[OAK-9763] Allow for restrictions evaluation against set of effective principal - ASF JIRA

Agile Board

Attach files

Attach Screenshot

Add vote

Voters

Watch issue

Watchers

Create sub-task

Link

Clone

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: New Feature
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: None
Component/s: authorization-principalbased, core, security, security-spi
Labels:
None

Description

Today it is not possible to plug a custom RestrictionProvider with restrictions (or restriction-patterns for that matter) that would allow to evaluate against the effective set of principals for which permission evaluation is executed.

Reason: In contrast to AuthorizationConfiguration.getPermissionProvider()AuthorizationConfiguration.getRestrictionProvider() does not get the set of effective principals passed.

What is possible today is something like e.g.

allow everyone jcr:read on /content with restriction jcr:title = "abc"

What is not feasible today is something like

allow everyone jcr:read on /content with restriction ownerPropery = currentPrincipal()

as the restriction evaluation today is agnostic of the principals for which the restrictions are being evaluated.

This improvement aims for investigating what it would take to make the set of principals available with the PermissionProvider available to the RestrictionProvider during evaluation.

cc: Tom Blackford