SOLVED

Cannot create group and modify its ACLs when auto save is disabled on UserManager

Hi,

When I run the following code, I get an exception that the principal does not exist:

    final UserManager userManager = resourceResolver.adaptTo(UserManager.class);
    userManager.autoSave(false); // need this line to make this operation atomic

    final Group group = userManager.createGroup(
        groupId,
        new UserPrincipal(groupId),
        groupPath
    );

    AccessControlUtil.replaceAccessControlEntry(
        session,
        "/some/path",
        group.getPrincipal(),
        new String[]{
                Replicator.REPLICATE_PRIVILEGE,
                Privilege.JCR_ALL
        },
        null, null, null
    );

UserPrincipal is a class we have defined:

    public class UserPrincipal implements Principal, Serializable {

        private final String name;

        public UserPrincipal(String name) throws IllegalArgumentException {
            this.name = name;
        }

        public String getName() {
            return name;
        }

        // ...
    }

If I save the session before invoking replaceAccessControlEntry it works with no problem.

The exception occurs in line 363 of AccessControlUtil:

    acl.addAccessControlEntry(principal, grantedPrivilegeList.toArray(new Privilege[grantedPrivilegeList.size()]));

From there, I cannot debug further as apparently CQ5, after we have installed a bunch of hot fixes, is using version 2.6.6-r1605781 of jackrabbit-core, but that version is not available in Adobe's Nexus repos so my breakpoints go to /dev/null ;) (I am not sure if my CQ5 instance is using Jackrabbit Core 2.6.6-r1605781, but some ad hoc searching under cq-quickstart returns
/crx-quickstart/launchpad/felix/bundle65/version0.2/bundle.jar-embedded/jackrabbit-core-2.6.6-r1605781.jar
so I assume that's the version. Is there a way to find the exact version of jackrabbit core used by my current CQ instance?)

The problem might be here though:

    protected void checkValidEntry(Principal principal, Privilege[] privileges, boolean isAllow, Map<String, Value> restrictions) throws AccessControlException {
        if(principal instanceof UnknownPrincipal) {
            log.debug("Consider fallback principal as valid: {}", principal.getName());
        } else if(!this.principalMgr.hasPrincipal(principal.getName())) {
            if(!this.allowUnknownPrincipals) {
                throw new AccessControlException("Principal " + principal.getName() + " does not exist.");
            }

            log.debug("Consider fallback principal as valid: {}", principal.getName());
        }

        if(this.path == null && restrictions != null && !restrictions.isEmpty()) {
            throw new AccessControlException("Repository level policy does not support restrictions.");
        }
    }

And the culprit code could be:

    } else if(!this.principalMgr.hasPrincipal(principal.getName())) {
        if(!this.allowUnknownPrincipals) {
            throw new AccessControlException("Principal " + principal.getName() + " does not exist.");
        }

Is there a way to set allowUnknownPrincipals to true? Or to make the above code work without saving the session
after createGroup?

Thanks

1 Accepted Solution

Correct answer by
Level 10
This looks like a potential bug. File a ticket here:

http://helpx.adobe.com/marketing-cloud/experience-manager.html
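
The workaround the question mentions (saving the session after createGroup and before the ACL call), written out as an added example that is not from the original post or from Adobe. It saves in two steps and removes the group again if the ACL step fails, so a failure leaves either nothing or a group that holds no privileges; it is not atomic. The class and method names are hypothetical, and it assumes the UserManager is bound to the same session, as in the question.

```java
import java.security.Principal;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.jcr.base.util.AccessControlUtil;

// Hypothetical helper (not from the post): group first, ACL second.
public final class GroupAclProvisioner {

    public static Group createGroupWithAcl(Session session, UserManager userManager,
            String groupId, Principal principal, String groupPath,
            String aclPath, String[] grantedPrivileges) throws RepositoryException {

        userManager.autoSave(false);

        // Step 1: persist the group so the principal manager can resolve it.
        final Group group;
        try {
            group = userManager.createGroup(groupId, principal, groupPath);
            session.save();
        } catch (RepositoryException e) {
            session.refresh(false); // drop the transient group node
            throw e;
        }

        // Step 2: grant privileges to the now-persisted principal.
        try {
            AccessControlUtil.replaceAccessControlEntry(
                session, aclPath, group.getPrincipal(),
                grantedPrivileges, null, null, null);
            session.save();
            return group;
        } catch (RepositoryException e) {
            session.refresh(false); // drop the half-written ACL changes
            try {
                group.remove();     // compensate: undo step 1
                session.save();
            } catch (RepositoryException cleanupFailure) {
                // The group stays behind, but without any ACL entry.
                e.addSuppressed(cleanupFailure);
            }
            throw e;
        }
    }
}
```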