Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
None
-
None
Description
based on my reading of https://github.com/apache/sling-org-apache-sling-feature-cpconverter/blob/master/src/main/java/org/apache/sling/feature/cpconverter/handlers/RepPolicyEntryHandler.java#L56
i don't see how the converter would handle service user permissions that are defined for the repository level that in JCR access control management API are defined using a null path.
with the default authorization module in oak the corresponding ACL is stored at the root node with a dedicated policy node named rep:repoPolicy (see http://jackrabbit.apache.org/oak/docs/security/accesscontrol/default.html#representation)
i guess this bug requires 3 steps:
- adjust the regexp in the handler
- adjust "Acl" class (which reprents an Ace) to make sure repo-level aces are properly identified (e.g. extra method isRepositoryLevel or set the correct path field to null)
- adjust https://github.com/apache/sling-org-apache-sling-feature-cpconverter/blob/master/src/main/java/org/apache/sling/feature/cpconverter/acl/DefaultAclManager.java#L242 to proper create repository level entries with repo-init. according to https://sling.apache.org/documentation/bundles/repository-initialization.html this is achieved using the following special path:
set ACL for alice,bob
allow jcr:namespaceManagement on :repository
end
Attachments
Attachments
Issue Links
- is blocked by
-
SLING-9966 Update dependency to org.apache.sling.repoinit.parser
- Closed
- is related to
-
SLING-9692 Add support for principal-based access control entries
- Closed
- requires
-
SLING-9976 Refactor RepPolicyEntryHandler to allow for other types of access control lists
- Closed
- links to