Angela Schreiber created SLING-9956:
---------------------------------------
Summary: RepPolicyEntryHandler ignores ACEs on repository level
Key: SLING-9956
URL: https://issues.apache.org/jira/browse/SLING-9956
Project: Sling
Issue Type: Bug
Components: Content-Package to Feature Model Converter
Reporter: Angela Schreiber
based on my reading of
https://github.com/apache/sling-org-apache-sling-feature-cpconverter/blob/master/src/main/java/org/apache/sling/feature/cpconverter/handlers/RepPolicyEntryHandler.java#L56
i don't see how the converter would handle service user permissions that are
defined for the repository level that in JCR access control management API are
defined using a {{null}} path.
with the default authorization module in oak the corresponding ACL is stored at
the root node with a dedicated policy node named {{rep:repoPolicy}} (see
http://jackrabbit.apache.org/oak/docs/security/accesscontrol/default.html#representation)
i guess this bug requires 2 steps:
- adjust the regexp in the handler
- adjust "Acl" class (which reprents an Ace) to make sure repo-level aces are
properly identified (e.g. extra method isRepositoryLevel or set the correct
path field to null)
- adjust
https://github.com/apache/sling-org-apache-sling-feature-cpconverter/blob/master/src/main/java/org/apache/sling/feature/cpconverter/acl/DefaultAclManager.java#L242
to proper create repository level entries with repo-init. according to
https://sling.apache.org/documentation/bundles/repository-initialization.html
this is achieved using the following special path:
{code}
set ACL for alice,bob
allow jcr:namespaceManagement on :repository
end
{code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
