From d3ba4d89a216b7804c297ad310a66cae3d8b12e5 Mon Sep 17 00:00:00 2001 From: David Webster Date: Fri, 24 Nov 2017 12:37:49 +0000 Subject: [PATCH 1/4] RM-5900: Document Extended Permission Service. --- rm-community/documentation/README.md | 1 + .../extendedPermissionService.md | 62 +++++++++++++++++++ 2 files changed, 63 insertions(+) create mode 100644 rm-community/documentation/extendedPermissionService.md diff --git a/rm-community/documentation/README.md b/rm-community/documentation/README.md index 2ad570b4f3..7f958b9eb7 100644 --- a/rm-community/documentation/README.md +++ b/rm-community/documentation/README.md @@ -2,3 +2,4 @@ * [Enterprise Technical Documentation](../../rm-enterprise/documentation/README.md) (the link will only work if this repository contains the enterprise code) * [Overview of the design of RM](overview.md) +* [Extended permission service](extendedPermissionService.md) diff --git a/rm-community/documentation/extendedPermissionService.md b/rm-community/documentation/extendedPermissionService.md new file mode 100644 index 0000000000..530cb92fa3 --- /dev/null +++ b/rm-community/documentation/extendedPermissionService.md @@ -0,0 +1,62 @@ +## Alfresco Governance Services' Extended Permission Service + +![Completeness Badge](https://img.shields.io/badge/Document_Level-Complete-green.svg?style=flat-square) + +![Version Badge](https://img.shields.io/badge/Version-Current-blue.svg?style=flat-square) + +### Purpose + +When working on the Records Management module, we needed additional functionality around permissions, and therefore +introduced the [ExtendedPermissionService](../../rm-community/rm-community-repo/source/java/org/alfresco/repo/security/permissions/impl/ExtendedPermissionServiceImpl.java). + +### Overview + +The ExtendedPermissionService is wired in, via [Spring config](../../rm-community-repo/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml) +to extend Alfresco's core PermissionService, and adds support for: +* the [RMPermissionModel](../../rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/capability/RMPermissionModel.java), which defines the available permissions capabilities. +* the [PermissionProcessorRegistry](../../rm-community/rm-community-repo/source/java/org/alfresco/repo/security/permissions/processor/PermissionProcessorRegistry.java), which introduces pre- and post- processors. +* other minor method extensions (e.g. to setInheritParentPermissions) + +### Permission Processor Registry + +This was added in RM 2.4 to support the requirements around the additional security classifications and markings. + +The registry is simply two array lists, one for pre-processors and one for post-processors, which are iterated around +before / after (respectively) the wrapped call PermissionService.hasPermission + +Out of the box, a system with the RM module installed will have the following permissions processors defined: + +#### Community: + +##### Pre-processors: +* None. + +##### Post-processors: +* [RecordsManagementPermissionPostProcessor](../../rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/permission/RecordsManagementPermissionPostProcessor.java) + * If the node is an RM node (i.e. it has the [RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT](../../rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/model/RecordsManagementModel.java) marker aspect) and the + core permissions evaluates to DENIED, then this post processor allows read/writes if the appropriate read/file + permissions are present. + +#### Enterprise: +(links only work in clones of Enterprise repos) + +##### Pre-processors: +* [SecurityMarksPermissionPreProcessor](../../rm-enterprise/rm-enterprise-repo/src/main/java/org/alfresco/module/org_alfresco_module_rm/securitymarks/permission/SecurityMarksPermissionPreProcessor.java) + * For all content: denies the result if the required security clearance rules (for classification or marks) are not satisfied. (uses +[securityClearanceService.isClearedFor](../../rm-enterprise/rm-enterprise-repo/src/main/java/org/alfresco/module/org_alfresco_module_rm/securitymarks/SecurityClearanceServiceImpl.java)) + +##### Post-processors: +* None. + + +### Configuration and Extension points + +Additional processors can be defined by extending either [PermissionPreProcessorBaseImpl](../../rm-community/rm-community-repo/source/java/org/alfresco/repo/security/permissions/processor/impl/PermissionPreProcessorBaseImpl.java) +or [PermissionPostProcessorBaseImpl](../../rm-community/rm-community-repo/source/java/org/alfresco/repo/security/permissions/processor/impl/PermissionPostProcessorBaseImpl.java) +which