Details
- Improvement
- Status: Open
- Major
- Resolution: Unresolved
Description
While discussing the improvements suggested by antoniu98 in OAK-10173, we found that the API definition of org.apache.jackrabbit.api.security.user.QueryBuilder.impersonates(String name) is not really aligned with Impersonation.allows(Subject).
While for the current implementation this doesn't matter, as only the admin user is able to impersonate everyone irrespective of the information stored in rep:impersonators properties, we can only make a best-effort guess on whether the specified principal name might result upon login in a subject that contains any of the configured impersonator principals.
Ultimately, it would be desirable if there was a way to pass a subject to org.apache.jackrabbit.api.security.user.QueryBuilder.impersonates (or something equivalent) in order to make it properly aligned with Impersonation.allows(Subject).
Note that expanding the API would also require adjusting https://github.com/apache/jackrabbit/blob/trunk/jackrabbit-jcr-commons/src/main/ja[…]ackrabbit/commons/jackrabbit/user/AuthorizableQueryManager.java.
cc: antoniu98 FYI
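A simplified model of the mismatch described above, added here as an illustration; it is not part of the issue and is not Oak or Jackrabbit code. The principal names, the stored data and the subject-based impersonates(Subject) overload are assumptions made for the example (Java 16+).

```java
import java.security.Principal;
import java.util.*;
import java.util.stream.Collectors;
import javax.security.auth.Subject;

// Simplified model for illustration only; all names and data are constructed.
public class ImpersonationMismatch {
    record NamedPrincipal(String name) implements Principal { public String getName() { return name; } }

    // user id -> principal names stored in that user's rep:impersonators (constructed data)
    static final Map<String, Set<String>> REP_IMPERSONATORS =
            Map.of("bob", Set.of("carol"), "dave", Set.<String>of());
    // principals allowed to impersonate any user, as configurable per OAK-10173 (assumed value)
    static final Set<String> CONFIGURED = Set.of("impersonation-service");

    static Set<String> names(Subject s) {
        return s.getPrincipals().stream().map(Principal::getName).collect(Collectors.toSet());
    }

    // Models Impersonation.allows(Subject): decided on every principal in the subject.
    static boolean allows(String targetUser, Subject s) {
        Set<String> n = names(s);
        return !Collections.disjoint(n, CONFIGURED)
                || !Collections.disjoint(n, REP_IMPERSONATORS.get(targetUser));
    }

    // Models QueryBuilder.impersonates(String): sees a single principal name only.
    static Set<String> impersonates(String principalName) {
        return REP_IMPERSONATORS.entrySet().stream()
                .filter(e -> e.getValue().contains(principalName))
                .map(Map.Entry::getKey).collect(Collectors.toCollection(TreeSet::new));
    }

    // Hypothetical subject-based variant; agrees with allows() by construction.
    static Set<String> impersonates(Subject s) {
        return REP_IMPERSONATORS.keySet().stream()
                .filter(u -> allows(u, s)).collect(Collectors.toCollection(TreeSet::new));
    }

    public static void main(String[] args) {
        // Constructed login result: the subject for "alice" also carries the configured principal.
        Subject alice = new Subject(true,
                Set.of(new NamedPrincipal("alice"), new NamedPrincipal("impersonation-service")),
                Set.of(), Set.of());
        System.out.println("allows(bob, alice)    = " + allows("bob", alice));
        System.out.println("impersonates(\"alice\") = " + impersonates("alice"));
        System.out.println("impersonates(alice)   = " + impersonates(alice));
    }
}
```

For anyone auditing who can act as a given user, the point is that a name-based query can under-report: the access decision is made on the full subject, so review results should be checked against the principals a login actually yields.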
Issue Links
- relates to: OAK-10173 Allow configured principals to impersonate any user (Closed)