[jira] [Created] (OAK-9463) AutomembershipProvider to allow for conditional auto-membership
Angela Schreiber created OAK-9463:
-
Summary: AutomembershipProvider to allow for conditional
auto-membership
Key: OAK-9463
URL: https://issues.apache.org/jira/browse/OAK-9463
Project: Jackrabbit Oak
Issue Type: Improvement
Components: auth-external
Reporter: Angela Schreiber
the {{DefaultSyncConfig}} comes with an _automembership_ option for external
users and groups that allows to automatically mark them as member of existing
repository defined groups. in certain cases though it would be preferable to
conditionally apply automembership based on user/group characteristics, i.e.
allow for more fine-grained configuration. proposed improvement: an new
{{AutomembershipProvider}} interface that returns _automembership_ property for
a given {{ExternalIdentity}}.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Assigned] (OAK-9463) AutomembershipProvider to allow for conditional auto-membership
[
https://issues.apache.org/jira/browse/OAK-9463?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Angela Schreiber reassigned OAK-9463:
-
Assignee: Angela Schreiber
> AutomembershipProvider to allow for conditional auto-membership
> ---
>
> Key: OAK-9463
> URL: https://issues.apache.org/jira/browse/OAK-9463
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: auth-external
>Reporter: Angela Schreiber
>Assignee: Angela Schreiber
>Priority: Major
>
> the {{DefaultSyncConfig}} comes with an _automembership_ option for external
> users and groups that allows to automatically mark them as member of existing
> repository defined groups. in certain cases though it would be preferable to
> conditionally apply automembership based on user/group characteristics, i.e.
> allow for more fine-grained configuration. proposed improvement: an new
> {{AutomembershipProvider}} interface that returns _automembership_ property
> for a given {{ExternalIdentity}}.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Created] (OAK-9468) Define mechanism to prevent cross-IDP membership
Angela Schreiber created OAK-9468:
-
Summary: Define mechanism to prevent cross-IDP membership
Key: OAK-9468
URL: https://issues.apache.org/jira/browse/OAK-9468
Project: Jackrabbit Oak
Issue Type: Improvement
Components: auth-external, security
Reporter: Angela Schreiber
Assignee: Angela Schreiber
while {{DefaultSyncContext}} verifies that external identities are not added as
members of group defined by a different IDP, this can manually achieved in the
repository's user management after a full sync.
therefore _oak-auth-external_ should come with a mechanism to detect and
prevent IDP-boundary violations. This could either be an
{{AuthorizableActionProvider}} containing an implementation of {{GroupAction}}
or a dedicated {{Validator}} implementation. For backwards compatibility an
'warnonly' option would allow to only log a warning instead of failing the
operation.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Resolved] (OAK-9468) Define mechanism to prevent cross-IDP membership
[
https://issues.apache.org/jira/browse/OAK-9468?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Angela Schreiber resolved OAK-9468.
---
Fix Version/s: 1.42.0
Resolution: Fixed
Rev. 1890973: initial best effort implementation that covers
{{GroupAction.onMemberAdded(Group, Authorizable, Root, NamePathMapper)}} that
doesn't require an extra lookup of the new member.
> Define mechanism to prevent cross-IDP membership
>
>
> Key: OAK-9468
> URL: https://issues.apache.org/jira/browse/OAK-9468
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: auth-external, security
>Reporter: Angela Schreiber
>Assignee: Angela Schreiber
>Priority: Major
> Fix For: 1.42.0
>
>
> while {{DefaultSyncContext}} verifies that external identities are not added
> as members of group defined by a different IDP, this can manually achieved in
> the repository's user management after a full sync.
> therefore _oak-auth-external_ should come with a mechanism to detect and
> prevent IDP-boundary violations. This could either be an
> {{AuthorizableActionProvider}} containing an implementation of
> {{GroupAction}} or a dedicated {{Validator}} implementation. For backwards
> compatibility an 'warnonly' option would allow to only log a warning instead
> of failing the operation.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Created] (OAK-9470) Move AutoMembershipPrincipals from ExternalGroupPrincipalProvider to top level
Angela Schreiber created OAK-9470: - Summary: Move AutoMembershipPrincipals from ExternalGroupPrincipalProvider to top level Key: OAK-9470 URL: https://issues.apache.org/jira/browse/OAK-9470 Project: Jackrabbit Oak Issue Type: Technical task Components: auth-external Reporter: Angela Schreiber Assignee: Angela Schreiber -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (OAK-9462) Extensible DynamicMembershipProvider
[
https://issues.apache.org/jira/browse/OAK-9462?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Angela Schreiber updated OAK-9462:
--
Component/s: auth-external
> Extensible DynamicMembershipProvider
>
>
> Key: OAK-9462
> URL: https://issues.apache.org/jira/browse/OAK-9462
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: auth-external, core, security-spi
>Reporter: Angela Schreiber
>Assignee: Angela Schreiber
>Priority: Major
>
> Today the only built-in dynamic
> {{org.apache.jackrabbit.api.security.user.Group}} is the one associated with
> the everyone principal that automatically has every other group and user as
> member.
> In order to allow for additional flexibility we should consider introducing a
> {{DynamicMembershipProvider}} interface. while by default a single
> implementation for the everyone group would be present as today, it would
> allow to provide additional implementations. e.g. for those groups configured
> with the _automembership_ option defined with {{DefaultSyncConfig}}, when
> additionally _dynamicmembership_ is enabled.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Resolved] (OAK-9470) Move AutoMembershipPrincipals from ExternalGroupPrincipalProvider to top level
[ https://issues.apache.org/jira/browse/OAK-9470?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Angela Schreiber resolved OAK-9470. --- Fix Version/s: 1.42.0 Resolution: Fixed fixed rev. aeca67eb95..b1acba6292 > Move AutoMembershipPrincipals from ExternalGroupPrincipalProvider to top level > -- > > Key: OAK-9470 > URL: https://issues.apache.org/jira/browse/OAK-9470 > Project: Jackrabbit Oak > Issue Type: Technical task > Components: auth-external >Reporter: Angela Schreiber >Assignee: Angela Schreiber >Priority: Major > Fix For: 1.42.0 > > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Reopened] (OAK-9440) Migrate Oak from SVN to Git
[ https://issues.apache.org/jira/browse/OAK-9440?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Angela Schreiber reopened OAK-9440: --- hi [~kwin], after you posted that issues with writing to github had been fixed, i gave it a try and it worked. today, i wanted to push again (both a new branch and to trunk for testing purpose) and it no longer worked for me any idea if there were some additional changes by infra? > Migrate Oak from SVN to Git > --- > > Key: OAK-9440 > URL: https://issues.apache.org/jira/browse/OAK-9440 > Project: Jackrabbit Oak > Issue Type: Improvement >Reporter: Konrad Windszus >Assignee: Konrad Windszus >Priority: Major > Attachments: jackrabbit-check-release-for-gitv1.patch, > jackrabbit-live-site-migrate-to-gitv1.patch, > jackrabbit-site-release-for-gitv1.patch > > > # migrate the SVN repository at > [https://svn.apache.org/repos/asf/jackrabbit/oak/] to a Git repository named > "jackrabbit-oak" - tracked in INFRA-22016 (/) > # migrate GitHub SVN mirror at [https://github.com/apache/jackrabbit-oak] to > mirror the new native Git repo (at Gitbox) - tracked in INFRA-22016 (/) > # -change the main branch name from "trunk" to "main"- > # make the SVN repository read only - tracked in INFRA-22016 (/) > # adjust Jenkins jobs > ## [https://ci-builds.apache.org/job/Jackrabbit/job/jackrabbit-oak-matrix/] > (/) > ## [https://ci-builds.apache.org/job/Jackrabbit/job/jackrabbit-oak-trunk/] > (/) > # adjust release check scripts, fixed in r48468 (/) > ## [https://dist.apache.org/repos/dist/dev/jackrabbit/check-release.sh] > attached to [^jackrabbit-check-release-for-gitv1.patch] > # adjust documentation, this includes > ## [http://jackrabbit.apache.org/jcr/creating-releases.html] attached to > [^jackrabbit-site-release-for-gitv1.patch], applied in r1890993 (/) > ## [https://jackrabbit.apache.org/oak/] (only manually maintained in > [https://svn.apache.org/repos/asf/jackrabbit/site/live/oak/)|https://svn.apache.org/repos/asf/jackrabbit/site/live/oak/] > proposed to remove and redirect to /oak/docs instead in > [^jackrabbit-live-site-migrate-to-gitv1.patch], done in r1890995, (/) > ## [https://jackrabbit.apache.org/oak/docs/dev_getting_started.html], > contained in GH PR, (/) > ## [https://jackrabbit.apache.org/oak/docs/developing-with-git.html], > contained in GH PR, (/) > ## > # adjust scm references in pom.xml (/) > ## primary source should be Gitbox URL (not Github), contained in GH PR -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Comment Edited] (OAK-9440) Migrate Oak from SVN to Git
[ https://issues.apache.org/jira/browse/OAK-9440?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17368799#comment-17368799 ] Angela Schreiber edited comment on OAK-9440 at 6/24/21, 1:01 PM: - hi [~kwin], after you posted that issues with writing to github had been fixed, i gave it a try and it worked. today, i wanted to push again (both a new branch and to trunk for testing purpose) and it no longer worked for me any idea if there were some additional changes by infra? i am using the same https-clone that i used yesterday. btw: https://gitbox.apache.org seems to works (did a test commit). was (Author: anchela): hi [~kwin], after you posted that issues with writing to github had been fixed, i gave it a try and it worked. today, i wanted to push again (both a new branch and to trunk for testing purpose) and it no longer worked for me any idea if there were some additional changes by infra? > Migrate Oak from SVN to Git > --- > > Key: OAK-9440 > URL: https://issues.apache.org/jira/browse/OAK-9440 > Project: Jackrabbit Oak > Issue Type: Improvement >Reporter: Konrad Windszus >Assignee: Konrad Windszus >Priority: Major > Attachments: jackrabbit-check-release-for-gitv1.patch, > jackrabbit-live-site-migrate-to-gitv1.patch, > jackrabbit-site-release-for-gitv1.patch > > > # migrate the SVN repository at > [https://svn.apache.org/repos/asf/jackrabbit/oak/] to a Git repository named > "jackrabbit-oak" - tracked in INFRA-22016 (/) > # migrate GitHub SVN mirror at [https://github.com/apache/jackrabbit-oak] to > mirror the new native Git repo (at Gitbox) - tracked in INFRA-22016 (/) > # -change the main branch name from "trunk" to "main"- > # make the SVN repository read only - tracked in INFRA-22016 (/) > # adjust Jenkins jobs > ## [https://ci-builds.apache.org/job/Jackrabbit/job/jackrabbit-oak-matrix/] > (/) > ## [https://ci-builds.apache.org/job/Jackrabbit/job/jackrabbit-oak-trunk/] > (/) > # adjust release check scripts, fixed in r48468 (/) > ## [https://dist.apache.org/repos/dist/dev/jackrabbit/check-release.sh] > attached to [^jackrabbit-check-release-for-gitv1.patch] > # adjust documentation, this includes > ## [http://jackrabbit.apache.org/jcr/creating-releases.html] attached to > [^jackrabbit-site-release-for-gitv1.patch], applied in r1890993 (/) > ## [https://jackrabbit.apache.org/oak/] (only manually maintained in > [https://svn.apache.org/repos/asf/jackrabbit/site/live/oak/)|https://svn.apache.org/repos/asf/jackrabbit/site/live/oak/] > proposed to remove and redirect to /oak/docs instead in > [^jackrabbit-live-site-migrate-to-gitv1.patch], done in r1890995, (/) > ## [https://jackrabbit.apache.org/oak/docs/dev_getting_started.html], > contained in GH PR, (/) > ## [https://jackrabbit.apache.org/oak/docs/developing-with-git.html], > contained in GH PR, (/) > ## > # adjust scm references in pom.xml (/) > ## primary source should be Gitbox URL (not Github), contained in GH PR -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (OAK-9440) Migrate Oak from SVN to Git
[ https://issues.apache.org/jira/browse/OAK-9440?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17368859#comment-17368859 ] Angela Schreiber commented on OAK-9440: --- [~kwin], but why did it work yesterday and doesn't work today with the exact same clone? i don't have time to fiddle around and fix infra issues. i am expecting it to work as it did yesterday > Migrate Oak from SVN to Git > --- > > Key: OAK-9440 > URL: https://issues.apache.org/jira/browse/OAK-9440 > Project: Jackrabbit Oak > Issue Type: Improvement >Reporter: Konrad Windszus >Assignee: Konrad Windszus >Priority: Major > Attachments: jackrabbit-check-release-for-gitv1.patch, > jackrabbit-live-site-migrate-to-gitv1.patch, > jackrabbit-site-release-for-gitv1.patch > > > # migrate the SVN repository at > [https://svn.apache.org/repos/asf/jackrabbit/oak/] to a Git repository named > "jackrabbit-oak" - tracked in INFRA-22016 (/) > # migrate GitHub SVN mirror at [https://github.com/apache/jackrabbit-oak] to > mirror the new native Git repo (at Gitbox) - tracked in INFRA-22016 (/) > # -change the main branch name from "trunk" to "main"- > # make the SVN repository read only - tracked in INFRA-22016 (/) > # adjust Jenkins jobs > ## [https://ci-builds.apache.org/job/Jackrabbit/job/jackrabbit-oak-matrix/] > (/) > ## [https://ci-builds.apache.org/job/Jackrabbit/job/jackrabbit-oak-trunk/] > (/) > # adjust release check scripts, fixed in r48468 (/) > ## [https://dist.apache.org/repos/dist/dev/jackrabbit/check-release.sh] > attached to [^jackrabbit-check-release-for-gitv1.patch] > # adjust documentation, this includes > ## [http://jackrabbit.apache.org/jcr/creating-releases.html] attached to > [^jackrabbit-site-release-for-gitv1.patch], applied in r1890993 (/) > ## [https://jackrabbit.apache.org/oak/] (only manually maintained in > [https://svn.apache.org/repos/asf/jackrabbit/site/live/oak/)|https://svn.apache.org/repos/asf/jackrabbit/site/live/oak/] > proposed to remove and redirect to /oak/docs instead in > [^jackrabbit-live-site-migrate-to-gitv1.patch], done in r1890995, (/) > ## [https://jackrabbit.apache.org/oak/docs/dev_getting_started.html], > contained in GH PR, (/) > ## [https://jackrabbit.apache.org/oak/docs/developing-with-git.html], > contained in GH PR, (/) > ## > # adjust scm references in pom.xml (/) > ## primary source should be Gitbox URL (not Github), contained in GH PR -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (OAK-9440) Migrate Oak from SVN to Git
[
https://issues.apache.org/jira/browse/OAK-9440?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17368899#comment-17368899
]
Angela Schreiber commented on OAK-9440:
---
[~kwin], the error i get is:
{code}
fatal: Authentication failed for 'https://github.com/apache/jackrabbit-oak.git/'
{code}
After it prompted me to provider uid/pw. However, yesterday I was able to push
changes without being prompted.
regarding
{quote}
Also please remember: I am not working for Adobe and doing this in my free
time. So at least a thanks from any committer regarding this undertaking would
have been nice, but all I hear is complaints...
