Fix b/16198970: Config option to skip reading share ACL
The adaptor attempts to preserve access control integrity when sending
Access Control Lists (ACLs) to the GSA. In general, only users that have access
to a file share have access to the files maintained on that share, so the
adaptor includes the share's ACL in those sent to the GSA. However, in some
configurations, the adaptor may not have sufficient permissions to read the
share ACL. In those instances, the broken share ACL will prevent all files
maintained on that file share from appearing in search results. The GSA's
Index Diagnostics for those will also indicate a broken inheritance chain.
If the share ACL cannot be read by the adaptor, the administrator may
skip the attempt to read the share ACL by setting the
'filesystemadaptor.skipShareAccessControl' configuration option to 'true'.
This feeds a highly permissive share ACL to the GSA, rather than the actual
share ACL, leaving only the file system ACLs to control access.
WARNING: Bypassing the file share access control may be inconsistent with
enterprise security policies. This may allow users that do not have access
to the file share to see documents hosted by that file share in search results.
3 files changed