[ 
https://issues.apache.org/jira/browse/SLING-9692?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17245759#comment-17245759
 ] 

Angela Schreiber commented on SLING-9692:
-----------------------------------------

h4. interaction with service-user-mapping

one more thing: i would like to point to one additional point related to 
service-user-mapping conversion: principal-based authorization can only be 
safely enforced if the service-user-mapping uses the recommended mapping format with 
[] aggregating one or multiple service user principal names (see 
https://sling.apache.org/documentation/the-sling-engine/service-authentication.html#configuration).

i don't know if the converter keeps track of the mappings but that needs to be 
taken into consideration when attempting to enforce it. if the mapping(s) for a 
given service user include the old mapping format, the converter should either 
not enforce it (and log an error) or abort the conversion. the 3rd option 
'converting the mapping as well' seems too risky as the code might rely on 
permissions inherited through group-membership, which no longer is resolved 
with the aggregated service-principal mapping.

 

 

> Add support for principal-based access control entries
> ------------------------------------------------------
>
>                 Key: SLING-9692
>                 URL: https://issues.apache.org/jira/browse/SLING-9692
>             Project: Sling
>          Issue Type: Improvement
>          Components: Content-Package to Feature Model Converter
>            Reporter: Robert Munteanu
>            Priority: Major
>             Fix For: Content-Package to Feature Model Converter 1.0.26
>
>         Attachments: SLING-9692.patch
>
>
> When passed a content package that contains principal-based access control 
> entries, the converter ignores them. It should instead generate the proper 
> repoinit statements.
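
The check proposed in the comment above, as an added example that is not part of the original message and not the converter's own code: it classifies each service user mapping entry as old format or `[]` principal format and blocks enforcement for any service user that still appears in an old-format entry. The entry syntax follows the Sling service-authentication documentation linked in the comment; the function names, bundle names and service user names are constructed for illustration.

```python
import re

# Service user mapping entry syntax (per the Sling documentation linked above):
#   <service-name>[:<subservice-name>]=<user id>              old format
#   <service-name>[:<subservice-name>]=[<principal>,...]      recommended format
ENTRY = re.compile(r"^(?P<service>[^:=]+)(?::(?P<sub>[^=]+))?=(?P<target>.+)$")

def parse_mapping(entry):
    """Return (service, subservice, names, principal_format) for one entry."""
    m = ENTRY.match(entry.strip())
    if not m:
        raise ValueError(f"not a service user mapping: {entry!r}")
    target = m.group("target").strip()
    if target.startswith("[") and target.endswith("]"):
        names = [n.strip() for n in target[1:-1].split(",") if n.strip()]
        return m.group("service"), m.group("sub"), names, True
    return m.group("service"), m.group("sub"), [target], False

def check_enforcement(mappings, service_users):
    """Split mapped service users into (safe, blocked).

    A user is blocked as soon as one mapping refers to it in the old format;
    blocked maps the user to the offending entries so they can be logged.
    Users that no mapping refers to are left out of both results (assumption).
    """
    seen, blocked = set(), {}
    for entry in mappings:
        _, _, names, principal_format = parse_mapping(entry)
        for name in names:
            if name not in service_users:
                continue
            seen.add(name)
            if not principal_format:
                blocked.setdefault(name, []).append(entry)
    return sorted(seen - set(blocked)), blocked

# Constructed sample input, not taken from a real content package.
SAMPLE_MAPPINGS = [
    "org.example.bundle.a:reader=[svc-reader]",
    "org.example.bundle.b=[svc-reader,svc-writer]",
    "org.example.bundle.c:legacy=svc-writer",
    "org.example.bundle.d=svc-other",
]

if __name__ == "__main__":
    safe, blocked = check_enforcement(SAMPLE_MAPPINGS, {"svc-reader", "svc-writer"})
    print("enforce principal-based authorization for:", safe)
    for user, entries in blocked.items():
        print(f"ERROR: {user} still mapped in old format: {entries}")
```
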


