From oak-issues-return-68072-archive-asf-public=cust-asf.ponee.io@jackrabbit.apache.org Tue Feb 5 09:55:07 2019 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx-eu-01.ponee.io (Postfix) with SMTP id B059018067C for ; Tue, 5 Feb 2019 10:55:06 +0100 (CET) Received: (qmail 83614 invoked by uid 500); 5 Feb 2019 09:55:05 -0000 Mailing-List: contact oak-issues-help@jackrabbit.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: oak-dev@jackrabbit.apache.org Delivered-To: mailing list oak-issues@jackrabbit.apache.org Received: (qmail 83597 invoked by uid 99); 5 Feb 2019 09:55:05 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd4-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 05 Feb 2019 09:55:05 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd4-us-west.apache.org (ASF Mail Server at spamd4-us-west.apache.org) with ESMTP id 5ACA0C28AE for ; Tue, 5 Feb 2019 09:55:05 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd4-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: -109.501 X-Spam-Level: X-Spam-Status: No, score=-109.501 tagged_above=-999 required=6.31 tests=[ENV_AND_HDR_SPF_MATCH=-0.5, KAM_ASCII_DIVIDERS=0.8, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, USER_IN_DEF_SPF_WL=-7.5, USER_IN_WHITELIST=-100] autolearn=disabled Received: from mx1-lw-us.apache.org ([10.40.0.8]) by localhost (spamd4-us-west.apache.org [10.40.0.11]) (amavisd-new, port 10024) with ESMTP id 5aO_55-G9Cc4 for ; Tue, 5 Feb 2019 09:55:03 +0000 (UTC) Received: from mailrelay1-us-west.apache.org (mailrelay1-us-west.apache.org [209.188.14.139]) by mx1-lw-us.apache.org (ASF Mail Server at mx1-lw-us.apache.org) with ESMTP id 2C2A55FD5D for ; Tue, 5 Feb 2019 09:55:02 +0000 (UTC) Received: from jira-lw-us.apache.org (unknown [207.244.88.139]) by mailrelay1-us-west.apache.org (ASF Mail Server at mailrelay1-us-west.apache.org) with ESMTP id 91F71E26F1 for ; Tue, 5 Feb 2019 09:55:01 +0000 (UTC) Received: from jira-lw-us.apache.org (localhost [127.0.0.1]) by jira-lw-us.apache.org (ASF Mail Server at jira-lw-us.apache.org) with ESMTP id B4CA92441E for ; Tue, 5 Feb 2019 09:55:00 +0000 (UTC) Date: Tue, 5 Feb 2019 09:55:00 +0000 (UTC) From: "Thomas Mueller (JIRA)" To: oak-issues@jackrabbit.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Reopened] (OAK-7997) Adding restrictions to ACLs yields empty results for queries in Jackrabbit Oak MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/OAK-7997?page=3Dcom.atlassian.= jira.plugin.system.issuetabpanels:all-tabpanel ] Thomas Mueller reopened OAK-7997: --------------------------------- Reopening because some changes seem a bit risky to me (possibly a bug / har= d to maintain).=20 [SelectorImpl.java|http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-co= re/src/main/java/org/apache/jackrabbit/oak/query/ast/SelectorImpl.java?r1= =3D1852758&r2=3D1852757&pathrev=3D1852758] {noformat} + private LazyValue lastReadOnlyTree; ... + private LazyValue getReadOnlyTree(@NotNull String path) { + if (lastReadOnlyTree =3D=3D null) { + lastReadOnlyTree =3D new LazyValue() { + @Override + protected Tree createValue() { + return new ImmutableRoot(query.getExecutionContext().g= etBaseState()).getTree(path); + } + }; + } + return lastReadOnlyTree; + } {noformat} The lastReadOnlyTree is initialized lazily (which is fine), but how do we e= nsure that the path used to initialize it is the same if the method is call= ed twice? I mean, if the method is called twice as follows, then the same L= azyValue is returned: {noformat} LazyValue t1 =3D getReadOnlyTree(p1); LazyValue t2 =3D getReadOnlyTree(p2); ... now t1 =3D=3D t2, even if p1 !=3D p2 ... {noformat} But maybe I just don't understand the logic... I didn't debug / test it. > Adding restrictions to ACLs yields empty results for queries in Jackrabbi= t Oak > -------------------------------------------------------------------------= ----- > > Key: OAK-7997 > URL: https://issues.apache.org/jira/browse/OAK-7997 > Project: Jackrabbit Oak > Issue Type: Bug > Components: query, security > Affects Versions: 1.10.0, 1.8.10 > Reporter: S=C3=B8ren Jensen > Assignee: angela > Priority: Major > Fix For: 1.12, 1.11.0 > > Attachments: OAK-7997.patch, OAK-7997_2.patch, OAK-7997_3.patch > > > Using Jackrabbit Oak, I've been attempting to configure security through= =C2=A0{{SecurityProvider}}=C2=A0and=C2=A0{{SecurityConfiguration's. In part= icular, I've been using the restrictions which generally works as expected.