[ https://issues.apache.org/jira/browse/OAK-10424?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Angela Schreiber resolved OAK-10424. ------------------------------------ Fix Version/s: 1.62.0 Resolution: Fixed hi [~madamcin] , i took the liberty to assign this ticket to you since you have worked on it through multiple iterations. thanks a lot for this contribution! i am going to resolve the ticket now that the changes are merged and resolve the ticket. i am very much looking forward to your next contrib. > Allow Fast Query Size and Insecure Facets to be selectively enabled with > query options for permitted principals > ---------------------------------------------------------------------------------------------------------------- > > Key: OAK-10424 > URL: https://issues.apache.org/jira/browse/OAK-10424 > Project: Jackrabbit Oak > Issue Type: Improvement > Affects Versions: 1.56.0 > Reporter: Mark Adamcin > Assignee: Mark Adamcin > Priority: Major > Labels: query > Fix For: 1.62.0 > > > Setting the global QueryEngineSettingsService.getFastQuerySize() value to > true is currently the only way to allow service users to leverage JCR query > for collecting accurate repository count metrics in a performant way. > However, doing so in a multiuser repository may be inadvisable because the > fast result size is returned to the caller without considering the caller's > read permissions over the paths returned in the result, which may allow less > privileged users to discover the presence of nodes that are not otherwise > visible to them. > See > [https://jackrabbit.apache.org/oak/docs/query/query-engine.html#result-size] > As an alternative to the global setting, Oak should provide a query option > alongside [TRAVERSAL, OFFSET / LIMIT, and INDEX > TAG|https://jackrabbit.apache.org/oak/docs/query/query-engine.html#query-options], > such as "INSECURE RESULT SIZE" . > Similarly, IndexDefinition.SecureFacetConfiguration.MODE.INSECURE (insecure > facets) can provide extremely valuable counts for property value distribution > in large repositories. At the moment, it can only be defined on an index > definition, even though it governs the facet counts at query time and has no > effect on the persisted content of the index at all. Like fastQuerySize, Oak > should provide a query option such as "INSECURE FACETS", for permitted system > users to leverage insecure facets even when the query execution plan uses an > index definition that only allows secure or statistical facet security. > For example, > select a.[jcr:path] from [nt:base] as a where contains(a.[text], 'Hello > World') option(insecure result size, insecure facets, offset 10) > To address the security risk, the application should also provide a > configuration of some kind to restrict the ability to effectively leverage > this option to permitted system users, which could be implemented as a JCR > repository privilege or an allowlist property in the > QueryEngineSettingsService configuration. > I have provided a PR that adds support for an INSECURE RESULT SIZE query > option and an INSECURE FACETS query option, as well as an > "rep:insecureQueryOptions" repository privilege. I think the JCR > privilege-based approach for configuration of this permission is more aligned > with how system users are defined in practice, but this approach requires a > minor version increase in the following oak-security-spi packages: > * org.apache.jackrabbit.oak.spi.security.authorization.permission > * org.apache.jackrabbit.oak.spi.security.privilege > Because all registered permissions are serialized into a long bitset, there > is clearly a premium on adding another built-in privilege, so I figured that > it would be better to choose a name for the privilege that would make it > applicable to both of these new options, and any future query options that > may involve a tradeoff between security and performance. > -- This message was sent by Atlassian Jira (v8.20.10#820010)