[
https://issues.apache.org/jira/browse/JCRVLT-721?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17777275#comment-17777275
]
Patrique Legault commented on JCRVLT-721:
-----------------------------------------
Why can't we simply expose the *usersPath* and *groupsPath* in [1] and then by
having a reference to [2] we can get the path without having to create a user
and group saving resources when installing a package? Seems to be an expensive
way to simply expose a piece of data we already have.
[1]
[https://github.com/apache/jackrabbit-oak/blob/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserConfigurationImpl.java#L213]
[2]
[https://github.com/apache/jackrabbit-oak/blob/e3c2dd6303abae0056fe8def0f59d9d9ebcdf7d2/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/ConfigurationBase.java#L63]
> Importing content packages with minimum permissions fails
> ----------------------------------------------------------
>
> Key: JCRVLT-721
> URL: https://issues.apache.org/jira/browse/JCRVLT-721
> Project: Jackrabbit FileVault
> Issue Type: Bug
> Components: Packaging
> Affects Versions: 3.7.0
> Reporter: Ankita Agarwal
> Assignee: Konrad Windszus
> Priority: Major
> Fix For: 3.7.2
>
>
> Importing Content Packages using a dedicated user (with minimum permissions)
> has failed with AccessDeniedExceptions since JCRVLT 3.7.0 release.
> This is a regression of issue JCRVLT-683 specifically to logic that has been
> added to determine the root paths of groups and users in
> JackrabbitACLManagement#determineAuthorizableRootPaths
> ([https://github.com/apache/jackrabbit-filevault/blame/jackrabbit-filevault-3.7.0/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/spi/impl/jcr20/JackrabbitACLManagement.java#L119]).
> The new logic creates a group and a user in order to determine the root paths
> of groups and users and immediately deletes them afterward.
> This is a bad solution as it breaks the Principle of Least Permission (PoLP):
> The user that is being used to import content should not have permission to
> create and delete users and groups.
> The root paths of users and groups are always initialized as /home/users and
> /home/groups, so there is little need to determine root paths by creating and
> deleting groups and users.
> ----
> *Steps to reproduce:*
> * You create a user that you use to import content. You give it all
> permissions on /content
> * When you import a content package that replaces existing content (= when
> you import the same content package twice, and it has "replace" in its filter
> definition), you will see that it fails with the error that it cannot access
> the /home/groups or /home/users repository path
> ----
> *Expected Behavior:* Successful content package imports
> ----
> *Experienced Behavior:* Content package imports that succeeded before now
> fail with AccessDeniedExceptions
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
