations on the underlying store, thus improving performance. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-1126) Same node and property name support
[ https://issues.apache.org/jira/browse/OAK-1126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13813970#comment-13813970 ] Geoffroy Schneck commented on OAK-1126: --- Example of one recent customer reaction : *We import packages from various instances. These packages might contain nodes, where both properties and subnodes use the same name.* I would also be worried about the effect on not supporting this anymore.. We have hundreds of customers imagining a ton of different content structure.. I wouldn't be surprised that adding this limitation will add problems to upgrade projects.. Same node and property name support --- Key: OAK-1126 URL: https://issues.apache.org/jira/browse/OAK-1126 Project: Jackrabbit Oak Issue Type: Sub-task Components: core, doc, jcr Reporter: Tobias Bocanegra Attachments: 0001-OAK-1126-Same-node-and-property-name-support.patch, 0002-OAK-1126-Same-node-and-property-name-support.patch, OAK-1126.patch The initial MK abstraction mandated that the nodes and properties share the same namespace (http://wiki.apache.org/jackrabbit/RepositoryMicroKernel#Data%20Model). This is a regression from Jackrabbit 2.x, which supports same name nodes and properties (SNNP). OTOH, the NodeStores can easily support SNNP and with proper escaping, the MKs can also support it. We should try to keep the support for SNNP in order to keep backward compatibility for existing content, and also keep the support for importing XML documents with same attribute and element names. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-1144) Avoid wrapping TreePermission into SecurityContext
[
https://issues.apache.org/jira/browse/OAK-1144?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13813983#comment-13813983
]
Jukka Zitting commented on OAK-1144:
With the added {{getChildPermission}} method {{TreePermission}} becomes
essentially equivalent to {{SecurityContext}}, so there shouldn't be a need for
the separate context object anymore. Thus +1.
We had to include the {{equals()}} method earlier as quite a few pieces of
higher-level code were still using {{NodeState.equals()}}, which would often
fall back on the default and highly inefficient {{AbstractNodeState.equals()}}
implementation. AFAICT we already addressed most of those cases, so it might
well be possible to drop the {{equals()}} implementation on both
{{TreePermission/SecurityContext}} and {{SecureNodeState}}.
Avoid wrapping TreePermission into SecurityContext
--
Key: OAK-1144
URL: https://issues.apache.org/jira/browse/OAK-1144
Project: Jackrabbit Oak
Issue Type: Improvement
Components: core
Reporter: angela
Assignee: angela
Priority: Minor
Attachments: OAK-1144.patch
as suggested on the mailing list we may want to drop the extra security
context (see http://markmail.org/message/75msw25wkicy6bdu)
--
This message was sent by Atlassian JIRA
(v6.1#6144)
[jira] [Commented] (OAK-1144) Avoid wrapping TreePermission into SecurityContext
[ https://issues.apache.org/jira/browse/OAK-1144?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13813994#comment-13813994 ] angela commented on OAK-1144: - thanks... what would be the easiest way to reliably detect if we can drop these equals implementations? Avoid wrapping TreePermission into SecurityContext -- Key: OAK-1144 URL: https://issues.apache.org/jira/browse/OAK-1144 Project: Jackrabbit Oak Issue Type: Improvement Components: core Reporter: angela Assignee: angela Priority: Minor Attachments: OAK-1144.patch as suggested on the mailing list we may want to drop the extra security context (see http://markmail.org/message/75msw25wkicy6bdu) -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-1144) Avoid wrapping TreePermission into SecurityContext
[ https://issues.apache.org/jira/browse/OAK-1144?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13813998#comment-13813998 ] Jukka Zitting commented on OAK-1144: We could just drop the equals and see if any performance regressions show up in the microbenchmarks. If they do, we should fix the remaining issues in higher level code. Avoid wrapping TreePermission into SecurityContext -- Key: OAK-1144 URL: https://issues.apache.org/jira/browse/OAK-1144 Project: Jackrabbit Oak Issue Type: Improvement Components: core Reporter: angela Assignee: angela Priority: Minor Attachments: OAK-1144.patch as suggested on the mailing list we may want to drop the extra security context (see http://markmail.org/message/75msw25wkicy6bdu) -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Resolved] (OAK-657) Add oak:unstructured
[
https://issues.apache.org/jira/browse/OAK-657?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
angela resolved OAK-657.
