[jira] [Commented] (SLING-9871) Specifying order of ACEs through repoinit directives

Thu, 11 Mar 2021 02:13:06 -0800 


    [ 
https://issues.apache.org/jira/browse/SLING-9871?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17299465#comment-17299465
 ] 

Bertrand Delacretaz commented on SLING-9871:
--------------------------------------------

bq. ...maybe the best we can do is document the order in which they get 
processed...

Agreed - I think that order is as specified in the description of this ticket, 
but I haven't checked if we have readable tests that demonstrate that:

bq. ...Upon repository initialization, it applies all the create path 
statements, followed by all the set ACL statements...

And I also think the ACL statements are applied in the order in which they are 
encountered by the parser. but again we might want to write readable tests to 
demonstrate that if they are missing.

bq. Are you also against adding the proposed "order ACL" statement ...

I have this vague feeling that that might be troublesome in combination with 
existing ACLs in the repository.

If we can stick to the simple "create paths first, then apply ACLs in the order 
they are written" rule I think that's much simpler.

And if repoinit fragments are aggregated by another tool, that tool should take 
care of ordering the fragments as needed.

> Specifying order of ACEs through repoinit directives
> ----------------------------------------------------
>
>                 Key: SLING-9871
>                 URL: https://issues.apache.org/jira/browse/SLING-9871
>             Project: Sling
>          Issue Type: Improvement
>          Components: Repoinit
>            Reporter: Ashish Chopra
>            Priority: Major
>
> As of writing this, repoinit processor (among other things not relevant to 
> this JIRA) collects {{create path}} statements and {{set ACL}} statements 
> declared in all the feature-models applicable to feature-aggregate under 
> consideration.
> Upon repository initialization, it applies all the {{create path}} 
> statements, followed by all the {{set ACL}} statements. However, the order in 
> which {{set ACL}} statements declared across feature models are applied isn't 
> defined (currently, it seems to be based on feature-model-name, 
> alphabetically ascending).
> This causes issues at times because we want the order of the ACEs to be 
> maintained (e.g., "deny"s for everyone at a given path must be the first ACE, 
> followed by "allow"s for specific, non-system-user principals)
> Repoinit should be able to support this requirement.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to