= However, when dealing with JCR-SQL2}}=C2=A0queries, more gets filtered out= than expected. > *Details* > It can be reproduced with the repository below. > {code:java} > /=C2=A0 > node [nt:unstructured] > =C2=A0 subnode [nt:unstructured]=C2=A0{code} > On=C2=A0{{node}}, I add an access control entry with privilege=C2=A0{{JCR= _ALL}}=C2=A0for "{{user"}}=C2=A0together with a restriction for=C2=A0{{rep:= glob}}=C2=A0->=C2=A0{{""}}, such that=C2=A0{{user}}=C2=A0do not have access= to any children of=C2=A0{{node - in this case, only subnode}}. > It works as expected when using=C2=A0{{session.getNode}}: > * {{session.getNode("/node")}}=C2=A0returns the node > * {{session.getNode("/node/subnode")}}=C2=A0throws=C2=A0{{PathNotFoundEx= ception}}=C2=A0as expected due to the restriction. > However, when I execute the following=C2=A0{{JCR-SQL2}}=C2=A0query: > {code:java} > SELECT * FROM [nt:unstructured]{code} > I get=C2=A0*no results back*. Here I would have expected to get=C2=A0{{/n= ode}}, as it is otherwise available when using=C2=A0{{session.getNode}}.=C2= =A0Removing the restriction yields the expected result of both _/node_ and = _/node/subnode_. > As discussed with [~anchela] on the _users_ mailing list, this may either= be an actual bug, or it is a conscious decision - in which case=C2=A0it wo= uld be nice to have it=C2=A0documented for the security. > *Code for reproducing:* > The code for reproducing the error is shown below. The "_restrictions"_= =C2=A0map below seems to be the problem, as this is what results in both=C2= =A0_/node_ and _/node/subnode_ being filtered out. > =C2=A0 > {code:java} > public static void main(String[] args) throws Exception { > Repository repository =3D new Jcr().with(new MySecurityProvider()).cr= eateRepository(); > Session session =3D repository.login(new UserIdCredentials("")); /= / principal is "SystemPrincipal.INSTANCE" > // Create nodes > Node node =3D session.getRootNode().addNode("node", "nt:unstructured"= ); > node.addNode("subnode", "nt:unstructured"); > // Add access control entry + restriction > AccessControlManager acm =3D session.getAccessControlManager(); > JackrabbitAccessControlList acl =3D (JackrabbitAccessControlList) acm > .getApplicablePolicies("/node").nextAccessControlPolicy(); > Privilege[] privileges =3D new Privilege[]{acm.privilegeFromName(Priv= ilege.JCR_ALL)}; > Map restrictions =3D new HashMap() {{pu= t("rep:glob", new StringValue(""));}}; > acl.addEntry(new PrincipalImpl("user"), privileges, true, restriction= s); > acm.setPolicy("/node", acl); > session.save(); > // executes query > RowIterator rows =3D repository.login(new UserIdCredentials("user")).= getWorkspace().getQueryManager() > .createQuery("SELECT * FROM [nt:unstructured]", Query.JCR_SQL2).e= xecute().getRows(); > System.out.println("Number of rows: " + rows.getSize()); //Print= s 0 > } > {code} > *Code for security configuration:* > The above code makes use of "MySecurityProvider". I do not suspect this t= o be the root cause,=C2=A0but please let me know if it can be helpful to ha= ve. The security provider has the configuration set to "ConfigurationParame= ters.EMPTY", and it uses all the default implementations present within the= Jackrabbit Oak project. The only exception is=C2=A0the _AuthenticationConf= iguration_ which uses a custom implementation using pre-authentication: > =C2=A0 > {code:java} > class MyAuthenticationConfiguration extends AuthenticationConfigurationIm= pl { > public MyAuthenticationConfiguration(SecurityProvider securityProvide= r) { > super(securityProvider); > } > @NotNull > @Override > public LoginContextProvider getLoginContextProvider(ContentRepository= contentRepository) { > return new LoginContextProvider() { > @NotNull > public LoginContext getLoginContext(Credentials credentials, = String workspaceName) { > String userId =3D ((UserIdCredentials) credentials).getUs= erId(); > Set principalSets =3D new HashSet<>(); > if (userId.isEmpty()) { > principalSets.add(SystemPrincipal.INSTANCE); > } else { > principalSets.add(new PrincipalImpl(userId)); > } > Map publicPrivileges =3D new= HashMap<>(); > AuthInfoImpl authInfoImpl =3D new AuthInfoImpl(userId, pu= blicPrivileges, principalSets); > Subject subject =3D new Subject(true, principalSets, Coll= ections.singleton(authInfoImpl), new HashSet()); > return new PreAuthContext(subject); > } > }; > } > } > {code} > =C2=A0 -- This message was sent by Atlassian JIRA (v7.6.3#76005)