Apache Sling & Friends Tech Meetup Berlin, 26-28 September 2016 · 2020-02-28
TRANSCRIPT
AC Tool – Simplified Rights & Roles Rollout
R. Gruber, J. Koschorke, Netcentric
adaptTo() 2016
What are ACLs?
What Are ACLs Used For?
Why to use a tool for ACL rollout?
Why Use a Tool for AC Rules?
• Tend to be complex
• Need to be understandable
• Must be consistent
• Need to be portable between stages
• Need automation
Why a New Tool?
Aspect           | Content Package  | ACL Setup Service         | AC Tool
Readability      | hard to read     | readable for small setups | human-readable files
Run mode support |                  |                           |
Consistency      | old entries stay | old entries stay          | deletes old ACLs
Export           | ACL Packager     |                           |
Maintenance      | complex          | one OSGi configuration    | multiple files
How does AC Tool work?
File Structure
• YAML format
• Multiple files per folder
• Run mode in folder name
Sections
config.yaml is made up of three sections:
• group_config: the group definitions, e.g. editors (name: Page Editors, …) and admins (name: Page Editors, …)
• user_config: the user definitions
• ace_config: the ACEs assigned to each group, e.g. editors (path: /content, …) and admins (path: /content, …)
Group Definitions
- group_config:
  - editors:
    - name: Page Editors
      isMemberOf: staff
      members: joe
      description: All page editors
      path: myproject
Assign ACEs to Groups
Simple ACE
- ace_config:
  - editors:
    - path: /content
      permission: allow
      privileges: jcr:read,rep:write
Assign ACEs to Groups
Using restrictions
- ace_config:
  - editors:
    - path: /content
      permission: allow
      privileges: jcr:read
      restrictions:
        rep:glob: /jcr:*
Restricts the ACE to jcr: attributes
ACE ordering
Consistent order of ACEs:
1. System ACEs
2. Deny rules
3. Allow rules
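To make the three config sections and the ordering slide concrete, here is a small linter for an AC Tool-style configuration. It is an added example written for this page, not part of the AC Tool or of Netcentric's code. CONFIG is a constructed, already-parsed form of the YAML from the slides (a real run would load the YAML files with a YAML parser first); the `reviewers` group, the `/content/secret` entry and the misspelled `alow` / `jcr:readd` values are deliberate defects constructed so the checks have something to report. Privilege and restriction names come from JCR 2.0 and Jackrabbit Oak. The checks: every group in ace_config exists in group_config, isMemberOf targets are defined, permission is allow or deny, privileges and restriction names are known, deny ACEs are reported (the best-practice slide says to avoid them), and `ordered_aces` puts deny rules before allow rules as on the ordering slide, leaving system ACEs to the tool itself.

```python
"""Lint an AC Tool-style configuration before rollout.

Added example, not AC Tool code. CONFIG is a hand-written (constructed)
parsed form of the YAML shown on the slides; a real run would first load
the YAML files with a YAML parser.
"""

# Privilege and restriction names defined by JCR 2.0 and Jackrabbit Oak.
KNOWN_PRIVILEGES = {
    "jcr:read", "jcr:write", "jcr:all", "jcr:addChildNodes", "jcr:removeNode",
    "jcr:modifyProperties", "jcr:removeChildNodes", "jcr:readAccessControl",
    "jcr:modifyAccessControl", "jcr:nodeTypeManagement", "jcr:versionManagement",
    "jcr:lockManagement", "rep:write", "rep:readNodes", "rep:readProperties",
    "rep:addProperties", "rep:alterProperties", "rep:removeProperties",
    "rep:userManagement",
}
KNOWN_RESTRICTIONS = {"rep:glob", "rep:ntNames", "rep:prefixes", "rep:itemNames"}

CONFIG = {
    "group_config": {
        "staff": [{"name": "Staff", "path": "myproject"}],
        "editors": [{"name": "Page Editors", "isMemberOf": "staff", "members": "joe",
                     "description": "All page editors", "path": "myproject"}],
    },
    "ace_config": {
        "editors": [
            {"path": "/content", "permission": "allow", "privileges": "jcr:read,rep:write"},
            {"path": "/content", "permission": "allow", "privileges": "jcr:read",
             "restrictions": {"rep:glob": "/jcr:*"}},
            {"path": "/content/secret", "permission": "deny", "privileges": "jcr:read"},
        ],
        # Constructed defects: group never defined, misspelled permission and privilege.
        "reviewers": [
            {"path": "/content", "permission": "alow", "privileges": "jcr:readd"},
        ],
    },
}


def split_list(value):
    """AC Tool writes multi-valued fields (privileges, isMemberOf) as comma-separated strings."""
    return [v.strip() for v in str(value).split(",") if v.strip()]


def lint(config):
    """Return (errors, warnings). Errors are entries the repository would reject or
    that would silently grant nothing; warnings are best-practice violations."""
    errors, warnings = [], []
    groups = config.get("group_config", {})
    for gid, entries in groups.items():
        for entry in entries:
            for parent in split_list(entry.get("isMemberOf", "")):
                if parent not in groups:
                    warnings.append(f"group {gid}: isMemberOf {parent} is not defined in group_config")
    for gid, aces in config.get("ace_config", {}).items():
        if gid not in groups:
            errors.append(f"ace_config: group {gid} is not defined in group_config")
        for ace in aces:
            where = f"{gid}@{ace.get('path')}"
            permission = ace.get("permission")
            if permission not in ("allow", "deny"):
                errors.append(f"{where}: permission must be allow or deny, got {permission!r}")
            elif permission == "deny":
                warnings.append(f"{where}: deny ACE; avoid denies whenever possible")
            for priv in split_list(ace.get("privileges", "")):
                if priv not in KNOWN_PRIVILEGES:
                    errors.append(f"{where}: unknown privilege {priv}")
            for key in ace.get("restrictions", {}):
                if key not in KNOWN_RESTRICTIONS:
                    errors.append(f"{where}: unknown restriction {key}")
    return errors, warnings


def ordered_aces(aces):
    """The tool's consistent order for one group: deny rules before allow rules.
    The sort is stable, so the author's order within each class is kept."""
    return sorted(aces, key=lambda ace: 0 if ace.get("permission") == "deny" else 1)


if __name__ == "__main__":
    errors, warnings = lint(CONFIG)
    for line in errors:
        print("ERROR  ", line)
    for line in warnings:
        print("WARNING", line)
    for ace in ordered_aces(CONFIG["ace_config"]["editors"]):
        print(ace["permission"], ace["path"], ace["privileges"])
```

Running the linter in a build step, before the package with the YAML files is deployed, turns a misspelled privilege or a group that exists only in ace_config into a failed build instead of a silently incomplete rollout.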
User Creation
User Creation: user_config
• Primarily for test users and system users
• Profile content creation
• Preferences content creation
User Creation: Examples
- poweruser:
  - name: PowerUserTestUser
    isMemberOf: powerusers
    password: secret
    path: myproject
    profileContent: <jcr:root jcr:primaryType="nt:unstructured" email="[email protected]"/>
- system_reader:
  - name: system-reader
    isMemberOf: system-read
    path: myproject
    isSystemUser: true
Installation of ACEs
Four ways to trigger an installation: JMX, Curl, JCR Listener, Install Hook

Installation: JMX
The AC Tool JMX MBean offers:
• status information
• execute
• purge permissions
• create exports
Installation: Curl
Curl
curl -sS --retry 1 -u admin:admin -X POST "http://localhost:4502/system/console/jmx/biz.netcentric.cq.tools.actool:id='ac+installation'/op/execute/"
Installation: JCR Listener
JCR Listener
• Event based trigger:
  • On new upload
  • On change in deployed config
• Can be disabled
Installation: Install Hook
Install Hook
<plugin>
  <groupId>com.day.jcr.vault</groupId>
  <artifactId>content-package-maven-plugin</artifactId>
  <configuration>
    <properties>
      <installhook.actool.class>biz.netcentric.cq.tools.actool.installhook.AcToolInstallHook</installhook.actool.class>
    </properties>
  </configuration>
</plugin>
Live Demo
Best Practices
Best Practices: Some General Hints
• Avoid deny ACEs whenever possible
• Split configuration files by project/topic
• Create demo users with test content
• Keep it simple
Best Practices: Fragments
• Dogma: separation of functional aspects and content
• Permission-specific groups: fragments
  • Functional fragments
  • Content fragments
• In addition:
  • One fragment-basic-restrict-for-everyone
  • One fragment-basic-allow
Best Practices: Fragments
Desired group permissions through combination of fragments
Best Practices: Fragments
PROs
• Separation of allows and denies, no mix
• Decreased length of ACLs
• Reusability
• Transparency
CONs
• Increased number of total groups
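As an added example of the fragment approach (written for this page, not AC Tool or Netcentric code): the fragment and group names below are constructed and the ACEs are illustrative; only the isMemberOf and ace_config layout follows the slides. `fragments_of` resolves the transitive isMemberOf chain of a project group, `effective_aces` lists what the group gets through its fragments in deny-before-allow order, `mixed_fragments` flags a fragment that mixes allows and denies (the "no mix" PRO only holds while fragments stay pure), and `group_counts` shows the CON, the extra groups.

```python
"""Resolve the ACEs a project group inherits from permission fragments.

Added example, not AC Tool code. Group names, fragment names and the ACEs
are constructed for illustration; only the isMemberOf / ace_config layout
follows the slides.
"""

# Fragments carry the ACEs; project groups only reference fragments via isMemberOf.
GROUP_CONFIG = {
    "fragment-basic-restrict-for-everyone": {"isMemberOf": ""},
    "fragment-basic-allow": {"isMemberOf": ""},
    "fragment-content-myproject-write": {"isMemberOf": ""},
    "fragment-functional-replicate": {"isMemberOf": ""},
    "editors": {"isMemberOf": "fragment-basic-restrict-for-everyone,"
                              "fragment-basic-allow,fragment-content-myproject-write"},
    "publishers": {"isMemberOf": "editors,fragment-functional-replicate"},
}
ACE_CONFIG = {
    "fragment-basic-restrict-for-everyone": [
        {"path": "/content", "permission": "deny", "privileges": "jcr:all"},
        {"path": "/etc", "permission": "deny", "privileges": "jcr:all"},
    ],
    "fragment-basic-allow": [
        {"path": "/content", "permission": "allow", "privileges": "jcr:read"},
        {"path": "/etc/designs", "permission": "allow", "privileges": "jcr:read"},
    ],
    "fragment-content-myproject-write": [
        {"path": "/content/myproject", "permission": "allow", "privileges": "rep:write"},
    ],
    "fragment-functional-replicate": [
        {"path": "/content/myproject", "permission": "allow", "privileges": "crx:replicate"},
    ],
}


def split_list(value):
    """isMemberOf is a comma-separated string in AC Tool YAML."""
    return [v.strip() for v in str(value).split(",") if v.strip()]


def fragments_of(group, group_config=GROUP_CONFIG):
    """Transitive closure of isMemberOf in depth-first order; each group is
    visited once, so a membership cycle cannot loop forever."""
    seen, order = set(), []

    def walk(member):
        for parent in split_list(group_config.get(member, {}).get("isMemberOf", "")):
            if parent not in seen:
                seen.add(parent)
                order.append(parent)
                walk(parent)

    walk(group)
    return order


def effective_aces(group, group_config=GROUP_CONFIG, ace_config=ACE_CONFIG):
    """Every ACE the group gets through its fragments, tagged with the fragment
    it comes from, deny rules first (the tool's consistent ACE order)."""
    collected = [(g, ace) for g in [group] + fragments_of(group, group_config)
                 for ace in ace_config.get(g, [])]
    return sorted(collected, key=lambda item: 0 if item[1]["permission"] == "deny" else 1)


def mixed_fragments(ace_config=ACE_CONFIG):
    """Fragments that contain both allow and deny ACEs, which breaks the
    separation of allows and denies the fragment layout is meant to give."""
    return sorted(g for g, aces in ace_config.items()
                  if len({ace["permission"] for ace in aces}) > 1)


def group_counts(group_config=GROUP_CONFIG):
    """(fragments, project groups): the extra groups are the cost of the approach."""
    fragments = [g for g in group_config if g.startswith("fragment-")]
    return len(fragments), len(group_config) - len(fragments)


if __name__ == "__main__":
    for source, ace in effective_aces("publishers"):
        print(f"{ace['permission']:5} {ace['path']:22} {ace['privileges']:15} via {source}")
    print("mixed fragments:", mixed_fragments())
    print("fragments / project groups:", group_counts())
```

Because a project group such as publishers carries no ACEs of its own, a review of what it can do reduces to reading the fragment list it inherits; `effective_aces` is that list with the originating fragment next to each entry, which is the transparency the slides list as a PRO.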
Links
AC Tool homepage: https://github.com/Netcentric/accesscontroltool
Netcentric: https://github.com/Netcentric and http://www.netcentric.biz/
Thank you