Expand my Community achievements bar.

Enhance your AEM Assets & Boost Your Development: [AEM Gems | June 19, 2024] Improving the Developer Experience with New APIs and Events
SOLVED

Console Error - Principle-Based Access Control Setup

Avatar

Community Advisor

Hi All,

 

I have an issue with the below warning log -

25.11.2022 01:32:19.770 [cm-pxyzabc-eabcxyz-aem-publish-zzzz68f69-hp6ff] *WARN* [20.59.3.67 [1669339939629] GET /content/brandA/us/en/home.html HTTP/1.1] com.adobe.granite.repository.impl.SystemPrincipalsValidation Refactor principal 'custom-system-user' to have principal-based access control setup.

 

The system user is defined in the JSON file (.cfg.json) as below -

Rohan_Garg_0-1669622453776.png

 

The permissions for the system user (ACE and User) are picked from yml file defined as below -

Rohan_Garg_1-1669622618324.png

 

How should I refactor the service user and mapping to use principle name and principle-based authorization ?

 

@arunpatidar@markus_bulla_adobe@B_Sravan@kautuk_sahni 

 

Thanks,

Rohan Garg

Topics

Topics help categorize Community content and increase your ability to discover relevant content.

1 Accepted Solution

Avatar

Correct answer by
Community Advisor

As per sling documentation (https://sling.apache.org/documentation/the-sling-engine/service-authentication.html) -

Rohan_Garg_0-1669623345935.png

 

The below is the principle based mapping which is what we are already using -

<service-name>[:<subservice-name>]="["<principal name of a JCR system user>{","<principal name of a JCR system user>}"]"   

 

View solution in original post

5 Replies

Avatar

Correct answer by
Community Advisor

As per sling documentation (https://sling.apache.org/documentation/the-sling-engine/service-authentication.html) -

Rohan_Garg_0-1669623345935.png

 

The below is the principle based mapping which is what we are already using -

<service-name>[:<subservice-name>]="["<principal name of a JCR system user>{","<principal name of a JCR system user>}"]"   

 

Avatar

Community Advisor

Can you try to setup user with name as well?

Example

   - al-oneweb-service-write-user:
       - isMemberOf:
         isSystemUser: true
         name: al-oneweb-service-write-user 
         path: /home/users/system/aemlab/oneweb


Arun Patidar

Avatar

Community Advisor

@arunpatidar - Thanks for the quick reply, unfortunately still getting the same result!

Also one observation, the issue is seen only on our STAGE environment and not DEV environment.

The console warning related to this service user is not there on DEV.

Both the environments are using the same version of AEM - 2022.9.8722.20220912T101352Z

 
AEM RELEASE: 2022.9.8722.20220912T101352Z
 

Avatar

Community Advisor

did you deploy the changes in STAGE?

or the observation without the changes?

 

check this also https://github.com/Netcentric/accesscontroltool/issues/563 



Arun Patidar

Avatar

Community Advisor

@arunpatidar - Apologies for the delay in response.

The changes were first deployed on DEV and then STAGE.

Both are getting the warning as seen below -

Line 26316: 29.11.2022 02:16:23.711 [cm-pyyyzzz-ezzzyyy-aem-publish-867777bc68-tssdm] *WARN* [74.78.55.185 [1669688183373] GET /content/brandA/us/en/home.html HTTP/1.1] com.adobe.granite.repository.impl.SystemPrincipalsValidation Refactor principal 'custom-system-user' to have principal-based access control setup

 

I double checked logs from previous days, my earlier observation that warning occurred in DEV and not STAGE was wrong.

For today here's the stats - Post deployment at 7.30 am GMT, the warnings came up again at 11 am.

DM_Service_User_Warning.png