Angela Schreiber created SLING-10299:
----------------------------------------

Summary: Allow for removal of access control policies (not just individual entries)
Key: SLING-10299
URL: https://issues.apache.org/jira/browse/SLING-10299
Project: Sling
Issue Type: New Feature
Components: Repoinit
Affects Versions: Repoinit Parser 1.6.6, Repoinit JCR 1.1.32
Reporter: Angela Schreiber

hi [~bdelacretaz],

as outlined in SLING-10134 the ability to cleanup access control content with repo-init is currently limited. while investigating ways to remove resource-based service user permissions in existing installations i noticed that there is one piece from the Jackrabbit API missing altogether: {{AccessControlManager.removePolicy(String absPath, AccessControlPolicy)}}.

repo-init language today allows for removal of individual access control entries and all entries, it doesn't provide the means to drop a policy (without specifying which entries to drop).

the language extension could look as follows for the 3 main types to set access control:

{code}
remove ACL on /libs,/apps
remove ACL for alice, bob, fred
remove principal ACL for alice, bob
{code}

IMO no {{end}} statement would be required as there are no additional entry specific statements present.

since this would also be needed to cleanup AC content for principals that are being removed, I would strongly suggest to leave the principal-validation step to the repository and mandate the target principal to exist.

In order to not break subsequent executions I would also suggest to only log an INFO if the policy to remove doesn't exist.

implementation wise it could look as follows (untested pseudo-code):

{code}
// remove ACL on <path>
JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, jcrPath);
if (acl != null) {
    acMgr.removePolicy(acl.getPath(), acl);
} else {
    log.info(".....");
}
{code}

{code}
// remove principal ACL for <principal>
PrincipalAccessControlList acl = getPrincipalAccessControlList(acMgr, principal);
if (acl != null) {
    acMgr.removePolicy(acl.getPath(), acl);
} else {
    log.info(".....");
}
{code}

for the case {{remove ACL for alice, bob, fred}} multiple options exist.... i would need to dig into the repo-init code to see what was best. in theory {{JackrabbitAccessControlManager.getPolicies(principal)}} should work and one only needs to make sure not to delete the {{PrincipalAccessControlList}} if that existed as well.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)