Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
Read More & Register today!
SOLVED

A question about groovy console on AEM cloud

Avatar

Level 9
Level 9
1/3/23 5:21:50 AM

We have just discovered the groovy console, which is very powerful but also dangerous (from malicious or accidental use)

 

  1. How do you secure Groovy console on Author on AEM cloud?  The only auth levels provided by AEM cloud admin console are "user" and "administrator" for the author and for publish.  Typically we use dispatcher to block all but our admin VPN IP, but this wont work for author.
  2. What is the point of ever running groovy console on Publish?  If publish was hacked in this way, it would be different from author, and get overwritten.  Surely it should only exist on author, then any changes it makes synced to publish?

Thanks for any tips!

Views

3.6K

Replies

13
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Level 1
Level 1
1/3/23 11:49:40 PM

I will share some of my experiences with groovy console.

We are using groovy console mostly for tasks, which can be automated. For example you want to migrate one component into another, you want to perform some content clean ups, you want to regenerate renditions for specific assets, when they don't have a specific rendition generated, and so on and so on. In some cases (like component migration) you will want to do it also on Publish instance, as this will eliminate the need of page activations (which goes in thousands from time to time).

Regarding securit, only specified users/groups can run groovy scripts, which minimizes the risk of being hacked. I would suggest to keep that list as short as possible.

Also, there is a tool called AEM Easy Content Upgrade tool, which adds a feature of running scripts automatically when they are placed in proper structure in your package (and there are other features as well).

This way you don't need to give access to groovy console to anyone, as only admin and AECU service user will be able to run scripts by default through groovy console. Also, you don't need direct access to publishers, as AECU will run the scripts for you.

I've never used it on AEM as a Cloud, but I saw that this tool is compatibile with it, so I would suggest to give it a try.

 

View solution in original post

Views

3.6K

Replies

1
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
13 Replies

Avatar

Employee Advisor
Employee Advisor
1/3/23 5:24:57 AM

You cannot access a publish instance directly on AEM as a Cloud Service, so it does not make any sense to deploy it there.

 

On author you can directly access it, and you should restrict access to it by access control.

Views

3.6K

Replies

1
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 9
Level 9
1/6/23 11:11:54 AM
In response to Jörg_Hoh

Thanks Jorg. Access control is not something we have managed to figure out or get working with cloud AEM managed by admin console.  we just use the two profiles AEM provides out of the box (user and admin for each env).   We gave up because of the known issues with groups set in admin console not replicating properly, and our inability to set permissions or groups via build and deployment.

Luckily, groovyConsole does have a way to manage access by setting the group in the admin console, which works when AEM replicates the group set in the admin console (works 95% of the time).  However, this method of controlling access to groovy console isnt used by the easy updater unfortunately.

Views

3.6K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor
Community Advisor
1/3/23 7:56:38 AM

You can restricted groovy for certain users via https://github.com/icfnext/aem-groovy-console#osgi-configuration 

 

To enable access to the Groovy Console from /groovyconsole, update the Groovy Console Configuration Service via the OSGi console configuration page to enable the vanity path. 

 

Script Execution Allowed Groups List of group names that are authorized to use the console. By default, only the 'admin' user has permission to execute scripts. []


Arun Patidar

Views

3.6K

Replies

8
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 9
Level 9
1/6/23 11:07:20 AM
In response to arunpatidar

the osgi config defining which groups can run console scripts is great, but unfortunately it doesn't stop anyone running scripts via the "AEM Easy Content Upgrade tool".  The easy updater doesn't seem to have any security options.

Views

3.6K

Replies

1
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor
Community Advisor
1/6/23 11:59:54 AM
In response to TB3dock

The access to this tool can also be restricted using ACL 
The scripts and audit stored inside /var/groovyconsole , this can also be restricted using ACL.

 

 



Arun Patidar

Views

3.6K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 2
Level 2
6/6/24 7:22:24 AM
In response to arunpatidar

Hi @arunpatidar 

I need to update the user.mapping value for the below path. Kindly share the best approach to do the same.

/apps/groovyconsole/osgiconfig/config/org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended-groovy-console

current

aem-groovy-console-bundle=groovy-console-system-user

 

Expected

aem-groovy-console-bundle=[groovy-console-system-user]

Views

1.5K

Replies

5
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor
Community Advisor
6/6/24 8:11:20 AM
In response to Lakshmi99

Hi @Lakshmi99 
You can try to update the same config file or create a new one?

 

In Adobe Experience Manager (AEM), the preference order for OSGi configuration file types is as follows:

  1. sling Node (Repository-based Configuration)
  2. .config
  3. .cfg.json
  4. .cfg Files
  5. .xml Files


Arun Patidar

Views

1.5K

Replies

4
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 2
Level 2
6/6/24 10:33:38 PM
In response to arunpatidar

Hi @arunpatidar thank you for the reply.

