[
https://issues.apache.org/jira/browse/OAK-2981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14583817#comment-14583817
]
angela edited comment on OAK-2981 at 6/12/15 6:14 PM:
------------------------------------------------------
well... i fail to see the benefit of this kind of logging. for development you
don't need it because you hopefully understand what you are doing and don't
need a log-trace in order to properly setup your permissions (trial and error
approach is the kind of thing i wouldn't want a developer to do in the security
area). and for debugging an application which has troubles this kind of
super-verbose log out put is not going to help in any way. what you need for
the latter is a tool that allows you shows the effective permissions on one
hand the the effective access control setup on the other hand; both for
individual principals and an (arbitrary) set of principals.
-1 for this approach.
was (Author: anchela):
well... i fail to see the benefit of this kind of logging. for development you
don't need it because you hopefully understand what you are doing and don't
need a log-trace in order to properly setup your permissions (trial and error
approach is the kind of thing i wouldn't want a developer to do in the security
area). and for debugging an application which has troubles this kind of
super-verbose log out put is not going to help in any way. what you need for
the latter is a tool that allows you should the effective permissions on one
hand the the effective permission setup on the other hand; both for individual
principals and an arbitrary set of principals.
-1 for this approach.
> Access control logging
> ----------------------
>
> Key: OAK-2981
> URL: https://issues.apache.org/jira/browse/OAK-2981
> Project: Jackrabbit Oak
> Issue Type: New Feature
> Components: core
> Reporter: Alexander Klimetschek
> Assignee: angela
> Priority: Minor
>
> For debugging application behavior and designing ACLs it is useful to have a
> logging of JCR operations and also see if access was granted or not.
> I hacked a quick solution that gives this result:
> {noformat}
> 10.06.2015 15:29:43.658 [admin] ALLOWED
> /jcr:system/rep:namespaces/rep:nsdata/http%3A%2F%2Fsling.apache.org%2Fjcr%2Fevent%2F1.0
> [read property]
> 10.06.2015 15:29:43.658 [admin] ALLOWED
> /var/eventing/jobs/assigned/862f413b-6f03-40a1-aa10-550af9970254 [read]
> 10.06.2015 15:29:43.658 [admin] ALLOWED
> /var/eventing/jobs/assigned/862f413b-6f03-40a1-aa10-550af9970254/jcr:primaryType
> [read property]
> 10.06.2015 15:30:10.484 [aklim...@adobe.com] DENIED
> /libs/wcm/core/content/contentfinder [read]
> 10.06.2015 15:25:12.421 [admin] ALLOWED
> /var/classes/862f413b-6f03-40a1-aa10-550af9970254/sightly/1.0.2/apps/ccebasic/ui/commons/breadcrumbs/SightlyJava_breadcrumbs.java/jcr:content/jcr:content
> [REMOVE_NODE,ADD_NODE]
> {noformat}
> See on my github fork:
> https://github.com/alexkli/jackrabbit-oak/commit/f4ecf7ca6b7d8c7e1d6967d409be4045a634efe2
> Change against the 1.2 branch. [As patch
> file|https://github.com/alexkli/jackrabbit-oak/commit/f4ecf7ca6b7d8c7e1d6967d409be4045a634efe2.patch].
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