{quote}
you volunteered for this undertaking and I didn't ask for it :-)
> Migrate Oak from SVN to Git
> ---
>
> Key: OAK-9440
> URL: https://issues.apache.org/jira/browse/OAK-9440
> Project: Jackrabbit Oak
> Issue Type: Improvement
>Reporter: Konrad Windszus
>Assignee: Konrad Windszus
>Priority: Major
> Attachments: jackrabbit-check-release-for-gitv1.patch,
> jackrabbit-live-site-migrate-to-gitv1.patch,
> jackrabbit-site-release-for-gitv1.patch
>
>
> # migrate the SVN repository at
> [https://svn.apache.org/repos/asf/jackrabbit/oak/] to a Git repository named
> "jackrabbit-oak" - tracked in INFRA-22016 (/)
> # migrate GitHub SVN mirror at [https://github.com/apache/jackrabbit-oak] to
> mirror the new native Git repo (at Gitbox) - tracked in INFRA-22016 (/)
> # -change the main branch name from "trunk" to "main"-
> # make the SVN repository read only - tracked in INFRA-22016 (/)
> # adjust Jenkins jobs
> ## [https://ci-builds.apache.org/job/Jackrabbit/job/jackrabbit-oak-matrix/]
> (/)
> ## [https://ci-builds.apache.org/job/Jackrabbit/job/jackrabbit-oak-trunk/]
> (/)
> # adjust release check scripts, fixed in r48468 (/)
> ## [https://dist.apache.org/repos/dist/dev/jackrabbit/check-release.sh]
> attached to [^jackrabbit-check-release-for-gitv1.patch]
> # adjust documentation, this includes
> ## [http://jackrabbit.apache.org/jcr/creating-releases.html] attached to
> [^jackrabbit-site-release-for-gitv1.patch], applied in r1890993 (/)
> ## [https://jackrabbit.apache.org/oak/] (only manually maintained in
> [https://svn.apache.org/repos/asf/jackrabbit/site/live/oak/)|https://svn.apache.org/repos/asf/jackrabbit/site/live/oak/]
> proposed to remove and redirect to /oak/docs instead in
> [^jackrabbit-live-site-migrate-to-gitv1.patch], done in r1890995, (/)
> ## [https://jackrabbit.apache.org/oak/docs/dev_getting_started.html],
> contained in GH PR, (/)
> ## [https://jackrabbit.apache.org/oak/docs/developing-with-git.html],
> contained in GH PR, (/)
> ##
> # adjust scm references in pom.xml (/)
> ## primary source should be Gitbox URL (not Github), contained in GH PR
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Comment Edited] (OAK-9440) Migrate Oak from SVN to Git
[ https://issues.apache.org/jira/browse/OAK-9440?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17368918#comment-17368918 ] Angela Schreiber edited comment on OAK-9440 at 6/24/21, 3:14 PM: - [~kwin], thanks for the additional info... since you mention Apache Sling; i never had issues when committing there in the past (as it worked yesterday for the new jackrabbit-oak repo). that's what made me wonder if something is off with the oak repo. also: i am (and was) not opposed i don't have a preference. but i equally don't want to fight with any kind issues for things like that. was (Author: anchela): [~kwin], thanks for the additional info... since you mention Apache Sling; i never had issues when committing there in the past (as it worked yesterday for the new jackrabbit-oak repo). that's what made me wonder if something is off with the oak repo. also: i am (and was) not opposed i don't have a preference. but i equally don't want to fight with any kind issues for thinks like that. > Migrate Oak from SVN to Git > --- > > Key: OAK-9440 > URL: https://issues.apache.org/jira/browse/OAK-9440 > Project: Jackrabbit Oak > Issue Type: Improvement >Reporter: Konrad Windszus >Assignee: Konrad Windszus >Priority: Major > Attachments: jackrabbit-check-release-for-gitv1.patch, > jackrabbit-live-site-migrate-to-gitv1.patch, > jackrabbit-site-release-for-gitv1.patch > > > # migrate the SVN repository at > [https://svn.apache.org/repos/asf/jackrabbit/oak/] to a Git repository named > "jackrabbit-oak" - tracked in INFRA-22016 (/) > # migrate GitHub SVN mirror at [https://github.com/apache/jackrabbit-oak] to > mirror the new native Git repo (at Gitbox) - tracked in INFRA-22016 (/) > # -change the main branch name from "trunk" to "main"- > # make the SVN repository read only - tracked in INFRA-22016 (/) > # adjust Jenkins jobs > ## [https://ci-builds.apache.org/job/Jackrabbit/job/jackrabbit-oak-matrix/] > (/) > ## [https://ci-builds.apache.org/job/Jackrabbit/job/jackrabbit-oak-trunk/] > (/) > # adjust release check scripts, fixed in r48468 (/) > ## [https://dist.apache.org/repos/dist/dev/jackrabbit/check-release.sh] > attached to [^jackrabbit-check-release-for-gitv1.patch] > # adjust documentation, this includes > ## [http://jackrabbit.apache.org/jcr/creating-releases.html] attached to > [^jackrabbit-site-release-for-gitv1.patch], applied in r1890993 (/) > ## [https://jackrabbit.apache.org/oak/] (only manually maintained in > [https://svn.apache.org/repos/asf/jackrabbit/site/live/oak/)|https://svn.apache.org/repos/asf/jackrabbit/site/live/oak/] > proposed to remove and redirect to /oak/docs instead in > [^jackrabbit-live-site-migrate-to-gitv1.patch], done in r1890995, (/) > ## [https://jackrabbit.apache.org/oak/docs/dev_getting_started.html], > contained in GH PR, (/) > ## [https://jackrabbit.apache.org/oak/docs/developing-with-git.html], > contained in GH PR, (/) > ## > # adjust scm references in pom.xml (/) > ## primary source should be Gitbox URL (not Github), contained in GH PR -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (OAK-9440) Migrate Oak from SVN to Git
[ https://issues.apache.org/jira/browse/OAK-9440?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17368918#comment-17368918 ] Angela Schreiber commented on OAK-9440: --- [~kwin], thanks for the additional info... since you mention Apache Sling; i never had issues when committing there in the past (as it worked yesterday for the new jackrabbit-oak repo). that's what made me wonder if something is off with the oak repo. also: i am (and was) not opposed i don't have a preference. but i equally don't want to fight with any kind issues for thinks like that. > Migrate Oak from SVN to Git > --- > > Key: OAK-9440 > URL: https://issues.apache.org/jira/browse/OAK-9440 > Project: Jackrabbit Oak > Issue Type: Improvement >Reporter: Konrad Windszus >Assignee: Konrad Windszus >Priority: Major > Attachments: jackrabbit-check-release-for-gitv1.patch, > jackrabbit-live-site-migrate-to-gitv1.patch, > jackrabbit-site-release-for-gitv1.patch > > > # migrate the SVN repository at > [https://svn.apache.org/repos/asf/jackrabbit/oak/] to a Git repository named > "jackrabbit-oak" - tracked in INFRA-22016 (/) > # migrate GitHub SVN mirror at [https://github.com/apache/jackrabbit-oak] to > mirror the new native Git repo (at Gitbox) - tracked in INFRA-22016 (/) > # -change the main branch name from "trunk" to "main"- > # make the SVN repository read only - tracked in INFRA-22016 (/) > # adjust Jenkins jobs > ## [https://ci-builds.apache.org/job/Jackrabbit/job/jackrabbit-oak-matrix/] > (/) > ## [https://ci-builds.apache.org/job/Jackrabbit/job/jackrabbit-oak-trunk/] > (/) > # adjust release check scripts, fixed in r48468 (/) > ## [https://dist.apache.org/repos/dist/dev/jackrabbit/check-release.sh] > attached to [^jackrabbit-check-release-for-gitv1.patch] > # adjust documentation, this includes > ## [http://jackrabbit.apache.org/jcr/creating-releases.html] attached to > [^jackrabbit-site-release-for-gitv1.patch], applied in r1890993 (/) > ## [https://jackrabbit.apache.org/oak/] (only manually maintained in > [https://svn.apache.org/repos/asf/jackrabbit/site/live/oak/)|https://svn.apache.org/repos/asf/jackrabbit/site/live/oak/] > proposed to remove and redirect to /oak/docs instead in > [^jackrabbit-live-site-migrate-to-gitv1.patch], done in r1890995, (/) > ## [https://jackrabbit.apache.org/oak/docs/dev_getting_started.html], > contained in GH PR, (/) > ## [https://jackrabbit.apache.org/oak/docs/developing-with-git.html], > contained in GH PR, (/) > ## > # adjust scm references in pom.xml (/) > ## primary source should be Gitbox URL (not Github), contained in GH PR -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (OAK-9474) User Filter for SyncConfigTracker to limit respected references
Angela Schreiber created OAK-9474:
-
Summary: User Filter for SyncConfigTracker to limit respected
references
Key: OAK-9474
URL: https://issues.apache.org/jira/browse/OAK-9474
Project: Jackrabbit Oak
Issue Type: Improvement
Components: auth-external
Reporter: Angela Schreiber
Assignee: Angela Schreiber
while reviewing the proposed changes for OAK-9462 [~kpauls] noticed that
{{SyncConfigTracker#hasDynamicMembership}} could be simplified by introducing a
filter to the service tracking. consequently only synchandler-references that
have dynamic-membership enabled would be tracked.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (OAK-9440) Migrate Oak from SVN to Git
[
https://issues.apache.org/jira/browse/OAK-9440?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17368972#comment-17368972
]
Angela Schreiber commented on OAK-9440:
---
[~kwin], regarding
{quote}
You have to use the personal access token
{quote}
i checked in the settings and it seems that my access token got invalidated
between yesterday and today. recreating it fixed the issue.
> Migrate Oak from SVN to Git
> ---
>
> Key: OAK-9440
> URL: https://issues.apache.org/jira/browse/OAK-9440
> Project: Jackrabbit Oak
> Issue Type: Improvement
>Reporter: Konrad Windszus
>Assignee: Konrad Windszus
>Priority: Major
> Attachments: jackrabbit-check-release-for-gitv1.patch,
> jackrabbit-live-site-migrate-to-gitv1.patch,
> jackrabbit-site-release-for-gitv1.patch
>
>
> # migrate the SVN repository at
> [https://svn.apache.org/repos/asf/jackrabbit/oak/] to a Git repository named
> "jackrabbit-oak" - tracked in INFRA-22016 (/)
> # migrate GitHub SVN mirror at [https://github.com/apache/jackrabbit-oak] to
> mirror the new native Git repo (at Gitbox) - tracked in INFRA-22016 (/)
> # -change the main branch name from "trunk" to "main"-
> # make the SVN repository read only - tracked in INFRA-22016 (/)
> # adjust Jenkins jobs
> ## [https://ci-builds.apache.org/job/Jackrabbit/job/jackrabbit-oak-matrix/]
> (/)
> ## [https://ci-builds.apache.org/job/Jackrabbit/job/jackrabbit-oak-trunk/]
> (/)
> # adjust release check scripts, fixed in r48468 (/)
> ## [https://dist.apache.org/repos/dist/dev/jackrabbit/check-release.sh]
> attached to [^jackrabbit-check-release-for-gitv1.patch]
> # adjust documentation, this includes
> ## [http://jackrabbit.apache.org/jcr/creating-releases.html] attached to
> [^jackrabbit-site-release-for-gitv1.patch], applied in r1890993 (/)
> ## [https://jackrabbit.apache.org/oak/] (only manually maintained in
> [https://svn.apache.org/repos/asf/jackrabbit/site/live/oak/)|https://svn.apache.org/repos/asf/jackrabbit/site/live/oak/]
> proposed to remove and redirect to /oak/docs instead in
> [^jackrabbit-live-site-migrate-to-gitv1.patch], done in r1890995, (/)
> ## [https://jackrabbit.apache.org/oak/docs/dev_getting_started.html],
> contained in GH PR, (/)
> ## [https://jackrabbit.apache.org/oak/docs/developing-with-git.html],
> contained in GH PR, (/)
> ##
> # adjust scm references in pom.xml (/)
> ## primary source should be Gitbox URL (not Github), contained in GH PR
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Updated] (OAK-9462) Extensible DynamicMembershipProvider
[
https://issues.apache.org/jira/browse/OAK-9462?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Angela Schreiber updated OAK-9462:
--
Fix Version/s: 1.42.0
> Extensible DynamicMembershipProvider
>
>
> Key: OAK-9462
> URL: https://issues.apache.org/jira/browse/OAK-9462
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: auth-external, core, security-spi
>Reporter: Angela Schreiber
>Assignee: Angela Schreiber
>Priority: Major
> Fix For: 1.42.0
>
>
> Today the only built-in dynamic
> {{org.apache.jackrabbit.api.security.user.Group}} is the one associated with
> the everyone principal that automatically has every other group and user as
> member.
> In order to allow for additional flexibility we should consider introducing a
> {{DynamicMembershipProvider}} interface. while by default a single
> implementation for the everyone group would be present as today, it would
> allow to provide additional implementations. e.g. for those groups configured
> with the _automembership_ option defined with {{DefaultSyncConfig}}, when
> additionally _dynamicmembership_ is enabled.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Created] (OAK-9475) Document DynamicMembershipProvider
Angela Schreiber created OAK-9475: - Summary: Document DynamicMembershipProvider Key: OAK-9475 URL: https://issues.apache.org/jira/browse/OAK-9475 Project: Jackrabbit Oak Issue Type: Technical task Components: doc Reporter: Angela Schreiber Assignee: Angela Schreiber Fix For: 1.42.0 -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Resolved] (OAK-9475) Document DynamicMembershipProvider
[ https://issues.apache.org/jira/browse/OAK-9475?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Angela Schreiber resolved OAK-9475. --- Resolution: Fixed > Document DynamicMembershipProvider > --- > > Key: OAK-9475 > URL: https://issues.apache.org/jira/browse/OAK-9475 > Project: Jackrabbit Oak > Issue Type: Technical task > Components: doc >Reporter: Angela Schreiber >Assignee: Angela Schreiber >Priority: Major > Fix For: 1.42.0 > > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Reopened] (OAK-9440) Migrate Oak from SVN to Git
[
https://issues.apache.org/jira/browse/OAK-9440?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Angela Schreiber reopened OAK-9440:
---
[~kwin], the last oak build failed due to unapproved license:
https://ci-builds.apache.org/job/Jackrabbit/job/jackrabbit-oak-trunk/264/org.apache.jackrabbit$jackrabbit-oak/
{quote}
[INFO] --- apache-rat-plugin:0.13:check (default) @ jackrabbit-oak ---
[INFO] Enabled default license matchers.
[INFO] Will parse SCM ignores for exclusions...
[INFO] Parsing exclusions from
/home/jenkins/workspace/Jackrabbit/jackrabbit-oak-trunk/.gitignore
[INFO] Finished adding exclusions from SCM ignore files.
[INFO] 112 implicit excludes (use -debug for more details).
[INFO] 10 explicit excludes (use -debug for more details).
[INFO] 202 resources included (use -debug for more details)
[INFO] Rat check: Summary over all files. Unapproved: 1, unknown: 1, generated:
0, approved: 158 licenses.
[INFO] Enabled default license matchers.
[INFO] Will parse SCM ignores for exclusions...
[INFO] Parsing exclusions from
/home/jenkins/workspace/Jackrabbit/jackrabbit-oak-trunk/.gitignore
[INFO] Finished adding exclusions from SCM ignore files.
[INFO] 112 implicit excludes (use -debug for more details).
[INFO] 10 explicit excludes (use -debug for more details).
[INFO] 202 resources included (use -debug for more details)
[WARNING] Files with unapproved licenses:
.asf.yaml
{quote}
the file .asf.yaml was introduced by a commit with this msg:
{quote}
OAK-9440 update pom.xml for migrated SCM repositories to GitBox/GitHub (#296)
update documentation add .asf.yaml to adjust Github metadata
{quote}
> Migrate Oak from SVN to Git
> ---
>
> Key: OAK-9440
> URL: https://issues.apache.org/jira/browse/OAK-9440
> Project: Jackrabbit Oak
> Issue Type: Improvement
>Reporter: Konrad Windszus
>Assignee: Konrad Windszus
>Priority: Major
> Attachments: jackrabbit-check-release-for-gitv1.patch,
> jackrabbit-live-site-migrate-to-gitv1.patch,
> jackrabbit-site-release-for-gitv1.patch
>
>
> # migrate the SVN repository at
> [https://svn.apache.org/repos/asf/jackrabbit/oak/] to a Git repository named
> "jackrabbit-oak" - tracked in INFRA-22016 (/)
> # migrate GitHub SVN mirror at [https://github.com/apache/jackrabbit-oak] to
> mirror the new native Git repo (at Gitbox) - tracked in INFRA-22016 (/)
> # -change the main branch name from "trunk" to "main"-
> # make the SVN repository read only - tracked in INFRA-22016 (/)
> # adjust Jenkins jobs
> ## [https://ci-builds.apache.org/job/Jackrabbit/job/jackrabbit-oak-matrix/]
> (/)
> ## [https://ci-builds.apache.org/job/Jackrabbit/job/jackrabbit-oak-trunk/]
> (/)
> # adjust release check scripts, fixed in r48468 (/)
> ## [https://dist.apache.org/repos/dist/dev/jackrabbit/check-release.sh]
> attached to [^jackrabbit-check-release-for-gitv1.patch]
> # adjust documentation, this includes
> ## [http://jackrabbit.apache.org/jcr/creating-releases.html] attached to
> [^jackrabbit-site-release-for-gitv1.patch], applied in r1890993 (/)
> ## [https://jackrabbit.apache.org/oak/] (only manually maintained in
> [https://svn.apache.org/repos/asf/jackrabbit/site/live/oak/)|https://svn.apache.org/repos/asf/jackrabbit/site/live/oak/]
> proposed to remove and redirect to /oak/docs instead in
> [^jackrabbit-live-site-migrate-to-gitv1.patch], done in r1890995, (/)
> ## [https://jackrabbit.apache.org/oak/docs/dev_getting_started.html],
> contained in GH PR, (/)
> ## [https://jackrabbit.apache.org/oak/docs/developing-with-git.html],
> contained in GH PR, (/)
> ##
> # adjust scm references in pom.xml (/)
> ## primary source should be Gitbox URL (not Github), contained in GH PR
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Resolved] (OAK-9462) Extensible DynamicMembershipProvider
[
https://issues.apache.org/jira/browse/OAK-9462?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Angela Schreiber resolved OAK-9462.