Resolution: Fixed
the node type has been added to the built-in node type cnd... so, i suggest we
resolve this fixed.
Add oak:unstructured
Key: OAK-657
URL: https://issues.apache.org/jira/browse/OAK-657
Project: Jackrabbit Oak
Issue Type: Improvement
Components: core
Reporter: Jukka Zitting
Following up from OAK-656, it would be good to add a custom
{{oak:unstructured}} node type that's like {{nt:unstructured}} without
orderability or same-name siblings:
{noformat}
[oak:unstructured]
- * (UNDEFINED) multiple
- * (UNDEFINED)
+ * (nt:base) = oak:unstructured VERSION
{noformat}
We should also change the {{rep:root}} type to extend {{oak:unstructured}}
instead of {{nt:unstructured}} to make this new non-orderable unstructured
type the default for new nodes without explit or implicit (through
intermediate ancestors) node type information.
--
This message was sent by Atlassian JIRA
(v6.1#6144)
[jira] [Commented] (OAK-1144) Avoid wrapping TreePermission into SecurityContext
[ https://issues.apache.org/jira/browse/OAK-1144?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13814003#comment-13814003 ] angela commented on OAK-1144: - ok... i will commit the patch *including* the equals and drop them in a separate commit. then we have a chance to see the effect of dropping the wrapper and dropping the equals implementations independently. Avoid wrapping TreePermission into SecurityContext -- Key: OAK-1144 URL: https://issues.apache.org/jira/browse/OAK-1144 Project: Jackrabbit Oak Issue Type: Improvement Components: core Reporter: angela Assignee: angela Priority: Minor Attachments: OAK-1144.patch as suggested on the mailing list we may want to drop the extra security context (see http://markmail.org/message/75msw25wkicy6bdu) -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Created] (OAK-1146) Remove equals/hashcode on SecureNodeState and TreePermissionImpl
angela created OAK-1146: --- Summary: Remove equals/hashcode on SecureNodeState and TreePermissionImpl Key: OAK-1146 URL: https://issues.apache.org/jira/browse/OAK-1146 Project: Jackrabbit Oak Issue Type: Improvement Components: core Reporter: angela Assignee: angela follow up issue for OAK-1144: as suggested by jukka we may want to remove the equals methods from SecureNodeState and TreePermissionImpl. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-1147) SecureNodeBuilder/SecureNodeState: Consider using 'TreePermission#canReadProperties'
[
https://issues.apache.org/jira/browse/OAK-1147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13814015#comment-13814015
]
Jukka Zitting commented on OAK-1147:
bq. Jukka Zitting, do you remember what was the reason for using #canReadAll
here?
I think I was just duplicating the pattern from child node access methods,
without realizing that we also had the {{canReadAllProperties()}} check that's
more appropriate for these methods.
SecureNodeBuilder/SecureNodeState: Consider using
'TreePermission#canReadProperties'
Key: OAK-1147
URL: https://issues.apache.org/jira/browse/OAK-1147
Project: Jackrabbit Oak
Issue Type: Improvement
Reporter: angela
Assignee: angela
the methods #getProperties and #getPropertyCount have a shortcut for those
cases where all properties are accessible.
however, the current implemention requires SecurityContext#canReadAll to
return true in order to enable the shortcut. without knowing the very details
of the SecureNodeState/Builder i would have expected that
#canReadAllProperties would be sufficient.
[~jukkaz], do you remember what was the reason for using #canReadAll here? i
changed it for test purpose and didn't see any difference... but that may
also imply that we don't have enough or specific tests for this.
--
This message was sent by Atlassian JIRA
(v6.1#6144)
[jira] [Comment Edited] (OAK-1147) SecureNodeBuilder/SecureNodeState: Consider using 'TreePermission#canReadProperties'
[
https://issues.apache.org/jira/browse/OAK-1147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13814026#comment-13814026
]
angela edited comment on OAK-1147 at 11/5/13 4:42 PM:
--
one more thing... which IMO makes it a bit inconsistent: #getPropertyCount
checks for 'canReadAll(Properties)' and alternatively calculates the number of
properties:
{code}
if (treePermission.canReadAll()) {
propertyCount = state.getPropertyCount();
} else {
propertyCount = count(filter(
state.getProperties(),
new ReadablePropertyPredicate()));
}
{code}
on the other hand #getProperties() first tries to optimize for all properties
being visible and second tests if the node state itself is readable (in which
case it reads the properties)... if not it returns an empty list.
