[ https://issues.apache.org/jira/browse/OAK-10424?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mark Adamcin updated OAK-10424:
-------------------------------
    Description: 
Setting the global QueryEngineSettingsService.getFastQuerySize() value to true 
is currently the only way to allow service users to leverage JCR query for 
collecting accurate repository count metrics in a performant way. However, 
doing so in a multiuser repository may be inadvisable because the fast result 
size is returned to the caller without considering the caller's read 
permissions over the paths returned in the result, which may allow less 
privileged users to discover the presence of nodes that are not otherwise 
visible to them.

See [https://jackrabbit.apache.org/oak/docs/query/query-engine.html#result-size]

As an alternative to the global setting, Oak should provide a query option 
alongside [TRAVERSAL, OFFSET / LIMIT, and INDEX 
TAG|https://jackrabbit.apache.org/oak/docs/query/query-engine.html#query-options],
 such as "FASTSIZE".

For example,
select a.[jcr:path] from [nt:base] as a where contains(a.[text], 'Hello World')
option(offset 10, fastsize)

To address the security risk, the application should also provide a 
configuration of some kind to restrict the ability to effectively leverage this 
option to permitted system users, which could be implemented as an allowlist 
property in the QueryEngineSettingsService configuration, or as a JCR 
repository privilege.

I have provided a PR that adds support for a FASTSIZE query option and a 
rep:queryOptionsRelaxedSecurity repository privilege. I think the JCR 
privilege-based approach for configuration of this permission is more aligned 
with how system users are defined in practice, but this approach requires a 
minor version increase in the following oak-security-spi packages:
 * org.apache.jackrabbit.oak.spi.security.authorization.permission
 * org.apache.jackrabbit.oak.spi.security.privilege

Because all registered permissions are serialized into a long bitset, there is 
clearly a premium on adding another built-in privilege, so I figured that it 
would be better to choose a name for the privilege that would make it useful 
for future query options that may involve a tradeoff between security and 
performance, like a "FACETS INSECURE" option to override the 
SecureFacetConfiguration defined on an index definition.
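A small model of the disclosure described in this ticket, added here as an illustration and not code from Oak or from the linked PR: the index knows the full match count, the secure path counts only rows the calling principal may read, a global fast-size setting hands the raw index count to anyone, and the proposed per-query option is honoured only for a principal holding the rep:queryOptionsRelaxedSecurity privilege. The repository contents, principals and privilege table are constructed sample data.

```python
import re

# Constructed sample repository: path -> (indexed text, principals allowed to read it).
REPO = {
    "/content/public/a": ("Hello World", {"everyone"}),
    "/content/public/b": ("Hello World", {"everyone"}),
    "/content/secret/c": ("Hello World", {"admin"}),
    "/content/secret/d": ("Hello World", {"admin"}),
    "/content/other":    ("Goodbye", {"everyone"}),
}

# Privilege name from the ticket; the principal -> privileges table is constructed.
RELAXED_SECURITY_PRIVILEGE = "rep:queryOptionsRelaxedSecurity"
PRIVILEGES = {
    "metrics-service": {RELAXED_SECURITY_PRIVILEGE},
    "admin": {RELAXED_SECURITY_PRIVILEGE},
}


def parse_options(query):
    """Return the option names in a trailing option(...) clause, e.g. option(offset 10, fastsize)."""
    m = re.search(r"option\s*\(([^)]*)\)\s*$", query, re.IGNORECASE)
    if not m:
        return set()
    return {part.strip().split()[0].lower() for part in m.group(1).split(",") if part.strip()}


def index_matches(term):
    """Unfiltered index lookup: every path whose text contains the term (what a fast size counts)."""
    return [path for path, (text, _) in REPO.items() if term in text]


def can_read(principal, path):
    allowed = REPO[path][1]
    return "everyone" in allowed or principal in allowed


def result_size(query, term, principal, global_fast_query_size=False):
    """Return (size, mode). 'fast' is the raw index count; 'secure' counts only readable rows."""
    hits = index_matches(term)
    if global_fast_query_size:
        # The global setting: the unfiltered count leaks to every caller, privileged or not.
        return len(hits), "fast"
    wants_fast = "fastsize" in parse_options(query)
    permitted = RELAXED_SECURITY_PRIVILEGE in PRIVILEGES.get(principal, set())
    if wants_fast and permitted:
        return len(hits), "fast"
    # Secure path: an ACL check per row, so hidden nodes never contribute to the size.
    return sum(1 for path in hits if can_read(principal, path)), "secure"
```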

 

> Allow Fast Query Size to be selectively enabled with a query option for 
> permitted principals 
> ---------------------------------------------------------------------------------------------
>
>                 Key: OAK-10424
>                 URL: https://issues.apache.org/jira/browse/OAK-10424
>             Project: Jackrabbit Oak
>          Issue Type: Improvement
>    Affects Versions: 1.56.0
>            Reporter: Mark Adamcin
>            Priority: Major
>              Labels: query
>



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
