jackrabbit-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Robert Munteanu <romb...@apache.org>
Subject Re: Access control
Date Tue, 25 Aug 2015 14:51:45 GMT
Hi,

On Tue, 2015-08-25 at 09:44 -0500, Clay Ferguson wrote:
> Atif, just beware that the "addChildren" privilege doesn't work as
> one
> would expect. If you want a principle to be able to add children to a
> node
> you must add ALL of the following privileges:
> 
> "read", "write", "addChildren", "nodeTypeManagement"

I think you can simply use rep:write ( not jcr:write ) as a shorthand.

> 
> That costed me many hours of headache, and at least one other person
> also.
> My personal belief this functionality requirement was an accident
> rather
> than by design and no one who is an Adobe customer has complained so
> they
> are leaving it as is.

As far as I can tell the behaviour is according to the Access Control
Management chapter of the JCR 2.0 specification [1]. If there's a gap
between the spec and the implementation it's definitely worth a bug
report.

Cheers,

Robert

[1]: http://www.day.com/specs/jcr/2.0/16_Access_Control_Management.html
#16.2.3%20Standard%20Privileges

> 
> 
> Best regards,
> Clay Ferguson
> wclayf@gmail.com
> 
> 
> On Tue, Aug 25, 2015 at 5:05 AM, Atif Manzoor <atif.manzoor@gmail.com
> >
> wrote:
> 
> > Hi Karsten
> > 
> > No actually I was just trying out the simplest case to control
> > access to a
> > particular code. At later stage I will allow or restrict read /
> > write
> > access to a node for different users.
> > 
> > Kind regards,
> > Atif
> > 
> > On Tue, Aug 25, 2015 at 10:53 AM, Karsten Priegnitz <
> > koem@petoria.de>
> > wrote:
> > 
> > > Hi Atif
> > > 
> > > reading your code it seems to me you just want to add JCR_ALL
> > > privileges
> > > to some user. This is what allow() does. No need to do something
> > > else.
> > And:
> > > "admin" normally already has these privileges.
> > > 
> > > I'd try this (not tested)
> > > 
> > > AccessControlUtils.allow(session.getRootNode(),
> > > EveryonePrincipal.getInstance()
> > > .getName(), Privilege.JCR_ALL);
> > > 
> > > 
> > > What do you want to accomplish? Make everyone admin?
> > > 
> > > 
> > > Karsten R. Priegnitz
> > > 
> > > programmierer | web-entwickler | linux administrator | digitaler
> > > nomade
> > > business: kontakt <http://petoria.de/portfolio/contact-about/> |
> > > portfolio <http://petoria.de/portfolio/>
> > > -----------------------------------------------------------------
> > > -------
> > > 
> > > Am 25.08.2015 um 10:54 schrieb Atif Manzoor:
> > > 
> > > > Hi Karsten
> > > > 
> > > > Thanks a lot for your help. I tried AccessControlUtils.allow(),
> > > > however
> > > > AccessControlUtils.getACL() is still returning NULL. I think I
> > > > may have
> > > > also have to do something else to enable access control that
> > > > particular
> > > > node. Following is my code complete code that tried
> > > > AccessControlUtils.
> > I
> > > > am still getting Null for acl.
> > > > 
> > > > Repository repository = new  TransientRepository();
> > > > Session session = repository.login(new
> > > > SimpleCredentials("admin",
> > > > "password".toCharArray()));
> > > > Node root = session.getRootNode();
> > > > root.addNode("leftChild");
> > > > root.addNode("rightChild");
> > > > 
> > > > session.save();
> > > > String path = session.getRootNode().getPath();
> > > > System.out.println(path);
> > > > AccessControlManager acm = session.getAccessControlManager();
> > > > AccessControlUtils.allow(session.getRootNode(), "admin",
> > > > Privilege.JCR_ALL);
> > > > AccessControlList acl =
