[jira] Updated: (SLING-981) A security loader, along the lines of the contentloader to make it possible to populate ACL,s and Authorizables on startup

2009-06-14 Thread Eric Norman (JIRA)

 [ https://issues.apache.org/jira/browse/SLING-981?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Eric Norman updated SLING-981:
--

Attachment: SLING-981_patch.txt

Hi Ian, 

I agree that bootstrapping the principals and security policies is an important 
feature that is missing from Sling.

I've taken a look at your contribution and in my opinion this functionality 
should really be integrated into the base ContentLoader.  I think that would be 
easier to maintain and ensures that the nodes are created before the ACLs.

I've prepared a new patch (attached as SLING-981_patch.txt) that provides the 
same functionality by patching the org.apache.sling.jcr.contentloader bundle.

Also for clarity, I have slightly modified the JSON syntax you had proposed.  
Hopefully there will not be any conflicts with node properties using the new 
reserved names 'security:acl' and 'security:principals'.

The new JSON syntax to create Users and Groups:

{
   "security:principals" : [
      {
         "name":"TestUser1",
         "password":"mypassword",
         "extraProp1":"extraProp1Value"
      },
      {
         "name":"TestGroup1",
         "isgroup":"true",
         "members":["TestUser1"],
         "extraProp1":"extraProp1Value"
      }
   ]
}

And the JSON syntax to create an ACL for the current node:

{
   "security:acl" : [
      {
         "principal" : "TestGroup1",
         "granted" : [
            "jcr:read",
            "jcr:write"
         ]
      },
      {
         "principal" : "TestUser1",
         "granted" : [
            "jcr:read"
         ],
         "denied" : [
            "jcr:write"
         ]
      }
   ]
}

What do you think?


> A security loader, along the lines of the contentloader to make it possible 
> to populate ACL,s and Authorizables on startup
> --
>
> Key: SLING-981
> URL: https://issues.apache.org/jira/browse/SLING-981
> Project: Sling
>  Issue Type: New Feature
>  Components: JCR Contentloader
>Reporter: Ian Boston
> Attachments: securityloader.tgz, SLING-981_patch.txt
>
>
> The small tar to follow allows bundles to include a Sakai-Initial-Security (to 
> be renamed) header in the manifest that points to a json file containing acl 
> and authorizable setup for the repository. This may include users or groups 
> as required by the acl's and the acls. In the form
> {
>    "principals" : [
>       {
>          "name":"owner",
>          "isgroup":"true",
>          "members":[],
>          "dynamic":"true"
>       },
>       {
>          "name":"everyone",
>          "isgroup":"true",
>          "members":[],
>          "dynamic":"true"
>       }
>    ],
>    "acl" : [
>       {
>          "path":"/_private",
>          "principal":"owner",
>          "privil...@jcr:read":"granted",
>          "privil...@jcr:write":"granted"
>       },
>       {
>          "path":"/public",
>          "principal":"owner",
>          "privil...@jcr:read":"granted",
>          "privil...@jcr:write":"granted"
>       },
>       {
>          "path":"/public",
>          "principal":"everyone",
>          "privil...@jcr:read":"granted"
>       }
>    ]
> }
> The code is largely based on the contentloader with quite a bit of copying 
> (ugly sorry), but since it may not be wanted in some installations I feel 
> it's better off in its own bundle. If it's acceptable to have it in all 
> distributions, then obviously it should be a patch to contentloader.
> I looked and asked for this functionality already existing in Sling, but 
> could not find it, hence the patch. If there is a better way of doing the same 
> already in the code base then closing this with "invalid" would be the right 
> thing to do.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
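
An added example, not part of the original messages or of the attached patch: a pre-deployment lint for an initial-content JSON file written in the 'security:principals' / 'security:acl' syntax proposed in the comment above. It assumes nested JSON objects are child nodes and that `known` lists principals already present in the repository; `lint`, `entries` and the node names `content` and `notes` are hypothetical.

```python
import json

RESERVED = ("security:principals", "security:acl")
# Constructed sample in the proposed syntax; "content" and "notes" are hypothetical nodes.
SAMPLE = json.loads("""{
  "security:principals": [
    {"name": "TestUser1", "password": "mypassword"},
    {"name": "TestGroup1", "isgroup": "true", "members": ["TestUser1", "Ghost"]}
  ],
  "content": {
    "security:acl": [
      {"principal": "TestGroup1", "granted": ["jcr:read", "jcr:write"]},
      {"principal": "TestUser1", "granted": ["jcr:read"], "denied": ["jcr:read"]},
      {"principal": "Nobody", "granted": ["jcr:read"]}
    ],
    "notes": {"security:acl": "just a property"}
  }
}""")

def entries(node, key):
    # Only an array of objects under a reserved name is treated as security data.
    value = node.get(key, [])
    return [e for e in value if isinstance(e, dict)] if isinstance(value, list) else []

def lint(node, known=frozenset(), path=""):
    """Return findings for one node of a parsed file and, recursively, its children."""
    here, out = path or "/", []
    for key in RESERVED:  # reserved name used as an ordinary node property
        if key in node and not isinstance(node[key], list):
            out.append(f"{here}: {key} is not an array")
    principals = entries(node, "security:principals")
    known = known | {p.get("name") for p in principals}
    for p in principals:
        if "password" in p:  # credential ships in cleartext inside the bundle
            out.append(f"{here}: cleartext password for {p.get('name')}")
        for member in p.get("members", []):
            if member not in known:
                out.append(f"{here}: {p.get('name')} has unknown member {member}")
    for ace in entries(node, "security:acl"):
        who = ace.get("principal")
        if who not in known:
            out.append(f"{here}: ACL names unknown principal {who}")
        for priv in sorted(set(ace.get("granted", [])) & set(ace.get("denied", []))):
            out.append(f"{here}: {who} is both granted and denied {priv}")
    for key, child in node.items():
        if isinstance(child, dict):
            out += lint(child, known, f"{path}/{key}")
    return out
```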



[jira] Updated: (SLING-981) A security loader, along the lines of the contentloader to make it possible to populate ACL,s and Authorizables on startup

2009-05-21 Thread Ian Boston (JIRA)

 [ https://issues.apache.org/jira/browse/SLING-981?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ian Boston updated SLING-981:
-

Attachment: securityloader.tgz

Here is a tarball of the code. Wherever the "Sakai Foundation" is mentioned, 
please feel free to change to "Apache Software Foundation", and also change any 
constants to a suitable, more mainstream alternative.

> A security loader, along the lines of the contentloader to make it possible 
> to populate ACL,s and Authorizables on startup
> --
>
> Key: SLING-981
> URL: https://issues.apache.org/jira/browse/SLING-981
> Project: Sling
>  Issue Type: New Feature
>  Components: JCR Contentloader
>Reporter: Ian Boston
> Attachments: securityloader.tgz
>
