APACHE SLING & FRIENDS TECH MEETUPBERLIN, 26-28 SEPTEMBER 2016

AC Tool – Simplified Rights & Roles RolloutR. Gruber, J. Koschorke, Netcentric

adaptTo() 2016 2

What are ACLs?

What Are ACLs Used For?

adaptTo() 2016 3

adaptTo() 2016 4

Why to use a tool for ACL rollout?

Why Use a Tool for AC Rules?

adaptTo() 2016 5

Tend to be complex Need to be understandable Must be consistent Need to be portable between stages Need automation

Why a New Tool?

adaptTo() 2016 6

Aspect Content Package ACL Setup Service AC Tool

Readability hard to readreadable for small setups

humanreadable files

Run mode support

Consistency old entries stay old entries staydeletes oldACLs

Export ACL Packager

Maintenance complexone OSGIconfiguration

multiple files

Why a New Tool?

adaptTo() 2016 6

Aspect Content Package ACL Setup Service AC Tool

Readability hard to readreadable for small setups

humanreadable files

Run mode support

Consistency old entries stay old entries staydeletes oldACLs

Export ACL Packager

Maintenance complexone OSGIconfiguration

multiple files

Why a New Tool?

adaptTo() 2016 6

Aspect Content Package ACL Setup Service AC Tool

Readability hard to readreadable for small setups

humanreadable files

Run mode support

Consistency old entries stay old entries staydeletes oldACLs

Export ACL Packager

Maintenance complexone OSGIconfiguration

multiple files

Why a New Tool?

adaptTo() 2016 6

Aspect Content Package ACL Setup Service AC Tool

Readability hard to readreadable for small setups

humanreadable files

Run mode support

Consistency old entries stay old entries staydeletes oldACLs

Export ACL Packager

Maintenance complexone OSGIconfiguration

multiple files

Why a New Tool?

adaptTo() 2016 6

Aspect Content Package ACL Setup Service AC Tool

Readability hard to readreadable for small setups

humanreadable files

Run mode support

Consistency old entries stay old entries staydeletes oldACLs

Export ACL Packager

Maintenance complexone OSGIconfiguration

multiple files

Why a New Tool?

adaptTo() 2016 6

Aspect Content Package ACL Setup Service AC Tool

Readability hard to readreadable for small setups

humanreadable files

Run mode support

Consistency old entries stay old entries staydeletes oldACLs

Export ACL Packager

Maintenance complexone OSGIconfiguration

multiple files

adaptTo() 2016 7

How does AC Tool work?

File Structure

adaptTo() 2016 8

Yaml format Multiple files per folder Run mode in folder name

Sections

adaptTo() 2016 9

- group_config……

- user_config……

- ace_config……

config.yaml- editors

- name: Page Editors…

- admins- name: Page Editors

…

Group configuration

- editors- path: /content

…- admins

- path: /content…

ACEs

Group Definitions

adaptTo() 2016 10

- group_config:

- editors:

- name: Page Editors

isMemberOf: staff

members: joe

description: All page editors

path: myproject

Assign ACEs to Groups

adaptTo() 2016 11

Simple ACE

- ace_config:

- editors:

- path: /content

permission: allow

privileges: jcr:read,rep:write

Assign ACEs to Groups

adaptTo() 2016 12

Using restrictions- ace_config:

- editors:

- path: /content

permission: allow

privileges: jcr:read

restrictions:

rep:glob: /jcr:*

Restrict to jcrattributes

ACE ordering

adaptTo() 2016 13

Consistent order of ACEs

System ACEs

Deny rules

Allow rules

14

User Creation

User Creation: user_config

15

Primarily for test users and System users Profile content creation Preferences content creation

User Creation: Examples

16

- poweruser

- name: PowerUserTestUser

isMemberOf: powerusers

password: secret

path: myproject

profileContent: <jcr:root

jcr:primaryType="nt:unstructured"

email="poweruser@example.com"/>

- system_reader:

- name: system-reader

isMemberOf: system-read

path: myproject

isSystemUser: true

17

Installation of ACEs

Curl

JCR Listener

Install Hook

Installation: JMX

18

JMX

Curl

JCR Listener

Install Hook

Installation: JMX

19

JMX

status informations

Curl

JCR Listener

Install Hook

Installation: JMX

20

JMX

execute

Curl

JCR Listener

Install Hook

Installation: JMX

21

JMX

purge permissions

Curl

JCR Listener

Install Hook

Installation: JMX

22

JMX

create exports

JMX

JCR Listener

Install Hook

Installation: Curl

23

Curlcurl -sS --retry 1 -u admin:admin -X POST

"http://localhost:4502/system/console/jmx/biz.netcentric

cq.tools.actool:id='ac+installation'/op/execute/"

JMX

Curl

Install Hook

Installation: JCR Listener

24

• Event based trigger:• On new upload• On change in deployed config• Can be disabled

JCR Listener

JMX

Curl

JCR Listener

Installation: Install Hook

25

Install Hook

<plugin>

<groupId>com.day.jcr.vault</groupId>

<artifactId>content-package-maven-plugin</artifactId>

<configuration>

<properties>

<installhook.actool.class>

biz.netcentric.cq.tools.actool.installhook.AcToolInstallHook

</installhook.actool.class>

</properties>

</configuration>

</plugin>

26

Live Demo

27

Best Practices

Best Practises: Some General Hints

28

Avoid deny ACEs whenever possible Split configuration files by project/topic Create demo users with test content Keep it simple

Best Practises: Fragments

29

Dogma: separation of functional aspects and content Permission specific groups: fragments Functional fragments Content fragments

In addition: One fragment-basic-restrict-for-everyone One fragment-basic-allow

Best Practises: Fragments

30

Desired group permissions through combination of fragments

Best Practises: Fragments

31

PROs Separation of allow and denies, no mix Decreased length of ACLs Reusability Transparency

CONs Increased number of total groups

32

Links

Links

33

AC Tool homepage:https://github.com/Netcentric/accesscontroltool

Netcentric:https://github.com/Netcentrichttp://www.netcentric.biz/

34

Thank you