[ https://issues.apache.org/jira/browse/SLING-6422?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15767221#comment-15767221 ]
Bertrand Delacretaz edited comment on SLING-6422 at 12/21/16 2:47 PM:
----------------------------------------------------------------------

The first step is to define a suitable syntax in the repoinit language for those restrictions.

So far the language only supports an optional "nodetypes" clause (see test [1]) which is not implemented by the JCR repoinit module, so has no effect.

I have little experience with those restrictions but as per [2] it looks like each restriction is expressed with a name and 1..N values. And custom restrictions can be created, so the syntax must be flexible.

Here's a first set of examples of what those restriction definitions could look like in repoinit, comments are welcome.

I think it makes sense to define keywords for the common restriction types (nodetypes, glob, namespaces) as well as a generic syntax for other built-in and custom restrictions.

In these examples, {{allow ...}} represents repoinit ACL definitions with the existing syntax

{code}
# explicit form for common restriction types
allow ... nodetypes sling:Folder, my:Type
allow ... nodetypes nt:file glob *.jsp
allow ... glob *.jsp
allow ... namespaces http://sling.apache.org/nt glob *.html

# generic form for any restriction type
allow ... restriction(rep:glob, *.jsp, *.txt) restriction(rep:ntNames, sling:Folder) restriction(rep:prefixes, sling)
allow ... restriction(my:custom, "13:00UTC, 23:59UTC")
allow ... restriction(my:string, "It's \"quoted\"", "second string")
{code}

Note that supporting just the generic {{restriction(name, values)}} form would be simpler at the cost of breaking parser compatibility with the existing {{nodetypes}} option. However, as that option has currently no effect in the only implementation that we have (our repoinit JCR module), we might keep that {{nodetypes}} option in the language, have it do nothing as it currently does and log a deprecation warning when it's used.
[1] https://svn.apache.org/repos/asf/sling/trunk/bundles/extensions/repoinit/parser/src/test/resources/testcases/test-30.txt
[2] http://jackrabbit.apache.org/oak/docs/security/authorization/restriction.html

> Allow for specifying oak restrictions with repoinit
> ---------------------------------------------------
>
> Key: SLING-6422
> URL: https://issues.apache.org/jira/browse/SLING-6422
> Project: Sling
> Issue Type: New Feature
> Components: Repoinit
> Reporter: Nitin Nizhawan
>
> Allow for specifying oak restrictions with repoinit. Currently repoinit
> allows one to ADD remove ACLs but there is no way to specify oak restrictions.
> http://jackrabbit.apache.org/oak/docs/security/authorization/restriction.html
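The generic {{restriction(name, values)}} form proposed in the comment, parsed in Python as an added illustration; this is not code from the comment or from the Sling repoinit parser. The token rules, the name `parse_restrictions` and the rejection of a restriction with no values are assumptions drawn from the comment's examples and its "1..N values" remark.

```python
import re

# Assumed token grammar for the generic form proposed in the comment; this is
# not the grammar of the real repoinit parser.
_TOKEN = re.compile(r'''\s*(?:
      (?P<string>"(?:[^"\\]|\\.)*")   # quoted value with backslash escapes
    | (?P<punct>[(),])
    | (?P<word>[^\s(),"]+)            # bare name or value: rep:glob, *.jsp
    )''', re.VERBOSE)

def _tokens(text):
    text, pos = text.rstrip(), 0
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:                   # e.g. an unterminated quoted value
            raise ValueError(f"cannot tokenize at column {pos}: {text[pos:pos + 12]!r}")
        pos, kind, raw = m.end(), m.lastgroup, m.group(m.lastgroup)
        if kind == "string":            # strip the quotes, then undo \" and \\
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])
        yield (raw if kind == "punct" else kind), raw

def parse_restrictions(clause):
    """Parse 'restriction(name, v1, ...)' items into [(name, [values]), ...]."""
    toks = list(_tokens(clause)) + [("end", "<end of input>")]
    pos, result = 0, []
    def take(*kinds):
        nonlocal pos
        kind, text = toks[pos]
        if kind not in kinds:
            raise ValueError(f"expected {' or '.join(kinds)}, got {text!r}")
        pos += 1
        return text
    while toks[pos][0] != "end":
        if take("word") != "restriction":
            raise ValueError("expected the keyword 'restriction'")
        take("(")
        name, values = take("word"), []
        while toks[pos][0] == ",":
            take(",")
            values.append(take("word", "string"))
        if not values:                  # the comment describes 1..N values
            raise ValueError(f"restriction {name!r} has no values")
        take(")")
        result.append((name, values))
    return result

# Constructed sample: the restriction part of two of the comment's examples.
SAMPLE = r'''restriction(rep:glob, *.jsp, *.txt) restriction(my:custom, "13:00UTC, 23:59UTC")'''
if __name__ == "__main__":
    print(parse_restrictions(SAMPLE))
```

A malformed clause raises `ValueError` instead of yielding a partial result, so a caller in this sketch never receives an ACL entry with fewer restrictions than were written.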