---
Resolution: Fixed
> Extensible DynamicMembershipProvider
>
>
> Key: OAK-9462
> URL: https://issues.apache.org/jira/browse/OAK-9462
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: auth-external, core, security-spi
>Reporter: Angela Schreiber
>Assignee: Angela Schreiber
>Priority: Major
> Fix For: 1.42.0
>
>
> Today the only built-in dynamic
> {{org.apache.jackrabbit.api.security.user.Group}} is the one associated with
> the everyone principal that automatically has every other group and user as
> member.
> In order to allow for additional flexibility we should consider introducing a
> {{DynamicMembershipProvider}} interface. while by default a single
> implementation for the everyone group would be present as today, it would
> allow to provide additional implementations. e.g. for those groups configured
> with the _automembership_ option defined with {{DefaultSyncConfig}}, when
> additionally _dynamicmembership_ is enabled.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Created] (OAK-9492) UserInitializer: info property of 'principalName' index not accurate
Angela Schreiber created OAK-9492: - Summary: UserInitializer: info property of 'principalName' index not accurate Key: OAK-9492 URL: https://issues.apache.org/jira/browse/OAK-9492 Project: Jackrabbit Oak Issue Type: Improvement Components: core Reporter: Angela Schreiber -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (OAK-9492) UserInitializer: info property of 'principalName' index not accurate
[ https://issues.apache.org/jira/browse/OAK-9492?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Angela Schreiber updated OAK-9492: -- Description: the description of the 'principalName' index definition stored in the 'info' property is IMHO misleading. [~thomasm], do you recall what your intention was when stating _if it was constructed manually_? that sounds a bit odd as the rep:principalName property is always defined when a new user/group is created through the API. on JCR level users/groups cannot be created manually using regular write operations due to the protected nature some properties. > UserInitializer: info property of 'principalName' index not accurate > > > Key: OAK-9492 > URL: https://issues.apache.org/jira/browse/OAK-9492 > Project: Jackrabbit Oak > Issue Type: Improvement > Components: core >Reporter: Angela Schreiber >Priority: Trivial > > the description of the 'principalName' index definition stored in the 'info' > property is IMHO misleading. > [~thomasm], do you recall what your intention was when stating _if it was > constructed manually_? that sounds a bit odd as the rep:principalName > property is always defined when a new user/group is created through the API. > on JCR level users/groups cannot be created manually using regular write > operations due to the protected nature some properties. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Assigned] (OAK-9492) UserInitializer: info property of 'principalName' index not accurate
[ https://issues.apache.org/jira/browse/OAK-9492?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Angela Schreiber reassigned OAK-9492: - Assignee: Angela Schreiber > UserInitializer: info property of 'principalName' index not accurate > > > Key: OAK-9492 > URL: https://issues.apache.org/jira/browse/OAK-9492 > Project: Jackrabbit Oak > Issue Type: Improvement > Components: core >Reporter: Angela Schreiber >Assignee: Angela Schreiber >Priority: Trivial > > the description of the 'principalName' index definition stored in the 'info' > property is IMHO misleading. > [~thomasm], do you recall what your intention was when stating _if it was > constructed manually_? that sounds a bit odd as the rep:principalName > property is always defined when a new user/group is created through the API. > on JCR level users/groups cannot be created manually using regular write > operations due to the protected nature some properties. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (OAK-9493) Use index option to for security relevant queries
Angela Schreiber created OAK-9493: - Summary: Use index option to for security relevant queries Key: OAK-9493 URL: https://issues.apache.org/jira/browse/OAK-9493 Project: Jackrabbit Oak Issue Type: Improvement Components: core, security Reporter: Angela Schreiber Assignee: Angela Schreiber while investigating a potential issue with principal-lookup [~thomasm] made me aware of the index-option (see https://jackrabbit.apache.org/oak/docs/query/query-engine.html#Query_Option_Index_Tag) that allows to enforce the usage of a dedicated index when executing a query. i would like to review all security relevant queries and add the index option for those that are known to be relevant for consistency and/or security. cc: [~kpauls], fyi as this relates to the recent discussion regarding system-user-validation upon service-user-mapping in Sling. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (OAK-9492) UserInitializer: info property of 'principalName' index not accurate
[ https://issues.apache.org/jira/browse/OAK-9492?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Angela Schreiber updated OAK-9492: -- Fix Version/s: 1.42.0 > UserInitializer: info property of 'principalName' index not accurate > > > Key: OAK-9492 > URL: https://issues.apache.org/jira/browse/OAK-9492 > Project: Jackrabbit Oak > Issue Type: Improvement > Components: core >Reporter: Angela Schreiber >Assignee: Angela Schreiber >Priority: Trivial > Fix For: 1.42.0 > > > the description of the 'principalName' index definition stored in the 'info' > property is IMHO misleading. > [~thomasm], do you recall what your intention was when stating _if it was > constructed manually_? that sounds a bit odd as the rep:principalName > property is always defined when a new user/group is created through the API. > on JCR level users/groups cannot be created manually using regular write > operations due to the protected nature some properties. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Resolved] (OAK-9492) UserInitializer: info property of 'principalName' index not accurate
[ https://issues.apache.org/jira/browse/OAK-9492?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Angela Schreiber resolved OAK-9492. --- Resolution: Fixed rev c2e53253bf..f2ec93eac8 > UserInitializer: info property of 'principalName' index not accurate > > > Key: OAK-9492 > URL: https://issues.apache.org/jira/browse/OAK-9492 > Project: Jackrabbit Oak > Issue Type: Improvement > Components: core >Reporter: Angela Schreiber >Assignee: Angela Schreiber >Priority: Trivial > > the description of the 'principalName' index definition stored in the 'info' > property is IMHO misleading. > [~thomasm], do you recall what your intention was when stating _if it was > constructed manually_? that sounds a bit odd as the rep:principalName > property is always defined when a new user/group is created through the API. > on JCR level users/groups cannot be created manually using regular write > operations due to the protected nature some properties. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (OAK-9494) Check if a privilege is applicable to a node
[
https://issues.apache.org/jira/browse/OAK-9494?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Angela Schreiber updated OAK-9494:
--
Component/s: api
> Check if a privilege is applicable to a node
>
>
> Key: OAK-9494
> URL: https://issues.apache.org/jira/browse/OAK-9494
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: api, commons
>Reporter: Joerg Hoh
>Priority: Major
>
> I have a case where I need to check for a session if individual privileges
> are available for a specific node. For performance reasons I want to avoid to
> execute multiple calls to {{accessControlManager.hasPrivilege(...)}}, but get
> all Privileges of that node once and the set various flags based on the
> presene of certain privileges or not.
> I want to use something like this:
> {code}
> Set applicablePrivilegeNames =
> ...(accessControlManager.getPrivileges(path))...
> boolean canAddChildNodes =
> applicablePrivilegeNames.contains(Privilege.JCR_ADD_CHILD_NODES);
> boolean canWrite = applicablePrivilegeNames.contains(Privilege.WRITE);
> {code}
> It should work with aggregates as well.
> Right now it's a bit problematic because {{privilege.getName()}} resolves to
> something like {{jcr:read}}, while the value of {{Privilege.JCR_READ}} is
> {{\{http://www.jcp.org/jcr/1.0}read}}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (OAK-9494) Check if a privilege is applicable to a node
[
https://issues.apache.org/jira/browse/OAK-9494?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17381281#comment-17381281
]
Angela Schreiber commented on OAK-9494:
---
[~joerghoh], thanks for reporting i agree that the fully qualified name
constants are making it super-hard to compare sets of jcr names (like privilege
names in this case). what should work though is comparing privileges
themselves i.e. not looking at the names.
e.g. something like:
{code}
// TODO: if all aggregated privileges are required -> extract using
Privilege.isAggregate() and Privilege.getAggregatedPrivileges()
Set privileges =
ImmutableSet.copyOf(accessControlManger.getPrivileges(absPath));
PrivilegeManager privilegeManager = ((JackrabbitWorkspace)
session.getWorkspace()).getPrivilegeManager();
boolean canRead =
privileges.contains(privilegeManager.getPrivilege(Privilege.JCR_READ));
{code}
let me know if that works until we have complete this improvement.
> Check if a privilege is applicable to a node
>
>
> Key: OAK-9494
> URL: https://issues.apache.org/jira/browse/OAK-9494
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: commons
>Reporter: Joerg Hoh
>Priority: Major
>
> I have a case where I need to check for a session if individual privileges
> are available for a specific node. For performance reasons I want to avoid to
> execute multiple calls to {{accessControlManager.hasPrivilege(...)}}, but get
> all Privileges of that node once and the set various flags based on the
> presene of certain privileges or not.
> I want to use something like this:
> {code}
> Set applicablePrivilegeNames =
> ...(accessControlManager.getPrivileges(path))...
> boolean canAddChildNodes =
> applicablePrivilegeNames.contains(Privilege.JCR_ADD_CHILD_NODES);
> boolean canWrite = applicablePrivilegeNames.contains(Privilege.WRITE);
> {code}
> It should work with aggregates as well.
> Right now it's a bit problematic because {{privilege.getName()}} resolves to
> something like {{jcr:read}}, while the value of {{Privilege.JCR_READ}} is
> {{\{http://www.jcp.org/jcr/1.0}read}}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Updated] (OAK-9494) Check if a privilege is granted at a node
[
https://issues.apache.org/jira/browse/OAK-9494?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Angela Schreiber updated OAK-9494:
--
Summary: Check if a privilege is granted at a node (was: Check if a
privilege is applicable to a node)
> Check if a privilege is granted at a node
> -
>
> Key: OAK-9494
> URL: https://issues.apache.org/jira/browse/OAK-9494
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: api, commons
>Reporter: Joerg Hoh
>Priority: Major
>
> I have a case where I need to check for a session if individual privileges
> are available for a specific node. For performance reasons I want to avoid to
> execute multiple calls to {{accessControlManager.hasPrivilege(...)}}, but get
> all Privileges of that node once and the set various flags based on the
> presene of certain privileges or not.
> I want to use something like this:
> {code}
> Set applicablePrivilegeNames =
> ...(accessControlManager.getPrivileges(path))...
> boolean canAddChildNodes =
> applicablePrivilegeNames.contains(Privilege.JCR_ADD_CHILD_NODES);
> boolean canWrite = applicablePrivilegeNames.contains(Privilege.WRITE);
> {code}
> It should work with aggregates as well.
> Right now it's a bit problematic because {{privilege.getName()}} resolves to
> something like {{jcr:read}}, while the value of {{Privilege.JCR_READ}} is
> {{\{http://www.jcp.org/jcr/1.0}read}}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Comment Edited] (OAK-9494) Check if a privilege is granted at a node
[
https://issues.apache.org/jira/browse/OAK-9494?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17381281#comment-17381281
]
Angela Schreiber edited comment on OAK-9494 at 7/15/21, 11:54 AM:
--
[~joerghoh], thanks for reporting i agree that the fully qualified name
constants are making it super-hard to compare sets of jcr names (like privilege
names in this case). what should work though is comparing privileges
themselves i.e. not looking at the names.
e.g. something like:
{code}
// TODO: if all aggregated privileges are required -> extract using
Privilege.isAggregate() and Privilege.getAggregatedPrivileges()
Set privileges =
ImmutableSet.copyOf(accessControlManger.getPrivileges(absPath));
Privilege readPrivilege =
boolean canRead = privileges.contains(readPrivilege);
{code}
and privilege can be access using ac-mgr or privilege manager (thanks for
reminding me of that!):
{code}
readPrivilege = acMgr.privilegeFromName(Privilege.JCR_READ)
or
PrivilegeManager privilegeManager = ((JackrabbitWorkspace)
session.getWorkspace()).getPrivilegeManager();
readPrivilege = privilegeManager.getPrivilege(Privilege.JCR_READ)
{code}
let me know if that works until we have complete this improvement.
btw: i believe that you want to check if a given privilege is granted at a
particular node and not check if you can apply it. applicable privileges
for a given path are covered by a different API method:
{{AccessControlManager.getSupportedPrivileges(String absPath)}} will return an
array of privileges that can be used/applied at the given path
was (Author: anchela):
[~joerghoh], thanks for reporting i agree that the fully qualified name
constants are making it super-hard to compare sets of jcr names (like privilege
names in this case). what should work though is comparing privileges
themselves i.e. not looking at the names.
e.g. something like:
{code}
// TODO: if all aggregated privileges are required -> extract using
Privilege.isAggregate() and Privilege.getAggregatedPrivileges()
Set privileges =
ImmutableSet.copyOf(accessControlManger.getPrivileges(absPath));
PrivilegeManager privilegeManager = ((JackrabbitWorkspace)
session.getWorkspace()).getPrivilegeManager();
boolean canRead =
privileges.contains(privilegeManager.getPrivilege(Privilege.JCR_READ));
{code}
let me know if that works until we have complete this improvement.
> Check if a privilege is granted at a node
> -
>
> Key: OAK-9494
> URL: https://issues.apache.org/jira/browse/OAK-9494
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: api, commons
>Reporter: Joerg Hoh
>Priority: Major
>
> I have a case where I need to check for a session if individual privileges
> are available for a specific node. For performance reasons I want to avoid to
> execute multiple calls to {{accessControlManager.hasPrivilege(...)}}, but get
> all Privileges of that node once and the set various flags based on the
> presene of certain privileges or not.
> I want to use something like this:
> {code}
> Set applicablePrivilegeNames =
> ...(accessControlManager.getPrivileges(path))...
> boolean canAddChildNodes =
> applicablePrivilegeNames.contains(Privilege.JCR_ADD_CHILD_NODES);
> boolean canWrite = applicablePrivilegeNames.contains(Privilege.WRITE);
> {code}
> It should work with aggregates as well.
> Right now it's a bit problematic because {{privilege.getName()}} resolves to
> something like {{jcr:read}}, while the value of {{Privilege.JCR_READ}} is
> {{\{http://www.jcp.org/jcr/1.0}read}}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Updated] (OAK-9494) Check if a privilege name is included in a set/array of Privileges obtained from AccessControlManager.getPrivileges
[
https://issues.apache.org/jira/browse/OAK-9494?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Angela Schreiber updated OAK-9494:
--
Summary: Check if a privilege name is included in a set/array of Privileges
obtained from AccessControlManager.getPrivileges (was: Check if a privilege is
granted at a node)
> Check if a privilege name is included in a set/array of Privileges obtained
> from AccessControlManager.getPrivileges
> ---
>
> Key: OAK-9494
> URL: https://issues.apache.org/jira/browse/OAK-9494
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: api, commons
>Reporter: Joerg Hoh
>Priority: Major
>
> I have a case where I need to check for a session if individual privileges
> are available for a specific node. For performance reasons I want to avoid to
> execute multiple calls to {{accessControlManager.hasPrivilege(...)}}, but get
> all Privileges of that node once and the set various flags based on the
> presene of certain privileges or not.
> I want to use something like this:
> {code}
> Set applicablePrivilegeNames =
> ...(accessControlManager.getPrivileges(path))...
