[ 
https://issues.apache.org/jira/browse/SLING-9871?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17306941#comment-17306941
 ] 

Robert Munteanu commented on SLING-9871:
----------------------------------------

_If_ we can assume that we only want dependencies at the ACL level, perhaps we can 
make the language more compact. We can add the naming/requiring parts to the 
{{set ACL}} instruction, e.g.

{noformat}
set ACL for assets-users DEPENDS ON conf-general
    allow jcr:read on /conf with restrictions(*/settings/*/assets)
end
{noformat}

{noformat}
set ACL for sites-users DEPENDS ON conf-general
    allow jcr:read on /conf with restrictions(*/settings/*/sites)
end
{noformat}

{noformat}
set ACL on /conf NAMED AS conf-general
    deny jcr:read for everyone
end
{noformat}

This assumes that either repoinit is smart enough to know that principal 
operations need to go before various ACL operations when reordering, or that it 
does a very careful reordering where the {{set ACL}} instructions are pushed 
immediately after the ones they require.

This also has a small advantage of not requiring us to name fragments for 
reordering purposes.

> Specifying order of ACEs through repoinit directives
> ----------------------------------------------------
>
>                 Key: SLING-9871
>                 URL: https://issues.apache.org/jira/browse/SLING-9871
>             Project: Sling
>          Issue Type: Improvement
>          Components: Repoinit
>            Reporter: Ashish Chopra
>            Priority: Major
>
> As of writing this, the repoinit processor (among other things not relevant to 
> this JIRA) collects {{create path}} statements and {{set ACL}} statements 
> declared in all the feature-models applicable to the feature-aggregate under 
> consideration.
> Upon repository initialization, it applies all the {{create path}} 
> statements, followed by all the {{set ACL}} statements. However, the order in 
> which {{set ACL}} statements declared across feature models are applied isn't 
> defined (currently, it seems to be based on feature-model-name, 
> alphabetically ascending).
> This causes issues at times because we want the order of the ACEs to be 
> maintained (e.g., "deny"s for everyone at a given path must be the first ACE, 
> followed by "allow"s for specific, non-system-user principals).
> Repoinit should be able to support this requirement.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
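
Added example, not part of the original message and not Sling repoinit code: a sketch of the reordering discussed above, which parses {{set ACL}} blocks written in the comment's proposed NAMED AS / DEPENDS ON syntax and emits each required block before its dependents, so the "deny" entry on /conf is applied first whatever order the feature models supplied. The function names are hypothetical, lines outside {{set ACL}} blocks are ignored, and the proposed keywords are assumed to appear in the order NAMED AS, then DEPENDS ON.

```python
import re
# Syntax as proposed in the comment (not existing repoinit grammar); SAMPLE is constructed.
HEADER = re.compile(r"^set ACL (?:for|on) \S+"
                    r"(?: NAMED AS (?P<name>\S+))?(?: DEPENDS ON (?P<dep>\S+))?$")
SAMPLE = """\
set ACL for assets-users DEPENDS ON conf-general
    allow jcr:read on /conf with restrictions(*/settings/*/assets)
end
set ACL for sites-users DEPENDS ON conf-general
    allow jcr:read on /conf with restrictions(*/settings/*/sites)
end
set ACL on /conf NAMED AS conf-general
    deny jcr:read for everyone
end
"""

def parse_blocks(text):
    """Split text into set ACL blocks, keeping each block's lines verbatim."""
    blocks, current = [], None
    for line in text.splitlines():
        if current is not None:
            current["lines"].append(line)
            if line.strip() == "end":
                blocks.append(current)
                current = None
        elif (m := HEADER.match(line.strip())):
            current = {"name": m["name"], "dep": m["dep"], "lines": [line]}
    if current is not None:
        raise ValueError("unterminated set ACL block")
    return blocks

def order_blocks(blocks):
    """Stable order in which every required block precedes its dependents."""
    by_name = {b["name"]: b for b in blocks if b["name"]}
    ordered, state = [], {}  # state: id(block) -> "visiting" or "done"
    def visit(block):
        if state.get(id(block)) == "visiting":
            raise ValueError("dependency cycle between named blocks")
        if id(block) not in state:
            state[id(block)] = "visiting"
            if block["dep"] is not None:
                if block["dep"] not in by_name:
                    raise ValueError(f"unknown block name: {block['dep']}")
                visit(by_name[block["dep"]])
            ordered.append(block)
            state[id(block)] = "done"
    for block in blocks:
        visit(block)
    return ordered
```

A DEPENDS ON that names no block, or a cycle between named blocks, raises ValueError, so the ACE order is never decided silently.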