Re: Everyone ACL Read on /

2020-03-12 Thread Bertrand Delacretaz
Hi,

On Thu, Mar 12, 2020 at 7:25 AM Oliver Lietz  wrote:
> On Wednesday, March 11, 2020 10:05:20 PM CET Cris Rockwell wrote:
> > ...I am asking why this default exists.
> > Is there a rationale for the default or no?...

> It is convenient for the Sling Starter and the sample applications...

I think that's the key - the Sling Starter is not meant to be
production ready, it's more meant for experimenting and learning and a
somewhat open access helps for that.

I have just added a comment to clarify that in the
https://github.com/apache/sling-org-apache-sling-starter README.

-Bertrand
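
An added example (not part of the thread and not Sling project code): a small Python audit that lists what `allow` rules in a repoinit script grant to the `everyone` principal, so a Starter-derived setup can be reviewed before it serves real content. The sample repoinit text is constructed, the function names are hypothetical, and only the basic `set ACL for` / `set ACL on` forms are parsed.

```python
import re

# Constructed sample repoinit text (illustrative; not the Sling Starter's actual file).
SAMPLE_REPOINIT = """\
create path (sling:OrderedFolder) /content
set ACL for everyone
    allow jcr:read on /
end
set ACL on /content/private
    deny jcr:read for everyone
    allow jcr:read,jcr:write for authors
end
set ACL for authors, everyone
    allow jcr:read on /content,/apps
end
"""

BLOCK = re.compile(r"^set\s+ACL\s+(for|on)\s+(.+)$", re.I)
RULE = re.compile(r"^(allow|deny)\s+(.+?)\s+(on|for)\s+(.+)$", re.I)
# Trailing options that are not part of the path/principal list.
OPTIONS = re.compile(r"\s+(nodetypes\b|restriction\b|\(ACLOptions=).*$", re.I)

def items(text):
    return [part.strip() for part in OPTIONS.sub("", text).split(",") if part.strip()]

def everyone_grants(repoinit, principal="everyone"):
    """Return sorted (path, privilege) pairs that 'allow' rules give to principal.

    Deny entries are not subtracted: this lists grants to review, it does not
    compute effective permissions.
    """
    found, mode, subjects = set(), None, []
    for line in (raw.strip() for raw in repoinit.splitlines()):
        block, rule = BLOCK.match(line), RULE.match(line)
        if block:
            mode, subjects = block.group(1).lower(), items(block.group(2))
        elif line.lower() == "end":
            mode, subjects = None, []
        elif mode and rule and rule.group(1).lower() == "allow":
            targets = items(rule.group(4))
            # "set ACL for <principals>": rules name paths; "set ACL on <paths>": rules name principals
            principals, paths = (subjects, targets) if mode == "for" else (targets, subjects)
            if principal in principals:
                found.update((p, priv) for p in paths for priv in items(rule.group(2)))
    return sorted(found)

def root_readable(grants):
    """True when the grants include read (or all) on the repository root."""
    return any(path == "/" and priv in ("jcr:read", "jcr:all") for path, priv in grants)
```

Running `everyone_grants` over the repoinit text of a custom feature or provisioning model shows at a glance whether anonymous-readable paths are limited to what the application intends to publish.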


Re: Everyone ACL Read on /

2020-03-12 Thread Oliver Lietz
On Wednesday, March 11, 2020 10:05:20 PM CET Cris Rockwell wrote:
> I think your response helps in a way. I am asking why this default exists.
> Is there a rationale for the default or no? Based on your response, it
> should be deleted if the application needs to control ACL read permissions,
> and maybe there is no reason for the default other than to ensure everyone
> can read everything under /content.

It is convenient for the Sling Starter and the sample applications.

When you build your own Sling application (incl. starter or features) you 
usually configure it depending on your requirements (Tar vs Mongo, blob store, 
etc.) and do not use the default values.

What is your use case? How would removing the read permission for /content 
help?

O.








Re: Everyone ACL Read on /

2020-03-11 Thread Cris Rockwell
I think your response helps in a way. I am asking why this default exists. Is 
there a rationale for the default or no? Based on your response, it should 
be deleted if the application needs to control ACL read permissions, and maybe 
there is no reason for the default other than to ensure everyone can read 
everything under /content.

Cris




Re: Everyone ACL Read on /

2020-03-11 Thread Oliver Lietz
On Wednesday, March 11, 2020 8:34:12 PM CET Cris Rockwell wrote:
> Hi Oliver
> 
> Thanks for the fast reply. Can I ask the exact same set of questions about
> default jcr:read access for everyone on /content? Is that required?

It depends on your application. If you do not want to serve content to 
anonymous users/clients you can remove the read permissions.
You can even remove the whole JCR from Sling if you do not want to serve 
content from it.

Does it help?

Regards,
O.








Re: Everyone ACL Read on /

2020-03-11 Thread Cris Rockwell
Hi Oliver

Thanks for the fast reply. Can I ask the exact same set of questions about 
default jcr:read access for everyone on /content? Is that required?

Cris Rockwell
Applications Architect Sr  
College of Literature, Science, and the Arts | University of Michigan 
LSA Technology Services | 6503 Haven Hall | 505 S. State Street | Ann Arbor, MI 
I 48109
Desk: 734.763.6818 | Email: cmroc...@umich.edu






Re: Everyone ACL Read on /

2020-03-11 Thread Oliver Lietz
On Wednesday, March 11, 2020 6:50:51 PM CET Cris Rockwell wrote:
> Hello Sling Users

Hi Cris,

> When I launch Sling, there is an ACL for jcr:read for the everyone
> 'principal' on jcr:root, as described in the repoinit.txt
> http://archive.apache.org/dist/sling/org.apache.sling.launchpad-9.jar
> 
> 
> I have found these resources:
> 
> http://apache-sling.73963.n3.nabble.com/Principal-quot-everyone-quot-is-not-clear-td4078544.html
> https://jackrabbit.apache.org/oak/docs/security/user/membership.html
> 
> 
> But I still have questions:
> * Why is everyone by default granted jcr:read access to the whole
>   repository?
> * If you wanted to control access, isn’t it better to whitelist
>   (i.e. grant) instead of deny?
> * If the everyone ACL jcr:read rule was deleted from root, what
>   problems should be expected?

That was changed several years ago already, see SLING-6130 and current setup:

https://github.com/apache/sling-org-apache-sling-starter/blob/master/src/main/provisioning/repoinit.txt

Regards,
O.


> Many thanks!
> Cris Rockwell
> Applications Architect Sr
> College of Literature, Science, and the Arts | University of Michigan
> LSA Technology Services | 6503 Haven Hall | 505 S. State Street | Ann Arbor,
> MI I 48109 Desk: 734.763.6818 | Email: cmroc...@umich.edu