> boolean canAddChildNodes =
> applicablePrivilegeNames.contains(Privilege.JCR_ADD_CHILD_NODES);
> boolean canWrite = applicablePrivilegeNames.contains(Privilege.WRITE);
> {code}
> It should work with aggregates as well.
> Right now it's a bit problematic because {{privilege.getName()}} resolves to
> something like {{jcr:read}}, while the value of {{Privilege.JCR_READ}} is
> {{\{http://www.jcp.org/jcr/1.0}read}}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (OAK-9494) Check if a privilege name is included in a set/array of Privileges obtained from AccessControlManager.getPrivileges
[
https://issues.apache.org/jira/browse/OAK-9494?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17382043#comment-17382043
]
Angela Schreiber commented on OAK-9494:
---
hi [~joerghoh], thanks for the additional information that's helpful. what
i could envision is a new method like e.g. {{PrivilegeManager.includes(@NotNull
Privilege[] privileges, @NotNull String... privilegeNames)}} with a default
(for backwards compatibility) and a (hopefully) efficient implementation in Oak
directly operation on {{PrivilegeBitsProvider}}. but IMHO it definitely makes
sense to get some benchmark results before committing any changes to Jackrabbit
API.
the benchmark could e.g. compare
- PrivilegeManager.includes
- manually resolving all aggregated names from the privilege-array and verify
if it includes the selected names
- multiple calls to AccessControlManager.hasPrivileges for the selected names.
wdyt?
> Check if a privilege name is included in a set/array of Privileges obtained
> from AccessControlManager.getPrivileges
> ---
>
> Key: OAK-9494
> URL: https://issues.apache.org/jira/browse/OAK-9494
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: api, commons
>Reporter: Joerg Hoh
>Priority: Major
>
> I have a case where I need to check for a session if individual privileges
> are available for a specific node. For performance reasons I want to avoid to
> execute multiple calls to {{accessControlManager.hasPrivilege(...)}}, but get
> all Privileges of that node once and the set various flags based on the
> presene of certain privileges or not.
> I want to use something like this:
> {code}
> Set applicablePrivilegeNames =
> ...(accessControlManager.getPrivileges(path))...
> boolean canAddChildNodes =
> applicablePrivilegeNames.contains(Privilege.JCR_ADD_CHILD_NODES);
> boolean canWrite = applicablePrivilegeNames.contains(Privilege.WRITE);
> {code}
> It should work with aggregates as well.
> Right now it's a bit problematic because {{privilege.getName()}} resolves to
> something like {{jcr:read}}, while the value of {{Privilege.JCR_READ}} is
> {{\{http://www.jcp.org/jcr/1.0}read}}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Assigned] (OAK-9494) Check if a privilege name is included in a set/array of Privileges obtained from AccessControlManager.getPrivileges
[
https://issues.apache.org/jira/browse/OAK-9494?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Angela Schreiber reassigned OAK-9494:
-
Assignee: Angela Schreiber
> Check if a privilege name is included in a set/array of Privileges obtained
> from AccessControlManager.getPrivileges
> ---
>
> Key: OAK-9494
> URL: https://issues.apache.org/jira/browse/OAK-9494
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: api, commons
>Reporter: Joerg Hoh
>Assignee: Angela Schreiber
>Priority: Major
>
> I have a case where I need to check for a session if individual privileges
> are available for a specific node. For performance reasons I want to avoid to
> execute multiple calls to {{accessControlManager.hasPrivilege(...)}}, but get
> all Privileges of that node once and the set various flags based on the
> presene of certain privileges or not.
> I want to use something like this:
> {code}
> Set applicablePrivilegeNames =
> ...(accessControlManager.getPrivileges(path))...
> boolean canAddChildNodes =
> applicablePrivilegeNames.contains(Privilege.JCR_ADD_CHILD_NODES);
> boolean canWrite = applicablePrivilegeNames.contains(Privilege.WRITE);
> {code}
> It should work with aggregates as well.
> Right now it's a bit problematic because {{privilege.getName()}} resolves to
> something like {{jcr:read}}, while the value of {{Privilege.JCR_READ}} is
> {{\{http://www.jcp.org/jcr/1.0}read}}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Updated] (OAK-9494) Check if a privilege name is included in a set/array of Privileges obtained from AccessControlManager.getPrivileges
[
https://issues.apache.org/jira/browse/OAK-9494?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Angela Schreiber updated OAK-9494:
--
Component/s: (was: commons)
(was: api)
security
jackrabbit-api
> Check if a privilege name is included in a set/array of Privileges obtained
> from AccessControlManager.getPrivileges
> ---
>
> Key: OAK-9494
> URL: https://issues.apache.org/jira/browse/OAK-9494
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: jackrabbit-api, security
>Reporter: Joerg Hoh
>Assignee: Angela Schreiber
>Priority: Major
>
> I have a case where I need to check for a session if individual privileges
> are available for a specific node. For performance reasons I want to avoid to
> execute multiple calls to {{accessControlManager.hasPrivilege(...)}}, but get
> all Privileges of that node once and the set various flags based on the
> presene of certain privileges or not.
> I want to use something like this:
> {code}
> Set applicablePrivilegeNames =
> ...(accessControlManager.getPrivileges(path))...
> boolean canAddChildNodes =
> applicablePrivilegeNames.contains(Privilege.JCR_ADD_CHILD_NODES);
> boolean canWrite = applicablePrivilegeNames.contains(Privilege.WRITE);
> {code}
> It should work with aggregates as well.
> Right now it's a bit problematic because {{privilege.getName()}} resolves to
> something like {{jcr:read}}, while the value of {{Privilege.JCR_READ}} is
> {{\{http://www.jcp.org/jcr/1.0}read}}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (OAK-9494) Check if a privilege name is included in a set/array of Privileges obtained from AccessControlManager.getPrivileges
[
https://issues.apache.org/jira/browse/OAK-9494?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17384382#comment-17384382
]
Angela Schreiber commented on OAK-9494:
---
after a second thought, i believe adding additional methods to
{{JackrabbitAccessControlManager}} would be better. e.g. something like
{{JackrabbitAccessControlManager.getPrivilegeCollection(String absPath)}},
where {{PrivilegeCollection}} would essentially be a 'wrapper' around an array
of privileges, without having to build the privilege objects unless explicitly
requested. in addition that {PrivilegeCollection}} would allow to to evaluate
if certain privileges are included by specifying names only. if needed the new
interface could easily be extended later to also perform tasks like
{{getPrivilegeNames}} or {{getAggregatedPrivilegeNames()}}.
> Check if a privilege name is included in a set/array of Privileges obtained
> from AccessControlManager.getPrivileges
> ---
>
> Key: OAK-9494
> URL: https://issues.apache.org/jira/browse/OAK-9494
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: jackrabbit-api, security
>Reporter: Joerg Hoh
>Assignee: Angela Schreiber
>Priority: Major
>
> I have a case where I need to check for a session if individual privileges
> are available for a specific node. For performance reasons I want to avoid to
> execute multiple calls to {{accessControlManager.hasPrivilege(...)}}, but get
> all Privileges of that node once and the set various flags based on the
> presene of certain privileges or not.
> I want to use something like this:
> {code}
> Set applicablePrivilegeNames =
> ...(accessControlManager.getPrivileges(path))...
> boolean canAddChildNodes =
> applicablePrivilegeNames.contains(Privilege.JCR_ADD_CHILD_NODES);
> boolean canWrite = applicablePrivilegeNames.contains(Privilege.WRITE);
> {code}
> It should work with aggregates as well.
> Right now it's a bit problematic because {{privilege.getName()}} resolves to
> something like {{jcr:read}}, while the value of {{Privilege.JCR_READ}} is
> {{\{http://www.jcp.org/jcr/1.0}read}}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Comment Edited] (OAK-9494) Check if a privilege name is included in a set/array of Privileges obtained from AccessControlManager.getPrivileges
[
https://issues.apache.org/jira/browse/OAK-9494?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17384382#comment-17384382
]
Angela Schreiber edited comment on OAK-9494 at 7/21/21, 7:15 AM:
-
after a second thought, i believe adding additional methods to
{{JackrabbitAccessControlManager}} would be better. e.g. something like
{{JackrabbitAccessControlManager.getPrivilegeCollection(String absPath)}},
where {{PrivilegeCollection}} would essentially be a 'wrapper' around an array
of privileges, without having to build the privilege objects unless explicitly
requested. in addition that {{PrivilegeCollection}} would allow to to evaluate
if certain privileges are included by specifying names only. if needed the new
interface could easily be extended later to also perform tasks like
{{getPrivilegeNames}} or {{getAggregatedPrivilegeNames()}}.
was (Author: anchela):
after a second thought, i believe adding additional methods to
{{JackrabbitAccessControlManager}} would be better. e.g. something like
{{JackrabbitAccessControlManager.getPrivilegeCollection(String absPath)}},
where {{PrivilegeCollection}} would essentially be a 'wrapper' around an array
of privileges, without having to build the privilege objects unless explicitly
requested. in addition that {PrivilegeCollection}} would allow to to evaluate
if certain privileges are included by specifying names only. if needed the new
interface could easily be extended later to also perform tasks like
{{getPrivilegeNames}} or {{getAggregatedPrivilegeNames()}}.
> Check if a privilege name is included in a set/array of Privileges obtained
> from AccessControlManager.getPrivileges
> ---
>
> Key: OAK-9494
> URL: https://issues.apache.org/jira/browse/OAK-9494
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: jackrabbit-api, security
>Reporter: Joerg Hoh
>Assignee: Angela Schreiber
>Priority: Major
>
> I have a case where I need to check for a session if individual privileges
> are available for a specific node. For performance reasons I want to avoid to
> execute multiple calls to {{accessControlManager.hasPrivilege(...)}}, but get
> all Privileges of that node once and the set various flags based on the
> presene of certain privileges or not.
> I want to use something like this:
> {code}
> Set applicablePrivilegeNames =
> ...(accessControlManager.getPrivileges(path))...
> boolean canAddChildNodes =
> applicablePrivilegeNames.contains(Privilege.JCR_ADD_CHILD_NODES);
> boolean canWrite = applicablePrivilegeNames.contains(Privilege.WRITE);
> {code}
> It should work with aggregates as well.
> Right now it's a bit problematic because {{privilege.getName()}} resolves to
> something like {{jcr:read}}, while the value of {{Privilege.JCR_READ}} is
> {{\{http://www.jcp.org/jcr/1.0}read}}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (OAK-9494) Check if a privilege name is included in a set/array of Privileges obtained from AccessControlManager.getPrivileges
[
https://issues.apache.org/jira/browse/OAK-9494?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17384719#comment-17384719
]
Angela Schreiber commented on OAK-9494:
---
initial changes committed rv. 023f63235d..5f241a4426
> Check if a privilege name is included in a set/array of Privileges obtained
> from AccessControlManager.getPrivileges
> ---
>
> Key: OAK-9494
> URL: https://issues.apache.org/jira/browse/OAK-9494
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: jackrabbit-api, security
>Reporter: Joerg Hoh
>Assignee: Angela Schreiber
>Priority: Major
> Attachments:
> GetPrivilegeCollectionIncludeNamesTest_ACCESSCONTORL_MANAGER_GET_PRIVILEGE_COLLECTION_20210720_142800.csv,
>
> GetPrivilegeCollectionIncludeNamesTest_ACCESSCONTORL_MANAGER_HAS_PRIVILEGES_20210720_145010.csv,
>
> GetPrivilegeCollectionIncludeNamesTest_JCR_PRIVILEGE_NAME_AGGREGATION_20210720_144405.csv
>
>
> I have a case where I need to check for a session if individual privileges
> are available for a specific node. For performance reasons I want to avoid to
> execute multiple calls to {{accessControlManager.hasPrivilege(...)}}, but get
> all Privileges of that node once and the set various flags based on the
> presene of certain privileges or not.
> I want to use something like this:
> {code}
> Set applicablePrivilegeNames =
> ...(accessControlManager.getPrivileges(path))...
> boolean canAddChildNodes =
> applicablePrivilegeNames.contains(Privilege.JCR_ADD_CHILD_NODES);
> boolean canWrite = applicablePrivilegeNames.contains(Privilege.WRITE);
> {code}
> It should work with aggregates as well.
> Right now it's a bit problematic because {{privilege.getName()}} resolves to
> something like {{jcr:read}}, while the value of {{Privilege.JCR_READ}} is
> {{\{http://www.jcp.org/jcr/1.0}read}}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Updated] (OAK-9494) Check if a privilege name is included in a set/array of Privileges obtained from AccessControlManager.getPrivileges
[
https://issues.apache.org/jira/browse/OAK-9494?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Angela Schreiber updated OAK-9494:
--
Attachment:
GetPrivilegeCollectionIncludeNamesTest_JCR_PRIVILEGE_NAME_AGGREGATION_20210720_144405.csv
GetPrivilegeCollectionIncludeNamesTest_ACCESSCONTORL_MANAGER_HAS_PRIVILEGES_20210720_145010.csv
GetPrivilegeCollectionIncludeNamesTest_ACCESSCONTORL_MANAGER_GET_PRIVILEGE_COLLECTION_20210720_142800.csv
> Check if a privilege name is included in a set/array of Privileges obtained
> from AccessControlManager.getPrivileges
> ---
>
> Key: OAK-9494
> URL: https://issues.apache.org/jira/browse/OAK-9494
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: jackrabbit-api, security
>Reporter: Joerg Hoh
>Assignee: Angela Schreiber
>Priority: Major
> Attachments:
> GetPrivilegeCollectionIncludeNamesTest_ACCESSCONTORL_MANAGER_GET_PRIVILEGE_COLLECTION_20210720_142800.csv,
>
> GetPrivilegeCollectionIncludeNamesTest_ACCESSCONTORL_MANAGER_HAS_PRIVILEGES_20210720_145010.csv,
>
> GetPrivilegeCollectionIncludeNamesTest_JCR_PRIVILEGE_NAME_AGGREGATION_20210720_144405.csv
>
>
> I have a case where I need to check for a session if individual privileges
> are available for a specific node. For performance reasons I want to avoid to
> execute multiple calls to {{accessControlManager.hasPrivilege(...)}}, but get
> all Privileges of that node once and the set various flags based on the
> presene of certain privileges or not.
> I want to use something like this:
> {code}
> Set applicablePrivilegeNames =
> ...(accessControlManager.getPrivileges(path))...
> boolean canAddChildNodes =
> applicablePrivilegeNames.contains(Privilege.JCR_ADD_CHILD_NODES);
> boolean canWrite = applicablePrivilegeNames.contains(Privilege.WRITE);
> {code}
> It should work with aggregates as well.
> Right now it's a bit problematic because {{privilege.getName()}} resolves to
> something like {{jcr:read}}, while the value of {{Privilege.JCR_READ}} is
> {{\{http://www.jcp.org/jcr/1.0}read}}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Comment Edited] (OAK-9494) Check if a privilege name is included in a set/array of Privileges obtained from AccessControlManager.getPrivileges
[
https://issues.apache.org/jira/browse/OAK-9494?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17384719#comment-17384719
]
Angela Schreiber edited comment on OAK-9494 at 7/21/21, 7:58 AM:
-
* initial changes committed rv. 023f63235d..5f241a4426
* result of benchmarks attached:
** ACCESSCONTORL_MANAGER_GET_PRIVILEGE_COLLECTION : new method
{{JackrabbitAccessControlManager.getPrivilegeCollection}} with repeated calls
to 'includes' for the given randon priv-names
** JCR_PRIVILEGE_NAME_AGGREGATION : {{AccessControlManager.getPrivileges}}
with manually extracting aggregated names and then repeated testing if the
given random priv-names are included.
