SLING-9449 Repoinit AclUtil#setPrincipalAcl replace exception with log
diff --git a/src/main/java/org/apache/sling/jcr/repoinit/impl/AclUtil.java b/src/main/java/org/apache/sling/jcr/repoinit/impl/AclUtil.java
index 6c568fa..a57a042 100644
--- a/src/main/java/org/apache/sling/jcr/repoinit/impl/AclUtil.java
+++ b/src/main/java/org/apache/sling/jcr/repoinit/impl/AclUtil.java
@@ -170,7 +170,7 @@
Principal principal = AccessControlUtils.getPrincipal(session, principalName);
if (principal == null) {
// due to transient nature of the repo-init the principal lookup may not succeed if completed through query
- // -> save transitent changes and retry principal lookup
+ // -> save transient changes and retry principal lookup
session.save();
principal = AccessControlUtils.getPrincipal(session, principalName);
checkState(principal != null, "Principal not found: " + principalName);
@@ -188,7 +188,10 @@
// no PrincipalAccessControlList available: don't fail if an equivalent path-based entry with the same definition exists
// or if there exists no node at the effective path (unable to evaluate path-based entries).
LOG.info("No PrincipalAccessControlList available for principal {}", principal);
- checkState(containsEquivalentEntry(session, effectivePath, principal, privileges, true, line.getRestrictions()), "No PrincipalAccessControlList available for principal '" + principal + "'.");
+ if (!containsEquivalentEntry(session, effectivePath, principal, privileges, true, line.getRestrictions())) {
+ LOG.warn("No equivalent path-based entry exists for principal {} and effective path {} ", principal.getName(), effectivePath);
+ return;
+ }
} else {
LocalRestrictions restrictions = createLocalRestrictions(line.getRestrictions(), acl, session);
boolean added = acl.addEntry(effectivePath, privileges, restrictions.getRestrictions(), restrictions.getMVRestrictions());
diff --git a/src/test/java/org/apache/sling/jcr/repoinit/PrincipalBasedAclTest.java b/src/test/java/org/apache/sling/jcr/repoinit/PrincipalBasedAclTest.java
index 19a1270..751a420 100644
--- a/src/test/java/org/apache/sling/jcr/repoinit/PrincipalBasedAclTest.java
+++ b/src/test/java/org/apache/sling/jcr/repoinit/PrincipalBasedAclTest.java
@@ -460,12 +460,11 @@
assertEquals(2, pacl.size());
}
- @Test(expected = RuntimeException.class)
+ @Test
public void principalAclNotAvailable() throws Exception {
try {
// create service user outside of supported tree for principal-based access control
U.parseAndExecute("create service user otherSystemPrincipal");
- // principal-based ac-setup must fail as service user is not located below supported path
String setup = "set principal ACL for otherSystemPrincipal \n"
+ "allow jcr:read on " + path + "\n"
+ "end";
@@ -475,7 +474,7 @@
}
}
- @Test(expected = RuntimeException.class)
+ @Test
public void principalAclNotAvailableRestrictionMismatch() throws Exception {
JackrabbitAccessControlManager acMgr = (JackrabbitAccessControlManager) adminSession.getAccessControlManager();
try {
@@ -490,8 +489,6 @@
Principal principal = adminSession.getUserManager().getAuthorizable("otherSystemPrincipal").getPrincipal();
assertTrue(acMgr.hasPrivileges(path, Collections.singleton(principal), AccessControlUtils.privilegesFromNames(adminSession, Privilege.JCR_READ)));
- // setting up principal-acl will not succeed (principal not located below supported path)
- // since effective entry doesn't match the restriction -> setup must fail
setup = "set principal ACL for otherSystemPrincipal \n"
+ "allow jcr:read on " + path + " restriction(rep:glob,*mismatch)\n"
+ "end";
