From commits-return-76883-archive-asf-public=cust-asf.ponee.io@sling.apache.org Thu Dec 20 20:45:14 2018 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx-eu-01.ponee.io (Postfix) with SMTP id 509B2180648 for ; Thu, 20 Dec 2018 20:45:14 +0100 (CET) Received: (qmail 62772 invoked by uid 500); 20 Dec 2018 19:45:13 -0000 Mailing-List: contact commits-help@sling.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@sling.apache.org Delivered-To: mailing list commits@sling.apache.org Received: (qmail 62763 invoked by uid 99); 20 Dec 2018 19:45:13 -0000 Received: from ec2-52-202-80-70.compute-1.amazonaws.com (HELO gitbox.apache.org) (52.202.80.70) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 20 Dec 2018 19:45:13 +0000 Received: by gitbox.apache.org (ASF Mail Server at gitbox.apache.org, from userid 33) id CB80685278; Thu, 20 Dec 2018 19:45:12 +0000 (UTC) Date: Thu, 20 Dec 2018 19:45:12 +0000 To: "commits@sling.apache.org" Subject: [sling-site] branch master updated: Release JCR Jackrabbit Access Manager 3.0.4, JCR ContentLoader 2.3.0 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Message-ID: <154533511278.9469.14444637011938330344@gitbox.apache.org> From: enorman@apache.org X-Git-Host: gitbox.apache.org X-Git-Repo: sling-site X-Git-Refname: refs/heads/master X-Git-Reftype: branch X-Git-Oldrev: 116fe73a772a0cc1d9a8fbe7d736c6b1b83ae5d2 X-Git-Newrev: 1067658d2d879fd27dfc87e72744fe2980653b3f X-Git-Rev: 1067658d2d879fd27dfc87e72744fe2980653b3f X-Git-NotificationType: ref_changed_plus_diff X-Git-Multimail-Version: 1.5.dev Auto-Submitted: auto-generated This is an automated email from the ASF dual-hosted git repository. enorman pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/sling-site.git The following commit(s) were added to refs/heads/master by this push: new 1067658 Release JCR Jackrabbit Access Manager 3.0.4, JCR ContentLoader 2.3.0 1067658 is described below commit 1067658d2d879fd27dfc87e72744fe2980653b3f Author: Eric Norman AuthorDate: Thu Dec 20 11:13:55 2018 -0800 Release JCR Jackrabbit Access Manager 3.0.4, JCR ContentLoader 2.3.0 --- .../bundles/content-loading-jcr-contentloader.md | 30 ++++++++++ ...anaging-permissions-jackrabbit-accessmanager.md | 64 ++++++++++++---------- src/main/jbake/content/releases.md | 1 + src/main/jbake/templates/downloads.tpl | 4 +- 4 files changed, 67 insertions(+), 32 deletions(-) diff --git a/src/main/jbake/content/documentation/bundles/content-loading-jcr-contentloader.md b/src/main/jbake/content/documentation/bundles/content-loading-jcr-contentloader.md index 974c219..dc67019 100644 --- a/src/main/jbake/content/documentation/bundles/content-loading-jcr-contentloader.md +++ b/src/main/jbake/content/documentation/bundles/content-loading-jcr-contentloader.md @@ -315,5 +315,35 @@ You can also add new principals (users or groups) to the repository by adding a ] } +### ACE Restrictions (since 2.3.0) +When adding a `security:acl` object to a content node definition in JSON you can also define restrictions on the ACEs to further filter the impact. Example: + + { + "security:acl": [ + { + "principal": "TestUser1", + "granted": [ + "jcr:read", + "jcr:write" + ], + "restrictions": { + "rep:glob": "glob1" + } + }, + { + "principal": "TestGroup1", + "granted": [ + "jcr:modifyAccessControl" + ], + "restrictions": { + "rep:itemNames": [ + "name1", + "name2" + ] + } + } + ] + } + [i18n-json-file-based]: https://sling.apache.org/documentation/bundles/internationalization-support-i18n.html#json-file-based diff --git a/src/main/jbake/content/documentation/bundles/managing-permissions-jackrabbit-accessmanager.md b/src/main/jbake/content/documentation/bundles/managing-permissions-jackrabbit-accessmanager.md index 1b5c1cd..4710280 100644 --- a/src/main/jbake/content/documentation/bundles/managing-permissions-jackrabbit-accessmanager.md +++ b/src/main/jbake/content/documentation/bundles/managing-permissions-jackrabbit-accessmanager.md @@ -5,13 +5,13 @@ tags=security ~~~~~~ -The `jackrabbit-accessmanager` bundle delivers a REST interface to manipulate users permissions in the JCR. After installing the `jackrabbit-accessmanager` bundle the REST services are exposed under the path of the node where you will manipulate the permissions for a user with a specific selector like `modifyAce`, `acl` and `deleteAce`. +The `jackrabbit-accessmanager` bundle delivers a REST interface to manipulate users permissions in the JCR. After installing the `jackrabbit-accessmanager` bundle the REST services are exposed under the path of the node where you will manipulate the permissions for a user with a specific selector like `modifyAce`, `acl`, `eacl` and `deleteAce`. [TOC] ## Privileges -| privilagename | description | -|---|---| +| Name | Description | +|--|--| | jcr:read | the privilege to retrieve a node and get its properties and their values | | jcr:readAccessControl | the privilege to get the access control policy of a node | | jcr:modifyProperties | the privilege to create, modify and remove the properties of a node | @@ -30,47 +30,51 @@ The `jackrabbit-accessmanager` bundle delivers a REST interface to manipulate us ## Add or modify permissions To modify the permissions for a node POST a request to `/.modifyAce.