{code}
if (treePermission.canReadAll()) {
return state.getProperties();
} else if (treePermission.canRead()) { // TODO: check DENY_PROPERTIES?
return filter(
state.getProperties(),
new ReadablePropertyPredicate());
} else {
return emptyList();
}
{code}
thus, one method make the accessibility of the properties depending on the
read-status of the tree itself. the other doesn't. from a JCR level point of
view it doesn't make a difference (as Node#getProperties can only be called if
you already have the Node at hand)... but on the OAK level it might result in
odd behavior as the tree can exist or not.
was (Author: anchela):
one more thing... which IMO makes it a bit inconsistent: #getPropertyCount
checks for 'canReadAll(Properties)' and alternatively calculates the number of
properties:
{code}
if (treePermission.canReadProperties()) {
propertyCount = state.getPropertyCount();
} else {
propertyCount = count(filter(
state.getProperties(),
new ReadablePropertyPredicate()));
}
{code}
on the other hand #getProperties() first tries to optimize for all properties
being visible and second tests if the node state itself is readable (in which
case it reads the properties)... if not it returns an empty list.
thus, one method make the accessibility of the properties depending on the
read-status of the tree itself. the other doesn't. from a JCR level point of
view it doesn't make a difference (as Node#getProperties can only be called if
you already have the Node at hand)... but on the OAK level it might result in
odd behavior as the tree can exist or not.
SecureNodeBuilder/SecureNodeState: Consider using
'TreePermission#canReadProperties'
Key: OAK-1147
URL: https://issues.apache.org/jira/browse/OAK-1147
Project: Jackrabbit Oak
Issue Type: Improvement
Reporter: angela
Assignee: angela
the methods #getProperties and #getPropertyCount have a shortcut for those
cases where all properties are accessible.
however, the current implemention requires SecurityContext#canReadAll to
return true in order to enable the shortcut. without knowing the very details
of the SecureNodeState/Builder i would have expected that
#canReadAllProperties would be sufficient.
[~jukkaz], do you remember what was the reason for using #canReadAll here? i
changed it for test purpose and didn't see any difference... but that may
also imply that we don't have enough or specific tests for this.
--
This message was sent by Atlassian JIRA
(v6.1#6144)
[jira] [Commented] (OAK-1147) SecureNodeBuilder/SecureNodeState: Consider using 'TreePermission#canReadProperties'
[ https://issues.apache.org/jira/browse/OAK-1147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13814019#comment-13814019 ] angela commented on OAK-1147: - ok... i will change it then and keep in mind in case we run into odd issues permission wise. SecureNodeBuilder/SecureNodeState: Consider using 'TreePermission#canReadProperties' Key: OAK-1147 URL: https://issues.apache.org/jira/browse/OAK-1147 Project: Jackrabbit Oak Issue Type: Improvement Reporter: angela Assignee: angela the methods #getProperties and #getPropertyCount have a shortcut for those cases where all properties are accessible. however, the current implemention requires SecurityContext#canReadAll to return true in order to enable the shortcut. without knowing the very details of the SecureNodeState/Builder i would have expected that #canReadAllProperties would be sufficient. [~jukkaz], do you remember what was the reason for using #canReadAll here? i changed it for test purpose and didn't see any difference... but that may also imply that we don't have enough or specific tests for this. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-1090) Event-listener not notified on Node.orderBefore
[
https://issues.apache.org/jira/browse/OAK-1090?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13814018#comment-13814018
]
Michael Dürig commented on OAK-1090:
At http://svn.apache.org/r1539044 I added an initial implementation and a basic
test case for this:
- {{Node.orderBefore()}} will result in {{NODE_MOVED}} events.
- Removing a node and adding a node with the same name will also be reported as
a {{NODE_MOVED}} event as if it where caused by {{Node.orderBefore()}}.
