Angela Schreiber created OAK-10130:
--------------------------------------

             Summary: Add API to retrieve effective policies for a set of principals for a given path
                 Key: OAK-10130
                 URL: https://issues.apache.org/jira/browse/OAK-10130
             Project: Jackrabbit Oak
          Issue Type: New Feature
          Components: authorization-cug, authorization-principalbased, core, jackrabbit-api, security
            Reporter: Angela Schreiber
            Assignee: Angela Schreiber


JCR and Jackrabbit API currently provide the following methods to retrieve 
effective policies:

h4. javax.jcr.security.AccessControlManager
{code}
    AccessControlPolicy[] getEffectivePolicies(String absPath)
            throws PathNotFoundException, AccessDeniedException, RepositoryException;
{code}


h4. org.apache.jackrabbit.api.security.JackrabbitAccessControlManager
{code}
    AccessControlPolicy[] getEffectivePolicies(@NotNull Set<Principal> principals)
            throws AccessDeniedException, AccessControlException,
            UnsupportedRepositoryOperationException, RepositoryException;
{code}

h4. The missing piece 
What is not possible today, however, is retrieving the effective policies for a 
given set of principals that take effect on a particular path. While consumers 
of the method provided by {{JackrabbitAccessControlManager}} might be able to 
guess where the policies take effect and thus filter them accordingly, this 
should not be taken for granted, and it would be better if there was an API to 
retrieve the filtered set, as the implementations of 
{{JackrabbitAccessControlManager}} are able to determine the effect (instead of 
guessing), in particular when restrictions are present.

I would therefore suggest introducing in {{JackrabbitAccessControlManager}} 
something like

{code}
    Iterator<AccessControlPolicy> getEffectivePolicies(@NotNull Set<Principal> principals,
            @Nullable String absPath)
            throws AccessDeniedException, AccessControlException,
            UnsupportedRepositoryOperationException, RepositoryException;
{code}

cc: [~cschneider] who highlighted the issue to me while investigating an issue 
with Sling Content Distribution.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
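
The client-side "guess" described under "The missing piece", sketched as an added example: it is not code from Jackrabbit, Oak or the reporter, and the class {{EffectivePolicyGuess}} with its methods is hypothetical. It assumes the JCR and Jackrabbit API jars on the classpath and filters the result of the existing {{getEffectivePolicies(Set<Principal>)}} purely by path.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import javax.jcr.RepositoryException;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlPolicy;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;
import org.apache.jackrabbit.api.security.authorization.PrincipalAccessControlList;
/** Hypothetical client-side helper (added example); not part of JCR, Jackrabbit API or Oak. */
public final class EffectivePolicyGuess {
    /** Over-approximates which effective policies apply at absPath (null = repository level). */
    public static List<AccessControlPolicy> guess(JackrabbitAccessControlManager acMgr,
            Set<Principal> principals, String absPath) throws RepositoryException {
        List<AccessControlPolicy> result = new ArrayList<>();
        for (AccessControlPolicy policy : acMgr.getEffectivePolicies(principals)) {
            if (mayApply(policy, absPath)) {
                result.add(policy);
            }
        }
        return result;
    }

    private static boolean mayApply(AccessControlPolicy policy, String absPath)
            throws RepositoryException {
        if (policy instanceof PrincipalAccessControlList) {
            // Principal-based list: each entry carries its own effective path,
            // so inspect the entries rather than the policy's getPath().
            for (AccessControlEntry ace : ((PrincipalAccessControlList) policy).getAccessControlEntries()) {
                if (ace instanceof PrincipalAccessControlList.Entry && coversPath(
                        ((PrincipalAccessControlList.Entry) ace).getEffectivePath(), absPath)) {
                    return true;
                }
            }
            return false;
        }
        if (policy instanceof JackrabbitAccessControlPolicy) {
            return coversPath(((JackrabbitAccessControlPolicy) policy).getPath(), absPath);
        }
        return true; // unknown policy type: keep it rather than hide a policy that may apply
    }

    /** Pure path comparison. Restrictions on the entries are NOT evaluated: that is the guess. */
    static boolean coversPath(String policyPath, String absPath) {
        if (policyPath == null || absPath == null) {
            return policyPath == null && absPath == null; // repository level matches only itself
        }
        return policyPath.equals("/") || absPath.equals(policyPath) || absPath.startsWith(policyPath + "/");
    }
}
```

Because entry restrictions are never evaluated here, the returned list is a superset of what actually takes effect at {{absPath}}; an access review built on it can over-report but should not be used to conclude that a policy has no effect.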