Closed kwin closed 3 months ago
Thanks for raising this - we will investigate.
@adobe export issue to Jira project CQDOC
:white_check_mark: Jira issue CQDOC-21695 is successfully created for this GitHub issue.
@kwin
We've checked with RnD and have had the following response:
"the new service user mapping format doesn't require principal-based authorization in order to work. principal-based authorization is just the recommended way to setup permissions for service users.... but has nothing to do with the Sling service user mapping. the latter defines how the service login is performed, not how authorization is done."
Hope that helps, and closing this issue.
That makes a lot of sense. Thanks a lot for the answer and sorry for the noise.
@kwin Absolutely no problem!
@kwin Hello again - we've just had some further information from RnD:
"Sling Service User Mapping and Authentication
the main difference between the deprecated format and the new format is that the latter allows to aggregate multiple service user principals. the resulting subject upon login (both for service session and service resource resolver) contains a set of principals that contains exactly the principals specified in the service user mapping. the first one being used to populate the user id field. there will be no group membership resolution as we don't want service users to be place into groups. service users are part of the application content, while groups are not. permission setup for services (and thus the service users) are part of the development process (thus application) and must not be impacted by changes to permission setup for groups (in particular everyone group).
Access Control Setup for Service Users
Ideally ac setup for service users is principal-based as it would allow us to make it immutable like content below /apps and /libs. That's why service users that support principal-based authorization are place into a dedicated configured subtree.
However, for service users outside of that subtree regular resource-based access control setup can be used."
Again, hope that helps (further).
Issue in ./help/security/best-practices-for-sling-service-user-mapping-and-service-user-definition.md
The best practice
is wrong, as AEM 6.4 and AEM 6.5 (even with SP21) don't ship with the necessary
oak-authorization-principalbased
bundle (compare with https://github.com/Adobe-Consulting-Services/acs-aem-commons/issues/2541#issuecomment-1154902821)