[ 
https://issues.apache.org/jira/browse/SLING-9871?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17306055#comment-17306055
 ] 

Bertrand Delacretaz commented on SLING-9871:
--------------------------------------------

I think this ticket's description mentions C1, not C2 ("the order in which 
{{set ACL}} statements declared **across feature models** are applied isn't 
defined"), could you update it to reflect the actual issue which is apparently 
C2?

bq. one way to make that happen, as [~enorman] proposed in his first response, 
is by providing a set of directives to influence the final order

Agreed, but my understanding of the problematic use case is:

* There is an existing ACL entry E in the repository for /somePath
* A repoinit script is executed with another set S of ACL entries for /somePath
* The entries of S are set in the order in which they appear in the repoinit 
script, so no problem for them
* But you need some of the entries of S to come before or after E

And the problem becomes how to reliably identify E to be able to place the new 
entries from S in the right order.

IIUC what Eric suggests above is to use the principal name of entry E, i.e. 
"bob" if that entry sets ACLs for principal "bob".

I'm not sure if being able to refer to entries by principal name only is 
sufficient, or if there are better suggestions for that.

Once we agree on how to identify existing ACL entries in order to insert new 
ones in the right order, I think the rest is relatively easy.

Note that as we now support {{remove *}}, removing all existing entries and 
setting a complete new set in the right order (as defined by the order of 
repoinit statements) might also be an option, or at least a workaround. But 
we'd need to verify that this "full replacement" is done atomically to avoid 
half-applied sets of statements.

> Specifying order of ACEs through repoinit directives
> ----------------------------------------------------
>
>                 Key: SLING-9871
>                 URL: https://issues.apache.org/jira/browse/SLING-9871
>             Project: Sling
>          Issue Type: Improvement
>          Components: Repoinit
>            Reporter: Ashish Chopra
>            Priority: Major
>
> As of writing this, repoinit processor (among other things not relevant to 
> this JIRA) collects {{create path}} statements and {{set ACL}} statements 
> declared in all the feature-models applicable to feature-aggregate under 
> consideration.
> Upon repository initialization, it applies all the {{create path}} 
> statements, followed by all the {{set ACL}} statements. However, the order in 
> which {{set ACL}} statements declared across feature models are applied isn't 
> defined (currently, it seems to be based on feature-model-name, 
> alphabetically ascending).
> This causes issues at times because we want the order of the ACEs to be 
> maintained (e.g., "deny"s for everyone at a given path must be the first ACE, 
> followed by "allow"s for specific, non-system-user principals)
> Repoinit should be able to support this requirement.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
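
The ordering problem discussed in the comment above, as an added example that is not part of the original message and is not Sling or repoinit code. It is a plain Python model: the "last matching entry wins" evaluation rule, the Ace class, insert_relative and the sample entries are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ace:
    principal: str
    allow: bool
    privilege: str

class AmbiguousAnchor(Exception):
    """The anchor principal matches zero or several existing entries."""

def is_granted(acl, principals, privilege):
    # Model assumption: entries are evaluated in list order and the last
    # matching entry wins, which is why "deny everyone" has to come first.
    granted = False
    for ace in acl:
        if ace.principal in principals and ace.privilege == privilege:
            granted = ace.allow
    return granted

def insert_relative(acl, new_entries, anchor_principal, where):
    # Build a new list instead of mutating acl, so a failed lookup cannot
    # leave a half-applied set of entries behind.
    if where not in ("before", "after"):
        raise ValueError(where)
    hits = [i for i, a in enumerate(acl) if a.principal == anchor_principal]
    if len(hits) != 1:
        raise AmbiguousAnchor(f"{len(hits)} entries for {anchor_principal!r}")
    at = hits[0] + (1 if where == "after" else 0)
    return acl[:at] + list(new_entries) + acl[at:]

# Constructed sample data: E is the existing entry, S the new set.
EXISTING = [Ace("everyone", False, "jcr:read")]
S = [Ace("bob", True, "jcr:read")]

def demo():
    bob = {"bob", "everyone"}  # principals that apply to user bob
    after = insert_relative(EXISTING, S, "everyone", "after")
    before = insert_relative(EXISTING, S, "everyone", "before")
    out = {"after": is_granted(after, bob, "jcr:read"),
           "before": is_granted(before, bob, "jcr:read")}
    # A second entry for the same principal: the name alone no longer
    # identifies E, so the insert is refused rather than guessed.
    two = EXISTING + [Ace("everyone", True, "jcr:write")]
    try:
        insert_relative(two, S, "everyone", "after")
        out["ambiguous"] = False
    except AmbiguousAnchor:
        out["ambiguous"] = True
    return out
```
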
