[
https://issues.apache.org/jira/browse/SLING-10134?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17282565#comment-17282565
]
Angela Schreiber edited comment on SLING-10134 at 2/10/21, 4:49 PM:
--------------------------------------------------------------------
[~Henry Kuijpers], I agree with your analysis.... When iterating over entries
of an access control list, all entries that have a matching principal-name
should be removed based on the repo-init statements above. IMHO this is a
bug....
On a side note: one might argue that the removal should be better using
{code}
set ACL on /apps/website/components
    remove * for sv-read-apps-website-components
end
{code}
but the net-effect is the same and I wouldn't be surprised if that wouldn't work
either.
After all: depending on the configuration of the underlying repository, it
might be possible to even create access control content for a principal that
doesn't exist (yet) (see import-behavior 'besteffort' defined with Oak
authorization configuration).
was (Author: anchela):
[~Henry Kuijpers], I agree with your analysis.... When iterating over entries
of an access control list, all entries that have a matching principal-name
should be removed based on the repo-init statements above. IMHO this is a bug.
> Deleting ACEs for users that don't exist is impossible
> ------------------------------------------------------
>
> Key: SLING-10134
> URL: https://issues.apache.org/jira/browse/SLING-10134
> Project: Sling
> Issue Type: Bug
> Components: Repoinit
> Affects Versions: Repoinit JCR 1.1.30
> Reporter: Henry Kuijpers
> Priority: Major
>
> We're looking into using Sling Repo Init to clean up old permissions that
> have been left behind in our instances over time. We used the following
> syntax:
> delete service user sv-read-apps-website-components
> set ACL for sv-read-apps-website-components
> remove * on /apps/website/components
> end
> We get the following error:
> 09.02.2021 21:57:38.961 *ERROR* [CM Event Dispatcher (Fire ConfigurationEvent: pid=org.apache.sling.jcr.repoinit.RepositoryInitializer.25c1f862-75bd-4cd9-9ca1-b612f8752544)] com.adobe.granite.repository.impl.SlingRepositoryManager Exception in a SlingRepositoryInitializer: RepositoryInitializerFactory, references=[], scripts=2
> java.lang.RuntimeException: Failed to set ACL (java.lang.IllegalStateException: Authorizable not found:sv-read-apps-website-components) AclLine REMOVE_ALL {paths=[/apps/website/components]}
>     at org.apache.sling.jcr.repoinit.impl.AclVisitor.setAcl(AclVisitor.java:63) [org.apache.sling.jcr.repoinit:1.1.8]
>     at org.apache.sling.jcr.repoinit.impl.AclVisitor.visitSetAclPrincipal(AclVisitor.java:84) [org.apache.sling.jcr.repoinit:1.1.8]
>     at org.apache.sling.repoinit.parser.operations.SetAclPrincipals.accept(SetAclPrincipals.java:53) [org.apache.sling.repoinit.parser:1.2.2]
> ....
> I think it's fine that the authorizable is not found: It doesn't have to
> exist, in order to be able to remove ACEs, which is exactly what we are
> trying to achieve: remove left behind ACEs for our deleted service users.