Re: change node ownership

[Angela Schreiber]

Hi Marco

Yeah... no, that's not how the default authorisation model works :-)

But obviously you would be able to write and deploy your own authorisation
model that just behaves as you expected it to work.
Some hints can be found at
http://jackrabbit.apache.org/oak/docs/security/introduction.html

I still didn't have time to write a dedicated training session for the
customize-authorization topic but it's on my TODOs.

Kind regards
Angela


On 14/02/18 10:37, "Marco Piovesana"  wrote:

>Hi Angela,
>thanks for the answer. I thought (and I was wrong) that the user that
>created a node would have had complete control on it (and not just the
>permissions explicitly granted to him). That's why my question... thanks
>again for the clarification.
>
>Marco.
>
>
>On Wed, Feb 14, 2018 at 9:47 AM Angela Schreiber
>
>wrote:
>
>> Hi Marco
>>
>> It depends a bit on how you originally setup the 'ownership' in the
>>first
>> place.
>> - if you have granted permissions to userA _on_ that very node, you can
>> simply remove the entries and create new ones for the new owner.
>> - if you have granted permissions to userA on a _parent_ node you can
>> either fix the entries at the parent or add a denying entry at the
>>target.
>> - if permissions are inherited from other principals (e.g. through group
>> membership) you can either 'fix' the set of principals that is add to
>>the
>> Subject upon login (e.g. through changes of group membership) or again
>> through an explicit deny.
>> Which variant (and there might be some more) is the best one, depends on
>> your requirements.
>> Also note that for modification of the permission setup your session not
>> only requires regular write privileges but read/modify access control
>> privileges.
>>
>> See the Oak documentation for additional details in particular
>> 
>>http://jackrabbit.apache.org/oak/docs/security/permission/evaluation.html
>> You may also want to take a look at the oak-exercise module which comes
>> with quite some training material for the default authorisation model.
>>
>> Hope that helps
>> Angela
>>
>>
>> On 13/02/18 18:36, "Marco Piovesana"  wrote:
>>
>> >Hi all,
>> >is it possible to change the owner of a node? What I'm trying to do is
>> >move
>> >a node created by userA from its original folder to another place.
>>After
>> >the node is moved I want to revoke all permission to userA on that
>>node.
>> >
>> >Marco.
>>
>>

Re: change node ownership

[Marco Piovesana]

Hi Angela,
thanks for the answer. I thought (and I was wrong) that the user that
created a node would have had complete control on it (and not just the
permissions explicitly granted to him). That's why my question... thanks
again for the clarification.

Marco.


On Wed, Feb 14, 2018 at 9:47 AM Angela Schreiber 
wrote:

> Hi Marco
>
> It depends a bit on how you originally setup the 'ownership' in the first
> place.
> - if you have granted permissions to userA _on_ that very node, you can
> simply remove the entries and create new ones for the new owner.
> - if you have granted permissions to userA on a _parent_ node you can
> either fix the entries at the parent or add a denying entry at the target.
> - if permissions are inherited from other principals (e.g. through group
> membership) you can either 'fix' the set of principals that is add to the
> Subject upon login (e.g. through changes of group membership) or again
> through an explicit deny.
> Which variant (and there might be some more) is the best one, depends on
> your requirements.
> Also note that for modification of the permission setup your session not
> only requires regular write privileges but read/modify access control
> privileges.
>
> See the Oak documentation for additional details in particular
> http://jackrabbit.apache.org/oak/docs/security/permission/evaluation.html
> You may also want to take a look at the oak-exercise module which comes
> with quite some training material for the default authorisation model.
>
> Hope that helps
> Angela
>
>
> On 13/02/18 18:36, "Marco Piovesana"  wrote:
>
> >Hi all,
> >is it possible to change the owner of a node? What I'm trying to do is
> >move
> >a node created by userA from its original folder to another place. After
> >the node is moved I want to revoke all permission to userA on that node.
> >
> >Marco.
>
>

Re: change node ownership

[Angela Schreiber]

Hi Marco

It depends a bit on how you originally setup the 'ownership' in the first
place.
- if you have granted permissions to userA _on_ that very node, you can
simply remove the entries and create new ones for the new owner.
- if you have granted permissions to userA on a _parent_ node you can
either fix the entries at the parent or add a denying entry at the target.
- if permissions are inherited from other principals (e.g. through group
membership) you can either 'fix' the set of principals that is add to the
Subject upon login (e.g. through changes of group membership) or again
through an explicit deny.
Which variant (and there might be some more) is the best one, depends on
your requirements.
Also note that for modification of the permission setup your session not
only requires regular write privileges but read/modify access control
privileges.

See the Oak documentation for additional details in particular
http://jackrabbit.apache.org/oak/docs/security/permission/evaluation.html
You may also want to take a look at the oak-exercise module which comes
with quite some training material for the default authorisation model.

Hope that helps
Angela
 

On 13/02/18 18:36, "Marco Piovesana"  wrote:

>Hi all,
>is it possible to change the owner of a node? What I'm trying to do is
>move
>a node created by userA from its original folder to another place. After
>the node is moved I want to revoke all permission to userA on that node.
>
>Marco.