[jira] [Resolved] (OAK-10130) Add API to retrieve effective policies for a set of principals for a given path

[Angela Schreiber (Jira)]

     [ 
https://issues.apache.org/jira/browse/OAK-10130?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Angela Schreiber resolved OAK-10130.
------------------------------------
    Fix Version/s: 1.52.0
       Resolution: Fixed

> Add API to retrieve effective policies for a set of principals for a given 
> path
> -------------------------------------------------------------------------------
>
>                 Key: OAK-10130
>                 URL: https://issues.apache.org/jira/browse/OAK-10130
>             Project: Jackrabbit Oak
>          Issue Type: New Feature
>          Components: authorization-cug, authorization-principalbased, core, 
> jackrabbit-api, security
>            Reporter: Angela Schreiber
>            Assignee: Angela Schreiber
>            Priority: Major
>             Fix For: 1.52.0
>
>
> JCR and Jackrabbit API currently provide the following methods to retrieve 
> effective policies:
> h4. javax.jcr.security.AccessControlManager
> {code}
>     AccessControlPolicy[] getEffectivePolicies(String absPath)
>             throws PathNotFoundException, AccessDeniedException, 
> RepositoryException;
> {code}
> h4. org.apache.jackrabbit.api.security.JackrabbitAccessControlManager
> {code}
>     AccessControlPolicy[] getEffectivePolicies(@NotNull Set<Principal> 
> principals) throws AccessDeniedException, AccessControlException, 
> UnsupportedRepositoryOperationException, RepositoryException;
> {code}
> h4. The missing piece 
> What is not possible today however is retrieving the effective policies for a 
> given set of principals that take effect on a particular path. While 
> consumers of the method provided {{JackrabbitAccessControlManager}} might be 
> able to guess where the policies take effect and thus filter the accordingly, 
> this should not be taken for granted and it would be better if there was an 
> API to retrieve the filtered set as the implementations of 
> {{JackrabbitAccessControlManager}} are able to determine the effect (instead 
> of guessing).... in particular when restrictions are present.
> I would there suggest to introduce in {{JackrabbitAccessControlManager}} 
> something like
> {code}
>     Iterator<AccessControlPolicy> getEffectivePolicies(@NotNull 
> Set<Principal> principals, @Nullable String absPath) throws 
> AccessDeniedException, AccessControlException, 
> UnsupportedRepositoryOperationException, RepositoryException;
> {code}
> cc: [~cschneider] who highlighted the issue to me while investigating an 
> issue with Sling Content Distribution.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)