Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
Bedrock Mission!

Learn more

View all

Sign in to view all badges

SOLVED

Retrieve effective permissions in AEM 6.0 using REST services

Avatar

Level 2

Hi,

I'm new in the world of AEM. I have installed AEM 6.0 (author and publish instances).

I'm interested to find a way to retrieve effective permissions on a specific repository node by using a REST call.

For this, I have installed the last version of the OSGi Bundle "jackrabbit.accessmanager" (v2.1.2). With this, we can do this call to get the effective permissions for pa particular not in JSON format: http://localhost:4502/content/mynode.eacl.json.

However, its seems that the effective permissions are not correctly computed... it seems that the ACLs defined with restrictions are not correctly resolved. I think that it's something new in AEM 6.0 because it uses the JackRabbit Oak 1.0.0 Repository instead of a JackRabbit 2.0 Repository... and maybe restrictions are a new concept not correctly handled in the "jackrabbit.accessmanager" bundle?!?

In fact, in the default demo Geometrixx, some ACLs are defined for the "Everyone" group with restrictions (path), for example:

  • everyone - Deny jcr:read - Restrictions rep:glob-libs*/config/*
  • everyone - Deny jcr:read - Restrictions rep:glob-apps*/config/*
  • everyone - Allow jcr:read

The effective permissions for all nodes excluding nodes under the path "libs" and "apps" should be "Allow jcr:read", but the call returns for the "content" node for example:

everyone: { principal: "everyone",denied: [ jcr:read ], order: 3 }

I think that the restrictions are not correctly handled by this bundle... maybe it is outdated and not compatible with the JackRabbit Oak 1.0.0 Repository...

Is there an equivalent or something new to get effective permissions with a REST call in AEM 6.0?

Thanks for your help.

Matthieu

1 Accepted Solution

Avatar

Correct answer by
Employee Advisor

Hi Matthieu,

Automatically migrating permissions from one security model into another one ... that sounds scary. I don't know if it works at all.

To your question: the "rep:glob" (aka "wildcard ACLs")[1] style of ACLs is nothing new in AEM 6.0, it was there also in earlier versions of CQ5 (IIRC I saw it for the first time in 5.3). And I don't know if the effective ACLs can be exposed, because normally there's no need to. The only way I can think of is to create a session with every user (!) and iterate the complete repository (!) with it. Which probbaly takes an incredibly amount of time. You can likely optimize it by looking at the rep:* nodes and assuming, that below them the permissions do not change anymore, but then don't forget the wildcard ACLs (rep:glob), which can take effect on the complete repository.

I would strongly recommend you to engage with Adobe Consulting.

kind regards,
Jörg

[1] http://wiki.apache.org/jackrabbit/AccessControl#Principal-based_ACLs

View solution in original post

12 Replies

Avatar

Employee Advisor

Hi Matthieu,

Why do you need to get the effective permissions for a specific node? Whenever you access the repository using a specific user, the permissions are actually already checked before you access it. So you don't need to perform a manual check for it. So for 99,999% of all cases you don't need to get this data out of the repo (the remaining might be for audit purposes ...)

kind regards,
Jörg

Avatar

Level 1

Hi Jörg,

I explore the possibilities to integrate the data in another application (external). I want to retrieve some specific content nodes (and its attributes), but I also need to replicate the permissions of this node. For this, I need to get the effective permissions not for a specific user but for all defined users. I will do my REST call with an administrator account for example.

Thanks,

Matthieu

Avatar

Employee Advisor

Hi Matthieu,

ok, I understand. But I don't think, that you should replicate the permissions in your external application, but rather use the correct user to request the resource (instead of using always the same user). So you're likely doing more requests, but you don't need to care about permissions onthe 3rd party side anymore.

kind regards,
Jörg

Avatar

Level 2

Yes, I understand your point, but I have some constraints...

I will not be able to dynamically do the query with a "specific user". I really need to get the effective permissions (in terms of users and groups) and push them in another security model with the retrieved content.

Is there no way to do this?

Thanks,

Matthieu

Avatar

Correct answer by
Employee Advisor

Hi Matthieu,

Automatically migrating permissions from one security model into another one ... that sounds scary. I don't know if it works at all.

