Re: Sling Oak restrictions not working - am I missing something?

2019-03-04 Thread Georg Henzler

Hi John,

I had a look and I could reproduce. I have used this module to hide 
existing nodes (denies), that's why I've never run into it.


The root cause is that for the create case, not only [1] but also [2] 
gets called (since there is no tree available). ResourceTypePattern [3] 
always returns false in the same way as oak ootb NodeTypePattern [4]. So 
I'm not sure if we can even solve this, but I'd like to try, please 
create an issue in JIRA for this.


-Georg

[1] https://github.com/apache/jackrabbit-oak/blob/64a7e291c8dfd32ef36648ace0b0c6ee80780e2d/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionPattern.java#L40

[2] https://github.com/apache/jackrabbit-oak/blob/trunk/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionPattern.java#L50

[3] https://github.com/apache/sling-org-apache-sling-oak-restrictions/blob/8574518f43969db9e4f8bbeb4e825d6d05ee41f8/src/main/java/org/apache/sling/oak/restrictions/impl/ResourceTypePattern.java#L150

[4] https://github.com/apache/jackrabbit-oak/blob/dc43f39e3203561542640218d2ec9a39c846ff2f/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/restriction/NodeTypePattern.java#L54


On 2019-03-02 00:16, John Logan wrote:

Hi,



I'm playing around with the Sling Oak restriction feature and I can't
seem to get it working.



The simple case I'm trying right now is to allow a user 'alice' to
have full access to all nodes at or below nodes with Sling resource
type 'foo'.  Here's the test procedure I'm following:



1.) Fire up sling-starter 11 and log into the Composum browser as admin.

2.) Add a user 'alice'.

3.) Add permission jcr:read to '/' for alice so she can browse in Composum.

4.) Create a sling:Folder node '/content/data' with Sling resource type 'foo'.

5.) Create a sling:Folder node '/content/data/child1' with Sling resource type 'foo'.

6.) For the '/content/data' node, add a permission with principal 'alice', rule 'allow', privileges 'jcr:all', and restrictions 'sling:resourceTypesWithDescendants=foo'.

7.) In a separate browser, log in as alice and go to Composum.

8.) As alice, try to create the node '/content/data/child2'.



Expected: User 'alice' can create the node.

Actual: The Composum "Create New Node" dialog displays the error
"Error 400 javax.jcr.AccessDeniedException: OakAccess: Access
denied" and the node is not created.



If I check effective permissions in Composum for /content/data and
/content/data/child1, I see that 'alice' does receive jcr:all for both
nodes.  Further, I can perform this check either as admin or alice,
whereas I cannot look at permissions on /content as alice.



If I try the Sling POST servlet as alice to create the node, I get a
different exception
"org.apache.sling.api.resource.PersistenceException: Resource at
'/content/data/foo' is not modifiable."



Am I misunderstanding something about how restrictions work?  Thank
you for any guidance you can offer!



John



The stack trace for the failure when creating via Composum is:



Caused by: org.apache.jackrabbit.oak.api.CommitFailedException: OakAccess: Access denied
    at org.apache.jackrabbit.oak.security.authorization.permission.PermissionValidator.checkPermissions(PermissionValidator.java:210) [org.apache.jackrabbit.oak-core:1.8.8]
    at org.apache.jackrabbit.oak.security.authorization.permission.PermissionValidator.childNodeAdded(PermissionValidator.java:148) [org.apache.jackrabbit.oak-core:1.8.8]
    at org.apache.jackrabbit.oak.spi.commit.VisibleValidator.childNodeAdded(VisibleValidator.java:106) [org.apache.jackrabbit.oak-store-spi:1.8.8]
    at org.apache.jackrabbit.oak.spi.commit.VisibleValidator.childNodeAdded(VisibleValidator.java:32) [org.apache.jackrabbit.oak-store-spi:1.8.8]



The stack trace for Sling POST is:



org.apache.sling.api.resource.PersistenceException: Resource at '/content/data/child2' is not modifiable.
    at org.apache.sling.servlets.post.impl.helper.SlingPropertyValueHandler.setProperty(SlingPropertyValueHandler.java:114)
    at org.apache.sling.servlets.post.impl.operations.ModifyOperation.writeContent(ModifyOperation.java:372) [org.apache.sling.servlets.post:2.3.26]
    at org.apache.sling.servlets.post.impl.operations.ModifyOperation.doRun(ModifyOperation.java:93) [org.apache.sling.servlets.post:2.3.26]
    at org.apache.sling.servlets.post.impl.operations.AbstractPostOperation.run(AbstractPostOperation.java:99) [org.apache.sling.servlets.post:2.3.26]
    at org.apache.sling.servlets.post.impl.SlingPostServlet.doPost(SlingPostServlet.java:228) [org.apache.sling.servlets.post:2.3.26]
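
The two evaluation paths described in the reply above, as a small self-contained Java model. This is an added example, not code from Oak, Sling or either poster. The Pattern interface, the class names, REPO and allowed() are hypothetical, and the ancestor walk in matchesTree is an assumption about what "WithDescendants" covers.

```java
import java.util.Map;

public class RestrictionCreateCase {

    /** Hypothetical stand-in for the two RestrictionPattern variants cited as [1] and [2]. */
    interface Pattern {
        boolean matchesTree(String existingPath); // [1] matches(Tree, PropertyState): node exists
        boolean matchesPath(String path);         // [2] matches(String path): no tree available
    }

    /** Constructed repository content from the test procedure: path -> sling:resourceType. */
    static final Map<String, String> REPO = Map.of(
            "/content/data", "foo",
            "/content/data/child1", "foo");

    /** Model of the behaviour the reply describes for ResourceTypePattern; not the Sling source. */
    static class ResourceTypeWithDescendants implements Pattern {
        private final String type;
        ResourceTypeWithDescendants(String type) { this.type = type; }

        @Override public boolean matchesTree(String existingPath) {
            // Assumption: the node itself or any ancestor carrying the resource type matches.
            for (String p = existingPath; !p.isEmpty(); p = p.substring(0, p.lastIndexOf('/'))) {
                if (type.equals(REPO.get(p))) return true;
            }
            return false;
        }

        @Override public boolean matchesPath(String path) {
            return false; // as stated in the reply: the path-only variant always returns false
        }
    }

    /** The allow entry from step 6 only applies where its restriction matches. */
    static boolean allowed(Pattern restriction, String path) {
        return REPO.containsKey(path)
                ? restriction.matchesTree(path)   // existing node, e.g. effective-permission check
                : restriction.matchesPath(path);  // node being created: only the path is known
    }

    public static void main(String[] args) {
        Pattern p = new ResourceTypeWithDescendants("foo");
        for (String path : new String[] {
                "/content/data", "/content/data/child1", "/content/data/child2"}) {
            System.out.println(path + " -> "
                    + (allowed(p, path) ? "allow entry applies" : "no matching allow, access denied"));
        }
    }
}
```

In this model the allow entry applies to the two existing nodes but never to '/content/data/child2', which matches the combination reported in the thread: jcr:all shown as effective on existing nodes, and AccessDeniedException on create.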


Re: [ANN] New Apache Sling PMC Chair: Robert Munteanu

2017-11-17 Thread Georg Henzler

Congratulations also from my side!

On 2017-11-17 10:26, Andrei Dulvac wrote:

Congratulations!


On Fri, Nov 17, 2017, 10:07 Julian Sedding wrote:


Congratulations Robert!

Regards
Julian

On Thu, Nov 16, 2017 at 5:29 PM, Roy Teeuwen wrote:
> Congratulations Robert!
>
> Greets,
> Roy
>
>> On 16 Nov 2017, at 15:25, Carsten Ziegeler wrote:
>>
>> Hi,
>>
>> it's my pleasure to announce that Robert took up the role as our new PMC
>> chair.
>>
>> Congrats Robert!
>>
>> Regards
>> Carsten
>> --
>> Carsten Ziegeler
>> Adobe Research Switzerland
>> cziege...@apache.org
>



Re: Sling Health Checks

2017-01-31 Thread Georg Henzler

Hi Jason,

No, it is not possible at the moment - but nobody stops you from making the 
HC component also provide an additional, custom MBean that shares some 
additional result properties of the HC execution with other services.


In theory the HC result could be extended to allow for custom properties 
(that are then in turn exposed via JMX), but the idea behind the HCs is 
that due to the clearly defined result type (with a clear semantic for 
each status) consumers can easily decide whether an instance is healthy 
or not, additional properties might be confusing. Could you describe 
your use case in a bit more detail?


Regards
Georg

On 2017-01-30 18:56, Jason Bailey wrote:

Anyone know if it's possible to use the Sling Health Checks to expose
a value via the MBean other than the ones explicitly defined in the
Result Object?

Thanks
-Jason