Service user cannot access resources tagged with CUG policy

Question

Background: I have pages that are tagged with CUG policy to allow read access to the page to the user who belongs to a specific group. The access for the end-user works as expected. However, I would like the service user to have access to all the nodes in JCR tree regardless of if the resource has CUG policy set or not.

I have added the service user to exclude from CUG evalution using following config. However, the service user still does have access to the resources that are tagged with CUG policy (group).

Below is CUG exclude OSGI config that I updated to exclude the service user. (Adding service user principal to the list)

org.apache.jackrabbit.oak.spi.security.authorization.cug.impl.CugExcludeImpl

However, the service user still does not have access to the resources that are tagged with CUG policy. Would appreciate any input, suggestion, recommendation from the AEM experts in the community.

zaddm98685815 · Accepted Answer

Below approach resolved the issue for me.

If the service user has access to the content through rep:policy then rep:cugPolicy wont apply to the service user. Service user should still be able to access the nodes that has CUG policy applied to it.

If you are injecting OSGI component into a POJO using bundle context, in the example below, injecting ResourceResolverFactory you would need to add the service user to user mapper amendment

org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended

config to allow the service user to access content through a particular bundle

    BundleContext bundleContext = FrameworkUtil.getBundle(ResourceResolverFactory.class).getBundleContext();
            ServiceReference serviceReference = bundleContext
.getServiceReference(ResourceResolverFactory.class.getName());
            ResourceResolverFactory resourceResolverFactory = (ResourceResolverFactory) bundleContext
.getService(serviceReference);
            Map<String, Object> param = new HashMap<>();
            param.put(ResourceResolverFactory.SUBSERVICE, "service-user");

Add the following config to user mapper amendment

The above approach worked for me

arunpatidar · Answer

Hi @zaddm98685815
Ideally, this should work. A silly question to ask, have you deployed this OSGI configuration on the publish instance? Additionally, try adding the service user to the respective CUG group to see if it works.

Is the system user part of everyone group?

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded