Open ghenzler opened 5 years ago
Can you give some use cases where the service user does lead to issues? The “Why” is not clear to me from this issue’s description.
@kwin The reason I created this issue is that, for some reason, when working on plain Apache Sling and installing accesscontroltool-package via Composum, the service user is created but the ACLs for the service user on / as contained in the package are ignored. For AEM it works flawlessly. Obviously, for this issue the root cause should also be tracked down instead of just using the admin session.
However, in general, from a conceptual point of view, you could argue that the "system setting up security" should run with super user rights (that would be admin in AEM). Also, I thought there were scenarios with rep glob denies on root, where the AC Tool service user would be able to lock out the AC Tool user from certain nodes, but I tested a bit and it turns out this is not the case (as long as the AC Tool user itself is not explicitly locked out using its very own principal).
With recent AEM versions, using an admin session leads to an exception. However for special use cases it is possible to whitelist a bundle for admin sessions via a config for PID org.apache.sling.jcr.base.internal.LoginAdminWhitelist.fragment.
The default should remain that the service user is used; however, if the AC Tool is whitelisted by an admin for admin session usage, it should rather use that session.