- The exact sequence of {{Node.orderBefore()}} will not be reflected through
the events. Given two child nodes {{a}} and {{b}}, ordering {{a}} after {{b}}
may be reported as ordering {{b}} before {{a}}.
Event-listener not notified on Node.orderBefore
Key: OAK-1090
URL: https://issues.apache.org/jira/browse/OAK-1090
Project: Jackrabbit Oak
Issue Type: Bug
Components: core, jcr
Affects Versions: 0.9
Reporter: Christan Keller
Fix For: 0.11
Attachments: Issue.java
An eventlistener that registered on modificaitons in a branch, doesn't get
notified if a Noder.orderBefore happend.
This is irespective of the Event types or filteres that are applied upon
event-listener registration.
--
This message was sent by Atlassian JIRA
(v6.1#6144)
[jira] [Resolved] (OAK-1090) Event-listener not notified on Node.orderBefore
[ https://issues.apache.org/jira/browse/OAK-1090?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Michael Dürig resolved OAK-1090. Resolution: Fixed Fix Version/s: 0.11 Assignee: Michael Dürig Event-listener not notified on Node.orderBefore Key: OAK-1090 URL: https://issues.apache.org/jira/browse/OAK-1090 Project: Jackrabbit Oak Issue Type: Bug Components: core, jcr Affects Versions: 0.9 Reporter: Christan Keller Assignee: Michael Dürig Fix For: 0.11 Attachments: Issue.java An eventlistener that registered on modificaitons in a branch, doesn't get notified if a Noder.orderBefore happend. This is irespective of the Event types or filteres that are applied upon event-listener registration. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Resolved] (OAK-1144) Avoid wrapping TreePermission into SecurityContext
[ https://issues.apache.org/jira/browse/OAK-1144?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] angela resolved OAK-1144. - Resolution: Fixed created OAK-1146 to deal with the equals/hashcode on SecurityNodeState and TreePermission (former SecurityContext) Avoid wrapping TreePermission into SecurityContext -- Key: OAK-1144 URL: https://issues.apache.org/jira/browse/OAK-1144 Project: Jackrabbit Oak Issue Type: Improvement Components: core Reporter: angela Assignee: angela Priority: Minor Attachments: OAK-1144.patch as suggested on the mailing list we may want to drop the extra security context (see http://markmail.org/message/75msw25wkicy6bdu) -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Updated] (OAK-1147) SecureNodeBuilder/SecureNodeState: Consider using 'TreePermission#canReadProperties'
[ https://issues.apache.org/jira/browse/OAK-1147?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] angela updated OAK-1147: Attachment: OAK-1147.patch SecureNodeBuilder/SecureNodeState: Consider using 'TreePermission#canReadProperties' Key: OAK-1147 URL: https://issues.apache.org/jira/browse/OAK-1147 Project: Jackrabbit Oak Issue Type: Improvement Reporter: angela Assignee: angela Attachments: OAK-1147.patch the methods #getProperties and #getPropertyCount have a shortcut for those cases where all properties are accessible. however, the current implemention requires SecurityContext#canReadAll to return true in order to enable the shortcut. without knowing the very details of the SecureNodeState/Builder i would have expected that #canReadAllProperties would be sufficient. [~jukkaz], do you remember what was the reason for using #canReadAll here? i changed it for test purpose and didn't see any difference... but that may also imply that we don't have enough or specific tests for this. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-1147) SecureNodeBuilder/SecureNodeState: Consider using 'TreePermission#canReadProperties'
[ https://issues.apache.org/jira/browse/OAK-1147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13814036#comment-13814036 ] angela commented on OAK-1147: - patch replacing #canReadAll by #canReadProperites and removing the extra check for accessibility of the nodestate itself (note that with #getProperty and #hasProperty this isn't enforced either). SecureNodeBuilder/SecureNodeState: Consider using 'TreePermission#canReadProperties' Key: OAK-1147 URL: https://issues.apache.org/jira/browse/OAK-1147 Project: Jackrabbit Oak Issue Type: Improvement Reporter: angela Assignee: angela Attachments: OAK-1147.patch the methods #getProperties and #getPropertyCount have a shortcut for those cases where all properties are accessible. however, the current implemention requires SecurityContext#canReadAll to return true in order to enable the shortcut. without knowing the very details of the SecureNodeState/Builder i would have expected that #canReadAllProperties would be sufficient. [~jukkaz], do you remember what was the reason for using #canReadAll here? i changed it for test purpose and didn't see any difference... but that may also imply that we don't have enough or specific tests for this. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-1147) SecureNodeBuilder/SecureNodeState: Consider using 'TreePermission#canReadProperties'
[
https://issues.apache.org/jira/browse/OAK-1147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13814037#comment-13814037
]
Jukka Zitting commented on OAK-1147:
I would expect {{canReadAllProperties()}} to check also for readability of the
node, i.e. {{canRead()}}, as the all-properties check is only needed for
listing (or counting) properties, which both depend on the readability of the
containing node.
