[ 
https://issues.apache.org/jira/browse/SLING-12842?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17986319#comment-17986319
 ] 

Angela Schreiber commented on SLING-12842:
------------------------------------------

copying from [~jsedding]'s comment on SLING-12115 for anybody that is looking 
for the syntax while we are working on getting the repoinit documentation 
updated:

{code}
set ACL on / (ACLOptions=ignoreMissingPrincipal)
...
end

set ACL for nonExistingPrincipal (ACLOptions=ignoreMissingPrincipal)
...
end
{code}

Background Information:
Jackrabbit Oak comes with a configuration option for the authorization setup 
that relaxes the JCR contract that principals must be known to the repository in 
order to use them for access control setup. Originally just intended for XML 
import (e.g. upon replication) the configuration option is also respected 
during regular API calls.
See https://jackrabbit.apache.org/oak/docs/security/accesscontrol/default.html#configuration
With option "BESTEFFORT" the repository will allow to set ac content for 
non-existing principals or principals with administrative access (i.e. the ac 
content has no effect at all -> false sense of security) and just log the 
'violation'.



> Missing documentation for ACLOptions=ignoreMissingPrincipal (SLING-12115)
> -------------------------------------------------------------------------
>
>                 Key: SLING-12842
>                 URL: https://issues.apache.org/jira/browse/SLING-12842
>             Project: Sling
>          Issue Type: Bug
>          Components: Documentation, Repoinit
>            Reporter: Angela Schreiber
>            Assignee: Julian Sedding
>            Priority: Major
>
> hi [~jsedding], i was looking for the repoinit feature that allows to create 
> ac-setup for non existing principals which i recalled was added to the 
> implementation.
> as far as i can see this has indeed been added with SLING-12115 but i don't 
> see it reflected in the documentation, which makes it a bit cumbersome to 
> recommend it despite the fact that this is very useful.
> wdyt?



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
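
Added example (not part of the Jira message or the Sling project's code): a small audit that lists the access control entries in a repoinit script that rely on ACLOptions=ignoreMissingPrincipal and name a principal missing from a supplied inventory, which is where the "false sense of security" mentioned above can hide. The sample script, the principal names and the `audit` helper are constructed for illustration; the `allow`/`deny` entry lines assume the usual repoinit entry syntax, which the message elides as "...".

```python
import re

# Constructed sample repoinit script; all principal names are hypothetical.
SAMPLE = """\
create service user svc-reader
set ACL on /content (ACLOptions=ignoreMissingPrincipal)
    allow jcr:read for svc-reader, ghost-group
    deny jcr:write for everyone
end
set ACL for late-bound-user (ACLOptions=ignoreMissingPrincipal)
    allow jcr:read on /apps
end
set ACL for svc-reader
    allow jcr:read on /libs
end
"""

HEADER = re.compile(r"^set\s+ACL\s+(on|for)\s+(.+?)\s*(?:\(ACLOptions=([^)]*)\))?\s*$")
ENTRY = re.compile(r"^(allow|deny)\s+(.+?)\s+(on|for)\s+(.+)$")

def names(csv):
    return [n.strip() for n in csv.split(",") if n.strip()]

def audit(script, known_principals):
    """Return (line_no, principal, entry) for entries inside lenient blocks
    whose principal is not in known_principals."""
    findings, block = [], None
    for no, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        head = HEADER.match(line)
        if head:
            lenient = "ignoreMissingPrincipal" in names(head.group(3) or "")
            block = (head.group(1), names(head.group(2)), lenient)
            continue
        if line == "end":
            block = None
            continue
        entry = ENTRY.match(line)
        if not (block and block[2] and entry):
            continue
        # "set ACL for ...": principals come from the block header.
        # "set ACL on ...": principals follow "for" in each entry.
        tail = re.split(r"\s+restriction\s*\(", entry.group(4))[0]
        principals = block[1] if block[0] == "for" else names(tail)
        findings += [(no, p, line) for p in principals if p not in known_principals]
    return findings

if __name__ == "__main__":
    for no, principal, entry in audit(SAMPLE, {"svc-reader", "everyone"}):
        print(f"line {no}: '{principal}' is not a known principal: {entry}")
```

The inventory passed as `known_principals` has to come from the target repository (for example an export of its users and groups); entries the audit reports should be reviewed against the Oak import behaviour configured there.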