To your question: the "rep:glob" (aka "wildcard ACLs")[1] style of ACLs is nothing new in AEM 6.0, it was there also in earlier versions of CQ5 (IIRC I saw it for the first time in 5.3). And I don't know if the effective ACLs can be exposed, because normally there's no need to. The only way I can think of is to create a session with every user (!) and iterate the complete repository (!) with it. Which probbaly takes an incredibly amount of time. You can likely optimize it by looking at the rep:* nodes and assuming, that below them the permissions do not change anymore, but then don't forget the wildcard ACLs (rep:glob), which can take effect on the complete repository.

I would strongly recommend you to engage with Adobe Consulting.

kind regards,
Jörg

[1] http://wiki.apache.org/jackrabbit/AccessControl#Principal-based_ACLs

Avatar

Level 1

Hi Jörg,

Thanks for you reply.

Since an administrator can see all effective permissions for a specific path in CRX Explorer > Access Control, there is probably a way to retrieve this information. No ?

Thanks,

Matthieu

Avatar

Employee Advisor

Hi,

yes, there might be an API to do it (it could also be, that the CRX Explorer has some logic builtin to imitate the ACL evaluation of Jackrabbit/Oak). But it doesn't display the effective ACLs for all users and for all nodes, which is probably what you need.

kind regards,
Jörg

Avatar

Level 2

I don't understand why it would not be possible. If I have a way to retrieve effective permissions for a specific node, I'm able to determine if the user has access or not.

For example with the Geometixx Demo and this call: http://localhost:4502/content.eacl.json 

I get this: 

{ content-authors: { principal: "content-authors", granted: [ "jcr:versionManagement", "crx:replicate", "jcr:lockManagement", "rep:write" ], order: 0 }, administrators: { principal: "administrators", granted: [ "jcr:all" ], order: 1 }, contributor: { principal: "contributor", granted: [ "jcr:read" ], order: 2 }, everyone: { principal: "everyone", denied: [ "jcr:read" ], order: 3 } }

I'm able to evaluate who has access to the node "Content". The only issue in this bundle is that I doesn't seem to take care of the "Restrictions".

I will have all users and/groups and their permissions... 

I don't understand your last statement:

"But it doesn't display the effective ACLs for all users and for all nodes, which is probably what you need."

Thanks,

Matthieu

Avatar

Employee Advisor

Hi Matthieu,

Yes, that might work, but I don't have the code for this specific servlet registered to the select "eacl" available to me; I also only find the interface "accessmanager", which you can use to query permissions on the user owning the session. I don't find an OSGI bundle containing the string "accessmanager" in my AEM 6.0.

Basically you can get all the information you need out of the system. But assuming a reasonable large repository and a few hundreds of users this is not a process which can be executed within minutes. Please also be aware, that wildcard ACLs can be applied not only on node level, but even on properties level (which is not used ootb, but which is possible to implement).

kind regards,
Jörg

Avatar

Level 2

Hi Jörg,

I use this bundle to get this response: http://sling.apache.org/documentation/bundles/managing-permissions-jackrabbit-accessmanager.html.

And I think that this call can be used in the AccessManager:

  • getEffectivePolicies(String)

Ref.: http://jackrabbit.apache.org/oak/docs/security/accesscontrol/editing.html

However, I think that will have to implement my own servlet to expose this call in REST.

Thanks,

Matthieu

Avatar

Employee Advisor

Hi Matthieu,

if the getEffectivePolicies() call does not respect wildcard ACLs, then please raise a ticket at the jackrabbit project.

And btw: Why isn't "GET http://localhost:4052/content.eacl.json" ReStfull? 🙂

kind regards,
Jörg

Avatar

Level 2

Hi Jörg,

Yes, it seems that the OSGi Bundle "JackRabbit.AccessManager" doesn't correctly compute the effective permissions when one or more restrictions are defined. They simply compute the deny set and the allow set no matter if the restrictions is applied or not to the specific resource path...

I have implemented my own servlet (with another custom selector) that calls the AccessManager.getEffectivePolicies(resourcePath) of the JCR API and I have all policies including these with a restriction. I will probably need to do my own algorithm to compute the final denied and allowed sets.

For you last question, no sure to understand it... this call is Restful, however, it doesn't return the expected result...

Thanks,

Matthieu