SecureNodeBuilder/SecureNodeState: Consider using
'TreePermission#canReadProperties'
Key: OAK-1147
URL: https://issues.apache.org/jira/browse/OAK-1147
Project: Jackrabbit Oak
Issue Type: Improvement
Reporter: angela
Assignee: angela
Attachments: OAK-1147.patch
the methods #getProperties and #getPropertyCount have a shortcut for those
cases where all properties are accessible.
however, the current implemention requires SecurityContext#canReadAll to
return true in order to enable the shortcut. without knowing the very details
of the SecureNodeState/Builder i would have expected that
#canReadAllProperties would be sufficient.
[~jukkaz], do you remember what was the reason for using #canReadAll here? i
changed it for test purpose and didn't see any difference... but that may
also imply that we don't have enough or specific tests for this.
--
This message was sent by Atlassian JIRA
(v6.1#6144)
[jira] [Commented] (OAK-1147) SecureNodeBuilder/SecureNodeState: Consider using 'TreePermission#canReadProperties'
[
https://issues.apache.org/jira/browse/OAK-1147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13814038#comment-13814038
]
Jukka Zitting commented on OAK-1147:
... perhaps the check should be renamed to {{canListAllProperties()}} to better
match the use case.
SecureNodeBuilder/SecureNodeState: Consider using
'TreePermission#canReadProperties'
Key: OAK-1147
URL: https://issues.apache.org/jira/browse/OAK-1147
Project: Jackrabbit Oak
Issue Type: Improvement
Reporter: angela
Assignee: angela
Attachments: OAK-1147.patch
the methods #getProperties and #getPropertyCount have a shortcut for those
cases where all properties are accessible.
however, the current implemention requires SecurityContext#canReadAll to
return true in order to enable the shortcut. without knowing the very details
of the SecureNodeState/Builder i would have expected that
#canReadAllProperties would be sufficient.
[~jukkaz], do you remember what was the reason for using #canReadAll here? i
changed it for test purpose and didn't see any difference... but that may
also imply that we don't have enough or specific tests for this.
--
This message was sent by Atlassian JIRA
(v6.1#6144)
[jira] [Commented] (OAK-1147) SecureNodeBuilder/SecureNodeState: Consider using 'TreePermission#canReadProperties'
[
https://issues.apache.org/jira/browse/OAK-1147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13814044#comment-13814044
]
angela commented on OAK-1147:
-
ok... but the counting method didn't test for the readability of the node. and
nor does getProperty/hasProperty.
as far as the implementation is concerned: it's really simplistic and in fact
only return true for {{#canReadProperties}} if the entry also defines the
read-access for the tree itself.
so far i don't have any strong feeling for either way as long as it is
consistent across all property access.
SecureNodeBuilder/SecureNodeState: Consider using
'TreePermission#canReadProperties'
Key: OAK-1147
URL: https://issues.apache.org/jira/browse/OAK-1147
Project: Jackrabbit Oak
Issue Type: Improvement
Reporter: angela
Assignee: angela
Attachments: OAK-1147.patch
the methods #getProperties and #getPropertyCount have a shortcut for those
cases where all properties are accessible.
however, the current implemention requires SecurityContext#canReadAll to
return true in order to enable the shortcut. without knowing the very details
of the SecureNodeState/Builder i would have expected that
#canReadAllProperties would be sufficient.
[~jukkaz], do you remember what was the reason for using #canReadAll here? i
changed it for test purpose and didn't see any difference... but that may
also imply that we don't have enough or specific tests for this.
