[ https://issues.apache.org/jira/browse/OAK-2981?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14589799#comment-14589799 ]

angela commented on OAK-2981:
-----------------------------

my take is totally the opposite: you have to think about your permission setup 
upfront and design it. if you just look at a log you will end up just opening 
up permission blindly to make everything get green without designing it! this 
is asking for privilege escalations and is just the total opposite of what the 
security team tries to establish.

so, my -1 still stands. consider this a veto.

> Access control logging
> ----------------------
>
>                 Key: OAK-2981
>                 URL: https://issues.apache.org/jira/browse/OAK-2981
>             Project: Jackrabbit Oak
>          Issue Type: New Feature
>          Components: core
>            Reporter: Alexander Klimetschek
>            Assignee: angela
>            Priority: Minor
>
> For debugging application behavior and designing ACLs it is useful to have a 
> logging of JCR operations and also see if access was granted or not.
> I hacked a quick solution that gives this result:
> {noformat}
> 10.06.2015 15:29:43.658 [admin] ALLOWED /jcr:system/rep:namespaces/rep:nsdata/http%3A%2F%2Fsling.apache.org%2Fjcr%2Fevent%2F1.0 [read property]
> 10.06.2015 15:29:43.658 [admin] ALLOWED /var/eventing/jobs/assigned/862f413b-6f03-40a1-aa10-550af9970254 [read]
> 10.06.2015 15:29:43.658 [admin] ALLOWED /var/eventing/jobs/assigned/862f413b-6f03-40a1-aa10-550af9970254/jcr:primaryType [read property]
> 10.06.2015 15:30:10.484 [aklim...@adobe.com] DENIED  /libs/wcm/core/content/contentfinder [read]
> 10.06.2015 15:25:12.421 [admin] ALLOWED /var/classes/862f413b-6f03-40a1-aa10-550af9970254/sightly/1.0.2/apps/ccebasic/ui/commons/breadcrumbs/SightlyJava_breadcrumbs.java/jcr:content/jcr:content [REMOVE_NODE,ADD_NODE]
> {noformat}
> See on my github fork: https://github.com/alexkli/jackrabbit-oak/commit/f4ecf7ca6b7d8c7e1d6967d409be4045a634efe2
> Change against the 1.2 branch. [As patch file|https://github.com/alexkli/jackrabbit-oak/commit/f4ecf7ca6b7d8c7e1d6967d409be4045a634efe2.patch].



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
