[jira] [Commented] (SLING-5848) Define service user and ACLs for Scripting
    [ https://issues.apache.org/jira/browse/SLING-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15551556#comment-15551556 ]

Radu Cotescu commented on SLING-5848:
-------------------------------------

I've restricted the access for {{sling-scripting}} as discussed here in https://svn.apache.org/r1763548.

> Define service user and ACLs for Scripting
> ------------------------------------------
>
> Key: SLING-5848
> URL: https://issues.apache.org/jira/browse/SLING-5848
> Project: Sling
> Issue Type: Task
> Components: Launchpad, Scripting
> Reporter: Oliver Lietz
> Assignee: Oliver Lietz
> Fix For: Launchpad Builder 9
>
>
> Scripting implementations require a (service) ResourceResolver with very
> limited read rights to read scripts.
> Reading can be limited to these paths:
> * {{/apps}}
> * {{/libs}}
> * -{{/etc}}- (?)
> Name for service user: {{scripting}} or {{sling-scripting}} or
> {{sling.scripting}} (?)
> *repoinit:*
> {noformat}
> create path /apps
> create path /libs
> create service user sling-scripting
> set ACL for sling-scripting
>     allow jcr:read on /apps
>     allow jcr:read on /libs
> end
> {noformat}

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (SLING-5848) Define service user and ACLs for Scripting
    [ https://issues.apache.org/jira/browse/SLING-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15551443#comment-15551443 ]

Radu Cotescu commented on SLING-5848:
-------------------------------------

Ok. But as far as this issue is concerned, restricting the access for {{sling-scripting}} with {{deny jcr:all on /}} should be enough, right? The access control for {{everyone}} is not in scope here.
[jira] [Commented] (SLING-5848) Define service user and ACLs for Scripting
    [ https://issues.apache.org/jira/browse/SLING-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15551291#comment-15551291 ]

Bertrand Delacretaz commented on SLING-5848:
--------------------------------------------

bq. I would really like to cut read access down for everyone...

I think this deserves to be discussed on our dev list.
[jira] [Commented] (SLING-5848) Define service user and ACLs for Scripting
    [ https://issues.apache.org/jira/browse/SLING-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15549498#comment-15549498 ]

Oliver Lietz commented on SLING-5848:
-------------------------------------

[~radu.cotescu], see {{org.apache.sling.jcr.oak.server.internal.OakSlingRepositoryManager}} and its configuration:

{noformat}
private void setup(final SlingRepository repository) {
    final boolean anonymous_read_all = configuration.anonymous_read_all();
    if (anonymous_read_all) {
        log.warn("anonymous.read.all is true, granting anonymous user read access on /");
        Session session = null;
        try {
            // TODO do we need to go via PrivilegeManager for the names? See OAK-1016 example.
            session = repository.loginAdministrative(getDefaultWorkspace());
            final String[] privileges = new String[]{Privilege.JCR_READ};
            AccessControlUtils.addAccessControlEntry(
                session,
                "/",
                EveryonePrincipal.getInstance(),
                privileges,
                true);
            session.save();
        } catch (RepositoryException re) {
            log.error("TODO: Failed setting up anonymous access", re);
        } finally {
            if (session != null) {
                session.logout();
            }
        }
    } else {
        log.warn("TODO: should disable anonymous access when anonymous.read.all becomes false");
    }
}
{noformat}

{noformat}
@AttributeDefinition(
    name = "Allow anonymous reads",
    description = "If true, the anonymous user has read access to the whole repository (for backwards compatibility)"
)
boolean anonymous_read_all() default true;
{noformat}

I would really like to cut {{read}} access down for {{everyone}}, either completely or granting on {{/content}} only. But I'm not sure which users will be affected and why we have this backwards compatibility. [~cziegeler], [~bdelacretaz] any ideas?
[jira] [Commented] (SLING-5848) Define service user and ACLs for Scripting
    [ https://issues.apache.org/jira/browse/SLING-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15549022#comment-15549022 ]

Radu Cotescu commented on SLING-5848:
-------------------------------------

You're right, this principal's ACLs should be more restrictive, so I guess {{deny jcr:all on /}} makes sense. What do you mean though by:

bq. We are granting read on / to everyone in Oak Server (configurable)

Shouldn't we aim for having all the ACLs defined in one place?
[jira] [Commented] (SLING-5848) Define service user and ACLs for Scripting
    [ https://issues.apache.org/jira/browse/SLING-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15545279#comment-15545279 ]

Oliver Lietz commented on SLING-5848:
-------------------------------------

[~bdelacretaz], [~chetanm] Do we need this section at all? We are granting {{read}} on {{/}} to {{everyone}} in Oak Server (configurable):

{noformat}
set ACL for sling-scripting
    deny jcr:all on /libs,/apps
    allow jcr:read on /libs,/apps
end
{noformat}

And if we keep it, shouldn't we {{deny}} on {{/}} instead?
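
The question raised in the comment above, worked through as an added example (not code from the thread, Sling or Oak): a simplified Python model of ACL evaluation that compares the section scoped to {{/libs,/apps}} with a {{deny}} on {{/}}. The precedence used (user-principal entries over group entries such as {{everyone}}, deeper paths over ancestors, later entries over earlier ones) and the sample paths are assumptions of the model.

```python
from typing import Dict, List, NamedTuple, Set

JCR_READ, JCR_ALL = "jcr:read", "jcr:all"


class Ace(NamedTuple):
    principal: str
    is_group: bool
    allow: bool
    privilege: str
    path: str


def covers(ace_path: str, target: str) -> bool:
    """True if the entry sits on the target node or on one of its ancestors."""
    return ace_path == "/" or target == ace_path or target.startswith(ace_path + "/")


def can_read(principals: Set[str], target: str, acl: List[Ace]) -> bool:
    """Pick the entry with the highest precedence that applies to a read."""
    matching = [
        (not ace.is_group, 0 if ace.path == "/" else ace.path.count("/"), index, ace)
        for index, ace in enumerate(acl)
        if ace.principal in principals
        and ace.privilege in (JCR_READ, JCR_ALL)  # jcr:all includes jcr:read
        and covers(ace.path, target)
    ]
    if not matching:
        return False  # nothing applies: access is denied by default
    return max(matching, key=lambda m: m[:3])[3].allow


def user_aces(rules) -> List[Ace]:
    return [Ace("sling-scripting", False, allow, priv, path) for allow, priv, path in rules]


# The service user always carries the "everyone" group principal as well.
SERVICE_USER = {"sling-scripting", "everyone"}

# Oak Server default from the thread: anonymous.read.all grants everyone read on /.
EVERYONE_READ = [Ace("everyone", True, True, JCR_READ, "/")]

# Section questioned in the comment: deny and allow on /libs and /apps only.
SCOPED = EVERYONE_READ + user_aces([
    (False, JCR_ALL, "/libs"), (False, JCR_ALL, "/apps"),
    (True, JCR_READ, "/libs"), (True, JCR_READ, "/apps"),
])

# Alternative asked about: deny on /, then allow read on the script roots.
ROOT_DENY = EVERYONE_READ + user_aces([
    (False, JCR_ALL, "/"),
    (True, JCR_READ, "/libs"), (True, JCR_READ, "/apps"),
])

# Constructed sample paths.
PATHS = ("/apps/demo/script.html", "/libs/demo/script.html",
         "/content/site/page", "/home/users/system")


def readable(acl: List[Ace]) -> Dict[str, bool]:
    return {path: can_read(SERVICE_USER, path, acl) for path in PATHS}


if __name__ == "__main__":
    for name, acl in (("scoped to /libs,/apps", SCOPED), ("deny on /", ROOT_DENY)):
        print(name, readable(acl))
```

With the scoped section the service user still reads {{/content}} and {{/home}} through the {{everyone}} grant; only the {{deny}} on {{/}} confines it to the script roots.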
[jira] [Commented] (SLING-5848) Define service user and ACLs for Scripting
    [ https://issues.apache.org/jira/browse/SLING-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15399150#comment-15399150 ]

Oliver Lietz commented on SLING-5848:
-------------------------------------

We should not enforce something which is not absolutely required but we can support users to not make stupid things or fail unnecessarily. Not revealing the IDs of authorizables sounds sensible (SLING-5921) and has the benefit of allowing user names in any form without bringing any hassle.

With Sling on Jackrabbit users lived in a different (restricted) workspace ({{security}}) not accessible over HTTP by default.

> Define service user and ACLs for Scripting
> ------------------------------------------
>
> Key: SLING-5848
> URL: https://issues.apache.org/jira/browse/SLING-5848
> Project: Sling
> Issue Type: Task
> Components: Scripting
> Reporter: Oliver Lietz
>
> Scripting implementations require a (service) ResourceResolver with very
> limited read rights to read scripts.
> Reading can be limited to these paths:
> * {{/apps}}
> * {{/libs}}
> * {{/etc}} (?)
> Name for service user: {{scripting}} or {{sling-scripting}} or
> {{sling.scripting}} (?)
> *repoinit:*
> {noformat}
> create path /apps
> create path /libs
> create service user sling-scripting
> set ACL for sling-scripting
>     allow jcr:read on /apps
>     allow jcr:read on /libs
> end
> {noformat}
[jira] [Commented] (SLING-5848) Define service user and ACLs for Scripting
    [ https://issues.apache.org/jira/browse/SLING-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15399106#comment-15399106 ]

Oliver Lietz commented on SLING-5848:
-------------------------------------

Let me rephrase: The dots *may* lead to problems ([1]) when someone queries users by HTTP and wants to use selectors. The URL http://localhost:8181/home/users/system/sling.scripting.json for service user {{sling.scripting}} works and will give you the user node as JSON.

If we configure {{RandomAuthorizableNodeName}} in Sling Launchpad and use dots for service user names in Sling Launchpad we are safe. If anyone alters that configuration it's up to him.

I'm in favor of a consistent pattern for user names – whether we use {{sling.}} or {{sling-}} as prefix (see my comment above why {{sling.}} came to mind).

[1] Assets in AEM DAM
[jira] [Commented] (SLING-5848) Define service user and ACLs for Scripting
    [ https://issues.apache.org/jira/browse/SLING-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15399082#comment-15399082 ]

angela commented on SLING-5848:
-------------------------------

[~bdelacretaz], i am sorry... but that doesn't make any sense to me. the Jackrabbit UserManagement API doesn't specify _any_ limitations when it comes to user Ids and a system/service user is just a variant of a regular user. as stated above it seems that Sling has an issue with dots in node names but that's definitely not an issue that the repo init or JCR or Oak should care about; also you cannot prevent someone from creating a user using the regular Jackrabbit API calls or XML import and as such not using the repo-init provided by Sling.

So, -1 for that proposal.
[jira] [Commented] (SLING-5848) Define service user and ACLs for Scripting
    [ https://issues.apache.org/jira/browse/SLING-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15399077#comment-15399077 ]

angela commented on SLING-5848:
-------------------------------

sorry, oliver, but you must not rely on any implementation of the authorizable node name; it's an implementation detail and it may change any time in a running instance. if Sling has a problem with dots, i would strongly recommend not to use it within the user id. from a JCR/Oak point of view any illegal characters will be escaped in case the id is used as hint for the node name but '.' is not an illegal JCR character afaik.
[jira] [Commented] (SLING-5848) Define service user and ACLs for Scripting
    [ https://issues.apache.org/jira/browse/SLING-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15399059#comment-15399059 ]

Oliver Lietz commented on SLING-5848:
-------------------------------------

We should enable {{org.apache.jackrabbit.oak.security.user.RandomAuthorizableNodeName}} in Sling whatever pattern we choose for service users. This would also allow regular users with a name in form {{firstname.lastname}}.

If the pattern for service users is configurable I'm fine with that too.
[jira] [Commented] (SLING-5848) Define service user and ACLs for Scripting
    [ https://issues.apache.org/jira/browse/SLING-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15399035#comment-15399035 ]

Bertrand Delacretaz commented on SLING-5848:
--------------------------------------------

We might just define a configurable validation regexp for service user names in the JCR {{RepositoryInitializer}} that applies repoinit statements, WDYT?

It's good to have some consistency in these names anyway, and it makes it easy to avoid the dots.
[jira] [Commented] (SLING-5848) Define service user and ACLs for Scripting
    [ https://issues.apache.org/jira/browse/SLING-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15399019#comment-15399019 ]

Oliver Lietz commented on SLING-5848:
-------------------------------------

[~anchela], thanks for your answer. Much appreciated!

We *have* to care about the format of the node name to not interfere with Sling's resource resolution. If the name contains dots ({{sling.scripting}}) it could clash with selectors and extensions. If the name gets randomized we are safe.

* http://localhost:8181/home/users/system/sling-scripting.json (/)
* http://localhost:8181/home/users/system/sling.scripting.json (!)
* http://localhost:8181/home/users/system/sB-CSiB-KD0S0ROF6hLtICN30xQvU5rq.json (/)
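
The clash between dotted node names and selectors described in the comment above, as an added example (not part of the thread and not Sling code): a simplified Python model of Sling's documented request URL decomposition, run against constructed repository states. Resource mappings and access control are ignored, and the node sets are sample data.

```python
from typing import NamedTuple, Optional, Set, Tuple


class Decomposed(NamedTuple):
    resource_path: str
    selectors: Tuple[str, ...]
    extension: Optional[str]
    suffix: Optional[str]
    exists: bool  # True when resource_path matched a node in the repository


def _split(resource_path: str, rest: str, exists: bool) -> Decomposed:
    """Split what follows the resource path into selectors, extension, suffix."""
    if not rest:
        return Decomposed(resource_path, (), None, None, exists)
    slash = rest.find("/")  # rest starts with "."; a later "/" starts the suffix
    dotted, suffix = (rest, None) if slash == -1 else (rest[:slash], rest[slash:])
    parts = dotted[1:].split(".")
    return Decomposed(resource_path, tuple(parts[:-1]), parts[-1], suffix, exists)


def decompose(url_path: str, nodes: Set[str]) -> Decomposed:
    """The longest existing path followed by "." (or the whole URL) is the resource."""
    candidates = [url_path] + [
        url_path[:i] for i in range(len(url_path) - 1, 0, -1) if url_path[i] == "."
    ]
    for candidate in candidates:
        if candidate in nodes:
            return _split(candidate, url_path[len(candidate):], True)
    # Nothing matched: the resource path ends at the first dot of the URL.
    first_dot = url_path.find(".")
    if first_dot == -1:
        return Decomposed(url_path, (), None, None, False)
    return _split(url_path[:first_dot], url_path[first_dot:], False)


SYSTEM = "/home/users/system"
REQUEST = f"{SYSTEM}/sling.scripting.json"

# Constructed repository states (sample data, not taken from a real instance).
DOTTED_NODE = {f"{SYSTEM}/sling.scripting"}   # node name equals the user id
OTHER_NODE = {f"{SYSTEM}/sling"}              # a different node named "sling"
HYPHEN_NODE = {f"{SYSTEM}/sling-scripting"}
RANDOM_NODE = {f"{SYSTEM}/sB-CSiB-KD0S0ROF6hLtICN30xQvU5rq"}

if __name__ == "__main__":
    cases = [
        ("dotted node present", REQUEST, DOTTED_NODE),
        ("only a 'sling' node present", REQUEST, OTHER_NODE),
        ("both nodes present", REQUEST, DOTTED_NODE | OTHER_NODE),
        ("hyphenated name", f"{SYSTEM}/sling-scripting.json", HYPHEN_NODE),
        ("random name", f"{SYSTEM}/sB-CSiB-KD0S0ROF6hLtICN30xQvU5rq.json", RANDOM_NODE),
    ]
    for label, url, nodes in cases:
        print(f"{label}: {decompose(url, nodes)}")
```

The same request resolves to the user node when {{sling.scripting}} exists, but to a node named {{sling}} with selector {{scripting}} when only that node is present, so the meaning of the URL depends on which nodes exist.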
[jira] [Commented] (SLING-5848) Define service user and ACLs for Scripting
    [ https://issues.apache.org/jira/browse/SLING-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15398913#comment-15398913 ]

angela commented on SLING-5848:
-------------------------------

what looks like a hash to you is a random node name being generated by {{RandomAuthorizableNodeName}}, which is just one possible implementation of the {{AuthorizableNodeName}} interface.

to answer your question: whatever {{AuthorizableNodeName}} implementation is configured with the default user management implementation in Oak will be used to create the user/group node. you should not rely on a given implementation as this may change at runtime. so, whenever you create a user/group by calling {{UserManager.create*}} the implementation will pick the configured {{AuthorizableNodeName}} to create the corresponding tree structure in the system.

one final note: if a given user/group account is created through XML import (see {{UserImporter}}) it will import the trees as defined in the XML. that's what Jackrabbit fVault is using for importing user/group accounts defined in content packages, which explains the difference between package import and user/group creation through Jackrabbit API calls.

Nevertheless: You should not worry about the format of the node name as this is really an implementation detail and there is no guarantee whatsoever, that a given user/group is being located at a predictable path (except for the intermediate path that can be specified when creating user/group).
[jira] [Commented] (SLING-5848) Define service user and ACLs for Scripting
    [ https://issues.apache.org/jira/browse/SLING-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15398837#comment-15398837 ]

Oliver Lietz commented on SLING-5848:
-------------------------------------

[~anchela], [~asanso]: AEM hashes (?) the name part of user paths

> Define service user and ACLs for Scripting
> ------------------------------------------
>
> Key: SLING-5848
> URL: https://issues.apache.org/jira/browse/SLING-5848
> Project: Sling
> Issue Type: Task
> Components: Scripting
> Reporter: Oliver Lietz
>
> Scripting implementations require a (service) ResourceResolver with very
> limited read rights to read scripts.
> Reading can be limited to these paths:
> * {{/apps}}
> * {{/libs}}
> * {{/etc}} (?)
> Name for service user: {{scripting}} or {{sling-scripting}} or
> {{sling.scripting}} (?)
[jira] [Commented] (SLING-5848) Define service user and ACLs for Scripting
    [ https://issues.apache.org/jira/browse/SLING-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15379109#comment-15379109 ]

Bertrand Delacretaz commented on SLING-5848:
--------------------------------------------

Good idea but let's discuss on dl-dev, I'll start this thread right now.
[jira] [Commented] (SLING-5848) Define service user and ACLs for Scripting
    [ https://issues.apache.org/jira/browse/SLING-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15379106#comment-15379106 ]

Oliver Lietz commented on SLING-5848:
-------------------------------------

Can we use a {{.}} to separate the {{sling}} prefix? AEM is already using {{-}} in names for better readability, e.g. ({{authentication-handler}}).

> Define service user and ACLs for Scripting
> ------------------------------------------
>
> Key: SLING-5848
> URL: https://issues.apache.org/jira/browse/SLING-5848
> Project: Sling
> Issue Type: Task
> Components: Scripting
> Reporter: Oliver Lietz
>
> Scripting implementations require a (service) ResourceResolver with very
> limited read rights to read scripts.
> Reading can be limited to these paths:
> * {{/apps}}
> * {{/libs}}
> * {{/etc}} (?)
> Name for service user: {{scripting}} or {{sling-scripting}} (?)
[jira] [Commented] (SLING-5848) Define service user and ACLs for Scripting
    [ https://issues.apache.org/jira/browse/SLING-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15379094#comment-15379094 ]

Bertrand Delacretaz commented on SLING-5848:
--------------------------------------------

If we start creating service users that Sling needs I'm in favor of using a {{sling-}} prefix for them.