Package org.apache.jackrabbit.oak.spi.security.authorization.permission

Interface PermissionConstants

public interface PermissionConstants
Implementation specific constants related to permission evaluation.
Since:
OAK 1.0

  • Field Details

    • NT_REP_PERMISSIONS

      static final String NT_REP_PERMISSIONS
      See Also:

    • NT_REP_PERMISSION_STORE

      static final String NT_REP_PERMISSION_STORE
      See Also:

    • REP_PERMISSION_STORE

      static final String REP_PERMISSION_STORE
      See Also:

    • PERMISSIONS_STORE_PATH

      static final String PERMISSIONS_STORE_PATH
      See Also:

    • REP_ACCESS_CONTROLLED_PATH

      static final String REP_ACCESS_CONTROLLED_PATH
      See Also:

    • REP_IS_ALLOW

      static final String REP_IS_ALLOW
      See Also:

    • REP_PRIVILEGE_BITS

      static final String REP_PRIVILEGE_BITS
      See Also:

    • REP_NUM_PERMISSIONS

      static final String REP_NUM_PERMISSIONS
      See Also:

    • PERMISSION_NODETYPE_NAMES

      static final Set<String> PERMISSION_NODETYPE_NAMES

    • PERMISSION_NODE_NAMES

      static final Set<String> PERMISSION_NODE_NAMES

    • PERMISSION_PROPERTY_NAMES

      static final Set<String> PERMISSION_PROPERTY_NAMES

    • PARAM_PERMISSIONS_JR2

      static final String PARAM_PERMISSIONS_JR2
      Configuration parameter to enforce backwards compatible permission validation with respect to user management and node removal:
      • User Management: As of OAK 1.0 creation/removal of user and groups as well as modification of user/group specific protected properties requires USER_MANAGEMENT permissions while in Jackrabbit 2.0 they were covered by regular item write permissions.
      • Removing Nodes: As of OAK 1.0 removing a node will succeed if the removal is granted on that specific node irrespective of the permission granted or denied within the subtree. This contrasts to JR 2.0 where removal of a node only succeeded if all child items (nodes and properties) could be removed.
      In order to enforce backwards compatible behavior of the listed permissions above the access control configuration setup needs to contain the #PARAM_PERMISSIONS_JR2 configuration parameter whose value is expected to be a comma separated string of permission names for which backwards compatible behavior should be turned on.

      Currently the following values are respected:

      • "USER_MANAGEMENT" : to avoid enforcing Permissions.USER_MANAGEMENT permission.
      • "REMOVE_NODE" : to enforce permission checks for all items located in the subtree in case of removal.
      Since:
      OAK 1.0
      See Also:

    • VALUE_PERMISSIONS_JR2

      static final String VALUE_PERMISSIONS_JR2
      Value of the PARAM_PERMISSIONS_JR2 configuration parameter that contains all value entries.

    • PARAM_ADMINISTRATIVE_PRINCIPALS

      static final String PARAM_ADMINISTRATIVE_PRINCIPALS
      Configuration parameter specifying additional principals that should be treated as 'administrator' thus get granted full permissions on the complete repository content.
      Since:
      OAK 1.0
      See Also:

    • PARAM_READ_PATHS

      static final String PARAM_READ_PATHS
      Configuration parameter to enable full read access to regular nodes and properties at the specified paths.
      Since:
      OAK 1.0
      See Also:

    • DEFAULT_READ_PATHS

      static final Set<String> DEFAULT_READ_PATHS
      Default value for the PARAM_READ_PATHS configuration parameter.
      Since:
      OAK 1.0