--
This message was sent by Atlassian JIRA
(v6.1#6144)
[jira] [Commented] (OAK-869) Runtime exception while adding node
[ https://issues.apache.org/jira/browse/OAK-869?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13814051#comment-13814051 ] angela commented on OAK-869: hasn't this issue been fixed in the mean time? Runtime exception while adding node --- Key: OAK-869 URL: https://issues.apache.org/jira/browse/OAK-869 Project: Jackrabbit Oak Issue Type: Bug Components: jcr Reporter: Antonio Sanso Attachments: AddChildTest.java Trying to add a node where the user has not read permission ends up in a runtime exception java.lang.IllegalStateException: This tree does not exist at com.google.common.base.Preconditions.checkState(Preconditions.java:149) at org.apache.jackrabbit.oak.core.TreeImpl.checkExists(TreeImpl.java:453) at org.apache.jackrabbit.oak.core.TreeImpl.setProperty(TreeImpl.java:347) at org.apache.jackrabbit.oak.jcr.delegate.NodeDelegate.internalAddChild(NodeDelegate.java:508) at org.apache.jackrabbit.oak.jcr.delegate.NodeDelegate.addChild(NodeDelegate.java:462) at org.apache.jackrabbit.oak.jcr.NodeImpl$5.perform(NodeImpl.java:256) at org.apache.jackrabbit.oak.jcr.NodeImpl$5.perform(NodeImpl.java:1) at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.perform(SessionDelegate.java:97) at org.apache.jackrabbit.oak.jcr.ItemImpl.perform(ItemImpl.java:95) at org.apache.jackrabbit.oak.jcr.NodeImpl.addNode(NodeImpl.java:217) at org.apache.jackrabbit.oak.jcr.NodeImpl.addNode(NodeImpl.java:203) at org.apache.jackrabbit.oak.benchmark.AddChildTest.runTest(AddChildTest.java:71) at org.apache.jackrabbit.oak.benchmark.AbstractTest.execute(AbstractTest.java:146) at org.apache.jackrabbit.oak.benchmark.AddChildTest.execute(AddChildTest.java:1) at org.apache.jackrabbit.oak.benchmark.AbstractTest.runTest(AbstractTest.java:115) at org.apache.jackrabbit.oak.benchmark.AbstractTest.run(AbstractTest.java:84) at org.apache.jackrabbit.oak.benchmark.AddChildTest.run(AddChildTest.java:1) at org.apache.jackrabbit.oak.benchmark.BenchmarkRunner.main(BenchmarkRunner.java:114) It would be better to have a checked excpetion instead e.g. javax.jcr.AccessDeniedException I will attach test to reproduce the issue -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-869) Runtime exception while adding node
[
https://issues.apache.org/jira/browse/OAK-869?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13814056#comment-13814056
]
Michael Dürig commented on OAK-869:
---
It certainly seems so. At least
{{org.apache.jackrabbit.oak.jcr.security.authorization.WriteTest#testWriteOnParentWithNoReadePriv}}
passes now for me. We should probably remove the {{@Ignore}} and resolve this
issue.
Runtime exception while adding node
---
Key: OAK-869
URL: https://issues.apache.org/jira/browse/OAK-869
Project: Jackrabbit Oak
Issue Type: Bug
Components: jcr
Reporter: Antonio Sanso
Attachments: AddChildTest.java
Trying to add a node where the user has not read permission ends up in a
runtime exception
java.lang.IllegalStateException: This tree does not exist
at
com.google.common.base.Preconditions.checkState(Preconditions.java:149)
at
org.apache.jackrabbit.oak.core.TreeImpl.checkExists(TreeImpl.java:453)
at
org.apache.jackrabbit.oak.core.TreeImpl.setProperty(TreeImpl.java:347)
at
org.apache.jackrabbit.oak.jcr.delegate.NodeDelegate.internalAddChild(NodeDelegate.java:508)
at
org.apache.jackrabbit.oak.jcr.delegate.NodeDelegate.addChild(NodeDelegate.java:462)
at org.apache.jackrabbit.oak.jcr.NodeImpl$5.perform(NodeImpl.java:256)
at org.apache.jackrabbit.oak.jcr.NodeImpl$5.perform(NodeImpl.java:1)
at
org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.perform(SessionDelegate.java:97)
at org.apache.jackrabbit.oak.jcr.ItemImpl.perform(ItemImpl.java:95)
at org.apache.jackrabbit.oak.jcr.NodeImpl.addNode(NodeImpl.java:217)
at org.apache.jackrabbit.oak.jcr.NodeImpl.addNode(NodeImpl.java:203)
at
org.apache.jackrabbit.oak.benchmark.AddChildTest.runTest(AddChildTest.java:71)
at
org.apache.jackrabbit.oak.benchmark.AbstractTest.execute(AbstractTest.java:146)
at
org.apache.jackrabbit.oak.benchmark.AddChildTest.execute(AddChildTest.java:1)
at
org.apache.jackrabbit.oak.benchmark.AbstractTest.runTest(AbstractTest.java:115)
at
org.apache.jackrabbit.oak.benchmark.AbstractTest.run(AbstractTest.java:84)
at
org.apache.jackrabbit.oak.benchmark.AddChildTest.run(AddChildTest.java:1)
at
org.apache.jackrabbit.oak.benchmark.BenchmarkRunner.main(BenchmarkRunner.java:114)
It would be better to have a checked excpetion instead e.g.