** ACCESSCONTORL_MANAGER_HAS_PRIVILEGES : repeated calls to
{{AccessControlManager.hasPrivileges}} for the given randomly selected
privileges
was (Author: anchela):
initial changes committed rv. 023f63235d..5f241a4426
> Check if a privilege name is included in a set/array of Privileges obtained
> from AccessControlManager.getPrivileges
> ---
>
> Key: OAK-9494
> URL: https://issues.apache.org/jira/browse/OAK-9494
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: jackrabbit-api, security
>Reporter: Joerg Hoh
>Assignee: Angela Schreiber
>Priority: Major
> Attachments:
> GetPrivilegeCollectionIncludeNamesTest_ACCESSCONTORL_MANAGER_GET_PRIVILEGE_COLLECTION_20210720_142800.csv,
>
> GetPrivilegeCollectionIncludeNamesTest_ACCESSCONTORL_MANAGER_HAS_PRIVILEGES_20210720_145010.csv,
>
> GetPrivilegeCollectionIncludeNamesTest_JCR_PRIVILEGE_NAME_AGGREGATION_20210720_144405.csv
>
>
> I have a case where I need to check for a session if individual privileges
> are available for a specific node. For performance reasons I want to avoid to
> execute multiple calls to {{accessControlManager.hasPrivilege(...)}}, but get
> all Privileges of that node once and the set various flags based on the
> presene of certain privileges or not.
> I want to use something like this:
> {code}
> Set applicablePrivilegeNames =
> ...(accessControlManager.getPrivileges(path))...
> boolean canAddChildNodes =
> applicablePrivilegeNames.contains(Privilege.JCR_ADD_CHILD_NODES);
> boolean canWrite = applicablePrivilegeNames.contains(Privilege.WRITE);
> {code}
> It should work with aggregates as well.
> Right now it's a bit problematic because {{privilege.getName()}} resolves to
> something like {{jcr:read}}, while the value of {{Privilege.JCR_READ}} is
> {{\{http://www.jcp.org/jcr/1.0}read}}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Comment Edited] (OAK-9494) Check if a privilege name is included in a set/array of Privileges obtained from AccessControlManager.getPrivileges
[
https://issues.apache.org/jira/browse/OAK-9494?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17384719#comment-17384719
]
Angela Schreiber edited comment on OAK-9494 at 7/21/21, 7:59 AM:
-
* initial changes committed rv. 023f63235d..5f241a4426
* result of benchmarks attached:
** ACCESSCONTORL_MANAGER_GET_PRIVILEGE_COLLECTION : new method
{{JackrabbitAccessControlManager.getPrivilegeCollection}} with repeated calls
to 'includes' for the given randon priv-names
** JCR_PRIVILEGE_NAME_AGGREGATION : {{AccessControlManager.getPrivileges}}
with manually extracting aggregated names and then repeated testing if the
given random priv-names are included.
** ACCESSCONTORL_MANAGER_HAS_PRIVILEGES : repeated calls to
{{AccessControlManager.hasPrivileges}} for the given randomly selected
privileges
* update oak-docu : {color:#00875A}TODO{color}
was (Author: anchela):
* initial changes committed rv. 023f63235d..5f241a4426
* result of benchmarks attached:
** ACCESSCONTORL_MANAGER_GET_PRIVILEGE_COLLECTION : new method
{{JackrabbitAccessControlManager.getPrivilegeCollection}} with repeated calls
to 'includes' for the given randon priv-names
** JCR_PRIVILEGE_NAME_AGGREGATION : {{AccessControlManager.getPrivileges}}
with manually extracting aggregated names and then repeated testing if the
given random priv-names are included.
* update oak-docu : {color:#00875A}TODO{color}
** ACCESSCONTORL_MANAGER_HAS_PRIVILEGES : repeated calls to
{{AccessControlManager.hasPrivileges}} for the given randomly selected
privileges
> Check if a privilege name is included in a set/array of Privileges obtained
> from AccessControlManager.getPrivileges
> ---
>
> Key: OAK-9494
> URL: https://issues.apache.org/jira/browse/OAK-9494
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: jackrabbit-api, security
>Reporter: Joerg Hoh
>Assignee: Angela Schreiber
>Priority: Major
> Attachments:
> GetPrivilegeCollectionIncludeNamesTest_ACCESSCONTORL_MANAGER_GET_PRIVILEGE_COLLECTION_20210720_142800.csv,
>
> GetPrivilegeCollectionIncludeNamesTest_ACCESSCONTORL_MANAGER_HAS_PRIVILEGES_20210720_145010.csv,
>
> GetPrivilegeCollectionIncludeNamesTest_JCR_PRIVILEGE_NAME_AGGREGATION_20210720_144405.csv
>
>
> I have a case where I need to check for a session if individual privileges
> are available for a specific node. For performance reasons I want to avoid to
> execute multiple calls to {{accessControlManager.hasPrivilege(...)}}, but get
> all Privileges of that node once and the set various flags based on the
> presene of certain privileges or not.
> I want to use something like this:
> {code}
> Set applicablePrivilegeNames =
> ...(accessControlManager.getPrivileges(path))...
> boolean canAddChildNodes =
> applicablePrivilegeNames.contains(Privilege.JCR_ADD_CHILD_NODES);
> boolean canWrite = applicablePrivilegeNames.contains(Privilege.WRITE);
> {code}
> It should work with aggregates as well.
> Right now it's a bit problematic because {{privilege.getName()}} resolves to
> something like {{jcr:read}}, while the value of {{Privilege.JCR_READ}} is
> {{\{http://www.jcp.org/jcr/1.0}read}}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Comment Edited] (OAK-9494) Check if a privilege name is included in a set/array of Privileges obtained from AccessControlManager.getPrivileges
[
https://issues.apache.org/jira/browse/OAK-9494?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17384719#comment-17384719
]
Angela Schreiber edited comment on OAK-9494 at 7/21/21, 7:59 AM:
-
* initial changes committed rv. 023f63235d..5f241a4426
* result of benchmarks attached:
** ACCESSCONTORL_MANAGER_GET_PRIVILEGE_COLLECTION : new method
{{JackrabbitAccessControlManager.getPrivilegeCollection}} with repeated calls
to 'includes' for the given randon priv-names
** JCR_PRIVILEGE_NAME_AGGREGATION : {{AccessControlManager.getPrivileges}}
with manually extracting aggregated names and then repeated testing if the
given random priv-names are included.
* update oak-docu : {color:#00875A}TODO{color}
** ACCESSCONTORL_MANAGER_HAS_PRIVILEGES : repeated calls to
{{AccessControlManager.hasPrivileges}} for the given randomly selected
privileges
was (Author: anchela):
* initial changes committed rv. 023f63235d..5f241a4426
* result of benchmarks attached:
** ACCESSCONTORL_MANAGER_GET_PRIVILEGE_COLLECTION : new method
{{JackrabbitAccessControlManager.getPrivilegeCollection}} with repeated calls
to 'includes' for the given randon priv-names
** JCR_PRIVILEGE_NAME_AGGREGATION : {{AccessControlManager.getPrivileges}}
with manually extracting aggregated names and then repeated testing if the
given random priv-names are included.
** ACCESSCONTORL_MANAGER_HAS_PRIVILEGES : repeated calls to
{{AccessControlManager.hasPrivileges}} for the given randomly selected
privileges
> Check if a privilege name is included in a set/array of Privileges obtained
> from AccessControlManager.getPrivileges
> ---
>
> Key: OAK-9494
> URL: https://issues.apache.org/jira/browse/OAK-9494
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: jackrabbit-api, security
>Reporter: Joerg Hoh
>Assignee: Angela Schreiber
>Priority: Major
> Attachments:
> GetPrivilegeCollectionIncludeNamesTest_ACCESSCONTORL_MANAGER_GET_PRIVILEGE_COLLECTION_20210720_142800.csv,
>
> GetPrivilegeCollectionIncludeNamesTest_ACCESSCONTORL_MANAGER_HAS_PRIVILEGES_20210720_145010.csv,
>
> GetPrivilegeCollectionIncludeNamesTest_JCR_PRIVILEGE_NAME_AGGREGATION_20210720_144405.csv
>
>
> I have a case where I need to check for a session if individual privileges
> are available for a specific node. For performance reasons I want to avoid to
> execute multiple calls to {{accessControlManager.hasPrivilege(...)}}, but get
> all Privileges of that node once and the set various flags based on the
> presene of certain privileges or not.
> I want to use something like this:
> {code}
> Set applicablePrivilegeNames =
> ...(accessControlManager.getPrivileges(path))...
> boolean canAddChildNodes =
> applicablePrivilegeNames.contains(Privilege.JCR_ADD_CHILD_NODES);
> boolean canWrite = applicablePrivilegeNames.contains(Privilege.WRITE);
> {code}
> It should work with aggregates as well.
> Right now it's a bit problematic because {{privilege.getName()}} resolves to
> something like {{jcr:read}}, while the value of {{Privilege.JCR_READ}} is
> {{\{http://www.jcp.org/jcr/1.0}read}}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Created] (OAK-9505) README of oak-doc refers to svn
Angela Schreiber created OAK-9505: - Summary: README of oak-doc refers to svn Key: OAK-9505 URL: https://issues.apache.org/jira/browse/OAK-9505 Project: Jackrabbit Oak Issue Type: Documentation Components: doc Reporter: Angela Schreiber [~mreutegg], following the move to git, the README.md of _oak-doc_ also needs a bit of attention. it still refers to svn checkout/commit. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (OAK-9505) README and general information in oak-doc refers to svn
[ https://issues.apache.org/jira/browse/OAK-9505?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Angela Schreiber updated OAK-9505: -- Summary: README and general information in oak-doc refers to svn (was: README of oak-doc refers to svn ) > README and general information in oak-doc refers to svn > > > Key: OAK-9505 > URL: https://issues.apache.org/jira/browse/OAK-9505 > Project: Jackrabbit Oak > Issue Type: Documentation > Components: doc >Reporter: Angela Schreiber >Priority: Minor > > [~mreutegg], following the move to git, the README.md of _oak-doc_ also needs > a bit of attention. it still refers to svn checkout/commit. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (OAK-9505) README and general information in oak-doc refers to svn
[
https://issues.apache.org/jira/browse/OAK-9505?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Angela Schreiber updated OAK-9505:
--
Priority: Major (was: Minor)
> README and general information in oak-doc refers to svn
>
>
> Key: OAK-9505
> URL: https://issues.apache.org/jira/browse/OAK-9505
> Project: Jackrabbit Oak
> Issue Type: Documentation
> Components: doc
>Reporter: Angela Schreiber
>Priority: Major
>
> [~mreutegg], following the move to git, the README.md of _oak-doc_ also needs
> a bit of attention. it still refers to svn checkout/commit.
> while searching for outdated security related links, additionally spotted:
> - participating.md : {{The latest Oak sources are available for checkout from
> [svn][1]}}
> - roadmap.md : {{releases directly from
> [trunk](https://svn.apache.org/repos/asf/jackrabbit/oak/trunk/):}}
> - branching.md :
> {{-DbranchBase=https://svn.apache.org/repos/asf/jackrabbit/oak/branches \}}
> - pom.xml :
> {{scm:svn:https://svn.apache.org/repos/asf/jackrabbit/site/live/oak/docs}}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Updated] (OAK-9505) README and general information in oak-doc refers to svn
[
https://issues.apache.org/jira/browse/OAK-9505?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Angela Schreiber updated OAK-9505:
--
Description:
[~mreutegg], following the move to git, the README.md of _oak-doc_ also needs a
bit of attention. it still refers to svn checkout/commit.
while searching for outdated security related links, additionally spotted:
- participating.md : {{The latest Oak sources are available for checkout from
[svn][1]}}
- roadmap.md : {{releases directly from
[trunk](https://svn.apache.org/repos/asf/jackrabbit/oak/trunk/):}}
- branching.md :
{{-DbranchBase=https://svn.apache.org/repos/asf/jackrabbit/oak/branches \}}
- pom.xml :
{{scm:svn:https://svn.apache.org/repos/asf/jackrabbit/site/live/oak/docs}}
was:[~mreutegg], following the move to git, the README.md of _oak-doc_ also
needs a bit of attention. it still refers to svn checkout/commit.
> README and general information in oak-doc refers to svn
>
>
> Key: OAK-9505
> URL: https://issues.apache.org/jira/browse/OAK-9505
> Project: Jackrabbit Oak
> Issue Type: Documentation
> Components: doc
>Reporter: Angela Schreiber
>Priority: Minor
>
> [~mreutegg], following the move to git, the README.md of _oak-doc_ also needs
> a bit of attention. it still refers to svn checkout/commit.
> while searching for outdated security related links, additionally spotted:
> - participating.md : {{The latest Oak sources are available for checkout from
> [svn][1]}}
> - roadmap.md : {{releases directly from
> [trunk](https://svn.apache.org/repos/asf/jackrabbit/oak/trunk/):}}
> - branching.md :
> {{-DbranchBase=https://svn.apache.org/repos/asf/jackrabbit/oak/branches \}}
> - pom.xml :
> {{scm:svn:https://svn.apache.org/repos/asf/jackrabbit/site/live/oak/docs}}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Created] (OAK-9506) Oak Security Documentation : links to Jackrabbit-API point to svn
Angela Schreiber created OAK-9506: - Summary: Oak Security Documentation : links to Jackrabbit-API point to svn Key: OAK-9506 URL: https://issues.apache.org/jira/browse/OAK-9506 Project: Jackrabbit Oak Issue Type: Documentation Components: doc, security Reporter: Angela Schreiber Assignee: Angela Schreiber with OAK-8339 the Jackrabbit API has been moved to the Oak source but the links to security related interfaces still point to svn.apache.org. instead they are now generated with the oak javadoc and links should be adjusted such that they capture the latest state of the API. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Assigned] (OAK-9507) link to PrincipalProvider points to wrong resource
[
https://issues.apache.org/jira/browse/OAK-9507?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Angela Schreiber reassigned OAK-9507:
-
Assignee: Angela Schreiber
> link to PrincipalProvider points to wrong resource
> --
>
> Key: OAK-9507
> URL: https://issues.apache.org/jira/browse/OAK-9507
> Project: Jackrabbit Oak
> Issue Type: Documentation
> Components: doc
>Reporter: Angela Schreiber
>Assignee: Angela Schreiber
>Priority: Major
>
> on https://jackrabbit.apache.org/oak/docs/security/principal/differences.html
> the link to the {{PrincipalProvider}} points to the {{PrincipalManager}}.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Created] (OAK-9507) link to PrincipalProvider points to wrong resource
Angela Schreiber created OAK-9507:
-
Summary: link to PrincipalProvider points to wrong resource
Key: OAK-9507
URL: https://issues.apache.org/jira/browse/OAK-9507
Project: Jackrabbit Oak
Issue Type: Documentation
Components: doc
Reporter: Angela Schreiber
on https://jackrabbit.apache.org/oak/docs/security/principal/differences.html
the link to the {{PrincipalProvider}} points to the {{PrincipalManager}}.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Resolved] (OAK-9507) link to PrincipalProvider points to wrong resource
[
https://issues.apache.org/jira/browse/OAK-9507?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Angela Schreiber resolved OAK-9507.
---
Fix Version/s: 1.42.0
Resolution: Fixed
5f241a4426..111c0af140
> link to PrincipalProvider points to wrong resource
> --
>
> Key: OAK-9507
> URL: https://issues.apache.org/jira/browse/OAK-9507
> Project: Jackrabbit Oak
> Issue Type: Documentation
> Components: doc
>Reporter: Angela Schreiber
>Assignee: Angela Schreiber
>Priority: Major
> Fix For: 1.42.0
>
>
> on https://jackrabbit.apache.org/oak/docs/security/principal/differences.html
> the link to the {{PrincipalProvider}} points to the {{PrincipalManager}}.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Comment Edited] (OAK-9494) Check if a privilege name is included in a set/array of Privileges obtained from AccessControlManager.getPrivileges
[
https://issues.apache.org/jira/browse/OAK-9494?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17384719#comment-17384719
]
Angela Schreiber edited comment on OAK-9494 at 7/21/21, 9:40 AM:
-
* initial changes committed rv. 023f63235d..5f241a4426
* result of benchmarks attached:
** ACCESSCONTORL_MANAGER_GET_PRIVILEGE_COLLECTION : new method
{{JackrabbitAccessControlManager.getPrivilegeCollection}} with repeated calls
to 'includes' for the given randon priv-names
** JCR_PRIVILEGE_NAME_AGGREGATION : {{AccessControlManager.getPrivileges}}
with manually extracting aggregated names and then repeated testing if the
given random priv-names are included.
