[ https://issues.apache.org/jira/browse/JCRVLT-721?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17777275#comment-17777275 ]
Patrique Legault commented on JCRVLT-721: ----------------------------------------- Why can't we simply expose the *usersPath* and *groupsPath* in [1] and then by having a reference to [2] we can get the path without having to create a user and group saving resources when installing a package? Seems to be an expensive way to simply expose a piece of data we already have. [1] [https://github.com/apache/jackrabbit-oak/blob/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserConfigurationImpl.java#L213] [2] [https://github.com/apache/jackrabbit-oak/blob/e3c2dd6303abae0056fe8def0f59d9d9ebcdf7d2/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/ConfigurationBase.java#L63] > Importing content packages with minimum permissions fails > ---------------------------------------------------------- > > Key: JCRVLT-721 > URL: https://issues.apache.org/jira/browse/JCRVLT-721 > Project: Jackrabbit FileVault > Issue Type: Bug > Components: Packaging > Affects Versions: 3.7.0 > Reporter: Ankita Agarwal > Assignee: Konrad Windszus > Priority: Major > Fix For: 3.7.2 > > > Importing Content Packages using a dedicated user (with minimum permissions) > has failed with AccessDeniedExceptions since JCRVLT 3.7.0 release. > This is a regression of issue JCRVLT-683 specifically to logic that has been > added to determine the root paths of groups and users in > JackrabbitACLManagement#determineAuthorizableRootPaths > ([https://github.com/apache/jackrabbit-filevault/blame/jackrabbit-filevault-3.7.0/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/spi/impl/jcr20/JackrabbitACLManagement.java#L119]). > The new logic creates a group and a user in order to determine the root paths > of groups and users and immediately deletes them afterward. > This is a bad solution as it breaks the Principle of Least Permission (PoLP): > The user that is being used to import content should not have permission to > create and delete users and groups. > The root paths of users and groups are always initialized as /home/users and > /home/groups, so there is little need to determine root paths by creating and > deleting groups and users. > ---- > *Steps to reproduce:* > * You create a user that you use to import content. You give it all > permissions on /content > * When you import a content package that replaces existing content (= when > you import the same content package twice, and it has "replace" in its filter > definition), you will see that it fails with the error that it cannot access > the /home/groups or /home/users repository path > ---- > *Expected Behavior:* Successful content package imports > ---- > *Experienced Behavior:* Content package imports that succeeded before now > fail with AccessDeniedExceptions -- This message was sent by Atlassian Jira (v8.20.10#820010)