javax.jcr.AccessDeniedException
I will attach test to reproduce the issue
--
This message was sent by Atlassian JIRA
(v6.1#6144)
[jira] [Commented] (OAK-869) Runtime exception while adding node
[ https://issues.apache.org/jira/browse/OAK-869?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13814066#comment-13814066 ] angela commented on OAK-869: hm... it still fails... Runtime exception while adding node --- Key: OAK-869 URL: https://issues.apache.org/jira/browse/OAK-869 Project: Jackrabbit Oak Issue Type: Bug Components: jcr Reporter: Antonio Sanso Attachments: AddChildTest.java Trying to add a node where the user has not read permission ends up in a runtime exception java.lang.IllegalStateException: This tree does not exist at com.google.common.base.Preconditions.checkState(Preconditions.java:149) at org.apache.jackrabbit.oak.core.TreeImpl.checkExists(TreeImpl.java:453) at org.apache.jackrabbit.oak.core.TreeImpl.setProperty(TreeImpl.java:347) at org.apache.jackrabbit.oak.jcr.delegate.NodeDelegate.internalAddChild(NodeDelegate.java:508) at org.apache.jackrabbit.oak.jcr.delegate.NodeDelegate.addChild(NodeDelegate.java:462) at org.apache.jackrabbit.oak.jcr.NodeImpl$5.perform(NodeImpl.java:256) at org.apache.jackrabbit.oak.jcr.NodeImpl$5.perform(NodeImpl.java:1) at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.perform(SessionDelegate.java:97) at org.apache.jackrabbit.oak.jcr.ItemImpl.perform(ItemImpl.java:95) at org.apache.jackrabbit.oak.jcr.NodeImpl.addNode(NodeImpl.java:217) at org.apache.jackrabbit.oak.jcr.NodeImpl.addNode(NodeImpl.java:203) at org.apache.jackrabbit.oak.benchmark.AddChildTest.runTest(AddChildTest.java:71) at org.apache.jackrabbit.oak.benchmark.AbstractTest.execute(AbstractTest.java:146) at org.apache.jackrabbit.oak.benchmark.AddChildTest.execute(AddChildTest.java:1) at org.apache.jackrabbit.oak.benchmark.AbstractTest.runTest(AbstractTest.java:115) at org.apache.jackrabbit.oak.benchmark.AbstractTest.run(AbstractTest.java:84) at org.apache.jackrabbit.oak.benchmark.AddChildTest.run(AddChildTest.java:1) at org.apache.jackrabbit.oak.benchmark.BenchmarkRunner.main(BenchmarkRunner.java:114) It would be better to have a checked excpetion instead e.g. javax.jcr.AccessDeniedException I will attach test to reproduce the issue -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Comment Edited] (OAK-869) Runtime exception while adding node
[ https://issues.apache.org/jira/browse/OAK-869?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13814066#comment-13814066 ] angela edited comment on OAK-869 at 11/5/13 5:42 PM: - hm... it still fails, when removing it from the exclusion list in oak-jcr/pom.xml was (Author: anchela): hm... it still fails... Runtime exception while adding node --- Key: OAK-869 URL: https://issues.apache.org/jira/browse/OAK-869 Project: Jackrabbit Oak Issue Type: Bug Components: jcr Reporter: Antonio Sanso Attachments: AddChildTest.java Trying to add a node where the user has not read permission ends up in a runtime exception java.lang.IllegalStateException: This tree does not exist at com.google.common.base.Preconditions.checkState(Preconditions.java:149) at org.apache.jackrabbit.oak.core.TreeImpl.checkExists(TreeImpl.java:453) at org.apache.jackrabbit.oak.core.TreeImpl.setProperty(TreeImpl.java:347) at