Angela Schreiber created SLING-9956:
---------------------------------------

             Summary: RepPolicyEntryHandler ignores ACEs on repository level
                 Key: SLING-9956
                 URL: https://issues.apache.org/jira/browse/SLING-9956
             Project: Sling
          Issue Type: Bug
          Components: Content-Package to Feature Model Converter
            Reporter: Angela Schreiber


based on my reading of 
https://github.com/apache/sling-org-apache-sling-feature-cpconverter/blob/master/src/main/java/org/apache/sling/feature/cpconverter/handlers/RepPolicyEntryHandler.java#L56

i don't see how the converter would handle service user permissions that are 
defined for the repository level that in JCR access control management API are 
defined using a {{null}} path.

with the default authorization module in oak the corresponding ACL is stored at 
the root node with a dedicated policy node named {{rep:repoPolicy}} (see 
http://jackrabbit.apache.org/oak/docs/security/accesscontrol/default.html#representation)

i guess this bug requires 2 steps:
- adjust the regexp in the handler
- adjust "Acl" class (which reprents an Ace) to make sure repo-level aces are 
properly identified (e.g. extra method isRepositoryLevel or set the correct 
path field to null)
- adjust 
https://github.com/apache/sling-org-apache-sling-feature-cpconverter/blob/master/src/main/java/org/apache/sling/feature/cpconverter/acl/DefaultAclManager.java#L242
 to proper create repository level entries with repo-init. according to 
https://sling.apache.org/documentation/bundles/repository-initialization.html 
this is achieved using the following special path:

{code}
set ACL for alice,bob
    allow jcr:namespaceManagement on :repository
end
{code}




--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to