[ 
https://issues.apache.org/jira/browse/SLING-5355?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15075924#comment-15075924
 ] 

Bertrand Delacretaz edited comment on SLING-5355 at 1/5/16 9:58 AM:
--------------------------------------------------------------------

This is now implemented under 
https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/acldef

The {{it}} module demonstrates this using the below definitions in its 
provisioning model. Those are simply configurations for the {{AclSetup}} 
component. Note that as Oak requires paths to exist to set ACLs on them, that 
component needs to retry executing those ACL definition snippets if the 
affected paths don't exist yet.

To use this, install the {{org.apache.sling.acldef.oak-jcr}} and 
{{org.apache.sling.acldef.parser}} bundles, and create configs as shown below, 
as many as needed. Watch the logs for messages under the 
{{org.apache.sling.acldef}} category to see what's happening.

{code}
org.apache.sling.acldef.jcr.AclSetup-one
  #
  acldef.text.1="create service user fredWilma"
  #
  # multiline acldef statement
  acldef.text.2="
      set ACL for fredWilma
        allow jcr:all on /acltest
        deny jcr:write on /acltest/A
      end"
  #    
  # single line with backslash n works as well    
  acldef.text.backs="set ACL for fredWilma \n allow jcr:write on /acltest/A/B \n end"
  
# try some acldef in a separate config  
org.apache.sling.acldef.jcr.AclSetup-two
  # this user will be created from code, to validate the async ACL setting
  # and using the path-oriented notation, to test that     
  acldef.text.another="
    set ACL on /acltest
      allow jcr:all for anotherUser
    end
    set ACL on /acltest/A/B
      deny jcr:write for anotherUser
    end
    "
{code}




was (Author: bdelacretaz):
This is now implemented under 
https://svn.apache.org/repos/asf/sling/trunk/contrib/extensions/acldef

The {{it}} module demonstrates this using the below definitions in its 
provisioning model. Those are simply configurations for the {{AclSetup}} 
component. Note that as Oak requires paths to exist to set ACLs on them, that 
component needs to retry executing those ACL definition snippets if the 
affected paths don't exist yet.

To use this, install the {{org.apache.sling.acldef.oak-jcr}} and 
{{org.apache.sling.acldef.parser}} modules, and create configs as shown below, 
as many as needed. Watch the logs for messages under the 
{{org.apache.sling.acldef}} category to see what's happening.

{code}
org.apache.sling.acldef.jcr.AclSetup-one
  #
  acldef.text.1="create service user fredWilma"
  #
  # multiline acldef statement
  acldef.text.2="
      set ACL for fredWilma
        allow jcr:all on /acltest
        deny jcr:write on /acltest/A
      end"
  #    
  # single line with backslash n works as well    
  acldef.text.backs="set ACL for fredWilma \n allow jcr:write on /acltest/A/B \n end"
  
# try some acldef in a separate config  
org.apache.sling.acldef.jcr.AclSetup-two
  # this user will be created from code, to validate the async ACL setting
  # and using the path-oriented notation, to test that     
  acldef.text.another="
    set ACL on /acltest
      allow jcr:all for anotherUser
    end
    set ACL on /acltest/A/B
      deny jcr:write for anotherUser
    end
    "
{code}



> Create service users and ACLs from the provisioning model
> ---------------------------------------------------------
>
>                 Key: SLING-5355
>                 URL: https://issues.apache.org/jira/browse/SLING-5355
>             Project: Sling
>          Issue Type: New Feature
>          Components: Service User Mapper
>            Reporter: Bertrand Delacretaz
>            Assignee: Bertrand Delacretaz
>
> As discussed in the "Removing loginAdministrative, how to test that, and 
> service username conventions" thread on our dev list [1] we need to be able 
> to create service users and set the corresponding ACLs from our provisioning 
> model.
> This should be implemented using distinct utility classes, one for the users 
> and one for the ACLs, that take simple mini-languages as input. This will 
> allow for reusing these utilities in test code for example.
> I have made a suggestion for those mini languages in that thread, will copy 
> them here once we agree.
> [1] http://markmail.org/message/kcvuhwfdald2dyuz



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
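
Added example, not part of the original comment or of the Sling code base: a small Python review script that normalizes both notations used in the AclSetup configurations above (principal-oriented and path-oriented) into (principal, action, privilege, path) entries, then reports jcr:all grants and principals that the definitions themselves do not create. The grammar is inferred only from the snippets in the comment, and the names parse_acldef, review and SAMPLE are hypothetical.

```python
import re

# Grammar inferred from the page's snippets (assumption); not the acldef.parser code.
CREATE = re.compile(r"create service user (\S+)$")
BLOCK = re.compile(r"set ACL (for|on) (\S+)$")
RULE = re.compile(r"(allow|deny) (\S+) (on|for) (\S+)$")

def parse_acldef(text):
    """Return (service_users, entries); an entry is (principal, action, privilege, path)."""
    users, entries, block = [], [], None
    for raw in text.replace("\\n", "\n").splitlines():  # literal \n also separates lines
        line = " ".join(raw.split())
        if not line:
            continue
        if block is None:
            if m := CREATE.match(line):
                users.append(m.group(1))
            elif m := BLOCK.match(line):
                block = m.groups()  # ("for", principal) or ("on", path)
            else:
                raise ValueError(f"unexpected statement: {line!r}")
        elif line == "end":
            block = None
        elif (m := RULE.match(line)) and m.group(3) != block[0]:
            action, privilege, _, target = m.groups()
            principal, path = (block[1], target) if block[0] == "for" else (target, block[1])
            entries.append((principal, action, privilege, path))
        else:
            raise ValueError(f"unexpected line in ACL block: {line!r}")
    if block is not None:
        raise ValueError("ACL block not closed with 'end'")
    return users, entries

def review(entries, created_users):
    """Report jcr:all grants and principals that these definitions do not create."""
    broad = [f"{p}: jcr:all allowed on {path}" for p, action, privilege, path in entries
             if action == "allow" and privilege == "jcr:all"]
    external = sorted({p for p, *_ in entries if p not in created_users})
    return broad + [f"{p}: not created by these definitions" for p in external]

# Constructed from the statements in the two AclSetup configs above (whitespace compacted).
SAMPLE = r"""create service user fredWilma
set ACL for fredWilma
  allow jcr:all on /acltest
  deny jcr:write on /acltest/A
end
set ACL for fredWilma \n allow jcr:write on /acltest/A/B \n end
set ACL on /acltest \n allow jcr:all for anotherUser \n end
set ACL on /acltest/A/B \n deny jcr:write for anotherUser \n end"""
```

Running review(*reversed(parse_acldef(SAMPLE))) lists anotherUser as not created by the definitions, which matches the config comment that this user is created from code and its ACLs are applied asynchronously.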
