Task #2613
Convert existing deny/denyFirst rules to allowFirst rules
100%
Description
We decided to convert all deny/denyFirst access rules to use the allow/allowFirst approach assuming there is no loss of the semantics of the access control block.
This mostly means removing "deny public" rules which is the implicit behavior if there is no "allow public" rule.
Related issues
History
#1 Updated by Ben Leinfelder about 12 years ago
Here are my SQL notes for the "conversion"
Analyze the number of rules that need to be addressed:
select principal_name, perm_type, count(*) from xml_access where perm_order = 'denyFirst' and perm_type = 'deny' and principal_name != 'public' group by principal_name, perm_type;
select * from xml_access where guid in (select guid from xml_access where perm_order = 'denyFirst' and perm_type = 'deny' and principal_name != 'public');
Then do these steps to update all of them to use allowFirst only
1.) Delete the unnecessary public deny rules:
select count(guid) from xml_access where perm_order = 'denyFirst' and perm_type = 'deny' and principal_name = 'public';
delete from xml_access where perm_order = 'denyFirst' and perm_type = 'deny' and principal_name = 'public';
2.) Delete the non-public deny rules (after examining them!):
select * from xml_access where perm_order = 'denyFirst' and perm_type = 'deny' and principal_name != 'public';
delete from xml_access where perm_order = 'denyFirst' and perm_type = 'deny' and principal_name != 'public';
3.) Update all denyFirst rules
select perm_type, count(*) from xml_access where perm_order = 'denyFirst' group by perm_type;
update xml_access set perm_order = 'allowFirst' where perm_order = 'denyFirst';
#2 Updated by Ben Leinfelder over 11 years ago
- Status changed from New to Closed
- translation missing: en.field_remaining_hours set to 0.0
This has been completed on our big three (KNB, LTER, PISCO)
