Return-Path: X-Original-To: apmail-jackrabbit-oak-dev-archive@minotaur.apache.org Delivered-To: apmail-jackrabbit-oak-dev-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id BF5CEFB02 for ; Mon, 25 Mar 2013 16:46:45 +0000 (UTC) Received: (qmail 42184 invoked by uid 500); 25 Mar 2013 16:46:45 -0000 Delivered-To: apmail-jackrabbit-oak-dev-archive@jackrabbit.apache.org Received: (qmail 42121 invoked by uid 500); 25 Mar 2013 16:46:45 -0000 Mailing-List: contact oak-dev-help@jackrabbit.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: oak-dev@jackrabbit.apache.org Delivered-To: mailing list oak-dev@jackrabbit.apache.org Received: (qmail 42112 invoked by uid 99); 25 Mar 2013 16:46:45 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 25 Mar 2013 16:46:45 +0000 X-ASF-Spam-Status: No, hits=-2.3 required=5.0 tests=RCVD_IN_DNSWL_MED,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of anchela@adobe.com designates 64.18.1.78 as permitted sender) Received: from [64.18.1.78] (HELO exprod6og127.obsmtp.com) (64.18.1.78) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 25 Mar 2013 16:46:38 +0000 Received: from outbound-smtp-1.corp.adobe.com ([192.150.11.134]) by exprod6ob127.postini.com ([64.18.5.12]) with SMTP ID DSNKUVB/WIG/QkOx3PoH3kCqEVeWWc9sDXW/@postini.com; Mon, 25 Mar 2013 09:46:16 PDT Received: from inner-relay-1.corp.adobe.com ([153.32.1.51]) by outbound-smtp-1.corp.adobe.com (8.12.10/8.12.10) with ESMTP id r2PGh61v010574 for ; Mon, 25 Mar 2013 09:43:06 -0700 (PDT) Received: from nacas02.corp.adobe.com (nacas02.corp.adobe.com [10.8.189.100]) by inner-relay-1.corp.adobe.com (8.12.10/8.12.10) with ESMTP id r2PGkAAi014452 for ; Mon, 25 Mar 2013 09:46:13 -0700 (PDT) Received: from eurhub01.eur.adobe.com (10.128.4.30) by nacas02.corp.adobe.com (10.8.189.100) with Microsoft SMTP Server (TLS) id 8.3.298.1; Mon, 25 Mar 2013 09:45:46 -0700 Received: from radius.macromedia.com (10.136.130.145) by eurhub01.eur.adobe.com (10.128.4.111) with Microsoft SMTP Server id 8.3.298.1; Mon, 25 Mar 2013 16:45:44 +0000 Message-ID: <51507F37.6010104@adobe.com> Date: Mon, 25 Mar 2013 17:45:43 +0100 From: Angela Schreiber User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2.18) Gecko/20110616 Thunderbird/3.1.11 MIME-Version: 1.0 To: Subject: Re: "Secure realm" of internal APIs to prevent costly access control lookups References: In-Reply-To: Content-Type: text/plain; charset="ISO-8859-1"; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Checked: Checked by ClamAV on apache.org hi lukas in contrast to jr-core access control mgt and permission evaluation will not be built on top of the JCR stack but be located below the new "SPI" boundary inside oak-core. consequently we no longer have the need for (shared) system session. btw: in jackrabbit-core system sessions already bypasses all kind of access control evaluation. kind regards angela On 3/25/13 4:09 PM, Lukas Eder wrote: > Hello, > > I'm currently looking into extending Jackrabbit's (not OAK's) access > control management, and I found it easy to see how this area is a > significant performance bottleneck for today's Jackrabbit Content > Repository. > > The biggest design and architecture problem, in my opinion, is the > need for a session with associated, hard-coded access control > behaviour. From what I understand so far, there are (possibly > non-exhaustive): > > - System sessions > - Admin sessions > - User sessions > > In my opinion, in OAK, there should be something like a "secure > realm". Once this realm is entered, executing code should get complete > access to all of the repository through standard internal and external > API. For example, such behaviour could be achieved through setting a > ThreadLocal "monitor" in a local execution context as such: > > // Outside of the "secure realm". JCR access goes through access control > T result = secure(new Securable() { > public T run() { > // Inside of the "secure realm". JCR access > // would now bypass access control > } > }); > > And this could be the implementation of secure(): > > private static final ThreadLocal t = new ThreadLocal(); > > // OAK internals could use this to check if access control is needed > public static boolean isSecured() { > return t.get() != null; > } > > public static T secure(Securable s) { > // Already secured > if (isSecured()) { > return s.run(); > } > else { > try { > t.set(true); > return s.run(); > } > finally { > t.remove(); > } > } > } > > Such use of ThreadLocal is smelly and potentially slow, of course. > This is just to illustrate the idea. More realistic use-cases would > probably expose a shareable system session within the "secure realm". > The important thing is that this system session would also bypass > access control. > > Are there any such plans in OAK? > > Cheers > Lukas