[ https://issues.apache.org/jira/browse/SLING-6398?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15748507#comment-15748507 ]
Robert Munteanu commented on SLING-6398:
----------------------------------------
{quote}That works for me but in principle I don't know if recreating an ACL
might make a difference if one already exists. {quote}
I am not sure if it's supposed to make a difference, but in my tests it does.
{quote}I don't have deep knowledge of Oak ACLs but AFAIK the order in which
they are created is relevant. So if you have 3 ACLs (A, B,C) and you recreate A
the new order might be (B, C, A) and behave differently than if you don't
recreate it.
For now I suppose clear logs of what happens, at the INFO level, should be good
enough for now.{quote}
Good point, that is indeed the case according to
http://jackrabbit.apache.org/oak/docs/security/permission/evaluation.html:
{quote} (...) within a given type of principal (user vs. group principal) the
order of executing is (...): order of entries as specified originally (the
index of the permission entry){quote}
I will adjust my implementation to only skip exact replacements.
> Repoinit should not attempt to create access control entries when no changes
> are needed
> ---------------------------------------------------------------------------------------
>
> Key: SLING-6398
> URL: https://issues.apache.org/jira/browse/SLING-6398
> Project: Sling
> Issue Type: Improvement
> Components: Repoinit
> Reporter: Robert Munteanu
> Assignee: Robert Munteanu
> Fix For: Repoinit JCR 1.1.2
>
>
> I have a more complex Sling setup based on the recent Oak multiplexing
> additions.
> The repository is split between
> - /libs and /apps, read-only
> - the rest of the repository, read-write
> When the provisioning model contains ACL definitions, they are processed
> directly without checking if they exist. In turn, Oak updates the
> definitions, even if equivalent ones exist. This causes the repoinit part to
> fail if it refers to ACLs for the read-only part of the repository.
> I would propose that the repoinit statements check if the ACL really needs to
> be replaced or if it can be skipped. This also has the advantage of making it
> symmetric with the checks for service users and paths and also should
> slightly reduce provisioning time.
> [~bdelacretaz] - would that work for you?
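
The ordering concern raised in this comment, as an added example that is not part of the original message or of the Sling/Oak code base: a simplified Python model of an ordered ACL in which recreating an entry moves it to the end, plus a check that skips the write only when the resulting list would be identical. The entry names, the "highest index wins" evaluation rule and the remove-then-append behaviour are assumptions of the model, taken from the (A, B, C) scenario in the thread.

```python
from typing import Iterable, List, NamedTuple, Optional, Set


class Entry(NamedTuple):
    principal: str   # all principals here are group principals (same type)
    privilege: str
    allow: bool


def is_allowed(acl: List[Entry], principals: Set[str], privilege: str) -> bool:
    """Model assumption: among matching entries the one with the highest
    index decides; no matching entry means deny."""
    decision = False
    for entry in acl:
        if entry.principal in principals and entry.privilege == privilege:
            decision = entry.allow
    return decision


def recreate(acl: List[Entry], entry: Entry) -> List[Entry]:
    """The 'recreate' scenario from the thread: drop the entry if present,
    then append it, so (A, B, C) becomes (B, C, A)."""
    return [e for e in acl if e != entry] + [entry]


def plan(acl: List[Entry], requested: Iterable[Entry]) -> Optional[List[Entry]]:
    """Simulate applying the requested entries in order. Return None when the
    result is identical to the current list (order included), meaning the
    write can be skipped; otherwise return the list that must be written."""
    result = list(acl)
    for entry in requested:
        result = recreate(result, entry)
    return None if result == list(acl) else result


# Constructed sample data (hypothetical principals, standard JCR privilege names).
A = Entry("editors", "jcr:write", False)
B = Entry("everyone", "jcr:read", True)
C = Entry("authors", "jcr:write", True)
CURRENT_ACL = [A, B, C]
MEMBER_OF = {"editors", "authors", "everyone"}

if __name__ == "__main__":
    print("before:", is_allowed(CURRENT_ACL, MEMBER_OF, "jcr:write"))
    print("after recreating A:",
          is_allowed(recreate(CURRENT_ACL, A), MEMBER_OF, "jcr:write"))
    print("plan for [A]:", plan(CURRENT_ACL, [A]))
    print("plan for [A, B, C]:", plan(CURRENT_ACL, [A, B, C]))
```

In this model, skipping an entry merely because it already exists would leave (A, B, C) in place where a recreate would have produced (B, C, A), which is why the check compares the full ordered result.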