[jira] [Commented] (SLING-5848) Define service user and ACLs for Scripting

2016-10-06 Thread Radu Cotescu (JIRA)

[ 
https://issues.apache.org/jira/browse/SLING-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15551556#comment-15551556
 ] 

Radu Cotescu commented on SLING-5848:
-

I've restricted the access for {{sling-scripting}} like discussed here in 
https://svn.apache.org/r1763548.

> Define service user and ACLs for Scripting
> --
>
> Key: SLING-5848
> URL: https://issues.apache.org/jira/browse/SLING-5848
> Project: Sling
> Issue Type: Task
> Components: Launchpad, Scripting
> Reporter: Oliver Lietz
> Assignee: Oliver Lietz
> Fix For: Launchpad Builder 9
>
>
> Scripting implementations require a (service) ResourceResolver with very 
> limited read rights to read scripts.
> Reading can be limited to these paths:
> * {{/apps}}
> * {{/libs}}
> * -{{/etc}}- (?)
> Name for service user: {{scripting}} or {{sling-scripting}} or 
> {{sling.scripting}} (?)
> *repoinit:*
> {noformat}
> create path /apps
> create path /libs
> create service user sling-scripting
> set ACL for sling-scripting
>   allow jcr:read on /apps
>   allow jcr:read on /libs
> end
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (SLING-5848) Define service user and ACLs for Scripting

2016-10-06 Thread Radu Cotescu (JIRA)

[ 
https://issues.apache.org/jira/browse/SLING-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15551443#comment-15551443
 ] 

Radu Cotescu commented on SLING-5848:
-

Ok. But as far as this issue is concerned restricting the access for 
{{sling-scripting}} with {{deny jcr:all on /}} should be enough, right? The 
access control for {{everyone}} is not in scope here.



[jira] [Commented] (SLING-5848) Define service user and ACLs for Scripting

2016-10-06 Thread Bertrand Delacretaz (JIRA)

[ 
https://issues.apache.org/jira/browse/SLING-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15551291#comment-15551291
 ] 

Bertrand Delacretaz commented on SLING-5848:


bq. I would really like to cut read access down for everyone...

I think this deserves to be discussed on our dev list.



[jira] [Commented] (SLING-5848) Define service user and ACLs for Scripting

2016-10-05 Thread Oliver Lietz (JIRA)

[ 
https://issues.apache.org/jira/browse/SLING-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15549498#comment-15549498
 ] 

Oliver Lietz commented on SLING-5848:
-

[~radu.cotescu], see 
{{org.apache.sling.jcr.oak.server.internal.OakSlingRepositoryManager}} and its 
configuration:
{noformat}
private void setup(final SlingRepository repository) {
    final boolean anonymous_read_all = configuration.anonymous_read_all();
    if (anonymous_read_all) {
        log.warn("anonymous.read.all is true, granting anonymous user read access on /");
        Session session = null;
        try {
            // TODO do we need to go via PrivilegeManager for the names? See OAK-1016 example.
            session = repository.loginAdministrative(getDefaultWorkspace());
            final String[] privileges = new String[]{Privilege.JCR_READ};
            AccessControlUtils.addAccessControlEntry(
                session,
                "/",
                EveryonePrincipal.getInstance(),
                privileges,
                true);
            session.save();
        } catch (RepositoryException re) {
            log.error("TODO: Failed setting up anonymous access", re);
        } finally {
            if (session != null) {
                session.logout();
            }
        }
    } else {
        log.warn("TODO: should disable anonymous access when anonymous.read.all becomes false");
    }
}
{noformat}

{noformat}
@AttributeDefinition(
    name = "Allow anonymous reads",
    description = "If true, the anonymous user has read access to the whole repository (for backwards compatibility)"
)
boolean anonymous_read_all() default true;
{noformat}

I would really like to cut {{read}} access down for {{everyone}}, either 
completely or granting on {{/content}} only. But I'm not sure which users will 
be affected and why we have this backwards compatibility. [~cziegeler], 
[~bdelacretaz] any ideas?



[jira] [Commented] (SLING-5848) Define service user and ACLs for Scripting

2016-10-05 Thread Radu Cotescu (JIRA)

[ 
https://issues.apache.org/jira/browse/SLING-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15549022#comment-15549022
 ] 

Radu Cotescu commented on SLING-5848:
-

You're right, this principal's ACLs should be more restrictive, so I guess 
{{deny jcr:all on /}} makes sense. What do you mean though by:

bq. We are granting read on / to everyone in Oak Server (configurable)

Shouldn't we aim for having all the ACLs defined in one place?



[jira] [Commented] (SLING-5848) Define service user and ACLs for Scripting

2016-10-04 Thread Oliver Lietz (JIRA)

[ 
https://issues.apache.org/jira/browse/SLING-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15545279#comment-15545279
 ] 

Oliver Lietz commented on SLING-5848:
-

[~bdelacretaz], [~chetanm] Do we need this section at all? We are granting 
{{read}} on {{/}} to {{everyone}} in Oak Server (configurable):

{noformat}
set ACL for sling-scripting
    deny    jcr:all     on /libs,/apps
    allow   jcr:read    on /libs,/apps
end
{noformat}

And if we keep it, shouldn't we {{deny}} on {{/}} instead?




[jira] [Commented] (SLING-5848) Define service user and ACLs for Scripting

2016-07-29 Thread Oliver Lietz (JIRA)

[ 
https://issues.apache.org/jira/browse/SLING-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15399150#comment-15399150
 ] 

Oliver Lietz commented on SLING-5848:
-

We should not enforce something which is not absolutely required but we can 
support users to not make stupid things or fail unnecessarily. Not revealing 
the IDs of authorizables sounds sensible (SLING-5921) and has the benefit of 
allowing user names in any form without bringing any hassle.

With Sling on Jackrabbit users lived in a different (restricted) workspace 
({{security}}) not accessible over HTTP by default.

> Define service user and ACLs for Scripting
> --
>
> Key: SLING-5848
> URL: https://issues.apache.org/jira/browse/SLING-5848
> Project: Sling
> Issue Type: Task
> Components: Scripting
> Reporter: Oliver Lietz
>
> Scripting implementations require a (service) ResourceResolver with very 
> limited read rights to read scripts.
> Reading can be limited to these paths:
> * {{/apps}}
> * {{/libs}}
> * {{/etc}} (?)
> Name for service user: {{scripting}} or {{sling-scripting}} or 
> {{sling.scripting}} (?)
> *repoinit:*
> {noformat}
> create path /apps
> create path /libs
> create service user sling-scripting
> set ACL for sling-scripting
>   allow jcr:read on /apps
>   allow jcr:read on /libs
> end
> {noformat}





[jira] [Commented] (SLING-5848) Define service user and ACLs for Scripting

2016-07-29 Thread Oliver Lietz (JIRA)

[ 
https://issues.apache.org/jira/browse/SLING-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15399106#comment-15399106
 ] 

Oliver Lietz commented on SLING-5848:
-

Let me rephrase: The dots *may* lead to problems ([1]) when someone queries 
users by HTTP and wants to use selectors. The URL 
http://localhost:8181/home/users/system/sling.scripting.json for service user 
{{sling.scripting}} works and will give you the user node as JSON.

If we configure {{RandomAuthorizableNodeName}} in Sling Launchpad and use dots 
for service user names in Sling Launchpad we are safe. If anyone alters that 
configuration it's up to him.

I'm in favor of a consistent pattern for user names – whether we use {{sling.}} 
or {{sling-}} as prefix (see my comment above why {{sling.}} came to mind).

[1] Assets in AEM DAM



[jira] [Commented] (SLING-5848) Define service user and ACLs for Scripting

2016-07-29 Thread angela (JIRA)

[ 
https://issues.apache.org/jira/browse/SLING-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15399082#comment-15399082
 ] 

angela commented on SLING-5848:
---

[~bdelacretaz], i am sorry... but that doesn't make any sense to me. the 
Jackrabbit UserManagement API does not specify _any_ limitations when it 
comes to user Ids and a system/service user is just a variant of a regular user.

as stated above it seems that Sling has an issue with dots in node names but 
that's definitely not an issue that the repo init or JCR or Oak should care 
about; also you cannot prevent someone from creating a user using the regular 
Jackrabbit API calls or XML import and as such not using the repo-init provided 
by Sling.

So, -1 for that proposal.



[jira] [Commented] (SLING-5848) Define service user and ACLs for Scripting

2016-07-29 Thread angela (JIRA)

[ 
https://issues.apache.org/jira/browse/SLING-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15399077#comment-15399077
 ] 

angela commented on SLING-5848:
---

sorry, oliver, but you must not rely on any implementation of the authorizable 
node name; it's an implementation detail and it may change any time in a 
running instance.

if Sling has a problem with dots, i would strongly recommend not to use it 
within the user id.
from a JCR/Oak point of view any illegal characters will be escaped in case the 
id is used as hint for the node name but '.' is not an illegal JCR character 
afaik.



[jira] [Commented] (SLING-5848) Define service user and ACLs for Scripting

2016-07-29 Thread Oliver Lietz (JIRA)

[ 
https://issues.apache.org/jira/browse/SLING-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15399059#comment-15399059
 ] 

Oliver Lietz commented on SLING-5848:
-

We should enable 
{{org.apache.jackrabbit.oak.security.user.RandomAuthorizableNodeName}} in Sling 
whatever pattern we choose for service users. This would also allow regular 
users with a name in form {{firstname.lastname}}. If the pattern for service 
users is configurable I'm fine with that too.



[jira] [Commented] (SLING-5848) Define service user and ACLs for Scripting

2016-07-29 Thread Bertrand Delacretaz (JIRA)

[ 
https://issues.apache.org/jira/browse/SLING-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15399035#comment-15399035
 ] 

Bertrand Delacretaz commented on SLING-5848:


We might just define a configurable validation regexp for service user names 
in the JCR {{RepositoryInitializer}} that applies repoinit statements, WDYT? 
It's good to have some consistency in these names anyway, and it makes it easy 
to avoid the dots.




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
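
The name validation proposed in this comment, together with the ACL shape discussed in the newer comments further up the page ({{deny jcr:all on /}} plus {{jcr:read}} on {{/apps}} and {{/libs}}), can be checked mechanically. The following Python lint is an added example, not code from Sling or from this thread; it parses only the repoinit statements quoted on this page, and the name pattern, the sample text and all function names are assumptions.

```python
import re

# Assumed policy for this example: the thread only says the pattern should be
# configurable and that reads can be limited to /apps and /libs.
NAME_PATTERN = re.compile(r"sling-[a-z0-9]+(?:-[a-z0-9]+)*")
READ_PATHS = {"/apps", "/libs"}

# The repoinit text from the issue description, copied from the page.
ISSUE_REPOINIT = """\
create path /apps
create path /libs
create service user sling-scripting
set ACL for sling-scripting
  allow jcr:read on /apps
  allow jcr:read on /libs
end
"""

# Constructed sample: one user following the thread's outcome, one that does not.
SAMPLE = """\
create service user sling-scripting
create service user sling.scripting
set ACL for sling-scripting
    deny    jcr:all     on /
    allow   jcr:read    on /libs,/apps
end
set ACL for sling.scripting
    allow   jcr:read    on /
end
"""


def parse_repoinit(text):
    """Return (service_users, acls); acls maps user -> [(action, privileges, paths)].

    Only the statement forms shown on this page are recognised.
    """
    users, acls, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"create service user (\S+)", line):
            users.append(m.group(1))
        elif m := re.fullmatch(r"set ACL for (\S+)", line):
            current = m.group(1)
            acls.setdefault(current, [])
        elif line == "end":
            current = None
        elif current and (m := re.fullmatch(r"(allow|deny)\s+(\S+)\s+on\s+(\S+)", line)):
            acls[current].append((m.group(1), m.group(2).split(","), m.group(3).split(",")))
    return users, acls


def lint(text, name_pattern=NAME_PATTERN, read_paths=READ_PATHS):
    """Return a list of (service_user, finding) tuples."""
    users, acls = parse_repoinit(text)
    findings = []
    for user in users:
        if not name_pattern.fullmatch(user):
            findings.append((user, "name does not match the configured pattern"))
        entries = acls.get(user, [])
        # Without this entry the user still inherits whatever 'everyone' may read.
        if not any(a == "deny" and "jcr:all" in privs and "/" in paths
                   for a, privs, paths in entries):
            findings.append((user, "no 'deny jcr:all on /' entry"))
        for action, privs, paths in entries:
            if action != "allow":
                continue
            for priv in privs:
                if priv != "jcr:read":
                    findings.append((user, f"allows {priv}, only jcr:read is expected"))
            for path in paths:
                if path not in read_paths:
                    findings.append((user, f"allows access on {path}, outside the read paths"))
    return findings


if __name__ == "__main__":
    for user, finding in lint(ISSUE_REPOINIT) + lint(SAMPLE):
        print(f"{user}: {finding}")
```
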


[jira] [Commented] (SLING-5848) Define service user and ACLs for Scripting

2016-07-29 Thread Oliver Lietz (JIRA)

[ 
https://issues.apache.org/jira/browse/SLING-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15399019#comment-15399019
 ] 

Oliver Lietz commented on SLING-5848:
-

[~anchela], thanks for your answer. Much appreciated!

We *have* to care about the format of the node name to not interfere with 
Sling's resource resolution. If the name contains dots ({{sling.scripting}}) it 
could clash with selectors and extensions. If the name gets randomized we are 
safe.

* http://localhost:8181/home/users/system/sling-scripting.json (/)
* http://localhost:8181/home/users/system/sling.scripting.json (!)
* http://localhost:8181/home/users/system/sB-CSiB-KD0S0ROF6hLtICN30xQvU5rq.json (/)




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
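
Why a dot in the node name can clash with selectors and extensions, as raised in this comment and in the "Let me rephrase" comment above: the same request path decomposes differently depending on which nodes exist. The following Python sketch is an added example, not Sling code; it is a simplified model of Sling's documented URL decomposition (longest existing resource path followed by a dot wins), and the repository contents and the {{tidy}} selector are constructed sample values.

```python
# Simplified model of Sling's documented URL decomposition (not Sling code).
# A resource path candidate is the whole request path, or any prefix that is
# immediately followed by a dot; the longest candidate that exists wins.


def decompose(request_path, existing_paths):
    """Return (resource, selectors, extension, suffix), or None if nothing resolves."""
    cuts = [i for i, ch in enumerate(request_path) if ch == "."]
    candidates = [request_path] + [request_path[:i] for i in reversed(cuts)]
    for resource in candidates:
        if resource not in existing_paths:
            continue
        rest = request_path[len(resource):]  # "" or ".sel1.sel2.ext[/suffix]"
        if not rest:
            return resource, [], None, None
        dotted, slash, tail = rest[1:].partition("/")
        parts = dotted.split(".")
        suffix = "/" + tail if slash else None
        return resource, parts[:-1], parts[-1], suffix
    return None


SYSTEM = "/home/users/system/"

# Constructed repository contents (sets of existing node paths).
HYPHEN_ONLY = {SYSTEM + "sling-scripting"}
PREFIX_ONLY = {SYSTEM + "sling"}
BOTH = {SYSTEM + "sling", SYSTEM + "sling.scripting"}
RANDOMIZED = {SYSTEM + "sB-CSiB-KD0S0ROF6hLtICN30xQvU5rq"}


def demo():
    """Decompose the URLs from the comment against the sample repositories."""
    dotted = SYSTEM + "sling.scripting.json"
    return {
        # Hyphenated name: only one way to split the path.
        "hyphen": decompose(SYSTEM + "sling-scripting.json", HYPHEN_ONLY),
        # Dotted request, only a node named "sling" exists: "scripting" is a selector.
        "dot, prefix node only": decompose(dotted, PREFIX_ONLY),
        # Same request once "sling.scripting" exists: it now names the user node.
        "dot, both nodes": decompose(dotted, BOTH),
        # Randomized node name without dots: unambiguous again.
        "randomized": decompose(
            SYSTEM + "sB-CSiB-KD0S0ROF6hLtICN30xQvU5rq.json", RANDOMIZED),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```
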


[jira] [Commented] (SLING-5848) Define service user and ACLs for Scripting

2016-07-29 Thread angela (JIRA)

[ 
https://issues.apache.org/jira/browse/SLING-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15398913#comment-15398913
 ] 

angela commented on SLING-5848:
---

what looks like a hash to you is a random node name being generated by 
{{RandomAuthorizableNodeName}}, which is just one possible implementation of 
the {{AuthorizableNodeName}} interface.

to answer your question: whatever {{AuthorizableNodeName}} implementation is 
configured with the default user management implementation in Oak will be used 
to create the user/group node. you should not rely on a given implementation as 
this may change at runtime.
so, whenever you create a user/group by calling {{UserManager.create*}} the 
implementation will pick the configured {{AuthorizableNodeName}} to create the 
corresponding tree structure in the system.

one final note: if a given user/group account is created through XML import 
(see {{UserImporter}}) it will import the trees as defined in the XML. that's 
what Jackrabbit fVault is using for importing user/group accounts defined in 
content packages, which explains the difference between package import and 
user/group creation through Jackrabbit API calls.

Nevertheless: You should not worry about the format of the node name as this is 
really an implementation detail and there is no guarantee whatsoever, that a 
given user/group is being located at a predictable path (except for the 
intermediate path that can be specified when creating user/group).



[jira] [Commented] (SLING-5848) Define service user and ACLs for Scripting

2016-07-28 Thread Oliver Lietz (JIRA)

[ 
https://issues.apache.org/jira/browse/SLING-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15398837#comment-15398837
 ] 

Oliver Lietz commented on SLING-5848:
-

[~anchela], [~asanso]: AEM hashes (?) the name part of user paths

> Define service user and ACLs for Scripting
> --
>
> Key: SLING-5848
> URL: https://issues.apache.org/jira/browse/SLING-5848
> Project: Sling
> Issue Type: Task
> Components: Scripting
> Reporter: Oliver Lietz
>
> Scripting implementations require a (service) ResourceResolver with very 
> limited read rights to read scripts.
> Reading can be limited to these paths:
> * {{/apps}}
> * {{/libs}}
> * {{/etc}} (?)
> Name for service user: {{scripting}} or {{sling-scripting}} or 
> {{sling.scripting}} (?)





[jira] [Commented] (SLING-5848) Define service user and ACLs for Scripting

2016-07-15 Thread Bertrand Delacretaz (JIRA)

[ 
https://issues.apache.org/jira/browse/SLING-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15379109#comment-15379109
 ] 

Bertrand Delacretaz commented on SLING-5848:


Good idea but let's discuss on dl-dev, I'll start this thread right now.



[jira] [Commented] (SLING-5848) Define service user and ACLs for Scripting

2016-07-15 Thread Oliver Lietz (JIRA)

[ 
https://issues.apache.org/jira/browse/SLING-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15379106#comment-15379106
 ] 

Oliver Lietz commented on SLING-5848:
-

Can we use a {{.}} to separate the {{sling}} prefix? AEM is already using {{-}} 
in names for better readability, e.g. ({{authentication-handler}}).

> Define service user and ACLs for Scripting
> --
>
> Key: SLING-5848
> URL: https://issues.apache.org/jira/browse/SLING-5848
> Project: Sling
> Issue Type: Task
> Components: Scripting
> Reporter: Oliver Lietz
>
> Scripting implementations require a (service) ResourceResolver with very 
> limited read rights to read scripts.
> Reading can be limited to these paths:
> * {{/apps}}
> * {{/libs}}
> * {{/etc}} (?)
> Name for service user: {{scripting}} or {{sling-scripting}} (?)





[jira] [Commented] (SLING-5848) Define service user and ACLs for Scripting

2016-07-15 Thread Bertrand Delacretaz (JIRA)

[ 
https://issues.apache.org/jira/browse/SLING-5848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15379094#comment-15379094
 ] 

Bertrand Delacretaz commented on SLING-5848:


If we start creating service users that Sling needs I'm in favor of using a 
{{sling-}} prefix for them.