> > > > AccessControlUtils.getAccessControlList(session,
> > > > path);
> > > > for (AccessControlEntry e : acl.getAccessControlEntries()) {
> > > > acl.removeAccessControlEntry(e);
> > > > }
> > > > acl.addAccessControlEntry(EveryonePrincipal.getInstance(), new
> > Privilege[]
> > > > { acm
> > > > .privilegeFromName(Privilege.JCR_ALL) });
> > > > acm.setPolicy(path, acl);
> > > > session.save();
> > > > 
> > > > Regards,
> > > > Atif
> > > > 
> > > > On Tue, Aug 25, 2015 at 7:46 AM, Karsten Priegnitz <
> > > > koem@petoria.de>
> > > > wrote:
> > > > 
> > > > Hi Atif,
> > > > > 
> > > > > I had the same problem as you and then I found
> > > > > 
> > > > > 
> > org.apache.jackrabbit.commons.jackrabbit.authorization.AccessContro
> > lUtils:
> > > > > 
> > > > > and that's all:
> > > > > AccessControlUtils.allow(session.getRootNode(),
> > username,
> > > > > Privilege.JCR_ALL);
> > > > > 
> > > > > Best
> > > > > Karsten
> > > > > 
> > > > > 
> > > > > 
> > > > > Karsten R. Priegnitz
> > > > > 
> > > > > programmierer | web-entwickler | linux administrator |
> > > > > digitaler nomade
> > > > > business: kontakt <http://petoria.de/portfolio/contact-about/
> > > > > > |
> > > > > portfolio <http://petoria.de/portfolio/>
> > > > > 
> > -------------------------------------------------------------------
> > -----
> > > > > 
> > > > > 
> > > > > Am 24.08.2015 um 22:40 schrieb Clay Ferguson:
> > > > > 
> > > > > I'm not *that* much of an expert, but it kind of works by
> > > > > bubbling up
> > > > > > towards the root I believe. So if you query for ACL on a
> > > > > > node and it
> > > > > > finds
> > > > > > none, that is fine. It just means that node is effectively
> > > > > > controlled
> > by
> > > > > > an
> > > > > > ancestor. Once you start adding AC L privs the that root
> > > > > > starts
> > applying
> > > > > > those there and all beneath it on the tree recursively. By
> > > > > > default
> > > > > > 'admin'
> > > > > > user has full privileges and everyone else has none. The
> > > > > > session that
> > > > > > creates a node i think by default has all privs on that
> > > > > > node, but i'd
> > > > > > have
> > > > > > to check my code...I might be adding privs when creating.
> > > > > > Look at my
> > > > > > "controller" class, and that is the top level, and a lot of
> > > > > > stuff like
> > > > > > creating new nodes, moving nodes, adding ACLs etc can be
> > > > > > sussed out by
> > > > > > just
> > > > > > looking at my code and not even running it. It's not too
> > > > > > complicated.
> > > > > > Does
> > > > > > that answer the question?
> > > > > > 
> > > > > > Best regards,
> > > > > > Clay Ferguson
> > > > > > wclayf@gmail.com
> > > > > > 
> > > > > > 
> > > > > > On Mon, Aug 24, 2015 at 2:53 PM, Atif Manzoor <
> > > > > > atif.manzoor@gmail.com
> > > 
> > > > > > wrote:
> > > > > > 
> > > > > > Hi Clay
> > > > > > 
> > > > > > > Thanks a lot for your response. I have been through your
> > > > > > > code and
> > have
> > > > > > > found that you have also been using
> > > > > > > getApplicablePolicies(path) and
> > > > > > > getPolicies(path) function to get AccessControlList (ACL)
> > > > > > > object,
> > > > > > > however
> > > > > > > both of these function have not been returning any ACL
> > > > > > > policies for
> > me.
> > > > > > > In
> > > > > > > words my node does not contain any modifiable ACL. Can
> > > > > > > you tell me
> > why
> > > > > > > is
> > > > > > > that. What will I have to do, so that the node should
> > > > > > > also have
> > > > > > > modifiable
> > > > > > > ACL.
> > > > > > > 
> > > > > > > Kind regards,
> > > > > > > Atif
> > > > > > > 
