Added: jackrabbit/site/live/oak/docs/differences_principal.html URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/differences_principal.html?rev=1541089&view=auto ============================================================================== --- jackrabbit/site/live/oak/docs/differences_principal.html (added) +++ jackrabbit/site/live/oak/docs/differences_principal.html Tue Nov 12 14:38:57 2013 @@ -0,0 +1,419 @@ + + + + + + + + + Jackrabbit Oak - + + + + + + + + + + + + + + + + + + Fork me on GitHub + + + + + + + + + +
+ + + + + +
+
+ +
+ + +
+ +
+
+

Principal Management : Differences wrt Jackrabbit 2.x

+
+

1. Characteristics of the Principal Management Implementation

+

The default implementation of the principal management API basically corresponds to the default in Jackrabbit 2.x and is based on the user management implementation. Note however, that as of OAK only a single principal provider is exposed on the SPI level (used to be multiple principal providers with the LoginModule configuration in Jackrabbit 2.x). See the configuration section below for details.

+
+

2. API Extensions

+ +
    + +
  • PrincipalProvider [0]: SPI level access to principals known to the repository which is also used by the default implementation of the PrincipalManager interface. This interface replaces the internal PrincipalProvider interface present in Jackrabbit 2.x. Note, that principals from different sources can be supported by using CompositePrincipalProvider [1] or a similar implementation that proxies different sources.
  • +
+
+
Special Principals
+ +
    + +
  • AdminPrincipal: Marker interface to identify the principal associated with administrative user(s) [2].
  • + +
  • EveryonePrincipal: built-in group principal implementation that has every other valid principal as member [3].
  • + +
  • SystemPrincipal: built-in principal implementation to mark system internal subjects [4].
  • +
+
+

3. Configuration

+
+
PrincipalConfiguration [5]:
+ +
    + +
  • getPrincipalManager -> returns a new instance of o.a.j.api.security.principal.PrincipalManager [6] (see also JackrabbitSession#getPrincipalManager()
  • + +
  • getPrincipalProvider -> returns a new instance of principal provider. Note, that in contrast to Jackrabbit 2.x the system may only have one single principal provider implementation configured. In order to combine principals from different sources a implementation that properly handles the different sources is required; the CompositePrincipalProvider [1] is an example that combines multiple implementations.
  • +
+
+
+
+
+ +
+ + + + \ No newline at end of file Propchange: jackrabbit/site/live/oak/docs/differences_principal.html ------------------------------------------------------------------------------ svn:eol-style = native Added: jackrabbit/site/live/oak/docs/differences_privileges.html URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/differences_privileges.html?rev=1541089&view=auto ============================================================================== --- jackrabbit/site/live/oak/docs/differences_privileges.html (added) +++ jackrabbit/site/live/oak/docs/differences_privileges.html Tue Nov 12 14:38:57 2013 @@ -0,0 +1,510 @@ + + + + + + + + + Jackrabbit Oak - + + + + + + + + + + + + + + + + + + Fork me on GitHub + + + + + + + + + +
+ + + + + +
+
+ +
+ + +
+ +
+
+

Privilege Management : Differences wrt Jackrabbit 2.x

+
+

1. Characteristics of the Privilege Management Implementation

+
+
General Notes
+

As of OAK the built-in and custom privileges are stored in the repository underneath /jcr:system/rep:privileges. Similar to other repository level date (node types, namespaces and versions) this location is shared by all workspaces present in the repository. The nodes and properties storing the privilege definitions are protected by their node type definition. In addition a specific privilege Validator and CommitHook implementations assert the consistency of the privilege store. The built-in privileges are installed using a dedicated implementation of the RepositoryInitializer [0].

+
+
Registration of Custom Privileges
+

As far as registration of custom privileges the OAK implementation behaves different to Jackrabbit 2.x in the following aspects: - Registration of new privileges fails with IllegalStateException if the editing session has pending changes. - Any validation is performed by CommitHooks in order to make sure that modifications made on the OAK API directly is equally verified. Subsequently any violation (permission, privilege consistency) is only detected at the end of the registration process. The privilege manager itself does not perform any validation.

+
+

2. Built-in Privilege Definitions

+ +
    + +
  • All Privileges as defined by JSR 283 + +
      + +
    • jcr:read
    • + +
    • jcr:modifyProperties
    • + +
    • jcr:addChildNodes
    • + +
    • jcr:removeNode
    • + +
    • jcr:removeChildNodes
    • + +
    • jcr:readAccessControl
    • + +
    • jcr:modifyAccessControl
    • + +
    • jcr:lockManagement
    • + +
    • jcr:versionManagement
    • + +
    • jcr:nodeTypeManagement
    • + +
    • jcr:retentionManagement (NOTE: retention management not yet implemented)
    • + +
    • jcr:lifecycleManagement (NOTE: lifecycle management not yet implemented)
    • + +
    • jcr:write
    • + +
    • jcr:all
    • +
  • +
+ +
    + +
  • All Privileges defined by JSR 333 + +
      + +
    • jcr:workspaceManagement (NOTE: wsp management not yet implemented)
    • + +
    • jcr:nodeTypeDefinitionManagement
    • + +
    • jcr:namespaceManagement
    • +
  • +
+ +
    + +
  • All Privileges defined by Jackrabbit 2.x + +
      + +
    • rep:write
    • + +
    • rep:privilegeManagement
    • +
  • +
+ +
    + +
  • New Privileges defined by OAK 1.0: + +
      + +
    • rep:userManagement
    • + +
    • rep:readNodes
    • + +
    • rep:readProperties
    • + +
    • rep:addProperties
    • + +
    • rep:alterProperties
    • + +
    • rep:removeProperties
    • +
  • +
+

Note the following differences with respect to Jackrabbit 2.x definitions: - jcr:read is now an aggregation of rep:readNodes and rep:readProperties - jcr:modifyProperties is now an aggregation of rep:addProperties, rep:alterProperties and rep:removeProperties

+
+

3. Node Type Definitions

+

The following privilege related built-in node types have been added in OAK 1.0. They are used to represent built-in and custom privilege definitions in the repository.

+ +
+
[rep:Privileges]
+  + * (rep:Privilege) = rep:Privilege protected ABORT
+  - rep:next (LONG) protected multiple mandatory
+
+[rep:Privilege]
+  - rep:isAbstract (BOOLEAN) protected
+  - rep:aggregates (NAME) protected multiple
+  - rep:bits (LONG) protected multiple mandatory
+
+
+

4. API Extensions

+

org.apache.jackrabbit.oak.spi.security.privilege

+ +
    + +
  • PrivilegeBitsProvider : Provider implementation to read PrivilegeBits from the repository content and map names to internal representation (and vice versa) [2].
  • + +
  • PrivilegeBits: Internal representation of JCR privileges [3].
  • +
+
+

5. Configuration

+
+
PrivilegeConfiguration [1]:
+ +
    + +
  • getPrivilegeManager -> returns a new instance of the PrivilegeManager interface such as exposed by JackrabbitWorkspace#getPrivilegeManager. Note that the default implementation is based on OAK API and can equally be used for privilege related tasks in the OAK layer.
  • +
+
+
+
+
+ +
+ + + + \ No newline at end of file Propchange: jackrabbit/site/live/oak/docs/differences_privileges.html ------------------------------------------------------------------------------ svn:eol-style = native Added: jackrabbit/site/live/oak/docs/differences_user.html URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/differences_user.html?rev=1541089&view=auto ============================================================================== --- jackrabbit/site/live/oak/docs/differences_user.html (added) +++ jackrabbit/site/live/oak/docs/differences_user.html Tue Nov 12 14:38:57 2013 @@ -0,0 +1,380 @@ + + + + + + + + + Jackrabbit Oak - + + + + + + + + + + + + + + + + + + Fork me on GitHub + + + + + + + + + +
+ + + + + +
+
+ +
+ + +
+ +
+
+

User Management : Differences wrt Jackrabbit 2.x

+

NOTE: Work in Progress

+

Refer to OAK-791 for a general overview of changes with respect to Jackrabbit 2.

+
+
+
+ +
+ + + + \ No newline at end of file Propchange: jackrabbit/site/live/oak/docs/differences_user.html ------------------------------------------------------------------------------ svn:eol-style = native Modified: jackrabbit/site/live/oak/docs/dos_and_donts.html URL: http://svn.apache.org/viewvc/jackrabbit/site/live/oak/docs/dos_and_donts.html?rev=1541089&r1=1541088&r2=1541089&view=diff ============================================================================== --- jackrabbit/site/live/oak/docs/dos_and_donts.html (original) +++ jackrabbit/site/live/oak/docs/dos_and_donts.html Tue Nov 12 14:38:57 2013 @@ -1,13 +1,13 @@ - + Jackrabbit Oak - @@ -154,7 +154,7 @@
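Review bot: In differences_principal.html, the getPrincipalManager item under "3. Configuration" opens a parenthesis that is never closed: "(see also JackrabbitSession#getPrincipalManager()" needs a final ")". In the getPrincipalProvider item, "a implementation" should read "an implementation". Section 1 ends with "See the configuration section below for details", but section 3 only restates that a single principal provider may be configured. Since that is the main behavioural difference from the Jackrabbit 2.x LoginModule setup, either say in section 3 how several sources are combined through CompositePrincipalProvider, or drop the forward reference.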
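Review bot: In differences_privileges.html, two dash lists come out as running paragraph text instead of lists: under "Registration of Custom Privileges" ("... in the following aspects: - Registration of new privileges fails ...") and in the note after the built-in privilege list ("... Jackrabbit 2.x definitions: - jcr:read is now an aggregation ..."). They should render like the other bullet lists on the page, which probably means separating the first "-" from the preceding sentence in the source. Under "General Notes", "repository level date" should be "repository level data". In the registration paragraph, "behaves different to" and "modifications made on the OAK API directly is equally verified" need fixing ("differently from", "are"). The same paragraph says violations are "only detected at the end of the registration process" and that the privilege manager performs no validation. It names IllegalStateException for the pending-changes case, so it should also say what the caller sees when a CommitHook rejects the registration.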
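Review bot: differences_user.html goes onto the live site with no content beyond "NOTE: Work in Progress" and "Refer to OAK-791 for a general overview of changes with respect to Jackrabbit 2." The principal and privilege pages in this commit document their differences in place, so either hold this page back until it carries at least a short summary of the user management changes, or make sure OAK-791 is rendered as a link to the issue. As in the other two new files, the title reads "Jackrabbit Oak - " with nothing after the dash and the file ends with "\ No newline at end of file"; the per-page title looks unset in the generated output and is worth fixing in the site build rather than in each page.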