** ACCESSCONTORL_MANAGER_HAS_PRIVILEGES : repeated calls to
{{AccessControlManager.hasPrivileges}} for the given randomly selected
privileges
* update oak-docu : rev. 5f241a4426..111c0af140
was (Author: anchela):
* initial changes committed rv. 023f63235d..5f241a4426
* result of benchmarks attached:
** ACCESSCONTORL_MANAGER_GET_PRIVILEGE_COLLECTION : new method
{{JackrabbitAccessControlManager.getPrivilegeCollection}} with repeated calls
to 'includes' for the given randon priv-names
** JCR_PRIVILEGE_NAME_AGGREGATION : {{AccessControlManager.getPrivileges}}
with manually extracting aggregated names and then repeated testing if the
given random priv-names are included.
** ACCESSCONTORL_MANAGER_HAS_PRIVILEGES : repeated calls to
{{AccessControlManager.hasPrivileges}} for the given randomly selected
privileges
* update oak-docu : {color:#00875A}TODO{color}
> Check if a privilege name is included in a set/array of Privileges obtained
> from AccessControlManager.getPrivileges
> ---
>
> Key: OAK-9494
> URL: https://issues.apache.org/jira/browse/OAK-9494
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: jackrabbit-api, security
>Reporter: Joerg Hoh
>Assignee: Angela Schreiber
>Priority: Major
> Attachments:
> GetPrivilegeCollectionIncludeNamesTest_ACCESSCONTORL_MANAGER_GET_PRIVILEGE_COLLECTION_20210720_142800.csv,
>
> GetPrivilegeCollectionIncludeNamesTest_ACCESSCONTORL_MANAGER_HAS_PRIVILEGES_20210720_145010.csv,
>
> GetPrivilegeCollectionIncludeNamesTest_JCR_PRIVILEGE_NAME_AGGREGATION_20210720_144405.csv
>
>
> I have a case where I need to check for a session if individual privileges
> are available for a specific node. For performance reasons I want to avoid to
> execute multiple calls to {{accessControlManager.hasPrivilege(...)}}, but get
> all Privileges of that node once and the set various flags based on the
> presene of certain privileges or not.
> I want to use something like this:
> {code}
> Set applicablePrivilegeNames =
> ...(accessControlManager.getPrivileges(path))...
> boolean canAddChildNodes =
> applicablePrivilegeNames.contains(Privilege.JCR_ADD_CHILD_NODES);
> boolean canWrite = applicablePrivilegeNames.contains(Privilege.WRITE);
> {code}
> It should work with aggregates as well.
> Right now it's a bit problematic because {{privilege.getName()}} resolves to
> something like {{jcr:read}}, while the value of {{Privilege.JCR_READ}} is
> {{\{http://www.jcp.org/jcr/1.0}read}}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Resolved] (OAK-9506) Oak Security Documentation : links to Jackrabbit-API point to svn
[ https://issues.apache.org/jira/browse/OAK-9506?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Angela Schreiber resolved OAK-9506. --- Fix Version/s: 1.42.0 Resolution: Fixed 5f241a4426..111c0af140 > Oak Security Documentation : links to Jackrabbit-API point to svn > - > > Key: OAK-9506 > URL: https://issues.apache.org/jira/browse/OAK-9506 > Project: Jackrabbit Oak > Issue Type: Documentation > Components: doc, security >Reporter: Angela Schreiber >Assignee: Angela Schreiber >Priority: Major > Fix For: 1.42.0 > > > with OAK-8339 the Jackrabbit API has been moved to the Oak source but the > links to security related interfaces still point to svn.apache.org. instead > they are now generated with the oak javadoc and links should be adjusted such > that they capture the latest state of the API. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Resolved] (OAK-9494) Check if a privilege name is included in a set/array of Privileges obtained from AccessControlManager.getPrivileges
[
https://issues.apache.org/jira/browse/OAK-9494?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Angela Schreiber resolved OAK-9494.
---
Fix Version/s: 1.42.0
Resolution: Fixed
> Check if a privilege name is included in a set/array of Privileges obtained
> from AccessControlManager.getPrivileges
> ---
>
> Key: OAK-9494
> URL: https://issues.apache.org/jira/browse/OAK-9494
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: jackrabbit-api, security
>Reporter: Joerg Hoh
>Assignee: Angela Schreiber
>Priority: Major
> Fix For: 1.42.0
>
> Attachments:
> GetPrivilegeCollectionIncludeNamesTest_ACCESSCONTORL_MANAGER_GET_PRIVILEGE_COLLECTION_20210720_142800.csv,
>
> GetPrivilegeCollectionIncludeNamesTest_ACCESSCONTORL_MANAGER_HAS_PRIVILEGES_20210720_145010.csv,
>
> GetPrivilegeCollectionIncludeNamesTest_JCR_PRIVILEGE_NAME_AGGREGATION_20210720_144405.csv
>
>
> I have a case where I need to check for a session if individual privileges
> are available for a specific node. For performance reasons I want to avoid to
> execute multiple calls to {{accessControlManager.hasPrivilege(...)}}, but get
> all Privileges of that node once and the set various flags based on the
> presene of certain privileges or not.
> I want to use something like this:
> {code}
> Set applicablePrivilegeNames =
> ...(accessControlManager.getPrivileges(path))...
> boolean canAddChildNodes =
> applicablePrivilegeNames.contains(Privilege.JCR_ADD_CHILD_NODES);
> boolean canWrite = applicablePrivilegeNames.contains(Privilege.WRITE);
> {code}
> It should work with aggregates as well.
> Right now it's a bit problematic because {{privilege.getName()}} resolves to
> something like {{jcr:read}}, while the value of {{Privilege.JCR_READ}} is
> {{\{http://www.jcp.org/jcr/1.0}read}}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (OAK-9494) Check if a privilege name is included in a set/array of Privileges obtained from AccessControlManager.getPrivileges
[
https://issues.apache.org/jira/browse/OAK-9494?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17384784#comment-17384784
]
Angela Schreiber commented on OAK-9494:
---
[~joerghoh], the new methods will be available with Oak 1.42.0. if you see need
for additional methods on {{PrivilegeCollection}} please create a separate
improvement.
> Check if a privilege name is included in a set/array of Privileges obtained
> from AccessControlManager.getPrivileges
> ---
>
> Key: OAK-9494
> URL: https://issues.apache.org/jira/browse/OAK-9494
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: jackrabbit-api, security
>Reporter: Joerg Hoh
>Assignee: Angela Schreiber
>Priority: Major
> Fix For: 1.42.0
>
> Attachments:
> GetPrivilegeCollectionIncludeNamesTest_ACCESSCONTORL_MANAGER_GET_PRIVILEGE_COLLECTION_20210720_142800.csv,
>
> GetPrivilegeCollectionIncludeNamesTest_ACCESSCONTORL_MANAGER_HAS_PRIVILEGES_20210720_145010.csv,
>
> GetPrivilegeCollectionIncludeNamesTest_JCR_PRIVILEGE_NAME_AGGREGATION_20210720_144405.csv
>
>
> I have a case where I need to check for a session if individual privileges
> are available for a specific node. For performance reasons I want to avoid to
> execute multiple calls to {{accessControlManager.hasPrivilege(...)}}, but get
> all Privileges of that node once and the set various flags based on the
> presene of certain privileges or not.
> I want to use something like this:
> {code}
> Set applicablePrivilegeNames =
> ...(accessControlManager.getPrivileges(path))...
> boolean canAddChildNodes =
> applicablePrivilegeNames.contains(Privilege.JCR_ADD_CHILD_NODES);
> boolean canWrite = applicablePrivilegeNames.contains(Privilege.WRITE);
> {code}
> It should work with aggregates as well.
> Right now it's a bit problematic because {{privilege.getName()}} resolves to
> something like {{jcr:read}}, while the value of {{Privilege.JCR_READ}} is
> {{\{http://www.jcp.org/jcr/1.0}read}}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Created] (OAK-9508) Duplicate code blocks in authorization modules
Angela Schreiber created OAK-9508: - Summary: Duplicate code blocks in authorization modules Key: OAK-9508 URL: https://issues.apache.org/jira/browse/OAK-9508 Project: Jackrabbit Oak Issue Type: Improvement Components: authorization-principalbased, core, security-spi Reporter: Angela Schreiber Assignee: Angela Schreiber there area few duplicate code blocks across oak authorization modules. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Resolved] (OAK-9508) Duplicate code blocks in authorization modules
[ https://issues.apache.org/jira/browse/OAK-9508?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Angela Schreiber resolved OAK-9508. --- Fix Version/s: 1.42.0 Resolution: Fixed rev 111c0af140..7d522cc9fe > Duplicate code blocks in authorization modules > -- > > Key: OAK-9508 > URL: https://issues.apache.org/jira/browse/OAK-9508 > Project: Jackrabbit Oak > Issue Type: Improvement > Components: authorization-principalbased, core, security-spi >Reporter: Angela Schreiber >Assignee: Angela Schreiber >Priority: Minor > Fix For: 1.42.0 > > > there area few duplicate code blocks across oak authorization modules. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (OAK-9509) Enable minimum line and branch test coverage for oak-jcr
Angela Schreiber created OAK-9509:
-
Summary: Enable minimum line and branch test coverage for oak-jcr
Key: OAK-9509
URL: https://issues.apache.org/jira/browse/OAK-9509
Project: Jackrabbit Oak
Issue Type: Improvement
Components: jcr
Reporter: Angela Schreiber
Assignee: Angela Schreiber
today _jacoco-maven-plugin_ is skipped in _oak-jcr_ and thus doesn't record
line/branch coverage. i would suggest to enable it by default. as of now line
coverage is 72%, branch coverage is 60%.
[~mreutegg], unless you have any concerns i would go ahead and add the 2
properties to the pom.xml:
{code}
false
0.72
0.60
{code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (OAK-9509) Enable minimum line and branch test coverage for oak-jcr
[
https://issues.apache.org/jira/browse/OAK-9509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17385334#comment-17385334
]
Angela Schreiber commented on OAK-9509:
---
[~mreutegg], thanks.
fixed rev. 7d522cc9fe..a3fb5f1db7
> Enable minimum line and branch test coverage for oak-jcr
>
>
> Key: OAK-9509
> URL: https://issues.apache.org/jira/browse/OAK-9509
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: jcr
>Reporter: Angela Schreiber
>Assignee: Angela Schreiber
>Priority: Minor
>
> today _jacoco-maven-plugin_ is skipped in _oak-jcr_ and thus doesn't record
> line/branch coverage. i would suggest to enable it by default. as of now line
> coverage is 72%, branch coverage is 60%.
> [~mreutegg], unless you have any concerns i would go ahead and add the 2
> properties to the pom.xml:
> {code}
> false
> 0.72
> 0.60
> {code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Resolved] (OAK-9509) Enable minimum line and branch test coverage for oak-jcr
[
https://issues.apache.org/jira/browse/OAK-9509?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Angela Schreiber resolved OAK-9509.
---
Fix Version/s: 1.42.0
Resolution: Fixed
> Enable minimum line and branch test coverage for oak-jcr
>
>
> Key: OAK-9509
> URL: https://issues.apache.org/jira/browse/OAK-9509
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: jcr
>Reporter: Angela Schreiber
>Assignee: Angela Schreiber
>Priority: Minor
> Fix For: 1.42.0
>
>
> today _jacoco-maven-plugin_ is skipped in _oak-jcr_ and thus doesn't record
> line/branch coverage. i would suggest to enable it by default. as of now line
> coverage is 72%, branch coverage is 60%.
> [~mreutegg], unless you have any concerns i would go ahead and add the 2
> properties to the pom.xml:
> {code}
> false
> 0.72
> 0.60
> {code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (OAK-9509) Enable minimum line and branch test coverage for oak-jcr
[
https://issues.apache.org/jira/browse/OAK-9509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17385355#comment-17385355
]
Angela Schreiber commented on OAK-9509:
---
[~mreutegg], oh. rats i will take a look and fix it.
> Enable minimum line and branch test coverage for oak-jcr
>
>
> Key: OAK-9509
> URL: https://issues.apache.org/jira/browse/OAK-9509
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: jcr
>Reporter: Angela Schreiber
>Assignee: Angela Schreiber
>Priority: Minor
> Fix For: 1.42.0
>
>
> today _jacoco-maven-plugin_ is skipped in _oak-jcr_ and thus doesn't record
> line/branch coverage. i would suggest to enable it by default. as of now line
> coverage is 72%, branch coverage is 60%.
> [~mreutegg], unless you have any concerns i would go ahead and add the 2
> properties to the pom.xml:
> {code}
> false
> 0.72
> 0.60
> {code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Comment Edited] (OAK-9509) Enable minimum line and branch test coverage for oak-jcr
[
https://issues.apache.org/jira/browse/OAK-9509?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17385355#comment-17385355
]
Angela Schreiber edited comment on OAK-9509 at 7/22/21, 8:58 AM:
-
[~mreutegg], oh. rats i will take a look and fix it.
rev. a3fb5f1db7..8634b87b9f : lowered required branch-coverage to the value
reported by jenkins. i planned to cleanup the security related pieces in the
delegate package and add some more tests there in a separate ticket. so, will
keep an eye on it.
was (Author: anchela):
[~mreutegg], oh. rats i will take a look and fix it.
> Enable minimum line and branch test coverage for oak-jcr
>
>
> Key: OAK-9509
> URL: https://issues.apache.org/jira/browse/OAK-9509
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: jcr
>Reporter: Angela Schreiber
>Assignee: Angela Schreiber
>Priority: Minor
> Fix For: 1.42.0
>
>
> today _jacoco-maven-plugin_ is skipped in _oak-jcr_ and thus doesn't record
> line/branch coverage. i would suggest to enable it by default. as of now line
> coverage is 72%, branch coverage is 60%.
> [~mreutegg], unless you have any concerns i would go ahead and add the 2
> properties to the pom.xml:
> {code}
> false
> 0.72
> 0.60
> {code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Resolved] (OAK-9509) Enable minimum line and branch test coverage for oak-jcr
[
https://issues.apache.org/jira/browse/OAK-9509?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Angela Schreiber resolved OAK-9509.
---
Resolution: Fixed
with slighly lower branch coverage
https://ci-builds.apache.org/blue/organizations/jenkins/Jackrabbit%2Foak-trunk-pr/detail/trunk/17/pipeline/50
passed.
> Enable minimum line and branch test coverage for oak-jcr
>
>
> Key: OAK-9509
> URL: https://issues.apache.org/jira/browse/OAK-9509
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: jcr
>Reporter: Angela Schreiber
>Assignee: Angela Schreiber
>Priority: Minor
> Fix For: 1.42.0
>
>
> today _jacoco-maven-plugin_ is skipped in _oak-jcr_ and thus doesn't record
> line/branch coverage. i would suggest to enable it by default. as of now line
> coverage is 72%, branch coverage is 60%.
> [~mreutegg], unless you have any concerns i would go ahead and add the 2
> properties to the pom.xml:
> {code}
> false
> 0.72
> 0.60
> {code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Commented] (OAK-9505) README and general information in oak-doc refers to svn
[
https://issues.apache.org/jira/browse/OAK-9505?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17385498#comment-17385498
]
Angela Schreiber commented on OAK-9505:
---
[~mreutegg], thanks for taking a look what about the other parts like
participating.md et.al. i listed above?
> README and general information in oak-doc refers to svn
>
>
> Key: OAK-9505
> URL: https://issues.apache.org/jira/browse/OAK-9505
> Project: Jackrabbit Oak
> Issue Type: Documentation
> Components: doc
>Reporter: Angela Schreiber
>Priority: Major
>
> [~mreutegg], following the move to git, the README.md of _oak-doc_ also needs
> a bit of attention. it still refers to svn checkout/commit.
