[jira] [Commented] (JCRVLT-721) Importing content packages with minimum permissions fails

2023-10-19 Thread Patrique Legault (Jira)


[ 
https://issues.apache.org/jira/browse/JCRVLT-721?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=1275#comment-1275
 ] 

Patrique Legault commented on JCRVLT-721:
-

Why can't we simply expose the *usersPath* and *groupsPath* in [1] and then, by 
having a reference to [2], get the path without having to create a user 
and group, saving resources when installing a package? Seems to be an expensive 
way to simply expose a piece of data we already have.

[1] [https://github.com/apache/jackrabbit-oak/blob/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/user/UserConfigurationImpl.java#L213]

[2] [https://github.com/apache/jackrabbit-oak/blob/e3c2dd6303abae0056fe8def0f59d9d9ebcdf7d2/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/ConfigurationBase.java#L63]

> Importing content packages with minimum permissions fails 
> --
>
> Key: JCRVLT-721
> URL: https://issues.apache.org/jira/browse/JCRVLT-721
> Project: Jackrabbit FileVault
> Issue Type: Bug
> Components: Packaging
> Affects Versions: 3.7.0
> Reporter: Ankita Agarwal
> Assignee: Konrad Windszus
> Priority: Major
> Fix For: 3.7.2
>
>
> Importing Content Packages using a dedicated user (with minimum permissions) 
> has failed with AccessDeniedExceptions since JCRVLT 3.7.0 release.
> This is a regression of issue JCRVLT-683 specifically to logic that has been 
> added to determine the root paths of groups and users in 
> JackrabbitACLManagement#determineAuthorizableRootPaths 
> ([https://github.com/apache/jackrabbit-filevault/blame/jackrabbit-filevault-3.7.0/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/spi/impl/jcr20/JackrabbitACLManagement.java#L119]).
> The new logic creates a group and a user in order to determine the root paths 
> of groups and users and immediately deletes them afterward.
> This is a bad solution as it breaks the Principle of Least Permission (PoLP): 
> The user that is being used to import content should not have permission to 
> create and delete users and groups. 
> The root paths of users and groups are always initialized as /home/users and 
> /home/groups, so there is little need to determine root paths by creating and 
> deleting groups and users.
> 
> *Steps to reproduce:* 
>  * You create a user that you use to import content. You give it all 
> permissions on /content
>  * When you import a content package that replaces existing content (= when 
> you import the same content package twice, and it has "replace" in its filter 
> definition), you will see that it fails with the error that it cannot access 
> the /home/groups or /home/users repository path
> 
> *Expected Behavior:* Successful content package imports
> 
> *Experienced Behavior:* Content package imports that succeeded before now 
> fail with AccessDeniedExceptions 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Commented] (JCRVLT-721) Importing content packages with minimum permissions fails

2023-10-04 Thread Mark Adamcin (Jira)


[ 
https://issues.apache.org/jira/browse/JCRVLT-721?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17772034#comment-17772034
 ] 

Mark Adamcin commented on JCRVLT-721:
-

[~kwin] Can you cut a 3.7.2 release for this change? 



[jira] [Commented] (JCRVLT-721) Importing content packages with minimum permissions fails

2023-10-02 Thread Mark Adamcin (Jira)


[ 
https://issues.apache.org/jira/browse/JCRVLT-721?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17771258#comment-17771258
 ] 

Mark Adamcin commented on JCRVLT-721:
-

[~kwin] I created a PR for this change.



[jira] [Commented] (JCRVLT-721) Importing content packages with minimum permissions fails

2023-10-02 Thread Mark Adamcin (Jira)


[ 
https://issues.apache.org/jira/browse/JCRVLT-721?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17771234#comment-17771234
 ] 

Mark Adamcin commented on JCRVLT-721:
-

[~kwin] Instead of relying on the usersPath and groupsPath and the associated 
ambiguity to decide whether to short-circuit, I think we can probably just 
check the node type here: 
[https://github.com/apache/jackrabbit-filevault/blob/f8f86c7fbd392deddf561f64c2e93126d50aa5dd/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/spi/impl/jcr20/JackrabbitACLManagement.java#L215]
 
This condition should be sufficient to determine whether Authorizables are 
allowed at or below the path of the provided node:
{code:java}
node.isNodeType("rep:AuthorizableFolder")
    || isAuthorizableNodeType(node.getPrimaryNodeType().getName())
{code}

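An added sketch, not code from FileVault or from this thread, contrasting the probe approach the issue describes with the read-only node-type condition quoted in the comment above. The class and method names and the `AUTHORIZABLE_TYPES` set (standing in for FileVault's `isAuthorizableNodeType`) are assumptions; it compiles against the JCR 2.0 and Jackrabbit API jars.

```java
import java.util.Set;
import java.util.UUID;
import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.UserManager;

public final class AuthorizableLookupSketch {

    // Assumed set of primary types that represent authorizables; it stands in
    // for FileVault's isAuthorizableNodeType(), whose body is not on the page.
    private static final Set<String> AUTHORIZABLE_TYPES =
            Set.of("rep:User", "rep:SystemUser", "rep:Group");

    /**
     * Probe approach as the issue describes it: create a throwaway user, read
     * where the repository placed it, then delete it. The importing session
     * must be allowed to work in the users tree; per the issue, an importer
     * limited to /content fails here with AccessDeniedException.
     */
    static String probeUserNodePath(Session session) throws RepositoryException {
        UserManager um = ((JackrabbitSession) session).getUserManager();
        Authorizable tmp = um.createUser(
                "probe-" + UUID.randomUUID(), UUID.randomUUID().toString());
        try {
            return tmp.getPath();
        } finally {
            tmp.remove(); // drop the temporary user again
        }
    }

    /**
     * Read-only alternative from the comment: decide from the node's own type
     * whether authorizables can live at or below it. It only reads the node the
     * importer is already handling, so no user-management privilege is needed
     * and the result does not depend on where the users path is configured.
     */
    static boolean allowsAuthorizables(Node node) throws RepositoryException {
        return node.isNodeType("rep:AuthorizableFolder")
                || AUTHORIZABLE_TYPES.contains(node.getPrimaryNodeType().getName());
    }
}
```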


[jira] [Commented] (JCRVLT-721) Importing content packages with minimum permissions fails

2023-10-02 Thread Konrad Windszus (Jira)


[ 
https://issues.apache.org/jira/browse/JCRVLT-721?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17771200#comment-17771200
 ] 

Konrad Windszus commented on JCRVLT-721:


Further background on why this is necessary is outlined in 
https://issues.apache.org/jira/browse/JCRVLT-683?focusedCommentId=17712695&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17712695.



[jira] [Commented] (JCRVLT-721) Importing content packages with minimum permissions fails

2023-10-02 Thread Konrad Windszus (Jira)


[ 
https://issues.apache.org/jira/browse/JCRVLT-721?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17771198#comment-17771198
 ] 

Konrad Windszus commented on JCRVLT-721:


> The root paths of users and groups are always initialized as /home/users 
> and /home/groups, so there is little need to determine root paths by creating 
> and deleting groups and users.

This is not true. That path is configurable in Oak (compare with 
https://jackrabbit.apache.org/oak/docs/security/user/default.html#configuration 
{{PARAM_USERS_PATH}} and {{PARAM_GROUP_PATH}}), particularly the default is 
{{/rep:security/rep:authorizables/rep:users}} and 
{{/rep:security/rep:authorizables/rep:groups}} respectively. Unfortunately 
there is no API to determine the authorizable root path.
But I am open to other suggestions on how to implement this.
