[
https://issues.apache.org/jira/browse/JCRVLT-721?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17771198#comment-17771198
]
Konrad Windszus commented on JCRVLT-721:
----------------------------------------
bq. The root paths of users and groups are always initialized as /home/users
and /home/groups, so there is little need to determine root paths by creating
and deleting groups and users.

This is not true. That path is configurable in Oak (compare with
https://jackrabbit.apache.org/oak/docs/security/user/default.html#configuration
{{PARAM_USERS_PATH}} and {{PARAM_GROUP_PATH}}); in particular, the default is
{{/rep:security/rep:authorizables/rep:users}} and
{{/rep:security/rep:authorizables/rep:groups}} respectively. Unfortunately,
there is no API to determine the authorizable root path.
But I am open to other suggestions on how to implement this.

> Importing content packages with minimum permissions fails
> ----------------------------------------------------------
>
> Key: JCRVLT-721
> URL: https://issues.apache.org/jira/browse/JCRVLT-721
> Project: Jackrabbit FileVault
> Issue Type: Bug
> Components: Packaging
> Affects Versions: 3.7.0
> Reporter: Ankita Agarwal
> Priority: Major
>
> Importing Content Packages using a dedicated user (with minimum permissions)
> has failed with AccessDeniedExceptions since the JCRVLT 3.7.0 release.
> This is a regression of issue JCRVLT-683 specifically to logic that has been
> added to determine the root paths of groups and users in
> JackrabbitACLManagement#determineAuthorizableRootPaths
> ([https://github.com/apache/jackrabbit-filevault/blame/jackrabbit-filevault-3.7.0/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/spi/impl/jcr20/JackrabbitACLManagement.java#L119]).
> The new logic creates a group and a user in order to determine the root paths
> of groups and users and immediately deletes them afterward.
> This is a bad solution as it breaks the Principle of Least Permission (PoLP):
> The user that is being used to import content should not have permission to
> create and delete users and groups.
> The root paths of users and groups are always initialized as /home/users and
> /home/groups, so there is little need to determine root paths by creating and
> deleting groups and users.
> ----
> *Steps to reproduce:*
> * You create a user that you use to import content. You give it all
> permissions on /content
> * When you import a content package that replaces existing content (= when
> you import the same content package twice, and it has "replace" in its filter
> definition), you will see that it fails with the error that it cannot access
> the /home/groups or /home/users repository path
> ----
> *Expected Behavior:* Successful content package imports
> ----
> *Experienced Behavior:* Content package imports that succeeded before now
> fail with AccessDeniedExceptions