  1. Sling
  2. SLING-10299

Allow for removal of access control policies (not just individual entries)


Details

    Description

      hi bdelacretaz, as outlined in SLING-10134 the ability to clean up access control content with repo-init is currently limited. while investigating ways to remove resource-based service user permissions in existing installations i noticed that there is one piece from the Jackrabbit API missing altogether: AccessControlManager.removePolicy(String absPath, AccessControlPolicy).

      repo-init language today allows for removal of individual access control entries and all entries, it doesn't provide the means to drop a policy (without specifying which entries to drop).

      the language extension could look as follows for the 3 main types to set access control:

      remove ACL on /libs,/apps
      remove ACL for alice, bob, fred
      remove principal ACL for alice, bob
      

      IMO no end statement would be required as there are no additional entry specific statements present.

      since this would also be needed to clean up AC content for principals that are being removed, I would strongly suggest to leave the principal-validation step to the repository and not mandate the target principal to exist. In order to not break subsequent executions I would also suggest to only log an INFO if the policy to remove doesn't exist.

      implementation wise it could look as follows (untested pseudo-code):

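      // resource-based: remove the whole ACL bound to jcrPath
      JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, jcrPath);
      if (acl != null) {
            acMgr.removePolicy(acl.getPath(), acl);
      } else {
            log.info(".....");
      }
      
      // principal-based: remove the whole PrincipalAccessControlList of the principal
      PrincipalAccessControlList principalAcl = getPrincipalAccessControlList(acMgr, principal);
      if (principalAcl != null) {
            acMgr.removePolicy(principalAcl.getPath(), principalAcl);
      } else {
            log.info(".....");
      }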
      

      for the case remove ACL for alice, bob, fred multiple options exist.... i would need to dig into the repo-init code to see what was best. in theory JackrabbitAccessControlManager.getPolicies(principal) should work and one only needs to make sure not to delete the PrincipalAccessControlList if that existed as well.
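A sketch of the `remove ACL on ...` and `remove ACL for ...` cases, added here as an example; it is not part of the issue and not repo-init's code. The class and method names are hypothetical. It assumes a Jackrabbit/Oak session and SLF4J, and it looks up path policies with `AccessControlManager.getPolicies(path)` rather than the `AccessControlUtils` helper used in the pseudo-code above.

```java
import java.security.Principal;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.authorization.PrincipalAccessControlList;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Hypothetical helper; class and method names are illustrative, not repo-init's.
public final class AclRemovalSketch {
    private static final Logger LOG = LoggerFactory.getLogger(AclRemovalSketch.class);

    // Resource-based ACLs only: a PrincipalAccessControlList is left for "remove principal ACL".
    private static boolean isResourceAcl(AccessControlPolicy p) {
        return p instanceof JackrabbitAccessControlList && !(p instanceof PrincipalAccessControlList);
    }

    // "remove ACL on <paths>": getPolicies(path) returns only policies actually set at the path.
    public static int removeAclOn(Session session, String... paths) throws RepositoryException {
        AccessControlManager acMgr = session.getAccessControlManager();
        int removed = 0;
        for (String path : paths) {
            removed += removeAll(acMgr, acMgr.getPolicies(path), "path " + path);
        }
        return removed;
    }

    // "remove ACL for <principal>": the principal is handed to the repository unvalidated.
    public static int removeAclFor(Session session, Principal principal) throws RepositoryException {
        // Assumes a Jackrabbit/Oak repository; the cast fails on any other implementation.
        JackrabbitAccessControlManager acMgr = (JackrabbitAccessControlManager) session.getAccessControlManager();
        return removeAll(acMgr, acMgr.getPolicies(principal), "principal " + principal.getName());
    }

    private static int removeAll(AccessControlManager acMgr, AccessControlPolicy[] policies, String target)
            throws RepositoryException {
        int removed = 0;
        for (AccessControlPolicy policy : policies) {
            if (isResourceAcl(policy)) {
                JackrabbitAccessControlList acl = (JackrabbitAccessControlList) policy;
                acMgr.removePolicy(acl.getPath(), acl);
                removed++;
            }
        }
        if (removed == 0) {
            LOG.info("No ACL to remove for {}", target); // a missing policy is not an error
        }
        return removed; // changes stay transient until the caller calls session.save()
    }
}
```

The returned count lets a caller tell a no-op re-run from an actual removal; a path that does not exist still raises the repository's own `PathNotFoundException`.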

            People

              angela Angela Schreiber

                Time Tracking

                  Original Estimate - Not Specified
                  Remaining Estimate - 0h
                  Time Spent - 2h 50m