Uploaded image for project: 'Nuxeo Platform'
  1. Nuxeo Platform
  2. NXP-14045

Simplified ACLs

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 6.0
    • Component/s: Core, Core VCS, Security / Rights
    • Epic Link:
    • Tags:
    • Impact type:
      API change
    • Upgrade notes:
      Hide

      Negative ACLs are now disallowed by default. They can be re-enabled in VCS by setting the following property in nuxeo.conf:

      nuxeo.security.allowNegativeACL=true

      (however note that this is incompatible with Elasticsearch indexing). For DBS they cannot be enabled as the storage model doesn't allow them.

      New API added:

      CoreSession.isNegativeAclAllowed()

      This can be used to check whether the current session allows negative ACLs. Negative ACLs are ACLs that include an ACE with a deny (isGranted=false). This does not include the full-blocking ACE for Everyone/Everything, which is always allowed.

      Convenience constructor added:

      ACE(username, permission): constructs an ACE for a given username and permission.

      Convenience constant added:

      ACE.BLOCK: an ACE that blocks all permissions for everyone.

      Show
      Negative ACLs are now disallowed by default. They can be re-enabled in VCS by setting the following property in nuxeo.conf: nuxeo.security.allowNegativeACL=true (however note that this is incompatible with Elasticsearch indexing). For DBS they cannot be enabled as the storage model doesn't allow them. New API added: CoreSession.isNegativeAclAllowed() This can be used to check whether the current session allows negative ACLs. Negative ACLs are ACLs that include an ACE with a deny (isGranted=false). This does not include the full-blocking ACE for Everyone/Everything, which is always allowed. Convenience constructor added: ACE(username, permission): constructs an ACE for a given username and permission. Convenience constant added: ACE.BLOCK: an ACE that blocks all permissions for everyone.
    • Sprint:
      Sprint RepoTeam 5.9.5-1, Sprint RepoTeam 5.9.5-2

      Description

      Implement an ACL model where a document's effective ACLs are only positive ACLs.

      This is possible if the only possible blocking is everything.

      This allows a number of low-level optimisations, and allows ACL checks to be just a set intersection. This also allows a model more compatible with cloud storage, where the access to a document is controlled by just a list of allowed identities.

      1. flag in Nuxeo to enable this mode
      2. checks that no blocking ACLs are set against the rules
      3. low-level optimizations in VCS

        Attachments

          Issue Links

          is duplicated by

          Improvement - An improvement or enhancement to an existing feature or task. NXP-13190 Limited ACL for performance

          • Major - Major loss of function.
          • Resolved
          is required by

          Bug - A problem which impairs or prevents the functions of the product. NXP-15921 Allow negative ACL on Write

          • Critical - Crashes, loss of data, severe memory leak.
          • Resolved

          Task - A task that needs to be done. NXP-15229 Remove ability to setup negative ACLs in the UI

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

            Activity

              People

              • Votes:
                0 Vote for this issue
                Watchers:
                5 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: