Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
SOLVED
ACL Yaml Scripts Issue
Hi AEM Community,
I am generating User Groups and their permissions via AC Tool following the below documentation -
https://github.com/Netcentric/accesscontroltool/blob/develop/docs/Configuration.md
The YAML file changes are correctly visible on RDE via AC Tool.
However, the permissions defined for multiple groups are not reflecting correctly in AEM.
Please find the below data points -
1. YAML File
- group_config:
- group-A:
- name: "Group A"
description: Base Group for Group A
isMemberOf :
-everyone
-dam-users
path: global
- group-B:
- name: "Group B"
description: Base Group for Group B
isMemberOf: group-A
path: global
- ace_config:
- group-A:
- path: /content
permission: allow
privileges: jcr:read
- path: /content/dam
permission: allow
privileges: jcr:read
- group-B:
- path: /var/workflow/models
permission: deny
privileges: jcr:all
When this YAML file is deployed to RDE, The permissions for Group A are correctly visible while for Group B they are not reflecting.
The YAML file is valid as validated on an online validator.
What could be the reason for this behavior? Any pointers?
@markus_bulla_adobe, @arunpatidar, @kautuk_sahni
Thanks in advance,
Topics
Topics help categorize Community content and increase your ability to discover relevant content.
1 Accepted Solution
Correct answer by
Update(2) - The issue is because of yaml file even though the online yaml validators are showing the file correct. I trimmed the yaml file to basics and applied the configuration, it worked!
Query - Is there any reason as to why online yaml validator and AC Tool's YAML parser with ConfigurationAdmin Plugin will have different results for same file?
Installation triggered: Tue Jul 04 01:53:23 UTC 2023
01:23:23.502: *** Applying AC Tool Configuration...
01:23:23.502: Running with v3.0.9 on instance id f9d383ac-8509-48f1-9bc9-9ffab13435be
01:23:23.502: Using YAML parser with ConfigurationAdmin Plugin placeholder support
01:23:23.502: Using configuration file /apps/eq-dam/acls/group/1.yaml
01:23:23.503: /apps/eq-dam/acls/group/1.yaml has no instructions
01:23:23.503: Using configuration file /apps/eq-dam/acls/group/base-group.yaml
01:23:23.517: Loaded configuration in 14ms
01:23:23.824: Retrieved existing ACLs from repository in 307ms
01:23:23.824: *** Starting installation of 9 authorizables from configuration...
01:23:23.826: Prefetched authorizables in 2ms
01:23:23.918: Prefetched 358 memberships in 92ms
01:23:23.928: Created 0 authorizables (moved 0 authorizables)
01:23:23.928: Finished installation of authorizables without errors in 103ms
01:23:23.932: For paths not contained in the configuration: Cleaned 1 ACEs of path /var/workflow from all ACEs for configured authorizables
01:23:23.932: For paths not contained in the configuration: Cleaned 1 ACEs from 1 paths in repository (ACEs that belong to users in the AC Config, but resided at paths that are not contained in AC Config)
01:23:23.932: *** Starting installation of 39 ACE configurations for 12 paths in content nodes using strategy AceBeanInstallerIncremental...
01:23:24.054: ACL Update Statistics: Changed=10 Unchanged=1 Path not found=1 (action cache hit/miss=0/0)
01:23:24.054: *** Finished installation of 12 ACLs in 121ms
01:23:24.338: Persisted changes of ACLs
01:23:24.338: Successfully applied AC Tool configuration in 836ms
Execution time: 836 ms
Success: true
Hello @Rohan_Garg
Any error messages reported in logs or Netcentric Tool itself? It would be available under security Tab. For logs, We just need to click on verbose link corresponding to the last run in the tool
Also, you need not provide "-" before everyone and dam-users while defining membership
Aanchal Sikka
@aanchal-sikka - Thanks for the reply! There is no error message in the AC Tool's log.
Also, the "-" is just one of the random changes I was trying to make this work.
Update - The configurations are not being applied correctly. Please find the below logs -
Installation triggered: Tue Jul 04 00:52:42 UTC 2023
00:52:42.088: *** Applying AC Tool Configuration...
00:52:42.088: Running with v3.0.9 on instance id f9d383ac-8509-48f1-9bc9-9ffab13435be
00:52:42.088: Using YAML parser with ConfigurationAdmin Plugin placeholder support
00:52:42.088: Loaded configuration in 0ms
00:52:42.459: Retrieved existing ACLs from repository in 370ms
00:52:42.460: *** Starting installation of 0 authorizables from configuration...
00:52:42.461: Prefetched authorizables in 1ms
00:52:42.581: Prefetched 358 memberships in 120ms
00:52:42.581: Created 0 authorizables (moved 0 authorizables)
00:52:42.581: Finished installation of authorizables without errors in 121ms
00:52:42.581: No relevant ACEs to install
00:52:42.581: No changes were made to ACLs (session has no pending changes)
00:52:42.581: Successfully applied AC Tool configuration in 493ms
Execution time: 493 ms
Success: true
There are no changes being made to the ACLs. When I download the dump then I can see that these changes are not being reflected.
Any pointers on why this would happen if the YAML is valid & is correctly being updated on RDE with no errors yet there are no authorizables or changes being deployed on the instance.
Correct answer by
Update(2) - The issue is because of yaml file even though the online yaml validators are showing the file correct. I trimmed the yaml file to basics and applied the configuration, it worked!
Query - Is there any reason as to why online yaml validator and AC Tool's YAML parser with ConfigurationAdmin Plugin will have different results for same file?
Installation triggered: Tue Jul 04 01:53:23 UTC 2023
01:23:23.502: *** Applying AC Tool Configuration...
01:23:23.502: Running with v3.0.9 on instance id f9d383ac-8509-48f1-9bc9-9ffab13435be
01:23:23.502: Using YAML parser with ConfigurationAdmin Plugin placeholder support
01:23:23.502: Using configuration file /apps/eq-dam/acls/group/1.yaml
01:23:23.503: /apps/eq-dam/acls/group/1.yaml has no instructions
01:23:23.503: Using configuration file /apps/eq-dam/acls/group/base-group.yaml
01:23:23.517: Loaded configuration in 14ms
01:23:23.824: Retrieved existing ACLs from repository in 307ms
01:23:23.824: *** Starting installation of 9 authorizables from configuration...
01:23:23.826: Prefetched authorizables in 2ms
01:23:23.918: Prefetched 358 memberships in 92ms
01:23:23.928: Created 0 authorizables (moved 0 authorizables)
01:23:23.928: Finished installation of authorizables without errors in 103ms
01:23:23.932: For paths not contained in the configuration: Cleaned 1 ACEs of path /var/workflow from all ACEs for configured authorizables
01:23:23.932: For paths not contained in the configuration: Cleaned 1 ACEs from 1 paths in repository (ACEs that belong to users in the AC Config, but resided at paths that are not contained in AC Config)
01:23:23.932: *** Starting installation of 39 ACE configurations for 12 paths in content nodes using strategy AceBeanInstallerIncremental...
01:23:24.054: ACL Update Statistics: Changed=10 Unchanged=1 Path not found=1 (action cache hit/miss=0/0)
01:23:24.054: *** Finished installation of 12 ACLs in 121ms
01:23:24.338: Persisted changes of ACLs
01:23:24.338: Successfully applied AC Tool configuration in 836ms
Execution time: 836 ms
Success: true
