
Redundant jcr:read permissions on /conf

Open kwin opened this issue 1 year ago • 7 comments

The repoinit script from https://github.com/Adobe-Consulting-Services/acs-aem-commons/blob/master/all/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-acs-commons-all.config grants jcr:read in /conf to several system users. That is redundant as AEM 6.5 and AEMaaCS ship with the following default permissions for everyone:

```
allow jcr:read on /conf with restrictions: [rep:subtrees: '/global/site-templates/,/settings/wcm/,/sling:configs/,/settings/dam/cfm/models/,/settings/graphql/persistentQueries' ]
```

kwin avatar Jul 04 '24 16:07 kwin

@YegorKozlov Any idea why we still ran into #3284? Was the aforementioned access control entry not enough (even the service user should inherit from everyone)...

Update: Never mind, found that redirects are stored below settings/redirects, which is not covered by any of the rep:subtrees from above!

kwin avatar Jul 04 '24 16:07 kwin

@kwin I assume this is the same for marketo? Can we close this?

davidjgonzalez avatar Jul 08 '24 13:07 davidjgonzalez

@davidjgonzalez Sorry, I am not following. Which marketo path/config are you referring to? Why should this justify closing this ticket?

kwin avatar Jul 08 '24 13:07 kwin

@kwin Wrt the redirects (#3284), based on this thread it sounds like the current ACLs are necessary due to the OOTB with restrictions (i.e. we can't remove them), or am I missing something?

davidjgonzalez avatar Jul 08 '24 13:07 davidjgonzalez

I am not familiar with the service users, but as long as they only use content below the allowed subtrees there is no need for it. Potential candidates are

  1. https://github.com/Adobe-Consulting-Services/acs-aem-commons/blob/70679422ea50ba281a62abccdf77c1b0690f7b5c/all/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-acs-commons-all.config#L34
  2. https://github.com/Adobe-Consulting-Services/acs-aem-commons/blob/70679422ea50ba281a62abccdf77c1b0690f7b5c/all/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-acs-commons-all.config#L40

kwin avatar Jul 08 '24 13:07 kwin

@kwin

The only ACL block needed is:

```
# web requests need read access to redirect configurations, e.g. /conf/global/settings/redirects
set ACL for everyone
    allow jcr:read on /conf  restriction(rep:glob,/*/settings/redirects)
    allow jcr:read on /conf  restriction(rep:glob,/*/settings/redirects/*)
end
```

This one is obsolete, but let me confirm first.

```
create service user acs-commons-manage-redirects-service with path system/acs-commons
set ACL for acs-commons-manage-redirects-service
    allow jcr:read on /
    allow jcr:read on /conf
end
```

YegorKozlov avatar Jul 08 '24 15:07 YegorKozlov

@kwin I'm going to remove this one

```
create service user acs-commons-manage-redirects-service with path system/acs-commons
set ACL for acs-commons-manage-redirects-service
    allow jcr:read on /
    allow jcr:read on /conf
end
```

and refactor Redirect Manager to not require service users at all. With redirects readable to everyone, we can access them using the request's resolver. The service user and the reference to @ResourceResolverFactory will go away.

YegorKozlov avatar Jul 12 '24 14:07 YegorKozlov
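
An added example, not part of the thread or of acs-aem-commons: a small Python audit over the repoinit blocks quoted above that lists unrestricted grants on broad paths and checks whether a path below /conf falls under the default rep:subtrees values from the issue. The function names and the simplified subtree-matching rule are assumptions, not Oak's implementation.

```python
import re

# rep:subtrees values of the default "everyone" jcr:read entry on /conf (quoted in the issue)
DEFAULT_SUBTREES = ["/global/site-templates/", "/settings/wcm/", "/sling:configs/",
                    "/settings/dam/cfm/models/", "/settings/graphql/persistentQueries"]
# Constructed sample: the repoinit blocks posted in the thread
SAMPLE = """\
set ACL for everyone
    allow jcr:read on /conf  restriction(rep:glob,/*/settings/redirects)
    allow jcr:read on /conf  restriction(rep:glob,/*/settings/redirects/*)
end
create service user acs-commons-manage-redirects-service with path system/acs-commons
set ACL for acs-commons-manage-redirects-service
    allow jcr:read on /
    allow jcr:read on /conf
end
"""
ACE = re.compile(r"^\s*allow\s+(\S+)\s+on\s+(\S+)(?:\s+restriction\((.*)\))?\s*$")
BLOCK = re.compile(r"^\s*set ACL for (\S+)\s*$")

def covered_by_default(path, root="/conf", subtrees=DEFAULT_SUBTREES):
    """Simplified matching model (assumption): a value ending in '/' must appear
    inside the path below root; any other value may also be the end of the path."""
    if not path.startswith(root + "/"):
        return False
    rel = path[len(root):]
    return any((s in rel) if s.endswith("/") else (rel.endswith(s) or s + "/" in rel)
               for s in subtrees)

def parse_repoinit(text):
    """Return (principal, privilege, path, restriction) for every allow line."""
    entries, principal = [], None
    for line in text.splitlines():
        block, ace = BLOCK.match(line), ACE.match(line)
        if block:
            principal = block.group(1)
        elif line.strip() == "end":
            principal = None
        elif principal and ace:
            entries.append((principal, ace.group(1), ace.group(2), ace.group(3)))
    return entries

def unrestricted_grants(entries, broad_paths=("/", "/conf")):
    """Entries that grant a privilege on a broad path with no restriction at all."""
    return [e for e in entries if e[3] is None and e[2] in broad_paths]

if __name__ == "__main__":
    print(unrestricted_grants(parse_repoinit(SAMPLE)))
    print(covered_by_default("/conf/global/settings/redirects"))
```

Run against the sample, it reports the two service-user entries as unrestricted and shows that `/conf/global/settings/redirects` is outside the default subtrees, which is why the restricted `everyone` entry is still needed.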