SOLVED

Ensure Service User with Write Permissions Issue

Hey guys,

 

I'm trying to ensure a service user on AEM as a Cloud Service with the following permissions on the "aces" property in a config JSON file:

"type=allow;privileges=jcr:all;path=/content",
"type=allow;privileges=jcr:all;path=/conf",
"type=allow;privileges=jcr:all;path=/libs/msm/wcm/rolloutconfigs"

This works fine on my local, with the correct permissions being set in useradmin. Unfortunately, when I try to deploy this code, I receive the following error:

com.adobe.acs.commons.users.impl.EnsureAuthorizableException: Failed to ensure [ ADD ] of Service User [ writeStoreDataServiceUser ]
	at com.adobe.acs.commons.users.impl.EnsureServiceUser.ensure(EnsureServiceUser.java:137) [com.adobe.acs.acs-aem-commons-bundle:5.1.2]
	at com.adobe.acs.commons.users.impl.EnsureServiceUser.activate(EnsureServiceUser.java:268) [com.adobe.acs.acs-aem-commons-bundle:5.1.2]
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.base/java.lang.reflect.Method.invoke(Unknown Source)
	at org.apache.felix.scr.impl.inject.methods.BaseMethod.invokeMethod(BaseMethod.java:244) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.inject.methods.BaseMethod.access$500(BaseMethod.java:41) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.inject.methods.BaseMethod$Resolved.invoke(BaseMethod.java:685) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.inject.methods.BaseMethod.invoke(BaseMethod.java:529) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.inject.methods.ActivateMethod.invoke(ActivateMethod.java:318) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.inject.methods.ActivateMethod.invoke(ActivateMethod.java:308) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.SingleComponentManager.createImplementationObject(SingleComponentManager.java:354) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.SingleComponentManager.createComponent(SingleComponentManager.java:115) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.SingleComponentManager.getService(SingleComponentManager.java:1000) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.SingleComponentManager.getServiceInternal(SingleComponentManager.java:973) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.SingleComponentManager.getService(SingleComponentManager.java:918) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.framework.ServiceRegistrationImpl.getFactoryUnchecked(ServiceRegistrationImpl.java:349)
	at org.apache.felix.framework.ServiceRegistrationImpl.getService(ServiceRegistrationImpl.java:249)
	at org.apache.felix.framework.ServiceRegistry.getService(ServiceRegistry.java:362)
	at org.apache.felix.framework.Felix.getService(Felix.java:3984)
	at org.apache.felix.framework.BundleContextImpl.getService(BundleContextImpl.java:450)
	at org.apache.felix.scr.impl.manager.SingleRefPair.getServiceObject(SingleRefPair.java:88) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.inject.methods.BindMethod.getServiceObject(BindMethod.java:675) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.DependencyManager.getServiceObject(DependencyManager.java:2556) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.DependencyManager.doInvokeBindMethod(DependencyManager.java:2075) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.DependencyManager.invokeBindMethod(DependencyManager.java:2058) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.SingleComponentManager.invokeBindMethod(SingleComponentManager.java:443) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.DependencyManager$MultipleDynamicCustomizer.addedService(DependencyManager.java:333) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.DependencyManager$MultipleDynamicCustomizer.addedService(DependencyManager.java:301) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.ServiceTracker$Tracked.customizerAdded(ServiceTracker.java:1200) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.ServiceTracker$Tracked.customizerAdded(ServiceTracker.java:1121) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.ServiceTracker$AbstractTracked.trackAdding(ServiceTracker.java:928) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.ServiceTracker$AbstractTracked.track(ServiceTracker.java:864) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.ServiceTracker$Tracked.serviceChanged(ServiceTracker.java:1152) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.BundleComponentActivator$ListenerInfo.serviceChanged(BundleComponentActivator.java:114) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.framework.EventDispatcher.invokeServiceListenerCallback(EventDispatcher.java:990)
	at org.apache.felix.framework.EventDispatcher.fireEventImmediately(EventDispatcher.java:838)
	at org.apache.felix.framework.EventDispatcher.fireServiceEvent(EventDispatcher.java:545)
	at org.apache.felix.framework.Felix.fireServiceEvent(Felix.java:4863)
	at org.apache.felix.framework.Felix.registerService(Felix.java:3834)
	at org.apache.felix.framework.BundleContextImpl.registerService(BundleContextImpl.java:328)
	at org.apache.felix.scr.impl.manager.AbstractComponentManager$3.register(AbstractComponentManager.java:929) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.AbstractComponentManager$3.register(AbstractComponentManager.java:915) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.RegistrationManager.changeRegistration(RegistrationManager.java:133) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.AbstractComponentManager.registerService(AbstractComponentManager.java:984) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.AbstractComponentManager.activateInternal(AbstractComponentManager.java:752) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.AbstractComponentManager.enableInternal(AbstractComponentManager.java:674) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.AbstractComponentManager.enable(AbstractComponentManager.java:437) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.manager.ConfigurableComponentHolder.enableComponents(ConfigurableComponentHolder.java:667) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.BundleComponentActivator.initialEnable(BundleComponentActivator.java:305) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.Activator.loadComponents(Activator.java:554) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.Activator.access$200(Activator.java:70) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.Activator$ScrExtension.start(Activator.java:421) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.AbstractExtender.createExtension(AbstractExtender.java:196) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.AbstractExtender.modifiedBundle(AbstractExtender.java:169) [org.apache.felix.scr:2.1.30]
	at org.apache.felix.scr.impl.AbstractExtender.modifiedBundle(AbstractExtender.java:49) [org.apache.felix.scr:2.1.30]
	at org.osgi.util.tracker.BundleTracker$Tracked.customizerModified(BundleTracker.java:488)
	at org.osgi.util.tracker.BundleTracker$Tracked.customizerModified(BundleTracker.java:420)
	at org.osgi.util.tracker.AbstractTracked.track(AbstractTracked.java:232)
	at org.osgi.util.tracker.BundleTracker$Tracked.bundleChanged(BundleTracker.java:450)
	at org.apache.felix.framework.EventDispatcher.invokeBundleListenerCallback(EventDispatcher.java:915)
	at org.apache.felix.framework.EventDispatcher.fireEventImmediately(EventDispatcher.java:834)
	at org.apache.felix.framework.EventDispatcher.fireBundleEvent(EventDispatcher.java:516)
	at org.apache.felix.framework.Felix.fireBundleEvent(Felix.java:4847)
	at org.apache.felix.framework.Felix.startBundle(Felix.java:2363)
	at org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1566)
	at org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:308)
	at java.base/java.lang.Thread.run(Unknown Source)
Caused by: javax.jcr.nodetype.ConstraintViolationException: org.apache.jackrabbit.oak.spi.state.ReadyOnlyBuilderException: This builder is read-only.
	at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.performVoid(SessionDelegate.java:286) [org.apache.jackrabbit.oak-jcr:1.42.0.T20220304165513-8fe0b13]
	at org.apache.jackrabbit.oak.jcr.delegate.AccessControlManagerDelegator.setPolicy(AccessControlManagerDelegator.java:122) [org.apache.jackrabbit.oak-jcr:1.42.0.T20220304165513-8fe0b13]
	at org.apache.jackrabbit.oak.jcr.delegate.JackrabbitAccessControlManagerDelegator.setPolicy(JackrabbitAccessControlManagerDelegator.java:181) [org.apache.jackrabbit.oak-jcr:1.42.0.T20220304165513-8fe0b13]
	at com.adobe.acs.commons.users.impl.EnsureAce.ensureAces(EnsureAce.java:180) [com.adobe.acs.acs-aem-commons-bundle:5.1.2]
	at com.adobe.acs.commons.users.impl.EnsureServiceUser.ensureExistance(EnsureServiceUser.java:159) [com.adobe.acs.acs-aem-commons-bundle:5.1.2]
	at com.adobe.acs.commons.users.impl.EnsureServiceUser.ensure(EnsureServiceUser.java:117) [com.adobe.acs.acs-aem-commons-bundle:5.1.2]
	... 68 common frames omitted
Caused by: org.apache.jackrabbit.oak.spi.state.ReadyOnlyBuilderException: This builder is read-only.
	at org.apache.jackrabbit.oak.spi.state.ReadOnlyBuilder.unsupported(ReadOnlyBuilder.java:44) [org.apache.jackrabbit.oak-store-spi:1.42.0.T20220304165513-8fe0b13]
	at org.apache.jackrabbit.oak.spi.state.ReadOnlyBuilder.setChildNode(ReadOnlyBuilder.java:200) [org.apache.jackrabbit.oak-store-spi:1.42.0.T20220304165513-8fe0b13]
	at org.apache.jackrabbit.oak.core.SecureNodeBuilder.setChildNode(SecureNodeBuilder.java:314) [org.apache.jackrabbit.oak-core:1.42.0.T20220304165513-8fe0b13]
	at org.apache.jackrabbit.oak.plugins.tree.impl.AbstractMutableTree.addChild(AbstractMutableTree.java:75) [org.apache.jackrabbit.oak-core:1.42.0.T20220304165513-8fe0b13]
	at org.apache.jackrabbit.oak.core.MutableTree.addChild(MutableTree.java:199) [org.apache.jackrabbit.oak-core:1.42.0.T20220304165513-8fe0b13]
	at org.apache.jackrabbit.oak.plugins.tree.TreeUtil.addChild(TreeUtil.java:289) [org.apache.jackrabbit.oak-security-spi:1.42.0.T20220304165513-8fe0b13]
	at org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlManagerImpl.createAclTree(AccessControlManagerImpl.java:443) [org.apache.jackrabbit.oak-core:1.42.0.T20220304165513-8fe0b13]
	at org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlManagerImpl.setNodeBasedAcl(AccessControlManagerImpl.java:293) [org.apache.jackrabbit.oak-core:1.42.0.T20220304165513-8fe0b13]
	at org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlManagerImpl.setPolicy(AccessControlManagerImpl.java:213) [org.apache.jackrabbit.oak-core:1.42.0.T20220304165513-8fe0b13]
	at org.apache.jackrabbit.oak.security.authorization.composite.CompositeAccessControlManager.setPolicy(CompositeAccessControlManager.java:116) [org.apache.jackrabbit.oak-core:1.42.0.T20220304165513-8fe0b13]
	at org.apache.jackrabbit.oak.jcr.delegate.AccessControlManagerDelegator$8.performVoid(AccessControlManagerDelegator.java:125) [org.apache.jackrabbit.oak-jcr:1.42.0.T20220304165513-8fe0b13]
	at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.performVoid(SessionDelegate.java:280) [org.apache.jackrabbit.oak-jcr:1.42.0.T20220304165513-8fe0b13]
	... 73 common frames omitted

with writeStoreDataServiceUser being the name of my service user.

Oddly enough, when I change the permissions to be read only (see below) it ensures fine.

"type=allow;privileges=jcr:read;path=/content"

I'm wondering if there might be a setting in Cloud Manager somewhere that prevents the ensuring of service users with write permissions? Or is there something wrong with the structure of my "aces" property? I investigated the "builder is read-only" error since that seems to be the root of the problem, but was unable to dig anything up in the documentation.

1 Accepted Solution

Correct answer by
Community Advisor

Hi @user00928, according to the ACS Commons documentation, you should not use the Ensure Authorizable tool on AEM 6.3 and above (this includes AEM as a Cloud Service). So this could be the reason for your issue.

Instead, use Sling Repo scripts. Here is good Adobe documentation with code examples of how to deal with a Service User on AEM as a Cloud Service - https://experienceleague.adobe.com/docs/experience-manager-learn/cloud-service/developing/advanced/s...
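
The migration the accepted answer points to, as an added example (not code from the thread, ACS Commons or Adobe): it converts the question's "aces" strings into a Sling repoinit script. Helper names are hypothetical, only the three keys shown in the question are handled, and ACEs under /apps or /libs (immutable at runtime on AEM as a Cloud Service) are held back as warnings; that this path is what triggered the read-only builder error is an assumption the thread does not confirm.

```python
# Added example: ACS Commons "aces" strings -> Sling repoinit script.
# Helper names are hypothetical; only type/privileges/path keys are handled.
IMMUTABLE_ROOTS = ("/apps", "/libs")  # read-only at runtime on AEM as a Cloud Service

def parse_ace(ace):
    """Split 'type=allow;privileges=jcr:all;path=/content' into a dict."""
    fields = dict(part.split("=", 1) for part in ace.strip().split(";") if part)
    unknown = set(fields) - {"type", "privileges", "path"}
    if unknown:
        raise ValueError(f"unsupported ACE keys: {sorted(unknown)}")
    if fields.get("type") not in ("allow", "deny"):
        raise ValueError(f"bad or missing type in {ace!r}")
    if not fields.get("privileges") or not fields.get("path", "").startswith("/"):
        raise ValueError(f"privileges and an absolute path are required: {ace!r}")
    fields["privileges"] = [p.strip() for p in fields["privileges"].split(",")]
    return fields

def is_immutable(path):
    """True when path is /apps, /libs or anything below them."""
    return any(path == r or path.startswith(r + "/") for r in IMMUTABLE_ROOTS)

def to_repoinit(user, aces):
    """Return (repoinit_script, warnings) for one service user."""
    entries, warnings = [], []
    for ace in map(parse_ace, aces):
        if is_immutable(ace["path"]):
            warnings.append(f"{ace['path']}: immutable root, ACE held back for review")
            continue
        if ace["type"] == "allow" and "jcr:all" in ace["privileges"]:
            warnings.append(f"{ace['path']}: jcr:all is broad, consider narrowing")
        entries.append(f"    {ace['type']} {','.join(ace['privileges'])} on {ace['path']}")
    lines = [f"create service user {user}"]
    if entries:  # skip the ACL block entirely rather than emit an empty one
        lines += [f"set ACL for {user}", *entries, "end"]
    return "\n".join(lines), warnings

# ACEs and user name exactly as posted in the question.
QUESTION_ACES = [
    "type=allow;privileges=jcr:all;path=/content",
    "type=allow;privileges=jcr:all;path=/conf",
    "type=allow;privileges=jcr:all;path=/libs/msm/wcm/rolloutconfigs",
]

if __name__ == "__main__":
    script, warnings = to_repoinit("writeStoreDataServiceUser", QUESTION_ACES)
    print(script)
    for w in warnings:
        print("WARN:", w)
```

The generated script is what goes into the `scripts` array of an `org.apache.sling.jcr.repoinit.RepositoryInitializer~<name>.cfg.json` OSGi configuration.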
