[jira] [Commented] (SLING-12107) JCR Repoinit executes operations out of order

2023-11-02 Thread Julian Sedding (Jira) 


[ 
https://issues.apache.org/jira/browse/SLING-12107?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17782080#comment-17782080
 ] 

Julian Sedding commented on SLING-12107:


[~kwin] I added a paragraph about ordering in [sling-site PR 
#143|https://github.com/apache/sling-site/pull/143].

[~cziegeler] here's what I intend to add to the docs:

{quote}
When a repoinit script is applied with the `org.apache.sling.jcr.repoinit` 
module, the execution order of the individual
statements is slightly different from their order within the script. Namely, 
all statements creating namespaces are
executed before any other statements. Next, all statements registering 
nodetypes or privileges are executed. And finally,
all other statements are executed in the order they are defined. This 
reordering is intended to avoid issues due to
missing namespaces, nodetypes or privileges when content is created.
{quote}

> JCR Repoinit executes operations out of order
> -
>
> Key: SLING-12107
> URL: https://issues.apache.org/jira/browse/SLING-12107
> Project: Sling
>  Issue Type: Bug
>  Components: Repoinit
>Affects Versions: Repoinit JCR 1.1.44
>Reporter: Julian Sedding
>Assignee: Julian Sedding
>Priority: Major
> Fix For: Repoinit JCR 1.1.46
>
>
> When applying ACLs, repoinit checks if the referenced authorizable exists, 
> and it fails if it doesn't.
> However, my goal was to set up ACLs with my deployment for a group that was 
> to be sync'ed from an {{ExternalIdentityProvider}} once the first member of 
> that group logs in.
> To work around this limitation, I tried running the following repoinit script:
> {noformat}
> create group testGroup
> set ACL for testGroup
>   allow jcr:read on /content/foo
>   deny jcr:write on /content/foo
> end
> delete group testGroup
> {noformat}
> It turned out that the statements were executed in the following order:
> {noformat}
> create group testGroup
> delete group testGroup
> set ACL for testGroup
>   allow jcr:read on /content/foo
>   deny jcr:write on /content/foo
> end
> {noformat}
> Of course that caused the script to fail just as if no group was created.
> The incorrect ordering may also cause other scenarios to fail.
> The {{ExecutionOrderTest}} suggests that some re-ordering is done on purpose. 
> E.g. namespaces and nodetypes should be created before e.g. paths are created.
> I would expect that registration of custom privileges should also be executed 
> before other operations. I don't see how that could be harmful.
> But for all other statements, I would expect the execution order to match the 
> order of the statements within the repoinit script.
> cc [~bdelacretaz], [~cziegeler], [~angela]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Commented] (SLING-12107) JCR Repoinit executes operations out of order

2023-10-30 Thread Carsten Ziegeler (Jira) 


[ 
https://issues.apache.org/jira/browse/SLING-12107?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17780984#comment-17780984
 ] 

Carsten Ziegeler commented on SLING-12107:
--

Do we have a summary of what actually gets reordered and why? I find it rather 
surprising that statements are reordered.

> JCR Repoinit executes operations out of order
> -
>
> Key: SLING-12107
> URL: https://issues.apache.org/jira/browse/SLING-12107
> Project: Sling
>  Issue Type: Bug
>  Components: Repoinit
>Affects Versions: Repoinit JCR 1.1.44
>Reporter: Julian Sedding
>Assignee: Julian Sedding
>Priority: Major
> Fix For: Repoinit JCR 1.1.46
>
>
> When applying ACLs, repoinit checks if the referenced authorizable exists, 
> and it fails if it doesn't.
> However, my goal was to set up ACLs with my deployment for a group that was 
> to be sync'ed from an {{ExternalIdentityProvider}} once the first member of 
> that group logs in.
> To work around this limitation, I tried running the following repoinit script:
> {noformat}
> create group testGroup
> set ACL for testGroup
>   allow jcr:read on /content/foo
>   deny jcr:write on /content/foo
> end
> delete group testGroup
> {noformat}
> It turned out that the statements were executed in the following order:
> {noformat}
> create group testGroup
> delete group testGroup
> set ACL for testGroup
>   allow jcr:read on /content/foo
>   deny jcr:write on /content/foo
> end
> {noformat}
> Of course that caused the script to fail just as if no group was created.
> The incorrect ordering may also cause other scenarios to fail.
> The {{ExecutionOrderTest}} suggests that some re-ordering is done on purpose. 
> E.g. namespaces and nodetypes should be created before e.g. paths are created.
> I would expect that registration of custom privileges should also be executed 
> before other operations. I don't see how that could be harmful.
> But for all other statements, I would expect the execution order to match the 
> order of the statements within the repoinit script.
> cc [~bdelacretaz], [~cziegeler], [~angela]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Commented] (SLING-12107) JCR Repoinit executes operations out of order

2023-10-20 Thread Konrad Windszus (Jira) 


[ 
https://issues.apache.org/jira/browse/SLING-12107?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=1785#comment-1785
 ] 

Konrad Windszus commented on SLING-12107:
-

[~jsedding] Can you add a paragraph on statement ordering in 
https://sling.apache.org/documentation/bundles/repository-initialization.html?

> JCR Repoinit executes operations out of order
> -
>
> Key: SLING-12107
> URL: https://issues.apache.org/jira/browse/SLING-12107
> Project: Sling
>  Issue Type: Bug
>  Components: Repoinit
>Affects Versions: Repoinit JCR 1.1.44
>Reporter: Julian Sedding
>Assignee: Julian Sedding
>Priority: Major
> Fix For: Repoinit JCR 1.1.46
>
>
> When applying ACLs, repoinit checks if the referenced authorizable exists, 
> and it fails if it doesn't.
> However, my goal was to set up ACLs with my deployment for a group that was 
> to be sync'ed from an {{ExternalIdentityProvider}} once the first member of 
> that group logs in.
> To work around this limitation, I tried running the following repoinit script:
> {noformat}
> create group testGroup
> set ACL for testGroup
>   allow jcr:read on /content/foo
>   deny jcr:write on /content/foo
> end
> delete group testGroup
> {noformat}
> It turned out that the statements were executed in the following order:
> {noformat}
> create group testGroup
> delete group testGroup
> set ACL for testGroup
>   allow jcr:read on /content/foo
>   deny jcr:write on /content/foo
> end
> {noformat}
> Of course that caused the script to fail just as if no group was created.
> The incorrect ordering may also cause other scenarios to fail.
> The {{ExecutionOrderTest}} suggests that some re-ordering is done on purpose. 
> E.g. namespaces and nodetypes should be created before e.g. paths are created.
> I would expect that registration of custom privileges should also be executed 
> before other operations. I don't see how that could be harmful.
> But for all other statements, I would expect the execution order to match the 
> order of the statements within the repoinit script.
> cc [~bdelacretaz], [~cziegeler], [~angela]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)