• Home
• org.apache.jackrabbit
• oak-core
• 1.7.7
• source code
• PermissionConstants.java

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants Maven / Gradle / Ivy

/*
 * Licensed to the Apache Software Foundation (ASF) under one or more
 * contributor license agreements.  See the NOTICE file distributed with
 * this work for additional information regarding copyright ownership.
 * The ASF licenses this file to You under the Apache License, Version 2.0
 * (the "License"); you may not use this file except in compliance with
 * the License.  You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.apache.jackrabbit.oak.spi.security.authorization.permission;

import java.util.Set;

import com.google.common.collect.ImmutableSet;
import org.apache.jackrabbit.JcrConstants;
import org.apache.jackrabbit.oak.plugins.name.NamespaceConstants;
import org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;

/**
 * Implementation specific constants related to permission evaluation.
 *
 * @since OAK 1.0
 */
public interface PermissionConstants {

    String NT_REP_PERMISSIONS = "rep:Permissions";
    String NT_REP_PERMISSION_STORE = "rep:PermissionStore";
    String REP_PERMISSION_STORE = "rep:permissionStore";
    String PERMISSIONS_STORE_PATH = '/' + JcrConstants.JCR_SYSTEM + '/' + REP_PERMISSION_STORE;

    String REP_ACCESS_CONTROLLED_PATH = "rep:accessControlledPath";
	String REP_IS_ALLOW = "rep:isAllow";
    String REP_PRIVILEGE_BITS = "rep:privileges";

    Set PERMISSION_NODETYPE_NAMES = ImmutableSet.of(NT_REP_PERMISSIONS, NT_REP_PERMISSION_STORE);
    Set PERMISSION_NODE_NAMES = ImmutableSet.of(REP_PERMISSION_STORE);
    Set PERMISSION_PROPERTY_NAMES = ImmutableSet.of(REP_ACCESS_CONTROLLED_PATH, REP_PRIVILEGE_BITS);

    /**
     * Configuration parameter to enforce backwards compatible permission
     * validation with respect to user management and node removal:
     *
     * 

     *     
User Management: As of OAK 1.0 creation/removal of user and
     *     groups as well as modification of user/group specific protected properties
     *     requires {@link Permissions#USER_MANAGEMENT USER_MANAGEMENT}
     *     permissions while in Jackrabbit 2.0 they were covered by regular item
     *     write permissions.
     *     
Removing Nodes: As of OAK 1.0 removing a node will succeed if the
     *     removal is granted on that specific node irrespective of the permission
     *     granted or denied within the subtree. This contrasts to JR 2.0 where
     *     removal of a node only succeeded if all child items (nodes and properties)
     *     could be removed.
     * 
     *
     * In order to enforce backwards compatible behavior of the listed permissions
     * above the access control configuration setup needs to contain the
     * {@code #PARAM_PERMISSIONS_JR2} configuration parameter whose value is
     * expected to be a comma separated string of permission names for which
     * backwards compatible behavior should be turned on.

     *
     * Currently the following values are respected:
     * 

     *     
"USER_MANAGEMENT" : to avoid enforcing {@link org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions#USER_MANAGEMENT}
     *     permission.
     *     
"REMOVE_NODE" : to enforce permission checks for all items located
     *     in the subtree in case of removal.
     * 
     * @since OAK 1.0
     */
    String PARAM_PERMISSIONS_JR2 = "permissionsJr2";

    /**
     * Value of the {@link #PARAM_PERMISSIONS_JR2} configuration parameter that
     * contains all value entries.
     */
    String VALUE_PERMISSIONS_JR2 = Permissions.getString(Permissions.USER_MANAGEMENT | Permissions.REMOVE_NODE);

    /**
     * Configuration parameter specifying additional principals that should be
     * treated as 'administrator' thus get granted full permissions on the
     * complete repository content.
     *
     * @since OAK 1.0
     */
    String PARAM_ADMINISTRATIVE_PRINCIPALS = "administrativePrincipals";

    /**
     * Configuration parameter to enable full read access to regular nodes and
     * properties at the specified paths.
     *
     * @since OAK 1.0
     */
    String PARAM_READ_PATHS = "readPaths";

    /**
     * Default value for the {@link #PARAM_READ_PATHS} configuration parameter.
     *
     * @since OAK 1.0
     */
    Set DEFAULT_READ_PATHS = ImmutableSet.of(
            NamespaceConstants.NAMESPACES_PATH,
            NodeTypeConstants.NODE_TYPES_PATH,
            PrivilegeConstants.PRIVILEGES_PATH
    );
}