call the add method on the appropriate list during init. + +### Performance Implications + +There is certainly a performance overhead when adding additional processing to permission checks. This is most noticeable + in the SecurityMarksPermissionPreProcessor where we need to call out to an external service. This has been profiled + heavily and optimised during 2.5 and 2.6 development. \ No newline at end of file From a3c5fc26f05eac1099ea11d6f162ed6e0827f4f7 Mon Sep 17 00:00:00 2001 From: David Webster Date: Fri, 24 Nov 2017 12:43:35 +0000 Subject: [PATCH 2/4] RM-5900: minor link updates --- rm-community/documentation/extendedPermissionService.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rm-community/documentation/extendedPermissionService.md b/rm-community/documentation/extendedPermissionService.md index 530cb92fa3..e260762891 100644 --- a/rm-community/documentation/extendedPermissionService.md +++ b/rm-community/documentation/extendedPermissionService.md @@ -11,7 +11,7 @@ introduced the [ExtendedPermissionService](../../rm-community/rm-community-repo/ ### Overview -The ExtendedPermissionService is wired in, via [Spring config](../../rm-community-repo/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml) +The ExtendedPermissionService is wired in, via [Spring config](../../rm-community/rm-community-repo/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml), to extend Alfresco's core PermissionService, and adds support for: * the [RMPermissionModel](../../rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/capability/RMPermissionModel.java), which defines the available permissions capabilities. * the [PermissionProcessorRegistry](../../rm-community/rm-community-repo/source/java/org/alfresco/repo/security/permissions/processor/PermissionProcessorRegistry.java), which introduces pre- and post- processors. @@ -33,7 +33,7 @@ Out of the box, a system with the RM module installed will have the following pe ##### Post-processors: * [RecordsManagementPermissionPostProcessor](../../rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/permission/RecordsManagementPermissionPostProcessor.java) - * If the node is an RM node (i.e. it has the [RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT](../../rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/model/RecordsManagementModel.java) marker aspect) and the + * If the node is an RM node (i.e. it has the [RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT](../../rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/model/RecordsManagementModel.java#L184) marker aspect) and the core permissions evaluates to DENIED, then this post processor allows read/writes if the appropriate read/file permissions are present. @@ -43,7 +43,7 @@ Out of the box, a system with the RM module installed will have the following pe ##### Pre-processors: * [SecurityMarksPermissionPreProcessor](../../rm-enterprise/rm-enterprise-repo/src/main/java/org/alfresco/module/org_alfresco_module_rm/securitymarks/permission/SecurityMarksPermissionPreProcessor.java) * For all content: denies the result if the required security clearance rules (for classification or marks) are not satisfied. (uses -[securityClearanceService.isClearedFor](../../rm-enterprise/rm-enterprise-repo/src/main/java/org/alfresco/module/org_alfresco_module_rm/securitymarks/SecurityClearanceServiceImpl.java)) +[securityClearanceService.isClearedFor](../../rm-enterprise/rm-enterprise-repo/src/main/java/org/alfresco/module/org_alfresco_module_rm/securitymarks/SecurityClearanceServiceImpl.java#L86)) ##### Post-processors: * None. From 31b4115209afe05b2692a186e950eaec1e3126c5 Mon Sep 17 00:00:00 2001 From: David Webster Date: Fri, 24 Nov 2017 12:47:03 +0000 Subject: [PATCH 3/4] RM-5900: minor link updates --- rm-community/documentation/extendedPermissionService.