[ https://issues.apache.org/jira/browse/SLING-9871?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17306306#comment-17306306 ]
Bertrand Delacretaz commented on SLING-9871: -------------------------------------------- Thank you for the example and yes I think it helps. I have modified your example using the above "fragment names and dependencies" suggestion, slightly simplified, which would allow us (in a repoinit preprocessor probably) to reorder those fragments correctly, whatever the features aggregation order is. * feature-model-1: {noformat} FRAGMENT asset-users DEPENDS ON conf-general create group assets-users add assets-users to group everyone set ACL for assets-users allow jcr:read on /conf with restrictions(*/settings/*/assets) end END FRAGMENT {noformat} * feature-model-2 {noformat} FRAGMENT sites-users DEPENDS ON conf-general create group sites-users add sites-users to group everyone set ACL for sites-users allow jcr:read on /conf with restrictions(*/settings/*/sites) end END FRAGMENT {noformat} * feature-model-3 {noformat} FRAGMENT conf-general set ACL on /conf deny jcr:read for everyone end END FRAGMENT {noformat} As the first two fragments are declared to depend on the third one, the "deny jcr:read for everyone" ACL entry is created first and the final order should be like you expect. Assuming that works at the JCR level, which Angela's "not guaranteed to result in a new ACE being added at the end of the list" comment might challenge, depending on the details of that Oak behavior. > Specifying order of ACEs through repoinit directives > ---------------------------------------------------- > > Key: SLING-9871 > URL: https://issues.apache.org/jira/browse/SLING-9871 > Project: Sling > Issue Type: Improvement > Components: Repoinit > Reporter: Ashish Chopra > Priority: Major > > As of writing this, repoinit processor (among other things not relevant to > this JIRA) collects {{create path}} statements and {{set ACL}} statements > declared in all the feature-models applicable to feature-aggregate under > consideration. > Upon repository initialization, it applies all the {{create path}} > statements, followed by all the {{set ACL}} statements. However, the order in > which {{set ACL}} statements declared across feature models are applied isn't > defined (currently, it seems to be based on feature-model-name, > alphabetically ascending). > This causes issues at times because we want the order of the ACEs to be > maintained (e.g., "deny"s for everyone at a given path must be the first ACE, > followed by "allow"s for specific, non-system-user principals) > Repoinit should be able to support this requirement. -- This message was sent by Atlassian Jira (v8.3.4#803005)