`. The following parameters are available: - - - - - - - - - - - - - - - - - - - - - - -* *numeric* - Place the target ACE at the specified numeric index. | + +| Name | Description | +|--|--| +| principalId | The id of the user or group to modify the access rights for | +| order | The position of the entry within the list (see below for details) | +| privilege@[privilege_name] | One param for each privilege to modify. The value must be either 'granted', 'denied' or 'none'. | +| restriction@[restriction_name] | (since 3.0.4) One param for each restriction value. The same parameter name may be used again for multi-value restrictions. The value is the target value of the restriction. | +| restriction@[restriction_name]@Delete | (since 3.0.4) One param for each restriction to delete. The parameter value is ignored and can be anything. | + +The `order` parameter may have the following values: + +| Value | Description | +|--|--| +| `first` | Place the target entry as the first amongst its siblings | +| `last` | Place the target entry as the last amongst its siblings | +| `before *xyz*` | Place the target entry immediately before the sibling whose name is *xyz* | +| `after *xyz*` | Place the target entry immediately after the sibling whose name is *xyz* | +| numeric | Place the target entry at the indicated numeric place amongst its siblings where *0* is equivalent to `first` and *1* means the second place | Responses: | 200 | Success | | 500 | Failure, HTML (or JSON) explains failure. | + Example with curl: curl -FprincipalId=myuser -Fprivilege@jcr:read=granted http://localhost:8080/test/node.modifyAce.html +Single value restriction example with curl: + + curl -FprincipalId=myuser -Fprivilege@jcr:read=granted -Frestriction@rep:glob=child1 http://localhost:8080/test/node.modifyAce.html + +Multi value restriction example with curl: + + curl -FprincipalId=myuser -Fprivilege@jcr:read=granted -Frestriction@rep:itemNames=name1 -Frestriction@rep:itemNames=name2 http://localhost:8080/test/node.modifyAce.html + +Remove existing restriction example with curl: + + curl -FprincipalId=myuser -Frestriction@rep:glob@Delete=yes http://localhost:8080/test/node.modifyAce.html ## Delete permissions To delete permissions for a node POST a request to `/.deleteAce.`. The following parameters are available: - - - Responses: | 200 | Success | @@ -102,4 +106,4 @@ Example:
See section 16.3 of the JCR 2.0 specification for an explanation of the difference between bound and effective policies. -
\ No newline at end of file + diff --git a/src/main/jbake/content/releases.md b/src/main/jbake/content/releases.md index 3044cf8..3b2b9bc 100644 --- a/src/main/jbake/content/releases.md +++ b/src/main/jbake/content/releases.md @@ -8,6 +8,7 @@ This is a list of all our releases, available from our [downloads](/downloads.cg ## December 2018 +* JCR Jackrabbit Access Manager 3.0.4, JCR ContentLoader 2.3.0 (20th) * API 2.20.0, Servlets Resolver 2.5.2, Servlets Annotations 1.2.4 (18th) * Capabilities 0.1.2, Capabilities JCR 0.1.2 (17th) * JCR Base 3.0.6 (16th) diff --git a/src/main/jbake/templates/downloads.tpl b/src/main/jbake/templates/downloads.tpl index 654349f..6b289ba 100644 --- a/src/main/jbake/templates/downloads.tpl +++ b/src/main/jbake/templates/downloads.tpl @@ -126,10 +126,10 @@ def bundles=[ "JCR API Wrapper|org.apache.sling.jcr.jcr-wrapper|2.0.0|Y|jar", "JCR Base|org.apache.sling.jcr.base|3.0.6|Y|jar", "JCR ClassLoader|org.apache.sling.jcr.classloader|3.2.4|Y|jar", - "JCR Content Loader|org.apache.sling.jcr.contentloader|2.2.6|Y|jar", + "JCR Content Loader|org.apache.sling.jcr.contentloader|2.3.0|Y|jar", "JCR Content Parser|org.apache.sling.jcr.contentparser|1.2.6|Y|jar", "JCR DavEx|org.apache.sling.jcr.davex|1.3.10|Y|jar", - "JCR Jackrabbit AccessManager|org.apache.sling.jcr.jackrabbit.accessmanager|3.0.2|Y|jar", + "JCR Jackrabbit AccessManager|org.apache.sling.jcr.jackrabbit.accessmanager|3.0.4|Y|jar", "JCR Jackrabbit UserManager|org.apache.sling.jcr.jackrabbit.usermanager|2.2.8|Y|jar", "JCR Oak Server|org.apache.sling.jcr.oak.server|1.2.2|Y|jar", "JCR Registration|org.apache.sling.jcr.registration|1.0.6|Y|jar",