[
https://issues.apache.org/jira/browse/SLING-9871?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17306306#comment-17306306
]
Bertrand Delacretaz commented on SLING-9871:
--------------------------------------------
Thank you for the example and yes I think it helps.
I have modified your example using the above "fragment names and dependencies"
suggestion, slightly simplified, which would allow us (in a repoinit
preprocessor probably) to reorder those fragments correctly, whatever the
features aggregation order is.
* feature-model-1:
{noformat}
FRAGMENT asset-users DEPENDS ON conf-general
create group assets-users
add assets-users to group everyone
set ACL for assets-users
allow jcr:read on /conf with restrictions(*/settings/*/assets)
end
END FRAGMENT
{noformat}
* feature-model-2
{noformat}
FRAGMENT sites-users DEPENDS ON conf-general
create group sites-users
add sites-users to group everyone
set ACL for sites-users
allow jcr:read on /conf with restrictions(*/settings/*/sites)
end
END FRAGMENT
{noformat}
* feature-model-3
{noformat}
FRAGMENT conf-general
set ACL on /conf
deny jcr:read for everyone
end
END FRAGMENT
{noformat}
As the first two fragments are declared to depend on the third one, the "deny
jcr:read for everyone" ACL entry is created first and the final order should be
like you expect. Assuming that works at the JCR level, which Angela's "not
guaranteed to result in a new ACE being added at the end of the list" comment
might challenge, depending on the details of that Oak behavior.
> Specifying order of ACEs through repoinit directives
> ----------------------------------------------------
>
> Key: SLING-9871
> URL: https://issues.apache.org/jira/browse/SLING-9871
> Project: Sling
> Issue Type: Improvement
> Components: Repoinit
> Reporter: Ashish Chopra
> Priority: Major
>
> As of writing this, repoinit processor (among other things not relevant to
> this JIRA) collects {{create path}} statements and {{set ACL}} statements
> declared in all the feature-models applicable to feature-aggregate under
> consideration.
> Upon repository initialization, it applies all the {{create path}}
> statements, followed by all the {{set ACL}} statements. However, the order in
> which {{set ACL}} statements declared across feature models are applied isn't
> defined (currently, it seems to be based on feature-model-name,
> alphabetically ascending).
> This causes issues at times because we want the order of the ACEs to be
> maintained (e.g., "deny"s for everyone at a given path must be the first ACE,
> followed by "allow"s for specific, non-system-user principals)
> Repoinit should be able to support this requirement.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
