jackrabbit-oak-commits mailing list archives

From ang...@apache.org
Subject svn commit: r1593304 - in /jackrabbit/oak/trunk/oak-doc/src/site/markdown/security: accesscontrol.md accesscontrol/differences.md accesscontrol/restriction.md user.md user/authorizableaction.md
Date Thu, 08 May 2014 15:04:57 GMT
Author: angela
Date: Thu May  8 15:04:57 2014
New Revision: 1593304

URL: http://svn.apache.org/r1593304
Log:
OAK-301 : oak docu

Modified:
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/differences.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/restriction.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user.md
    jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/authorizableaction.md

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md?rev=1593304&r1=1593303&r2=1593304&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol.md Thu May  8 15:04:57
2014
@@ -18,8 +18,157 @@
 Access Control
 --------------------------------------------------------------------------------
 
-_TODO_
+### JCR API
 
-### Differences wrt Jackrabbit 2.x
+_todo_
 
-see the corresponding [documentation](../differences_accesscontrol.html).
+
+### Jackrabbit API
+
+_todo_
+
+### Oak API
+
+_todo_
+
+
+### Characteristics of the Default Implementation
+
+#### General
+
+In general the authorization related code in Oak clearly separates between access
+control management (such as defined by the JCR and Jackrabbit API) and the internal
+permission evaluation (see also [Permission Evaluation](differences_permissions.html)).
+
+The default implementation of the access control management corresponds to the
+resource-based implementation present with Jackrabbit 2.x. The former principal-base
+access control management is no longer available but it's functionality has been
+incorporated both in the default ac management implementation and the permission evaluation.
+
+#### Differences wrt Jackrabbit 2.x
+
+see the corresponding [documentation](accesscontrol/differences.html).
+
+#### Resource Based Access Control
+
+_todo_
+
+#### Principal Base Access Control
+
+_todo_
+
+#### Access Control Policies
+
+_todo_
+
+#### Access Control Entries
+
+_todo_
+
+#### Restrictions
+
+see section [Restriction Management](accesscontrol/restriction.html) for details.
+
+
+### Representation in the Repository
+
+The node type definition used to represent access control content:
+
+    [rep:AccessControllable]
+      mixin
+      + rep:policy (rep:Policy) protected IGNORE
+
+    [rep:RepoAccessControllable]
+      mixin
+      + rep:repoPolicy (rep:Policy) protected IGNORE
+
+    [rep:Policy]
+      abstract
+
+    [rep:ACL] > rep:Policy
+      orderable
+      + * (rep:ACE) = rep:GrantACE protected IGNORE
+
+    [rep:ACE]
+      - rep:principalName (STRING) protected mandatory
+      - rep:privileges (NAME) protected mandatory multiple
+      - rep:nodePath (PATH) protected /* deprecated in favor of restrictions */
+      - rep:glob (STRING) protected   /* deprecated in favor of restrictions */
+      - * (UNDEFINED) protected       /* deprecated in favor of restrictions */
+      + rep:restrictions (rep:Restrictions) = rep:Restrictions protected /* since oak 1.0
*/
+
+    [rep:GrantACE] > rep:ACE
+
+    [rep:DenyACE] > rep:ACE
+
+    /**
+     * @since oak 1.0
+     */
+    [rep:Restrictions]
+      - * (UNDEFINED) protected
+      - * (UNDEFINED) protected multiple
+
+
+### XML Import
+
+As of OAK 1.0 access control content can be imported both with Session and
+Workspace import.
+
+In addition the JCR XML import behavior has been extended to respect the
+`o.a.j.oak.spi.xml.ImportBehavior` flags instead of just performing a best effort import.
+
+Currently the `ImportBehavior` is only used to switch between different ways of
+handling principals unknown to the repository. For consistency and in order to
+match the validation requirements as specified by `AccessControlList#addAccessControlEntry`
+the default behavior is ABORT (while in Jackrabbit 2.x the behavior always was BESTEFFORT).
+
+The different `ImportBehavior` flags are implemented as follows:
+- `ABORT`: throws an `AccessControlException` if the principal is unknown
+- `IGNORE`: ignore the entry defining the unknown principal
+- `BESTEFFORT`: import the access control entry with an unknown principal.
+
+In order to get the same best effort behavior as present with Jackrabbit 2.x
+the configuration parameters of the `AuthorizationConfiguration` must contain
+the following entry:
+
+    importBehavior = "besteffort"
+
+See also ([OAK-1350](https://issues.apache.org/jira/browse/OAK-1350)))
+
+
+### API Extensions
+
+_todo_
+
+org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol [1]
+
+- `AbstractAccessControlList`
+- `ImmutableACL`
+- `ACE`
+
+#### Restriction Management
+
+- `RestrictionProvider`:
+- `RestrictionDefinition`
+- `RestrictionPattern`
+- `Restriction`
+
+See [Restriction Management](accesscontrol/restriction.html) for details.
+
+
+### Configuration
+
+The following access control related configuration options are present with the [AuthorizationConfiguration]
as of Oak 1.0:
+
+- `getAccessControlManager`
+- `getRestrictionProvider`
+
+Differences to Jackrabbit 2.x:
+
+- The "omit-default-permission" configuration option present with the Jackrabbit's AccessControlProvider
implementations is no longer supported with Oak.
+- As of OAK no extra access control content is installed by default which renders that flag
superfluous.
+
+
+<!-- hidden references -->
+[1]: http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/
+[AuthorizationConfiguration]: /oak/docs/apidocs/org/apache/jackrabbit/oak/spi/security/authorization/AuthorizationConfiguration.html
\ No newline at end of file
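
Review bot: Under `### API Extensions` the `[1]` marker labels the package `org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol`, but the hidden reference definition for `[1]` points at `.../authorization/restriction/`. The old differences.md in this same commit shows `[1]` and `[2]` with the same swapped targets, so the mismatch appears to have been copied over; point `[1]` at the `accesscontrol/` directory. Smaller points in the same hunk: `See also ([OAK-1350](...)))` has one closing parenthesis too many, "principal-base" and "it's functionality" should read "principal-based" and "its functionality", and the `ImportBehavior` bullets follow "are implemented as follows:" with no blank line in between, which some Markdown parsers will not render as a list.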

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/differences.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/differences.md?rev=1593304&r1=1593303&r2=1593304&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/differences.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/differences.md Thu
May  8 15:04:57 2014
@@ -16,17 +16,7 @@
   -->
 ### AccessControl Management : Differences wrt Jackrabbit 2.x
 
-#### 1. Characteristics of the Default Implementation
-
-##### General
-In general the authorization related code in OAK clearly separates between access
-control management (such as defined by the JCR and Jackrabbit API) and the internal
-permission evaluation (see also [Permission Evaluation](differences_permissions.html)).
-
-The default implementation of the access control management corresponds to the
-resource-based implementation present with Jackrabbit 2.x. The former principal-base
-access control management is no longer available but it's functionality has been
-incorporated both in the default ac management implementation and the permission evaluation.
+#### Characteristics of the Default Implementation
 
 ##### JCR API
 ###### AccessControlManager#hasPrivilege and #getPrivileges
@@ -42,7 +32,7 @@ in Jackrabbit 2.x use to throw an  excep
 
 ###### AccessControlPolicy
 OAK introduces a new type of policy that enforces regular read-access for everyone
-on the trees that hold this new `ReadPolicy` [0]. The main usage of this new policy
+on the trees that hold this new `ReadPolicy` (see [OAK-951]). The main usage of this new
policy
 is to ensure backwards compatible behavior of repository level information (node
 types, namespace, privileges) that are now kept within the content repository.
 In Jackrabbit 2.x this information was stored in the file system without the
@@ -96,78 +86,15 @@ The implementation of the additional res
 
 ##### Import
 
-The import of access control content via JCR XML import has been extended to
-respect the `o.a.j.oak.spi.xml.ImportBehavior` flags instead of just performing
-a best effort import.
-
-Currently the `ImportBehavior` is only used to switch between different ways of
-handling principals unknown to the repository. For consistency and in order to
-match the validation requirements as specified by `AccessControlList#addAccessControlEntry`
-the default behavior is ABORT (while in Jackrabbit 2.x the behavior always was BESTEFFORT).
-
-The different `ImportBehavior` flags are implemented as follows:
-- `ABORT`: throws an `AccessControlException` if the principal is unknown
-- `IGNORE`: ignore the entry defining the unknown principal
-- `BESTEFFORT`: import the access control entry with an unknown principal.
-
-In order to get the same best effort behavior as present with Jackrabbit 2.x
-the configuration parameters of the `AuthorizationConfiguration` must contain
-the following entry:
-
-    importBehavior = "besteffort"
-
-See also ([OAK-1350](https://issues.apache.org/jira/browse/OAK-1350)))
-
-#### 2. Node Types
-
-As mentioned above the node type definitions have been extended to match the new functionality
related to restrictions.
-The node type definition for access control entries:
-
-    [rep:ACE]
-      - rep:principalName (STRING) protected mandatory
-      - rep:privileges (NAME) protected mandatory multiple
-      - rep:nodePath (PATH) protected /* deprecated in favor of restrictions */
-      - rep:glob (STRING) protected   /* deprecated in favor of restrictions */
-      - * (UNDEFINED) protected       /* deprecated in favor of restrictions */
-      + rep:restrictions (rep:Restrictions) = rep:Restrictions protected
-
-The new node type definition for restrictions:
-
-    /**
-     * @since oak 1.0
-     */
-    [rep:Restrictions]
-      - * (UNDEFINED) protected
-      - * (UNDEFINED) protected multiple
-
-#### 3. API Extensions and Public Classes
+* respects `ImportBehavior` for handling of principals instead of just performing best effort
import
+* supports both workspace and import
 
-org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol [1]
-
-- `AbstractAccessControlList`
-- `ImmutableACL`
-- `ACE`
-
-org.apache.jackrabbit.oak.spi.security.authorization.restriction [2]
-
-- `RestrictionProvider`:
-- `RestrictionDefinition`
-- `RestrictionPattern`
-- `Restriction`
-
-#### 4. Configuration
-
-The following access control related configuration options are present with the `AuthorizationConfiguration`
as of OAK 1.0 [3]
-
-- `getAccessControlManager`
-- `getRestrictionProvider`
-
-Differences to Jackrabbit 2.x:
+#### Configuration
 
 - The "omit-default-permission" configuration option present with the Jackrabbit's AccessControlProvider
implementations is no longer supported with Oak.
 - As of OAK no extra access control content is installed by default which renders that flag
superfluous.
 
-#### 5. Important Note
+#### Important Note
 
 The following modification is most likely to have an effect on existing applications:
 
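
Review bot: The added bullet `* supports both workspace and import` under `##### Import` is missing a word. accesscontrol.md in this commit states that access control content can be imported "both with Session and Workspace import", so this should read "supports both Session and Workspace import". The two new bullets also use `*` while the Configuration bullets directly below use `-`; use one list marker throughout the file.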
@@ -177,12 +104,5 @@ The following modification is most likel
   If the new behaviour turns out to be a problem with existing applications we might consider
   adding backward compatible behaviour.
 
-#### 6. References
-
-[0] https://issues.apache.org/jira/browse/OAK-951
-
-[1] http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/
-
-[2] http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/
-
-[3] http://svn.apache.org/repos/asf/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AuthorizationConfiguration.java
+<!-- hidden references -->
+[OAK-951]: https://issues.apache.org/jira/browse/OAK-951

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/restriction.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/restriction.md?rev=1593304&r1=1593303&r2=1593304&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/restriction.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/accesscontrol/restriction.md Thu
May  8 15:04:57 2014
@@ -18,4 +18,32 @@
 Restriction Management
 --------------------------------------------------------------------------------
 
-_todo_
\ No newline at end of file
+### Overview
+
+_todo_
+
+
+### Default Restrictions
+
+The default implementations of the `Restriction` interface are present with
+Oak 1.0:
+
+* `rep:glob`:
+* `rep:ntNames`:
+* `rep:prefixes`:
+
+### Pluggability
+
+_todo_
+
+
+#### Examples
+
+##### Custom RestrictionProvider
+
+_todo_
+
+##### Custom Restriction
+
+_todo_
+
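
Review bot: In `### Default Restrictions` the three bullets (`rep:glob`, `rep:ntNames`, `rep:prefixes`) each end in a colon with nothing after it, so the rendered page will show dangling labels. The lead sentence "The default implementations of the `Restriction` interface are present with Oak 1.0:" also reads as a statement rather than an introduction to the list. Suggest "The following default restrictions are present with Oak 1.0:" and either add a one-line description per entry or drop the colons and mark the descriptions as _todo_ like the other sections.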

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user.md?rev=1593304&r1=1593303&r2=1593304&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user.md Thu May  8 15:04:57 2014
@@ -133,14 +133,6 @@ See also `PARAM_SUPPORT_AUTOSAVE` below;
 application code has been written against the Jackrabbit API (and thus testing if
 auto-save mode is enabled or not) this configuration option can be used as last resort.
 
-#### XML Import
-As of OAK 1.0 user and group nodes can be imported both with Session and Workspace
-import. The difference compare to Jackrabbit 2.x are listed below:
-
-* Importing an authorizable to another tree than the configured user/group node will only
failed upon save (-> see `UserValidator` during the `Root#commit`). With Jackrabbit 2.x
core it used to fail immediately.
-* NEW: The `BestEffort` behavior is now also implemented for the import of impersonators
(was missing in Jackrabbit /2.x).
-* NEW: Workspace Import
-
 
 ### User/Group Representation in the Repository
 
@@ -172,6 +164,15 @@ The following block lists the built-in n
       + * (rep:Members) = rep:Members protected multiple
       - * (WEAKREFERENCE) protected < 'rep:Authorizable'
 
+### XML Import
+As of OAK 1.0 user and group nodes can be imported both with Session and Workspace
+import. The difference compare to Jackrabbit 2.x are listed below:
+
+* Importing an authorizable to another tree than the configured user/group node will only
failed upon save (-> see `UserValidator` during the `Root#commit`). With Jackrabbit 2.x
core it used to fail immediately.
+* NEW: The `BestEffort` behavior is now also implemented for the import of impersonators
(was missing in Jackrabbit /2.x).
+* NEW: Workspace Import
+
+
 
 ### API Extensions
 The Oak project introduces the following user management related public
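
Review bot: The relocated `### XML Import` section is moved verbatim together with its wording errors: "The difference compare to Jackrabbit 2.x are listed below", "will only failed upon save" and "Jackrabbit /2.x". Since these lines are being re-added anyway, correct them to "The differences compared to Jackrabbit 2.x are listed below", "will only fail upon save" and "Jackrabbit 2.x". The hunk also adds two blank lines in front of the existing one before `### API Extensions`; one blank line is enough.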

Modified: jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/authorizableaction.md
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/authorizableaction.md?rev=1593304&r1=1593303&r2=1593304&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/authorizableaction.md (original)
+++ jackrabbit/oak/trunk/oak-doc/src/site/markdown/security/user/authorizableaction.md Thu
May  8 15:04:57 2014
@@ -31,8 +31,8 @@ writing protected items.
 
 ### Default Actions
 
-The default implementations of the `AuthorizableAction` interface present with
-OAK match the implementations available with Jackrabbit 2.x:
+The default implementations of the `AuthorizableAction` interface are present with
+Oak 1.0:
 
 * `AccessControlAction`: set up permission for new authorizables
 * `PasswordAction`: simplistic password verification upon user creation and password modification
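
Review bot: The reworded intro in `### Default Actions`, "The default implementations of the `AuthorizableAction` interface are present with Oak 1.0:", drops the statement that these actions match the implementations available with Jackrabbit 2.x, which is what a migrating reader needs to know. If that still holds, keep it, for example "The following default implementations of the `AuthorizableAction` interface are present with Oak 1.0 and match those available with Jackrabbit 2.x:"; if it no longer holds, state what differs.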


