Jackrabbit Oak / OAK-9761

Investigate evaluation improvement for subtrees with read access to all regular nodes/properties


Details

    • Improve permission evaluation for subtrees with read access to all regular nodes/properties

    Description

      Today, permission evaluation contains a shortcut for evaluating read access when a given session is known to have full read access on a given subtree, i.e. including reading all access control content stored below that tree.

      If TreePermission.canReadAll() returns true, the SecureNodeState will no longer create a permission-evaluating wrapper around child items.

      However, due to the nature of the default access control management that allows for nested allow-deny entries, TreePermission.canReadAll() returns false unless the subject is known to have full administrative access.

      The goal of this improvement is to investigate additional optimizations for cases where read access to regular items is granted in a given subtree, as is the case, for example, for those paths that are defined to be always readable (see e.g. https://github.com/apache/jackrabbit-oak/blob/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AuthorizationConfigurationImpl.java#L107-L113)

      cc: joerghoh, rma61870@adobe.com
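
The reasoning in the description, as an added model that is not Oak code and not part of the original issue: skipping all per-item checks below an allowed subtree root exposes a nested deny and the policy node, while a shortcut restricted to regular items still hides access control content. The class, the `Mode` values (including `SKIP_FOR_REGULAR_ITEMS`, a hypothetical variant) and the sample trees are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.List;
// Simplified model, not Oak code: one session, READ only, nearest entry on the path wins.
public class ReadShortcutModel {
    enum Ace { NONE, ALLOW, DENY }
    enum Mode { EVALUATE_EACH, SKIP_ALL_CHECKS, SKIP_FOR_REGULAR_ITEMS }

    static final class Node {
        final String name; final Ace ace; final Node[] children;
        Node(String name, Ace ace, Node... children) { this.name = name; this.ace = ace; this.children = children; }
    }

    static int checks; // per-item entry evaluations performed by the last run

    // Collects the paths visible below 'n'; 'inherited' is the read decision of the parent.
    static void visible(Node n, String parent, boolean inherited, Mode mode, List<String> out) {
        String path = parent + "/" + n.name;
        boolean acContent = path.contains("/rep:policy"); // policy node and everything below it
        boolean readable;
        switch (mode) {
            case SKIP_ALL_CHECKS:        readable = true; break;        // what canReadAll() == true permits
            case SKIP_FOR_REGULAR_ITEMS: readable = !acContent; break;  // hypothetical variant of the shortcut
            default:
                checks++;
                readable = !acContent && (n.ace == Ace.NONE ? inherited : n.ace == Ace.ALLOW);
        }
        if (readable) out.add(path);
        for (Node c : n.children) visible(c, path, readable, mode, out);
    }

    static List<String> run(Node root, Mode mode) {
        checks = 0;
        List<String> out = new ArrayList<>();
        visible(root, "", false, mode, out);
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample: allow on /content, nested deny on /content/private.
        Node content = new Node("content", Ace.ALLOW,
            new Node("public", Ace.NONE),
            new Node("private", Ace.DENY, new Node("secret", Ace.NONE)),
            new Node("rep:policy", Ace.NONE));
        System.out.println(run(content, Mode.EVALUATE_EACH) + " checks=" + checks);
        System.out.println(run(content, Mode.SKIP_ALL_CHECKS) + " checks=" + checks);
        // Constructed stand-in for an always-readable path: no entry can revoke read on regular items.
        Node readable = new Node("readable", Ace.NONE, new Node("a", Ace.NONE), new Node("rep:policy", Ace.NONE));
        System.out.println(run(readable, Mode.SKIP_FOR_REGULAR_ITEMS) + " checks=" + checks);
    }
}
```

Comparing the first two printed lists shows which paths a shortcut based only on the allow at the subtree root would expose; the third run applies only where, as for the always-readable paths, no entry below the root can revoke read on regular items.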

            People

              angela Angela Schreiber