Ensure Service User with Write Permissions Issue

  • March 21, 2022

Hey guys,

I'm trying to ensure a service user on AEM as a Cloud Service with the following permissions on the "aces" property in a config JSON file:

"type=allow;privileges=jcr:all;path=/content", "type=allow;privileges=jcr:all;path=/conf", "type=allow;privileges=jcr:all;path=/libs/msm/wcm/rolloutconfigs"

This works fine on my local, with the correct permissions being set in useradmin. Unfortunately, when I try and deploy this code, I receive the following error:

com.adobe.acs.commons.users.impl.EnsureAuthorizableException: Failed to ensure [ ADD ] of Service User [ writeStoreDataServiceUser ]
    at com.adobe.acs.commons.users.impl.EnsureServiceUser.ensure(EnsureServiceUser.java:137) [com.adobe.acs.acs-aem-commons-bundle:5.1.2]
    at com.adobe.acs.commons.users.impl.EnsureServiceUser.activate(EnsureServiceUser.java:268) [com.adobe.acs.acs-aem-commons-bundle:5.1.2]
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.base/java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.felix.scr.impl.inject.methods.BaseMethod.invokeMethod(BaseMethod.java:244) [org.apache.felix.scr:2.1.30]
    at org.apache.felix.scr.impl.inject.methods.BaseMethod.access$500(BaseMethod.java:41) [org.apache.felix.scr:2.1.30]
    at org.apache.felix.scr.impl.inject.methods.BaseMethod$Resolved.invoke(BaseMethod.java:685) [org.apache.felix.scr:2.1.30]
    at org.apache.felix.scr.impl.inject.methods.BaseMethod.invoke(BaseMethod.java:529) [org.apache.felix.scr:2.1.30]
    at org.apache.felix.scr.impl.inject.methods.ActivateMethod.invoke(ActivateMethod.java:318) [org.apache.felix.scr:2.1.30]
    at org.apache.felix.scr.impl.inject.methods.ActivateMethod.invoke(ActivateMethod.java:308) [org.apache.felix.scr:2.1.30]
    at org.apache.felix.scr.impl.manager.SingleComponentManager.createImplementationObject(SingleComponentManager.java:354) [org.apache.felix.scr:2.1.30]
    at org.apache.felix.scr.impl.manager.SingleComponentManager.createComponent(SingleComponentManager.java:115) [org.apache.felix.scr:2.1.30]
    at org.apache.felix.scr.impl.manager.SingleComponentManager.getService(SingleComponentManager.java:1000) [org.apache.felix.scr:2.1.30]
    at org.apache.felix.scr.impl.manager.SingleComponentManager.getServiceInternal(SingleComponentManager.java:973) [org.apache.felix.scr:2.1.30]
    at org.apache.felix.scr.impl.manager.SingleComponentManager.getService(SingleComponentManager.java:918) [org.apache.felix.scr:2.1.30]
    at org.apache.felix.framework.ServiceRegistrationImpl.getFactoryUnchecked(ServiceRegistrationImpl.java:349)
    at org.apache.felix.framework.ServiceRegistrationImpl.getService(ServiceRegistrationImpl.java:249)
    at org.apache.felix.framework.ServiceRegistry.getService(ServiceRegistry.java:362)
    at org.apache.felix.framework.Felix.getService(Felix.java:3984)
    at org.apache.felix.framework.BundleContextImpl.getService(BundleContextImpl.java:450)
    at org.apache.felix.scr.impl.manager.SingleRefPair.getServiceObject(SingleRefPair.java:88) [org.apache.felix.scr:2.1.30]
    at org.apache.felix.scr.impl.inject.methods.BindMethod.getServiceObject(BindMethod.java:675) [org.apache.felix.scr:2.1.30]
    at org.apache.felix.scr.impl.manager.DependencyManager.getServiceObject(DependencyManager.java:2556) [org.apache.felix.scr:2.1.30]
    at org.apache.felix.scr.impl.manager.DependencyManager.doInvokeBindMethod(DependencyManager.java:2075) [org.apache.felix.scr:2.1.30]
    at org.apache.felix.scr.impl.manager.DependencyManager.invokeBindMethod(DependencyManager.java:2058) [org.apache.felix.scr:2.1.30]
    at org.apache.felix.scr.impl.manager.SingleComponentManager.invokeBindMethod(SingleComponentManager.java:443) [org.apache.felix.scr:2.1.30]
    at org.apache.felix.scr.impl.manager.DependencyManager$MultipleDynamicCustomizer.addedService(DependencyManager.java:333) [org.apache.felix.scr:2.1.30]
    at org.apache.felix.scr.impl.manager.DependencyManager$MultipleDynamicCustomizer.addedService(DependencyManager.java:301) [org.apache.felix.scr:2.1.30]
    at org.apache.felix.scr.impl.manager.ServiceTracker$Tracked.customizerAdded(ServiceTracker.java:1200) [org.apache.felix.scr:2.1.30]
    at org.apache.felix.scr.impl.manager.ServiceTracker$Tracked.customizerAdded(ServiceTracker.java:1121) [org.apache.felix.scr:2.1.30]
    at org.apache.felix.scr.impl.manager.ServiceTracker$AbstractTracked.trackAdding(ServiceTracker.java:928) [org.apache.felix.scr:2.1.30]
    at org.apache.felix.scr.impl.manager.ServiceTracker$AbstractTracked.track(ServiceTracker.java:864) [org.apache.felix.scr:2.1.30]
    at org.apache.felix.scr.impl.manager.ServiceTracker$Tracked.serviceChanged(ServiceTracker.java:1152) [org.apache.felix.scr:2.1.30]
    at org.apache.felix.scr.impl.BundleComponentActivator$ListenerInfo.serviceChanged(BundleComponentActivator.java:114) [org.apache.felix.scr:2.1.30]
    at org.apache.felix.framework.EventDispatcher.invokeServiceListenerCallback(EventDispatcher.java:990)
    at org.apache.felix.framework.EventDispatcher.fireEventImmediately(EventDispatcher.java:838)
    at org.apache.felix.framework.EventDispatcher.fireServiceEvent(EventDispatcher.java:545)
    at org.apache.felix.framework.Felix.fireServiceEvent(Felix.java:4863)
    at org.apache.felix.framework.Felix.registerService(Felix.java:3834)
    at org.apache.felix.framework.BundleContextImpl.registerService(BundleContextImpl.java:328)
    at org.apache.felix.scr.impl.manager.AbstractComponentManager$3.register(AbstractComponentManager.java:929) [org.apache.felix.scr:2.1.30]
    at org.apache.felix.scr.impl.manager.AbstractComponentManager$3.register(AbstractComponentManager.java:915) [org.apache.felix.scr:2.1.30]
    at org.apache.felix.scr.impl.manager.RegistrationManager.changeRegistration(RegistrationManager.java:133) [org.apache.felix.scr:2.1.30]
    at org.apache.felix.scr.impl.manager.AbstractComponentManager.registerService(AbstractComponentManager.java:984) [org.apache.felix.scr:2.1.30]
    at org.apache.felix.scr.impl.manager.AbstractComponentManager.activateInternal(AbstractComponentManager.java:752) [org.apache.felix.scr:2.1.30]
    at org.apache.felix.scr.impl.manager.AbstractComponentManager.enableInternal(AbstractComponentManager.java:674) [org.apache.felix.scr:2.1.30]
    at org.apache.felix.scr.impl.manager.AbstractComponentManager.enable(AbstractComponentManager.java:437) [org.apache.felix.scr:2.1.30]
    at org.apache.felix.scr.impl.manager.ConfigurableComponentHolder.enableComponents(ConfigurableComponentHolder.java:667) [org.apache.felix.scr:2.1.30]
    at org.apache.felix.scr.impl.BundleComponentActivator.initialEnable(BundleComponentActivator.java:305) [org.apache.felix.scr:2.1.30]
    at org.apache.felix.scr.impl.Activator.loadComponents(Activator.java:554) [org.apache.felix.scr:2.1.30]
    at org.apache.felix.scr.impl.Activator.access$200(Activator.java:70) [org.apache.felix.scr:2.1.30]
    at org.apache.felix.scr.impl.Activator$ScrExtension.start(Activator.java:421) [org.apache.felix.scr:2.1.30]
    at org.apache.felix.scr.impl.AbstractExtender.createExtension(AbstractExtender.java:196) [org.apache.felix.scr:2.1.30]
    at org.apache.felix.scr.impl.AbstractExtender.modifiedBundle(AbstractExtender.java:169) [org.apache.felix.scr:2.1.30]
    at org.apache.felix.scr.impl.AbstractExtender.modifiedBundle(AbstractExtender.java:49) [org.apache.felix.scr:2.1.30]
    at org.osgi.util.tracker.BundleTracker$Tracked.customizerModified(BundleTracker.java:488)
    at org.osgi.util.tracker.BundleTracker$Tracked.customizerModified(BundleTracker.java:420)
    at org.osgi.util.tracker.AbstractTracked.track(AbstractTracked.java:232)
    at org.osgi.util.tracker.BundleTracker$Tracked.bundleChanged(BundleTracker.java:450)
    at org.apache.felix.framework.EventDispatcher.invokeBundleListenerCallback(EventDispatcher.java:915)
    at org.apache.felix.framework.EventDispatcher.fireEventImmediately(EventDispatcher.java:834)
    at org.apache.felix.framework.EventDispatcher.fireBundleEvent(EventDispatcher.java:516)
    at org.apache.felix.framework.Felix.fireBundleEvent(Felix.java:4847)
    at org.apache.felix.framework.Felix.startBundle(Felix.java:2363)
    at org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1566)
    at org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308)
    at java.base/java.lang.Thread.run(Unknown Source)
Caused by: javax.jcr.nodetype.ConstraintViolationException: org.apache.jackrabbit.oak.spi.state.ReadyOnlyBuilderException: This builder is read-only.
    at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.performVoid(SessionDelegate.java:286) [org.apache.jackrabbit.oak-jcr:1.42.0.T20220304165513-8fe0b13]
    at org.apache.jackrabbit.oak.jcr.delegate.AccessControlManagerDelegator.setPolicy(AccessControlManagerDelegator.java:122) [org.apache.jackrabbit.oak-jcr:1.42.0.T20220304165513-8fe0b13]
    at org.apache.jackrabbit.oak.jcr.delegate.JackrabbitAccessControlManagerDelegator.setPolicy(JackrabbitAccessControlManagerDelegator.java:181) [org.apache.jackrabbit.oak-jcr:1.42.0.T20220304165513-8fe0b13]
    at com.adobe.acs.commons.users.impl.EnsureAce.ensureAces(EnsureAce.java:180) [com.adobe.acs.acs-aem-commons-bundle:5.1.2]
    at com.adobe.acs.commons.users.impl.EnsureServiceUser.ensureExistance(EnsureServiceUser.java:159) [com.adobe.acs.acs-aem-commons-bundle:5.1.2]
    at com.adobe.acs.commons.users.impl.EnsureServiceUser.ensure(EnsureServiceUser.java:117) [com.adobe.acs.acs-aem-commons-bundle:5.1.2]
    ... 68 common frames omitted
Caused by: org.apache.jackrabbit.oak.spi.state.ReadyOnlyBuilderException: This builder is read-only.
    at org.apache.jackrabbit.oak.spi.state.ReadOnlyBuilder.unsupported(ReadOnlyBuilder.java:44) [org.apache.jackrabbit.oak-store-spi:1.42.0.T20220304165513-8fe0b13]
    at org.apache.jackrabbit.oak.spi.state.ReadOnlyBuilder.setChildNode(ReadOnlyBuilder.java:200) [org.apache.jackrabbit.oak-store-spi:1.42.0.T20220304165513-8fe0b13]
    at org.apache.jackrabbit.oak.core.SecureNodeBuilder.setChildNode(SecureNodeBuilder.java:314) [org.apache.jackrabbit.oak-core:1.42.0.T20220304165513-8fe0b13]
    at org.apache.jackrabbit.oak.plugins.tree.impl.AbstractMutableTree.addChild(AbstractMutableTree.java:75) [org.apache.jackrabbit.oak-core:1.42.0.T20220304165513-8fe0b13]
    at org.apache.jackrabbit.oak.core.MutableTree.addChild(MutableTree.java:199) [org.apache.jackrabbit.oak-core:1.42.0.T20220304165513-8fe0b13]
    at org.apache.jackrabbit.oak.plugins.tree.TreeUtil.addChild(TreeUtil.java:289) [org.apache.jackrabbit.oak-security-spi:1.42.0.T20220304165513-8fe0b13]
    at org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlManagerImpl.createAclTree(AccessControlManagerImpl.java:443) [org.apache.jackrabbit.oak-core:1.42.0.T20220304165513-8fe0b13]
    at org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlManagerImpl.setNodeBasedAcl(AccessControlManagerImpl.java:293) [org.apache.jackrabbit.oak-core:1.42.0.T20220304165513-8fe0b13]
    at org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlManagerImpl.setPolicy(AccessControlManagerImpl.java:213) [org.apache.jackrabbit.oak-core:1.42.0.T20220304165513-8fe0b13]
    at org.apache.jackrabbit.oak.security.authorization.composite.CompositeAccessControlManager.setPolicy(CompositeAccessControlManager.java:116) [org.apache.jackrabbit.oak-core:1.42.0.T20220304165513-8fe0b13]
    at org.apache.jackrabbit.oak.jcr.delegate.AccessControlManagerDelegator$8.performVoid(AccessControlManagerDelegator.java:125) [org.apache.jackrabbit.oak-jcr:1.42.0.T20220304165513-8fe0b13]
    at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.performVoid(SessionDelegate.java:280) [org.apache.jackrabbit.oak-jcr:1.42.0.T20220304165513-8fe0b13]
    ... 73 common frames omitted

with writeStoreDataServiceUser being the name of my service user.

Oddly enough, when I change the permissions to be read only (see below) it ensures fine.

"type=allow;privileges=jcr:read;path=/content"

I'm wondering if there might be a setting in the Cloud Manager somewhere that prevents the ensuring of service users with write permissions? Or is there something wrong with the structure of my "aces" property? I investigated the "builder is read-only" error since that seems to be the root of the problem, but was unable to dig anything up in the documentation.

lukasz-m (Community Advisor), accepted solution
March 22, 2022

Hi @user00928, according to ACS Commons documentation, you should not use the Ensure Authorizable tool on AEM 6.3 and above (this includes AEM as a Cloud Service). So this could be the reason for your issue.

Instead of that, use Sling Repo scripts. Here is good Adobe documentation with code examples of how to deal with Service Users on AEM as a Cloud Service - https://experienceleague.adobe.com/docs/experience-manager-learn/cloud-service/developing/advanced/service-users.html?lang=en
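
As an added example (not from the thread, ACS Commons or Adobe), this Python helper converts the "aces" strings quoted in the question into the Sling repoinit statements the answer recommends, and lists entries worth a review before deployment. The helper names are hypothetical; it handles only the three keys used in the post, and it flags paths under /apps and /libs because those trees are immutable at runtime on AEM as a Cloud Service, which is background the thread does not state.

```python
IMMUTABLE_ROOTS = ("/apps", "/libs")  # read-only at runtime on AEM as a Cloud Service
ALLOWED_KEYS = {"type", "privileges", "path"}  # only the keys used in the post


def parse_ace(entry):
    """Parse one 'type=allow;privileges=a,b;path=/x' string into a dict."""
    fields = {}
    for part in entry.strip().split(";"):
        key, sep, value = part.partition("=")
        if not sep or not key.strip() or not value.strip():
            raise ValueError(f"malformed ACE segment: {part!r}")
        fields[key.strip()] = value.strip()
    if set(fields) != ALLOWED_KEYS:
        raise ValueError(f"expected keys {sorted(ALLOWED_KEYS)}, got {sorted(fields)}")
    if fields["type"] not in ("allow", "deny"):
        raise ValueError(f"unknown ACE type: {fields['type']!r}")
    if not fields["path"].startswith("/"):
        raise ValueError(f"path must be absolute: {fields['path']!r}")
    fields["privileges"] = [p.strip() for p in fields["privileges"].split(",") if p.strip()]
    if not fields["privileges"]:
        raise ValueError("no privileges listed")
    return fields


def to_repoinit(user, aces):
    """Return (repoinit script, review findings) for a service user's ACEs."""
    lines = [f"create service user {user}", f"set ACL for {user}"]
    findings = []
    for ace in map(parse_ace, aces):
        path, privs = ace["path"], ace["privileges"]
        if any(path == r or path.startswith(r + "/") for r in IMMUTABLE_ROOTS):
            findings.append(f"{path}: under an immutable root, not writable at runtime")
        if ace["type"] == "allow" and "jcr:all" in privs:
            findings.append(f"{path}: jcr:all is broad, list only the privileges needed")
        lines.append(f"    {ace['type']} {','.join(privs)} on {path}")
    lines.append("end")
    return "\n".join(lines), findings


# The three entries quoted in the question.
ACES = [
    "type=allow;privileges=jcr:all;path=/content",
    "type=allow;privileges=jcr:all;path=/conf",
    "type=allow;privileges=jcr:all;path=/libs/msm/wcm/rolloutconfigs",
]

if __name__ == "__main__":
    script, findings = to_repoinit("writeStoreDataServiceUser", ACES)
    print(script)
    for finding in findings:
        print("REVIEW:", finding)
```

The generated statements go in the `scripts` property of an `org.apache.sling.jcr.repoinit.RepositoryInitializer` OSGi factory configuration.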