sling-dev mailing list archives

From "angela (Jira)" <j...@apache.org>
Subject [jira] [Commented] (SLING-9090) AclLine.Action.REMOVE and AclLine.Action.REMOVE_ALL not handled in jcr implementation
Date Mon, 02 Mar 2020 13:39:00 GMT

    [ https://issues.apache.org/jira/browse/SLING-9090?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17049212#comment-17049212 ]

angela commented on SLING-9090:
-------------------------------

Hi Mohit

I don't think you have to worry about the extra with-path statement for the service user.
The reason why I came across this in the first place is that I am working on defining principal-based
permission setup for service users (see announcement on dl-dev)... so, for new AEM installations
that would mean that service-users get installed below a new subtree (i.e. /home/users/system/cq:services/internal/*),
which allows for principal-based permission setup.

So, for new installations your service user will, once this is completed, have an intermediate
path specified anyway....
Unless we see that it's mandatory we won't move around service users in existing installations
and as you noticed, repo-init is a bit limited and doesn't touch existing service users even
if the rel-path specified does not match.

The effective permissions must stay the same for built-in service users but obviously the
remove-ace will really be needed and will be needed in a non-breaking way... also the principal-based
permission setup doesn't allow for deny-entries, since we always claimed that service users
never should have denies. So, either way.... I will keep an eye on the Sling issue.

Thanks and kind regards
Angela


> AclLine.Action.REMOVE and AclLine.Action.REMOVE_ALL not handled in jcr implementation
> -------------------------------------------------------------------------------------
>
>                 Key: SLING-9090
>                 URL: https://issues.apache.org/jira/browse/SLING-9090
>             Project: Sling
>          Issue Type: Bug
>          Components: Repoinit
>            Reporter: Angela Schreiber
>            Priority: Major
>
> [~bdelacretaz], while the documentation and the parser code provide the ability to remove
> an individual or all access control entries, it seems the JCR implementation doesn't actually
> support it.
> Using it may lead to odd side effects or failures.... so, I think either the parser should
> remove the support for Action.REMOVE and Action.REMOVE_ALL or the JCR implementation part
> should respect it... at the very minimum it should spot any usage of it and fail the repo-init
> if there is no way to implement it properly.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