> > > > > > > On Mon, Aug 24, 2015 at 7:01 PM, Clay Ferguson <
> > > > > > > wclayf@gmail.com>
> > > > > > > wrote:
> > > > > > > 
> > > > > > > Hello Atif,
> > > > > > > 
> > > > > > > > You should check out my open source project:
> > > > > > > > https://github.com/Clay-Ferguson/meta64
> > > > > > > > 
> > > > > > > > Download the zip and search for the words 'privilege'
> > > > > > > > and/or
> > > > > > > > 
> > > > > > > > AccessControl,
> > > > > > > 
> > > > > > > etc.
> > > > > > > > 
> > > > > > > > The AclService.java class has ability to do basic
> > > > > > > > listing of
> > > > > > > > privileges
> > > > > > > > 
> > > > > > > > for
> > > > > > > 
> > > > > > > a node, and adding or removing privileges from a node,
> > > > > > > and might help
> > > > > > > > you
> > > > > > > > some. Good luck.
> > > > > > > > 
> > > > > > > > Best regards,
> > > > > > > > Clay Ferguson
> > > > > > > > wclayf@gmail.com
> > > > > > > > 
> > > > > > > > 
> > > > > > > > On Mon, Aug 24, 2015 at 12:07 PM, Atif Manzoor <
> > > > > > > > atif.manzoor@gmail.com>
> > > > > > > > wrote:
> > > > > > > > 
> > > > > > > > I am new to Jackrabbit and after going through the
> > > > > > > > first hops and
> > > > > > > > little
> > > > > > > > bit of documentation, I was trying to configure Access
> > > > > > > > Control for
> > the
> > > > > > > > 
> > > > > > > > > repository nodes. I was extending ThirdHop tutorial
> > > > > > > > > for that
> > purpose
> > > > > > > > > 
> > > > > > > > > and
> > > > > > > > was following access control wiki
> > > > > > > > 
> > > > > > > > > http://wiki.apache.org/jackrabbit/AccessControl
and
> > > > > > > > > had the
> > > > > > > > > following
> > > > > > > > > code.
> > > > > > > > > 
> > > > > > > > > Session session = repository.login(new
> > SimpleCredentials("username",
> > > > > > > > > "password"
> > > > > > > > > .toCharArray()));
> > > > > > > > > Node node = session.getRootNode();
> > > > > > > > > String path = node.getPath();
> > > > > > > > > AccessControlManager acm =
> > > > > > > > > session.getAccessControlManager();
> > > > > > > > > 
> > > > > > > > > Privilege[] privileges = new Privilege[] { acm
> > > > > > > > > .privilegeFromName(Privilege.JCR_ALL) };
> > > > > > > > > AccessControlList acl;
> > > > > > > > > try {
> > > > > > > > > acl = (AccessControlList)
> > > > > > > > > acm.getApplicablePolicies(path)
> > > > > > > > > .nextAccessControlPolicy();
> > > > > > > > > } catch (NoSuchElementException e) {
> > > > > > > > > acl = (AccessControlList) acm.getPolicies(path)[0];
> > > > > > > > > }
> > > > > > > > > for (AccessControlEntry e :
> > > > > > > > > acl.getAccessControlEntries()) {
> > > > > > > > > acl.removeAccessControlEntry(e);
> > > > > > > > > }
> > > > > > > > > acl.addAccessControlEntry(EveryonePrincipal.getInstan
> > > > > > > > > ce(),
> > > > > > > > > privileges);
> > > > > > > > > acm.setPolicy(path, acl);
> > > > > > > > > session.save();
> > > > > > > > > 
> > > > > > > > > My problem is that I could not get AccessControlList
> > > > > > > > > with this
> > code.
> > > > > > > > > 
> > > > > > > > > Both
> > > > > > > > functions (getApplicablePolicies and getAllPolicies)
> > > > > > > > don't have any
> > > > > > > > 
> > > > > > > > > AccessControlList attached with them. Can you
tell me
> > > > > > > > > where I went
> > > > > > > > > 
> > > > > > > > > wrong. I
> > > > > > > > 
> > > > > > > > have been using the default security configuration.
> > > > > > > > > 
> > > > > > > > > Thanks
> > > > > > > > > Atif
> > > > > > > > > 
> > > > > > > > > 
> > > > > > > > > 
> > > 
> > 


Mime
View raw message