org.apache.jackrabbit.oak.jcr.delegate.NodeDelegate.internalAddChild(NodeDelegate.java:508) at org.apache.jackrabbit.oak.jcr.delegate.NodeDelegate.addChild(NodeDelegate.java:462) at org.apache.jackrabbit.oak.jcr.NodeImpl$5.perform(NodeImpl.java:256) at org.apache.jackrabbit.oak.jcr.NodeImpl$5.perform(NodeImpl.java:1) at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.perform(SessionDelegate.java:97) at org.apache.jackrabbit.oak.jcr.ItemImpl.perform(ItemImpl.java:95) at org.apache.jackrabbit.oak.jcr.NodeImpl.addNode(NodeImpl.java:217) at org.apache.jackrabbit.oak.jcr.NodeImpl.addNode(NodeImpl.java:203) at org.apache.jackrabbit.oak.benchmark.AddChildTest.runTest(AddChildTest.java:71) at org.apache.jackrabbit.oak.benchmark.AbstractTest.execute(AbstractTest.java:146) at org.apache.jackrabbit.oak.benchmark.AddChildTest.execute(AddChildTest.java:1) at org.apache.jackrabbit.oak.benchmark.AbstractTest.runTest(AbstractTest.java:115) at org.apache.jackrabbit.oak.benchmark.AbstractTest.run(AbstractTest.java:84) at org.apache.jackrabbit.oak.benchmark.AddChildTest.run(AddChildTest.java:1) at org.apache.jackrabbit.oak.benchmark.BenchmarkRunner.main(BenchmarkRunner.java:114) It would be better to have a checked excpetion instead e.g. javax.jcr.AccessDeniedException I will attach test to reproduce the issue -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (OAK-1126) Same node and property name support
[ https://issues.apache.org/jira/browse/OAK-1126?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=13814069#comment-13814069 ] angela commented on OAK-1126: - [~gschneck] thanks for the hint. very helpful, indeed. Same node and property name support --- Key: OAK-1126 URL: https://issues.apache.org/jira/browse/OAK-1126 Project: Jackrabbit Oak Issue Type: Sub-task Components: core, doc, jcr Reporter: Tobias Bocanegra Attachments: 0001-OAK-1126-Same-node-and-property-name-support.patch, 0002-OAK-1126-Same-node-and-property-name-support.patch, OAK-1126.patch The initial MK abstraction mandated that the nodes and properties share the same namespace (http://wiki.apache.org/jackrabbit/RepositoryMicroKernel#Data%20Model). This is a regression from Jackrabbit 2.x, which supports same name nodes and properties (SNNP). OTOH, the NodeStores can easily support SNNP and with proper escaping, the MKs can also support it. We should try to keep the support for SNNP in order to keep backward compatibility for existing content, and also keep the support for importing XML documents with same attribute and element names. -- This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Resolved] (OAK-1146) Remove equals/hashcode on SecureNodeState and TreePermissionImpl
[ https://issues.apache.org/jira/browse/OAK-1146?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] angela resolved OAK-1146. - Resolution: Fixed Committed revision 1539087. see jukkas comment on OAK-1144 regarding possible performance impact and how this should be addressed. Remove equals/hashcode on SecureNodeState and TreePermissionImpl Key: OAK-1146 URL: https://issues.apache.org/jira/browse/OAK-1146 Project: Jackrabbit Oak Issue Type: Improvement Components: core Reporter: angela Assignee: angela follow up issue for OAK-1144: as suggested by jukka we may want to remove the equals methods from SecureNodeState and TreePermissionImpl. -- This message was sent by Atlassian JIRA (v6.1#6144)
