anchela commented on a change in pull request #61:
URL:
https://github.com/apache/sling-org-apache-sling-feature-cpconverter/pull/61#discussion_r594931133
##########
File path:
src/main/java/org/apache/sling/feature/cpconverter/cli/ContentPackage2FeatureModelConverterLauncher.java
##########
@@ -101,6 +101,9 @@
@Option(names = { "--enforce-principal-based-supported-path" },
description = "Converts service user access control entries to principal-based
setup using the given supported path.", required = false)
private String enforcePrincipalBasedSupportedPath = null;
+ @Option(names = { "--enforce-servicemapping-by-principal" }, description =
"Converts service user mappings with the form 'service:sub=userID' to
'service:sub=[principalname]'.", required = false)
Review comment:
good point. i will expand the comment explaining that group membership
will potentially no longer be resolved. the reason why i say "potentially": it
depends on the implementation. i am not too familiar with the default in sling
but with AEM group membership is not resolved as this was the primary reason
for introducing the mapping by principal-names. group membership with service
users should be considered a potential security risk because permission setup
with service users is part of the application/service, while permissions for
groups in particular everyone is not part of the application/service any may
vary from installation to installation.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
