Return-Path: X-Original-To: apmail-jackrabbit-oak-dev-archive@minotaur.apache.org Delivered-To: apmail-jackrabbit-oak-dev-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 30320FBF8 for ; Wed, 20 Mar 2013 12:53:43 +0000 (UTC) Received: (qmail 7865 invoked by uid 500); 20 Mar 2013 12:53:42 -0000 Delivered-To: apmail-jackrabbit-oak-dev-archive@jackrabbit.apache.org Received: (qmail 7748 invoked by uid 500); 20 Mar 2013 12:53:42 -0000 Mailing-List: contact oak-dev-help@jackrabbit.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: oak-dev@jackrabbit.apache.org Delivered-To: mailing list oak-dev@jackrabbit.apache.org Received: (qmail 7711 invoked by uid 99); 20 Mar 2013 12:53:41 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 20 Mar 2013 12:53:41 +0000 X-ASF-Spam-Status: No, hits=-2.3 required=5.0 tests=RCVD_IN_DNSWL_MED,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of b.vanderschans@1hippo.com designates 64.18.2.18 as permitted sender) Received: from [64.18.2.18] (HELO exprod7og120.obsmtp.com) (64.18.2.18) by apache.org (qpsmtpd/0.29) with SMTP; Wed, 20 Mar 2013 12:53:36 +0000 Received: from mail-ee0-f71.google.com ([74.125.83.71]) (using TLSv1) by exprod7ob120.postini.com ([64.18.6.12]) with SMTP ID DSNKUUmxOmQilEbW0P6tbjkwVJMRCTCWjXJG@postini.com; Wed, 20 Mar 2013 05:53:15 PDT Received: by mail-ee0-f71.google.com with SMTP id t10so2641149eei.6 for ; Wed, 20 Mar 2013 05:53:13 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:x-received:mime-version:in-reply-to:references:from:date :message-id:subject:to:content-type:x-gm-message-state; bh=W2BSjbeur2XwRZ0JqINGFzZIQo0cHgzqqW7h2BH2s2w=; b=NQ9FmgXZGHW2NcEpI3FumgutUU4bexoB+sS3WN+6YdLpz5HtVH4fWIjHuNKrgqh4vX CK8oAY4bmykAO01l1QyhPWIMUpbgTpdSSnqdeljIuzOOfS7XApsuOe09Yti6RlFqiy1B HrmicyiXp39hwlth2VvPC9kpCgneO+iLpvFPZxwQJll7Z4klWhfO6MOb9gn9nUeSqNfL ZxbdMcpEOLV8Lo91ZnpRbq0VmCwhZPV2cBsQ6TAy28gV+tJ2xeK3CE+beesEMelguzyC qtbQzoGVxIPH2UminYrkZFKgQysNJ3sFXN2MkgRMSAtffsj64u4LzKYuqv7Q4MIjLTiX FfUA== X-Received: by 10.152.48.113 with SMTP id k17mr5303308lan.29.1363783993020; Wed, 20 Mar 2013 05:53:13 -0700 (PDT) X-Received: by 10.152.48.113 with SMTP id k17mr5303292lan.29.1363783992763; Wed, 20 Mar 2013 05:53:12 -0700 (PDT) MIME-Version: 1.0 Received: by 10.220.157.67 with HTTP; Wed, 20 Mar 2013 05:52:52 -0700 (PDT) In-Reply-To: References: From: Bart van der Schans Date: Wed, 20 Mar 2013 13:52:52 +0100 Message-ID: Subject: Re: NodeStates and security (Re: svn commit: r1458234 - in /jackrabbit/oak/trunk: oak-core/src/main/java/org/apache/jackrabbit/oak/core/ oak-core/src/main/java/org/apache/jackrabbit/oak/kernel/ oak-core/src/main/java/org/apache/jackrabbit/oak/plugins/version/ oak-core/src/main/java/o) To: oak-dev@jackrabbit.apache.org Content-Type: text/plain; charset=UTF-8 X-Gm-Message-State: ALoCoQlpDb/XjNjUaWyBeLb5iuLdQeAaJrrRKfoE8w7L51bJ+Kgp4nUeBnzUqn5cipA+dZ4LCBfDTOeCCCCOcAerrp+x11BTwiVjSnJvkuS915BFrHi3+txfViHy4FyU8MRffCWbob/WKOhOFYJHit2CM7u3K3F8eOHClkdh6dwC+gOVLt1jtcg= X-Virus-Checked: Checked by ClamAV on apache.org On Wed, Mar 20, 2013 at 1:11 PM, Jukka Zitting wrote: > Hi, > > On Wed, Mar 20, 2013 at 1:34 PM, Bart van der Schans > wrote: >> This is a quite problematic use-case. > > Depends on your point of view. The way I see it, the scenario is > equivalent to a Unix directory with the execute bit set but the read > bit cleared. I don't think there is currently an equivalent of that permission set for JCR. Of course we can introduce it and if we want to go the "unix way" of permissions we might also want to consider (some of) the extended attributes features. >> Consider the a structure like: >> /A/B/C/D >> >> And a user that is not allowed to read node C and has read/write >> permissions on all other nodes. The view of that user would be two >> "subtrees": >> /A/B >> /D > > The Unix scenario, and the way it's currently implemented in > Jackrabbit and planned for Oak, is different. The user would be able > to access the following nodes: > > /A > /A/B > /A/B/C/D > > The user can of course deduce the presence of node /A/B/C from the > above, but any attempt to directly read the node would result in an > error. Isn't the idea in jcr that if you are not allowed to read a node that you shouldn't be able to to deduce it's existence? For example you get an itemnotfoundexception if you try to access a node to which you don't have read permissions. If you allow the user to see the full path you implicitly grant read permissions to the node (but maybe not it's children or properties) >> Now the user tries to move node B below D, aka: > > With the above approach this would in any case fail, regardless of > access controls. Yes of course. But if you can't read/see the intermediary node it's hard to detect this case in the session itself. The save will still fail of course although the user might not have a clue why. So basically we have a few implementation choices here for this case: 1. introduce permissions to mimic the unix behavior of "+x -rw" (which would also could allow for -xrw and would disallow reads on child nodes as well) 2. require read access to all parent nodes to allow read access to a node 3. allow implicit read access to all parent nodes (for example by path discovery), but not allow read permissions to its' properties 4. don't allow path discovery or "deducing" that the non readable node exist. Regards, Bart