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rm-community/documentation/extendedPermissionService.md b/rm-community/documentation/extendedPermissionService.md index e260762891..14da46f65e 100644 --- a/rm-community/documentation/extendedPermissionService.md +++ b/rm-community/documentation/extendedPermissionService.md @@ -11,7 +11,7 @@ introduced the [ExtendedPermissionService](../../rm-community/rm-community-repo/ ### Overview -The ExtendedPermissionService is wired in, via [Spring config](../../rm-community/rm-community-repo/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml), +The ExtendedPermissionService is wired in, via [Spring config](../../rm-community/rm-community-repo/config/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml#L105), to extend Alfresco's core PermissionService, and adds support for: * the [RMPermissionModel](../../rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/capability/RMPermissionModel.java), which defines the available permissions capabilities. * the [PermissionProcessorRegistry](../../rm-community/rm-community-repo/source/java/org/alfresco/repo/security/permissions/processor/PermissionProcessorRegistry.java), which introduces pre- and post- processors. From 51a47c56c4399404dd30353b2fd8ff7a350dcfa9 Mon Sep 17 00:00:00 2001 From: David Webster Date: Wed, 6 Dec 2017 09:50:50 +0000 Subject: [PATCH 4/4] Documentation updates following review --- .../documentation/extendedPermissionService.md | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/rm-community/documentation/extendedPermissionService.md b/rm-community/documentation/extendedPermissionService.md index 14da46f65e..abc7d4a7d5 100644 --- a/rm-community/documentation/extendedPermissionService.md +++ b/rm-community/documentation/extendedPermissionService.md @@ -11,7 +11,7 @@ introduced the [ExtendedPermissionService](../../rm-community/rm-community-repo/ ### Overview -The ExtendedPermissionService is wired in, via [Spring config](../../rm-community/rm-community-repo/config/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml#L105), +The ExtendedPermissionService is wired in, via [Spring config](../../rm-community/rm-community-repo/config/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml), to extend Alfresco's core PermissionService, and adds support for: * the [RMPermissionModel](../../rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/capability/RMPermissionModel.java), which defines the available permissions capabilities. * the [PermissionProcessorRegistry](../../rm-community/rm-community-repo/source/java/org/alfresco/repo/security/permissions/processor/PermissionProcessorRegistry.java), which introduces pre- and post- processors. @@ -33,7 +33,7 @@ Out of the box, a system with the RM module installed will have the following pe ##### Post-processors: * [RecordsManagementPermissionPostProcessor](../../rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/permission/RecordsManagementPermissionPostProcessor.java) - * If the node is an RM node (i.e. it has the [RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT](../../rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/model/RecordsManagementModel.java#L184) marker aspect) and the + * If the node is an RM node (i.e. it has the [RecordsManagementModel.ASPECT_FILE_PLAN_COMPONENT](../../rm-community/rm-community-repo/source/java/org/alfresco/module/org_alfresco_module_rm/model/RecordsManagementModel.java) marker aspect) and the core permissions evaluates to DENIED, then this post processor allows read/writes if the appropriate read/file permissions are present. @@ -43,7 +43,7 @@ Out of the box, a system with the RM module installed will have the following pe ##### Pre-processors: * [SecurityMarksPermissionPreProcessor](../../rm-enterprise/rm-enterprise-repo/src/main/java/org/alfresco/module/org_alfresco_module_rm/securitymarks/permission/SecurityMarksPermissionPreProcessor.java) * For all content: denies the result if the required security clearance rules (for classification or marks) are not satisfied. (uses -[securityClearanceService.isClearedFor](../../rm-enterprise/rm-enterprise-repo/src/main/java/org/alfresco/module/org_alfresco_module_rm/securitymarks/SecurityClearanceServiceImpl.java#L86)) +[securityClearanceService.isClearedFor](../../rm-enterprise/rm-enterprise-repo/src/main/java/org/alfresco/module/org_alfresco_module_rm/securitymarks/SecurityClearanceServiceImpl.java)) ##### Post-processors: * None. @@ -59,4 +59,10 @@ which call the add method on the appropriate list during init. There is certainly a performance overhead when adding additional processing to permission checks. This is most noticeable in the SecurityMarksPermissionPreProcessor where we need to call out to an external service. This has been profiled - heavily and optimised during 2.5 and 2.6 development. \ No newline at end of file + heavily and optimised during 2.5 and 2.6 development. + + ###TODO: + Not yet documented (in related areas of the code) are: + * Capabilities (see rm-capabilities-*.xml, declarativeCapability.java and DeclarativeCompositeCapability.java) + * RM's permission system has an any allow allows policy unlike alfresco which policy is any deny denies + \ No newline at end of file