Its not a custom config file. The below path is under groovyconsole and its a package created through pom.xml.
/apps/groovyconsole/osgiconfig/config/org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended-groovy-console

 

And there is a need to update the user.mapping value to this.

 

current

aem-groovy-console-bundle=groovy-console-system-user

 

Expected

aem-groovy-console-bundle=[groovy-console-system-user]

 
Kindly suggest how to handle it.

Thank you

Views

1.5K

Replies

3
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 2
Level 2
6/7/24 7:09:08 AM
In response to arunpatidar

will raise the issue @arunpatidar 

Meantime, I was trying to updating it through groovy script itself. But not its not returning the properties. But the issue here is its still showing as node instead of config file. Any help to resolve it please? Can't change it to config in higher environments as I don't have access.

Lakshmi99_0-1717769300431.png

 

 

import org.osgi.service.cm.ConfigurationAdmin

def admin = getService(ConfigurationAdmin)

def config = admin.getConfiguration("org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended-groovy-console")

def properties = config.properties

def String[] mappings =(String[])properties.get("user.mapping") as List

mappings.add("aem-groovy-console-bundle=[groovy-console-system-user]")

properties.put("user.mapping", mappings.toArray(new String[0]))

config.update(properties)

Views

1.5K

Replies

1
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor
Community Advisor
6/7/24 8:11:03 AM
In response to Lakshmi99

Hi @Lakshmi99 
You can update the node's property at /apps/groovyconsole/osgiconfig/config using jcr/sling api



Arun Patidar

Views

1.5K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Correct answer by
Level 1
Level 1
1/3/23 11:49:40 PM

I will share some of my experiences with groovy console.

We are using groovy console mostly for tasks, which can be automated. For example you want to migrate one component into another, you want to perform some content clean ups, you want to regenerate renditions for specific assets, when they don't have a specific rendition generated, and so on and so on. In some cases (like component migration) you will want to do it also on Publish instance, as this will eliminate the need of page activations (which goes in thousands from time to time).

Regarding securit, only specified users/groups can run groovy scripts, which minimizes the risk of being hacked. I would suggest to keep that list as short as possible.

Also, there is a tool called AEM Easy Content Upgrade tool, which adds a feature of running scripts automatically when they are placed in proper structure in your package (and there are other features as well).

This way you don't need to give access to groovy console to anyone, as only admin and AECU service user will be able to run scripts by default through groovy console. Also, you don't need direct access to publishers, as AECU will run the scripts for you.

I've never used it on AEM as a Cloud, but I saw that this tool is compatibile with it, so I would suggest to give it a try.

 

Views

3.6K

Replies

1
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply

Avatar

Level 2
Level 2
7/17/24 7:50:05 AM
In response to makro24

Hi ,

I am trying to setup groovy console on my local AEM 

Following steps :  https://lucanerlich.com/docs/aem/groovy-console/

My build is failing . Kindly help me.

Error: 

[INFO] Using 9 validators for package of type CONTAINER: jackrabbit-accesscontrol (org.apache.jackrabbit.vault.validation.spi.impl.AccessControlValidator), jackrabbit-filter (org.apache.jackrabbit.vault.validation.spi.impl.AdvancedFilterValidator), jackrabbit-properties (org.apache.jackrabbit.vault.validation.spi.impl.AdvancedPropertiesValidator), jackrabbit-docviewparser (org.apache.jackrabbit.vault.validation.spi.impl.DocumentViewParserValidator), jackrabbit-dependencies (org.apache.jackrabbit.vault.validation.spi.impl.DependencyValidator), jackrabbit-emptyelements (org.apache.jackrabbit.vault.validation.spi.impl.EmptyElementsValidator), jackrabbit-mergelimitations (org.apache.jackrabbit.vault.validation.spi.impl.MergeLimitationsValidator), jackrabbit-packagetype (org.apache.jackrabbit.vault.validation.spi.impl.PackageTypeValidator), jackrabbit-nodetypes (org.apache.jackrabbit.vault.validation.spi.impl.nodetype.NodeTypeValidator)
[ERROR] ValidationViolation: "jackrabbit-filter: Node '/apps/c4c-vendor-packages/container/install/aem-groovy-console-all-17.0.0.zip' is not contained in any of the filter rules", filePath=jcr_root\apps\c4c-vendor-packages\container\install\aem-groovy-console-all-17.0.0.zip

 

Kindly help me

Views

1.2K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Related Conversations
Replication Event Listener stopped working on AEMaaCS Publisher

Views

97

Likes

0

Replies

4
Create Content Fragment with more than one variations from Excel File

Views

56

Likes

0

Replies

0
RTE full options not appearing in minimized view AEM 6.5 cloud

Views

62

Likes

0

Replies

1
Redirects do not work with x-aem-client-country header

Views

84

Likes

0

Replies

1
Renaming a Assets Folder

Views

120

Likes

0

Replies

4