> while searching for outdated security related links, additionally spotted:
> - participating.md : {{The latest Oak sources are available for checkout from
> [svn][1]}}
> - roadmap.md : {{releases directly from
> [trunk](https://svn.apache.org/repos/asf/jackrabbit/oak/trunk/):}}
> - branching.md :
> {{-DbranchBase=https://svn.apache.org/repos/asf/jackrabbit/oak/branches \}}
> - pom.xml :
> {{scm:svn:https://svn.apache.org/repos/asf/jackrabbit/site/live/oak/docs}}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Updated] (OAK-9511) Improvements to security related Delegators in org.apache.jackrabbit.oak.jcr.delegate
[
https://issues.apache.org/jira/browse/OAK-9511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Angela Schreiber updated OAK-9511:
--
Labels: technical_debt (was: )
> Improvements to security related Delegators in
> org.apache.jackrabbit.oak.jcr.delegate
> -
>
> Key: OAK-9511
> URL: https://issues.apache.org/jira/browse/OAK-9511
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: jcr
>Reporter: Angela Schreiber
>Assignee: Angela Schreiber
>Priority: Minor
> Labels: technical_debt
>
> the security related Delegator classes in
> _org.apache.jackrabbit.oak.jcr.delegate_ deserve a bit of housekeeping.
> while doing so i spotted that the param validation in the
> {{UserManagerDelegator}} constructor throws {{IllegalStateException}} instead
> of {{IllegalArgumentException}}.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Created] (OAK-9511) Improvements to security related Delegators in org.apache.jackrabbit.oak.jcr.delegate
Angela Schreiber created OAK-9511:
-
Summary: Improvements to security related Delegators in
org.apache.jackrabbit.oak.jcr.delegate
Key: OAK-9511
URL: https://issues.apache.org/jira/browse/OAK-9511
Project: Jackrabbit Oak
Issue Type: Improvement
Components: jcr
Reporter: Angela Schreiber
Assignee: Angela Schreiber
the security related Delegator classes in
_org.apache.jackrabbit.oak.jcr.delegate_ deserve a bit of housekeeping.
while doing so i spotted that the param validation in the
{{UserManagerDelegator}} constructor throws {{IllegalStateException}} instead
of {{IllegalArgumentException}}.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Updated] (OAK-9508) Duplicate code blocks in authorization modules
[ https://issues.apache.org/jira/browse/OAK-9508?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Angela Schreiber updated OAK-9508: -- Labels: technical_debt (was: ) > Duplicate code blocks in authorization modules > -- > > Key: OAK-9508 > URL: https://issues.apache.org/jira/browse/OAK-9508 > Project: Jackrabbit Oak > Issue Type: Improvement > Components: authorization-principalbased, core, security-spi >Reporter: Angela Schreiber >Assignee: Angela Schreiber >Priority: Minor > Labels: technical_debt > Fix For: 1.42.0 > > > there area few duplicate code blocks across oak authorization modules. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (OAK-9509) Enable minimum line and branch test coverage for oak-jcr
[
https://issues.apache.org/jira/browse/OAK-9509?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Angela Schreiber updated OAK-9509:
--
Labels: technical_debt (was: )
> Enable minimum line and branch test coverage for oak-jcr
>
>
> Key: OAK-9509
> URL: https://issues.apache.org/jira/browse/OAK-9509
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: jcr
>Reporter: Angela Schreiber
>Assignee: Angela Schreiber
>Priority: Minor
> Labels: technical_debt
> Fix For: 1.42.0
>
>
> today _jacoco-maven-plugin_ is skipped in _oak-jcr_ and thus doesn't record
> line/branch coverage. i would suggest to enable it by default. as of now line
> coverage is 72%, branch coverage is 60%.
> [~mreutegg], unless you have any concerns i would go ahead and add the 2
> properties to the pom.xml:
> {code}
> false
> 0.72
> 0.60
> {code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Updated] (OAK-9507) link to PrincipalProvider points to wrong resource
[
https://issues.apache.org/jira/browse/OAK-9507?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Angela Schreiber updated OAK-9507:
--
Labels: technical_debt (was: )
> link to PrincipalProvider points to wrong resource
> --
>
> Key: OAK-9507
> URL: https://issues.apache.org/jira/browse/OAK-9507
> Project: Jackrabbit Oak
> Issue Type: Documentation
> Components: doc
>Reporter: Angela Schreiber
>Assignee: Angela Schreiber
>Priority: Major
> Labels: technical_debt
> Fix For: 1.42.0
>
>
> on https://jackrabbit.apache.org/oak/docs/security/principal/differences.html
> the link to the {{PrincipalProvider}} points to the {{PrincipalManager}}.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Updated] (OAK-9506) Oak Security Documentation : links to Jackrabbit-API point to svn
[ https://issues.apache.org/jira/browse/OAK-9506?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Angela Schreiber updated OAK-9506: -- Labels: technical_debt (was: ) > Oak Security Documentation : links to Jackrabbit-API point to svn > - > > Key: OAK-9506 > URL: https://issues.apache.org/jira/browse/OAK-9506 > Project: Jackrabbit Oak > Issue Type: Documentation > Components: doc, security >Reporter: Angela Schreiber >Assignee: Angela Schreiber >Priority: Major > Labels: technical_debt > Fix For: 1.42.0 > > > with OAK-8339 the Jackrabbit API has been moved to the Oak source but the > links to security related interfaces still point to svn.apache.org. instead > they are now generated with the oak javadoc and links should be adjusted such > that they capture the latest state of the API. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (OAK-9492) UserInitializer: info property of 'principalName' index not accurate
[ https://issues.apache.org/jira/browse/OAK-9492?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Angela Schreiber updated OAK-9492: -- Labels: technical_debt (was: ) > UserInitializer: info property of 'principalName' index not accurate > > > Key: OAK-9492 > URL: https://issues.apache.org/jira/browse/OAK-9492 > Project: Jackrabbit Oak > Issue Type: Improvement > Components: core >Reporter: Angela Schreiber >Assignee: Angela Schreiber >Priority: Trivial > Labels: technical_debt > Fix For: 1.42.0 > > > the description of the 'principalName' index definition stored in the 'info' > property is IMHO misleading. > [~thomasm], do you recall what your intention was when stating _if it was > constructed manually_? that sounds a bit odd as the rep:principalName > property is always defined when a new user/group is created through the API. > on JCR level users/groups cannot be created manually using regular write > operations due to the protected nature some properties. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (OAK-9474) User Filter for SyncConfigTracker to limit respected references
[
https://issues.apache.org/jira/browse/OAK-9474?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Angela Schreiber updated OAK-9474:
--
Labels: technical_debt (was: )
> User Filter for SyncConfigTracker to limit respected references
>
>
> Key: OAK-9474
> URL: https://issues.apache.org/jira/browse/OAK-9474
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: auth-external
>Reporter: Angela Schreiber
>Assignee: Angela Schreiber
>Priority: Major
> Labels: technical_debt
>
> while reviewing the proposed changes for OAK-9462 [~kpauls] noticed that
> {{SyncConfigTracker#hasDynamicMembership}} could be simplified by introducing
> a filter to the service tracking. consequently only synchandler-references
> that have dynamic-membership enabled would be tracked.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Updated] (OAK-9316) Reduce complexity in ExternalGroupPrincipalProvider
[
https://issues.apache.org/jira/browse/OAK-9316?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Angela Schreiber updated OAK-9316:
--
Labels: technical_debt (was: )
> Reduce complexity in ExternalGroupPrincipalProvider
> ---
>
> Key: OAK-9316
> URL: https://issues.apache.org/jira/browse/OAK-9316
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: auth-external
>Reporter: Angela Schreiber
>Priority: Minor
> Labels: technical_debt
> Fix For: 1.38.0
>
>
> improve readability and maintainability of {{ExternalGroupPrincipalProvider}}
> by reducing complexity.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Updated] (OAK-9406) Minor improvements to oak-auth-external
[ https://issues.apache.org/jira/browse/OAK-9406?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Angela Schreiber updated OAK-9406: -- Labels: technical_debt (was: ) > Minor improvements to oak-auth-external > --- > > Key: OAK-9406 > URL: https://issues.apache.org/jira/browse/OAK-9406 > Project: Jackrabbit Oak > Issue Type: Improvement > Components: auth-external >Reporter: Angela Schreiber >Assignee: Angela Schreiber >Priority: Minor > Labels: technical_debt > Fix For: 1.40.0 > > > there are a couple of minor improvements for oak-auth-external code base > - private fields could be final > - unused imports > - unused log fields > - trivial code simplifications -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (OAK-9314) Broken javadoc link with ExternalGroupPrincipalProvider#findPrincipals
[ https://issues.apache.org/jira/browse/OAK-9314?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Angela Schreiber updated OAK-9314: -- Labels: technical_debt (was: ) > Broken javadoc link with ExternalGroupPrincipalProvider#findPrincipals > -- > > Key: OAK-9314 > URL: https://issues.apache.org/jira/browse/OAK-9314 > Project: Jackrabbit Oak > Issue Type: Bug > Components: auth-external >Reporter: Angela Schreiber >Priority: Minor > Labels: technical_debt > Fix For: 1.38.0 > > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (OAK-9407) Reduce complexity in ExternalLoginModule
[ https://issues.apache.org/jira/browse/OAK-9407?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Angela Schreiber updated OAK-9407: -- Labels: technical_debt (was: ) > Reduce complexity in ExternalLoginModule > > > Key: OAK-9407 > URL: https://issues.apache.org/jira/browse/OAK-9407 > Project: Jackrabbit Oak > Issue Type: Improvement > Components: auth-external >Reporter: Angela Schreiber >Assignee: Angela Schreiber >Priority: Major > Labels: technical_debt > Fix For: 1.40.0 > > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Resolved] (OAK-9511) Improvements to security related Delegators in org.apache.jackrabbit.oak.jcr.delegate
[
https://issues.apache.org/jira/browse/OAK-9511?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Angela Schreiber resolved OAK-9511.
---
Fix Version/s: 1.42.0
Resolution: Fixed
fixed rev. 6a31283862..36f9c2395b including some additional unit-tests.
> Improvements to security related Delegators in
> org.apache.jackrabbit.oak.jcr.delegate
> -
>
> Key: OAK-9511
> URL: https://issues.apache.org/jira/browse/OAK-9511
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: jcr
>Reporter: Angela Schreiber
>Assignee: Angela Schreiber
>Priority: Minor
> Labels: technical_debt
> Fix For: 1.42.0
>
>
> the security related Delegator classes in
> _org.apache.jackrabbit.oak.jcr.delegate_ deserve a bit of housekeeping.
> while doing so i spotted that the param validation in the
> {{UserManagerDelegator}} constructor throws {{IllegalStateException}} instead
> of {{IllegalArgumentException}}.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Updated] (OAK-9474) Use Filter for SyncConfigTracker to limit respected references
[
https://issues.apache.org/jira/browse/OAK-9474?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Angela Schreiber updated OAK-9474:
--
Summary: Use Filter for SyncConfigTracker to limit respected references
(was: User Filter for SyncConfigTracker to limit respected references )
> Use Filter for SyncConfigTracker to limit respected references
> ---
>
> Key: OAK-9474
> URL: https://issues.apache.org/jira/browse/OAK-9474
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: auth-external
>Reporter: Angela Schreiber
>Assignee: Angela Schreiber
>Priority: Major
> Labels: technical_debt
>
> while reviewing the proposed changes for OAK-9462 [~kpauls] noticed that
> {{SyncConfigTracker#hasDynamicMembership}} could be simplified by introducing
> a filter to the service tracking. consequently only synchandler-references
> that have dynamic-membership enabled would be tracked.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Created] (OAK-9512) PrefixPattern.matches(String) always returns false
Angela Schreiber created OAK-9512: - Summary: PrefixPattern.matches(String) always returns false Key: OAK-9512 URL: https://issues.apache.org/jira/browse/OAK-9512 Project: Jackrabbit Oak Issue Type: Bug Components: core, security Reporter: Angela Schreiber Assignee: Angela Schreiber Fix For: 1.42.0 instead of evaluating the prefix of the last segment the method always returns false, which is probably a copy-paste mistake (as the comment/log output suggests). -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (OAK-9513) PrefixPattern ignores empty namespace perfix
Angela Schreiber created OAK-9513:
-
Summary: PrefixPattern ignores empty namespace perfix
Key: OAK-9513
URL: https://issues.apache.org/jira/browse/OAK-9513
Project: Jackrabbit Oak
Issue Type: Bug
Components: core, security
Reporter: Angela Schreiber
Assignee: Angela Schreiber
JCR defines an empty namespace with an empty prefix which applies to all item
names that just consist of a local name:
{quote]
3.2.5.3 Qualified Form with the Empty Namespace
The qualified form of a name (““, L) (i.e., with the empty string as namespace)
is not written as :L but simply as L. The former is not a valid qualified JCR
name.
{quote}
while the {{PrefixPattern}} doesn't prevent the empty prefix to be defined as a
prefix, it currently skips evaluation if prefix of the name to be evaluated is
empty.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Updated] (OAK-9513) PrefixPattern ignores empty namespace perfix
[
https://issues.apache.org/jira/browse/OAK-9513?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Angela Schreiber updated OAK-9513:
--
Description:
JCR defines an empty namespace with an empty prefix which applies to all item
names that just consist of a local name:
{quote}
3.2.5.3 Qualified Form with the Empty Namespace
The qualified form of a name (““, L) (i.e., with the empty string as namespace)
is not written as :L but simply as L. The former is not a valid qualified JCR
name.
{quote}
while the {{PrefixPattern}} doesn't prevent the empty prefix to be defined as a
prefix, it currently skips evaluation if prefix of the name to be evaluated is
empty.
was:
JCR defines an empty namespace with an empty prefix which applies to all item
names that just consist of a local name:
{quote]
3.2.5.3 Qualified Form with the Empty Namespace
The qualified form of a name (““, L) (i.e., with the empty string as namespace)
is not written as :L but simply as L. The former is not a valid qualified JCR
name.
{quote}
while the {{PrefixPattern}} doesn't prevent the empty prefix to be defined as a
prefix, it currently skips evaluation if prefix of the name to be evaluated is
empty.
> PrefixPattern ignores empty namespace perfix
>
>
> Key: OAK-9513
> URL: https://issues.apache.org/jira/browse/OAK-9513
> Project: Jackrabbit Oak
> Issue Type: Bug
> Components: core, security
>Reporter: Angela Schreiber
>Assignee: Angela Schreiber
>Priority: Minor
>
> JCR defines an empty namespace with an empty prefix which applies to all item
> names that just consist of a local name:
> {quote}
> 3.2.5.3 Qualified Form with the Empty Namespace
> The qualified form of a name (““, L) (i.e., with the empty string as
> namespace) is not written as :L but simply as L. The former is not a valid
> qualified JCR name.
> {quote}
> while the {{PrefixPattern}} doesn't prevent the empty prefix to be defined as
> a prefix, it currently skips evaluation if prefix of the name to be evaluated
> is empty.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Created] (OAK-9514) Add RestrictionPattern.matches(@NotNull String path, boolean isProperty)
Angela Schreiber created OAK-9514:
-
Summary: Add RestrictionPattern.matches(@NotNull String path,
boolean isProperty)
Key: OAK-9514
URL: https://issues.apache.org/jira/browse/OAK-9514
Project: Jackrabbit Oak
Issue Type: Improvement
Components: core, security-spi
Reporter: Angela Schreiber
Assignee: Angela Schreiber
the existing method {{RestrictionPattern.matches(@NotNull String path}} doesn't
allow to indicate to the restriction evaluation if the path points to a node or
property. while this makes sense for cases where the nature of the target item
is not known, there are usages of the method throughout oak where the type of
the target item is known (e.g. evaluations for a parent path). for those case
it would be preferrable to call {{RestrictionPattern.matches(@NotNull String
path, boolean isProperty)}}.
For backwards compatibility the new method should come with a default e.g.
falling back to {{RestrictionPattern.matches(@NotNull String path}}.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Resolved] (OAK-9513) PrefixPattern ignores empty namespace perfix
[
https://issues.apache.org/jira/browse/OAK-9513?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Angela Schreiber resolved OAK-9513.
---
Fix Version/s: 1.42.0
Resolution: Fixed
rev. 36f9c2395b..eda02347fc
> PrefixPattern ignores empty namespace perfix
>
>
> Key: OAK-9513
> URL: https://issues.apache.org/jira/browse/OAK-9513
> Project: Jackrabbit Oak
> Issue Type: Bug
> Components: core, security
>Reporter: Angela Schreiber
>Assignee: Angela Schreiber
>Priority: Minor
> Fix For: 1.42.0
>
>
> JCR defines an empty namespace with an empty prefix which applies to all item
> names that just consist of a local name:
> {quote}
> 3.2.5.3 Qualified Form with the Empty Namespace
> The qualified form of a name (““, L) (i.e., with the empty string as
> namespace) is not written as :L but simply as L. The former is not a valid
> qualified JCR name.
