@Copilot Copilot AI commented Sep 29, 2025

This PR implements support for ignoring missing principals during ACL installation, similar to SLING-12115. This allows creating ACLs without creating the corresponding groups/users, deferring that to external group sync processes.

Problem

By default, Oak in AEMaaCS is more lenient and allows unbound principals in ACLs using org.apache.jackrabbit.oak.security.authorization.AuthorizationConfigurationImpl.importBehavior = besteffort. However, the Access Control Tool would fail when trying to install ACEs for principals that don't exist in the repository, making it incompatible with workflows where:

  • ACL definitions are managed separately from group/user creation
  • External systems handle group synchronization
  • Principals are created after ACL installation

Solution

Added a new global configuration option ignoreMissingPrincipals that enables lenient principal handling during ACE installation:

global_config:
  ignoreMissingPrincipals: true

ace_config:
  - path: /content/test
    permission: allow
    privileges: jcr:read
    principal: external-group  # Will be ignored instead of failing

When enabled, the tool will:

  • Continue ACL installation even if referenced principals don't exist
  • Log warning messages about missing principals instead of failing
  • Allow external processes to create the principals later

Implementation Details

  • GlobalConfiguration: Added ignoreMissingPrincipals configuration field with proper parsing, validation, and merge support
  • BaseAceBeanInstaller: Modified installPrivileges() to catch and handle missing principal exceptions when the option is enabled
  • ACE Installers: Updated both Classic and Incremental installers to support lenient mode
  • Error Handling: Added intelligent exception detection to distinguish principal-not-found errors from other repository issues
  • Comprehensive Testing: Added tests for configuration parsing and behavior validation

Backward Compatibility

This change is fully backward compatible:

  • Default behavior remains unchanged (principals must exist)
  • New functionality is opt-in via configuration
  • All existing tests continue to pass
  • No breaking changes to existing APIs

Usage

Organizations can now separate ACL management from principal/group management by enabling this feature, making the tool compatible with external group sync workflows and Oak's lenient import behavior in AEMaaCS environments.

Original prompt

This section details the original issue you should resolve

<issue_title>Support ignoreMissingPrincipals with ACLs</issue_title>
<issue_description>Similar to what was implemented in https://issues.apache.org/jira/browse/SLING-12115 it should be supported to create ACLs without creating the according group/user but just defer that to external group sync.
By default now Oak in AEMaaCS is more lenient, i.e. it allows unbound principals in ACLs (using org.apache.jackrabbit.oak.security.authorization.AuthorizationConfigurationImpl.importBehavior = besteffort, https://github.com/apache/jackrabbit-oak/blob/52755d8ad5915c5cd3cb037b848036930e8297b7/oak-security-spi/src/main/java/org/apache/jackrabbit/oak/spi/xml/ImportBehavior.java#L44)</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes #852

@Copilot Copilot AI changed the title from "[WIP] Support ignoreMissingPrincipals with ACLs" to "Support ignoreMissingPrincipals with ACLs" Sep 29, 2025
@Copilot Copilot AI requested a review from kwin September 29, 2025 12:59
Copilot finished work on behalf of kwin September 29, 2025 12:59
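
A pre-flight check for configurations that enable ignoreMissingPrincipals, where a misspelled principal is logged as a warning instead of failing the install. This is an added example, not code from the PR or the AC Tool: the function names, the sample entries and the two principal sets are constructed assumptions, and the ACEs are taken as already parsed into dicts in the shape shown in the description.

```python
from difflib import get_close_matches

# Constructed sample: ACE entries in the shape shown in the PR description,
# assumed to be already parsed from YAML into dicts.
ACE_CONFIG = [
    {"path": "/content/test", "permission": "allow",
     "privileges": "jcr:read", "principal": "external-group"},
    {"path": "/content/site", "permission": "allow",
     "privileges": "jcr:read", "principal": "content-authers"},  # typo
    {"path": "/content/site", "permission": "deny",
     "privileges": "jcr:removeNode", "principal": "content-authors"},
    {"path": "/apps", "permission": "allow",
     "privileges": "jcr:all", "principal": "ops-admins"},
]
# Constructed samples: principals present in the repository today, and
# principals the external group sync is expected to create later.
IN_REPOSITORY = {"content-authors", "everyone"}
EXPECTED_FROM_SYNC = {"external-group"}


def audit_unbound_principals(aces, in_repository, expected_from_sync):
    """Report every ACE whose principal does not exist in the repository.

    'pending-sync' marks principals the sync is known to deliver;
    'unexpected' marks everything else, with the closest known name as
    'suggestion' when the entry looks like a misspelling.
    """
    known = sorted(in_repository | expected_from_sync)
    findings = []
    for ace in aces:
        principal = ace["principal"]
        if principal in in_repository:
            continue  # bound principal, strict mode would accept it too
        suggestion = None
        if principal in expected_from_sync:
            status = "pending-sync"
        else:
            status = "unexpected"
            close = get_close_matches(principal, known, n=1, cutoff=0.8)
            suggestion = close[0] if close else None
        findings.append({"principal": principal, "path": ace["path"],
                         "permission": ace["permission"],
                         "status": status, "suggestion": suggestion})
    return sorted(findings, key=lambda f: (f["principal"], f["path"]))


def must_block(findings):
    """True when any unbound principal is not accounted for by the sync."""
    return any(f["status"] == "unexpected" for f in findings)
```

Run in CI against the parsed configuration, `must_block` gives a hard failure for unaccounted principals while still letting the sync-provided ones through.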