jackrabbit-oak-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Michael Dürig <mdue...@apache.org>
Subject Re: oak-api and move operations
Date Tue, 03 Apr 2012 10:16:29 GMT


On 3.4.12 11:08, Angela Schreiber wrote:
> hi jukka
>
>> On Tue, Apr 3, 2012 at 11:23 AM, Angela Schreiber<anchela@adobe.com>
>> wrote:
>>> but please be aware that we need to make sure that we need
>>> to have a separate layer in place that enforces authorization
>>> and prevents direct write operations on the MK from higher
>>> levels... or the other way round: if we expose the MK to
>>> higher levels we have to move both the complete authentication and
>>> authorization process on the MK layer, which would look quite
>>> wrong to me.
>>
>> The "private branch" concept is just that, "private". Anything written
>> to such a branch is not made visible to any other clients, so there
>> should be no need to enforce access controls on it.
>
> well... looking at the current oak-jcr i still see
> revision = microkernel.commit("", changeLog.toJsop(), revision, "");
>
> this means to me that we still don't have a clear separation
> of the different layer as we discussed it multiple times in the
> past.

We are just not there yet. I'm pretty confident we can replace all 
places which directly access the Microkernel with the new API soon.

Michael

>
> if anyone else that the SPI layer has access to the MK this is just
> a completely different setup that requires fundamental changes in
> the way we envision the jr3 security concept.
>
> but maybe i just got sidetracked by the current code in relation
> to that discussion ... i don't mind having extra stuff on the mk-api
> if it fits our needs
>
> kind regards
> angela

Mime
View raw message