> {quote}
> while the {{PrefixPattern}} doesn't prevent the empty prefix to be defined as
> a prefix, it currently skips evaluation if prefix of the name to be evaluated
> is empty.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Resolved] (OAK-9514) Add RestrictionPattern.matches(@NotNull String path, boolean isProperty)
[
https://issues.apache.org/jira/browse/OAK-9514?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Angela Schreiber resolved OAK-9514.
---
Fix Version/s: 1.42.0
Resolution: Fixed
rev. 36f9c2395b..eda02347fc
> Add RestrictionPattern.matches(@NotNull String path, boolean isProperty)
>
>
> Key: OAK-9514
> URL: https://issues.apache.org/jira/browse/OAK-9514
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: core, security-spi
>Reporter: Angela Schreiber
>Assignee: Angela Schreiber
>Priority: Major
> Fix For: 1.42.0
>
>
> the existing method {{RestrictionPattern.matches(@NotNull String path}}
> doesn't allow to indicate to the restriction evaluation if the path points to
> a node or property. while this makes sense for cases where the nature of the
> target item is not known, there are usages of the method throughout oak where
> the type of the target item is known (e.g. evaluations for a parent path).
> for those case it would be preferrable to call
> {{RestrictionPattern.matches(@NotNull String path, boolean isProperty)}}.
> For backwards compatibility the new method should come with a default e.g.
> falling back to {{RestrictionPattern.matches(@NotNull String path}}.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Reopened] (OAK-9514) Add RestrictionPattern.matches(@NotNull String path, boolean isProperty)
[
https://issues.apache.org/jira/browse/OAK-9514?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Angela Schreiber reopened OAK-9514:
---
> Add RestrictionPattern.matches(@NotNull String path, boolean isProperty)
>
>
> Key: OAK-9514
> URL: https://issues.apache.org/jira/browse/OAK-9514
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: core, security-spi
>Reporter: Angela Schreiber
>Assignee: Angela Schreiber
>Priority: Major
> Fix For: 1.42.0
>
>
> the existing method {{RestrictionPattern.matches(@NotNull String path}}
> doesn't allow to indicate to the restriction evaluation if the path points to
> a node or property. while this makes sense for cases where the nature of the
> target item is not known, there are usages of the method throughout oak where
> the type of the target item is known (e.g. evaluations for a parent path).
> for those case it would be preferrable to call
> {{RestrictionPattern.matches(@NotNull String path, boolean isProperty)}}.
> For backwards compatibility the new method should come with a default e.g.
> falling back to {{RestrictionPattern.matches(@NotNull String path}}.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Issue Comment Deleted] (OAK-9514) Add RestrictionPattern.matches(@NotNull String path, boolean isProperty)
[
https://issues.apache.org/jira/browse/OAK-9514?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Angela Schreiber updated OAK-9514:
--
Comment: was deleted
(was: rev. 36f9c2395b..eda02347fc)
> Add RestrictionPattern.matches(@NotNull String path, boolean isProperty)
>
>
> Key: OAK-9514
> URL: https://issues.apache.org/jira/browse/OAK-9514
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: core, security-spi
>Reporter: Angela Schreiber
>Assignee: Angela Schreiber
>Priority: Major
> Fix For: 1.42.0
>
>
> the existing method {{RestrictionPattern.matches(@NotNull String path}}
> doesn't allow to indicate to the restriction evaluation if the path points to
> a node or property. while this makes sense for cases where the nature of the
> target item is not known, there are usages of the method throughout oak where
> the type of the target item is known (e.g. evaluations for a parent path).
> for those case it would be preferrable to call
> {{RestrictionPattern.matches(@NotNull String path, boolean isProperty)}}.
> For backwards compatibility the new method should come with a default e.g.
> falling back to {{RestrictionPattern.matches(@NotNull String path}}.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Resolved] (OAK-9512) PrefixPattern.matches(String) always returns false
[ https://issues.apache.org/jira/browse/OAK-9512?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Angela Schreiber resolved OAK-9512. --- Resolution: Fixed rev. 36f9c2395b..eda02347fc > PrefixPattern.matches(String) always returns false > -- > > Key: OAK-9512 > URL: https://issues.apache.org/jira/browse/OAK-9512 > Project: Jackrabbit Oak > Issue Type: Bug > Components: core, security >Reporter: Angela Schreiber >Assignee: Angela Schreiber >Priority: Minor > Fix For: 1.42.0 > > > instead of evaluating the prefix of the last segment the method always > returns false, which is probably a copy-paste mistake (as the comment/log > output suggests). -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (OAK-9514) Add RestrictionPattern.matches(@NotNull String path, boolean isProperty)
[
https://issues.apache.org/jira/browse/OAK-9514?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Angela Schreiber updated OAK-9514:
--
Fix Version/s: (was: 1.42.0)
> Add RestrictionPattern.matches(@NotNull String path, boolean isProperty)
>
>
> Key: OAK-9514
> URL: https://issues.apache.org/jira/browse/OAK-9514
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: core, security-spi
>Reporter: Angela Schreiber
>Assignee: Angela Schreiber
>Priority: Major
>
> the existing method {{RestrictionPattern.matches(@NotNull String path}}
> doesn't allow to indicate to the restriction evaluation if the path points to
> a node or property. while this makes sense for cases where the nature of the
> target item is not known, there are usages of the method throughout oak where
> the type of the target item is known (e.g. evaluations for a parent path).
> for those case it would be preferrable to call
> {{RestrictionPattern.matches(@NotNull String path, boolean isProperty)}}.
> For backwards compatibility the new method should come with a default e.g.
> falling back to {{RestrictionPattern.matches(@NotNull String path}}.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Resolved] (OAK-9514) Add RestrictionPattern.matches(@NotNull String path, boolean isProperty)
[
https://issues.apache.org/jira/browse/OAK-9514?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Angela Schreiber resolved OAK-9514.
---
Fix Version/s: 1.42.0
Resolution: Fixed
rev. eda02347fc..65ef6569aa
> Add RestrictionPattern.matches(@NotNull String path, boolean isProperty)
>
>
> Key: OAK-9514
> URL: https://issues.apache.org/jira/browse/OAK-9514
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: core, security-spi
>Reporter: Angela Schreiber
>Assignee: Angela Schreiber
>Priority: Major
> Fix For: 1.42.0
>
>
> the existing method {{RestrictionPattern.matches(@NotNull String path}}
> doesn't allow to indicate to the restriction evaluation if the path points to
> a node or property. while this makes sense for cases where the nature of the
> target item is not known, there are usages of the method throughout oak where
> the type of the target item is known (e.g. evaluations for a parent path).
> for those case it would be preferrable to call
> {{RestrictionPattern.matches(@NotNull String path, boolean isProperty)}}.
> For backwards compatibility the new method should come with a default e.g.
> falling back to {{RestrictionPattern.matches(@NotNull String path}}.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Created] (OAK-9516) minor improvement to oak-authorization-principalbased
Angela Schreiber created OAK-9516: - Summary: minor improvement to oak-authorization-principalbased Key: OAK-9516 URL: https://issues.apache.org/jira/browse/OAK-9516 Project: Jackrabbit Oak Issue Type: Improvement Components: authorization-principalbased Reporter: Angela Schreiber Assignee: Angela Schreiber Fix For: 1.42.0 - unused imports - unused log fields - private methods that could be static - guava functions can be replaced by lambda or reference - redundant throws in tests - redundant local fields in tests - a few obvious mistakes in tests - typos -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Resolved] (OAK-9516) minor improvement to oak-authorization-principalbased
[ https://issues.apache.org/jira/browse/OAK-9516?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Angela Schreiber resolved OAK-9516. --- Resolution: Fixed rev. 65ef6569aa..47cd655ecf > minor improvement to oak-authorization-principalbased > - > > Key: OAK-9516 > URL: https://issues.apache.org/jira/browse/OAK-9516 > Project: Jackrabbit Oak > Issue Type: Improvement > Components: authorization-principalbased >Reporter: Angela Schreiber >Assignee: Angela Schreiber >Priority: Trivial > Fix For: 1.42.0 > > > - unused imports > - unused log fields > - private methods that could be static > - guava functions can be replaced by lambda or reference > - redundant throws in tests > - redundant local fields in tests > - a few obvious mistakes in tests > - typos -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (OAK-9518) Investigate reducing NodeStore access for permissions defined in immutable mounts
[
https://issues.apache.org/jira/browse/OAK-9518?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Angela Schreiber updated OAK-9518:
--
Summary: Investigate reducing NodeStore access for permissions defined in
immutable mounts (was: Investigate caching of permissions defined in immutable
mounts)
> Investigate reducing NodeStore access for permissions defined in immutable
> mounts
> -
>
> Key: OAK-9518
> URL: https://issues.apache.org/jira/browse/OAK-9518
> Project: Jackrabbit Oak
> Issue Type: Improvement
> Components: core, security
>Reporter: Angela Schreiber
>Assignee: Angela Schreiber
>Priority: Major
>
> when running oak with additional immutable mounts, the permission provider
> will come with a composite {{MountPermissionStore}} that loads entries from
> the different mount points.
> while for the mutable default mount reading the latest permission data from
> the {{NodeStore}} is required whenever the cache gets invalidated, this is
> probably not needed for immutable mounts.
> the goal of the this improvement is to investigate if and under which
> circumstances repeated reads for the immutable mounts can/should be prevented
> and measure the impact on overall performance. this includes taking
> potentially huge amounts of permission entries into account and define
> boundaries in case such an improvement was beneficial for mounts with
> relatively few permissions.
> cc: [~rma61...@adobe.com]
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Created] (OAK-9518) Investigate caching of permissions defined in immutable mounts
Angela Schreiber created OAK-9518:
-
Summary: Investigate caching of permissions defined in immutable
mounts
Key: OAK-9518
URL: https://issues.apache.org/jira/browse/OAK-9518
Project: Jackrabbit Oak
Issue Type: Improvement
Components: core, security
Reporter: Angela Schreiber
Assignee: Angela Schreiber
when running oak with additional immutable mounts, the permission provider will
come with a composite {{MountPermissionStore}} that loads entries from the
different mount points.
while for the mutable default mount reading the latest permission data from the
{{NodeStore}} is required whenever the cache gets invalidated, this is probably
not needed for immutable mounts.
the goal of the this improvement is to investigate if and under which
circumstances repeated reads for the immutable mounts can/should be prevented
and measure the impact on overall performance. this includes taking potentially
huge amounts of permission entries into account and define boundaries in case
such an improvement was beneficial for mounts with relatively few permissions.
cc: [~rma61...@adobe.com]
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
[jira] [Resolved] (OAK-2437) 'shallow' access to a node and it's properties
[ https://issues.apache.org/jira/browse/OAK-2437?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Angela Schreiber resolved OAK-2437. --- Fix Version/s: 1.42.0 Resolution: Fixed rev. a3eed2d159..518e28f821 > 'shallow' access to a node and it's properties > -- > > Key: OAK-2437 > URL: https://issues.apache.org/jira/browse/OAK-2437 > Project: Jackrabbit Oak > Issue Type: Improvement > Components: core >Reporter: Armand Planche >Assignee: Angela Schreiber >Priority: Major > Fix For: 1.42.0 > > > in many cases it would be helpful to be able to restrict an access control > entry as 'shallow', so affecting only the corresponding node and it's > properties but not the subnodes (and their properties). > With the empty string glob restriction it's possible to restrict to a node > only, but the properties are not included in this case... -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (OAK-9525) Minor improvements to oak-authorization-cug
Angela Schreiber created OAK-9525: - Summary: Minor improvements to oak-authorization-cug Key: OAK-9525 URL: https://issues.apache.org/jira/browse/OAK-9525 Project: Jackrabbit Oak Issue Type: Improvement Components: authorization-cug Reporter: Angela Schreiber Assignee: Angela Schreiber - reduce complexity - private methods could be static - private fields could be final - unused imports - -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (OAK-9525) Minor improvements to oak-authorization-cug
[ https://issues.apache.org/jira/browse/OAK-9525?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Angela Schreiber updated OAK-9525: -- Labels: tech-debt (was: ) > Minor improvements to oak-authorization-cug > --- > > Key: OAK-9525 > URL: https://issues.apache.org/jira/browse/OAK-9525 > Project: Jackrabbit Oak > Issue Type: Improvement > Components: authorization-cug >Reporter: Angela Schreiber >Assignee: Angela Schreiber >Priority: Minor > Labels: tech-debt > > - reduce complexity > - private methods could be static > - private fields could be final > - unused imports > - -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Resolved] (OAK-9525) Minor improvements to oak-authorization-cug
[ https://issues.apache.org/jira/browse/OAK-9525?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Angela Schreiber resolved OAK-9525. --- Fix Version/s: 1.42.0 Resolution: Fixed rev. 47908d0a74..be2553fe30 > Minor improvements to oak-authorization-cug > --- > > Key: OAK-9525 > URL: https://issues.apache.org/jira/browse/OAK-9525 > Project: Jackrabbit Oak > Issue Type: Improvement > Components: authorization-cug >Reporter: Angela Schreiber >Assignee: Angela Schreiber >Priority: Minor > Labels: tech-debt > Fix For: 1.42.0 > > > - reduce complexity > - private methods could be static > - private fields could be final > - unused imports > - -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (OAK-9526) Incomplete sentence in principalbased_evaluation.md
Angela Schreiber created OAK-9526: - Summary: Incomplete sentence in principalbased_evaluation.md Key: OAK-9526 URL: https://issues.apache.org/jira/browse/OAK-9526 Project: Jackrabbit Oak Issue Type: Documentation Components: docs Reporter: Angela Schreiber Assignee: Angela Schreiber Fix For: 1.42.0 -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (OAK-9526) Incomplete sentence in principalbased_evaluation.md
[ https://issues.apache.org/jira/browse/OAK-9526?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Angela Schreiber updated OAK-9526: -- Labels: tech-debt (was: ) > Incomplete sentence in principalbased_evaluation.md > --- > > Key: OAK-9526 > URL: https://issues.apache.org/jira/browse/OAK-9526 > Project: Jackrabbit Oak > Issue Type: Documentation > Components: docs >Reporter: Angela Schreiber >Assignee: Angela Schreiber >Priority: Minor > Labels: tech-debt > Fix For: 1.42.0 > > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Resolved] (OAK-9526) Incomplete sentence in principalbased_evaluation.md
[ https://issues.apache.org/jira/browse/OAK-9526?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Angela Schreiber resolved OAK-9526. --- Resolution: Fixed rev. be2553fe30..0af8d5da70 > Incomplete sentence in principalbased_evaluation.md > --- > > Key: OAK-9526 > URL: https://issues.apache.org/jira/browse/OAK-9526 > Project: Jackrabbit Oak > Issue Type: Documentation > Components: docs >Reporter: Angela Schreiber >Assignee: Angela Schreiber >Priority: Minor > Labels: tech-debt > Fix For: 1.42.0 > > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (OAK-6756) Convert oak-auth-external to OSGi R6 annotations
[ https://issues.apache.org/jira/browse/OAK-6756?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Angela Schreiber updated OAK-6756: -- Labels: technical_debt (was: ) > Convert oak-auth-external to OSGi R6 annotations > > > Key: OAK-6756 > URL: https://issues.apache.org/jira/browse/OAK-6756 > Project: Jackrabbit Oak > Issue Type: Technical task > Components: auth-external >Reporter: Robert Munteanu >Assignee: Angela Schreiber >Priority: Major > Labels: technical_debt > Attachments: cschneider-OAK-6756.osgi-diff.txt > > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (OAK-9527) Typos in javadoc of security related API
Angela Schreiber created OAK-9527: - Summary: Typos in javadoc of security related API Key: OAK-9527 URL: https://issues.apache.org/jira/browse/OAK-9527 Project: Jackrabbit Oak Issue Type: Improvement Components: jackrabbit-api Reporter: Angela Schreiber Assignee: Angela Schreiber Fix For: 1.42.0 there are a few typos in the security related classes/interfaces in jackrabbit-api -- This message was sent by Atlassian Jira (v8.3.4#803005)
