Adobe Experience Manager Sites & More

wimsymons · 9/16/20

Hi all,

I hit this roadblock today.

I have a duplicate ACE on /content/cq:tags and there seems to be no way to remove it.

Here is a screenshot from CRX/DE:

I'm running AEM 6.5.6.0.

When I click the red (-) icon on either one of the duplicate ACL to remove it, I get the following error:

Caused by: org.apache.jackrabbit.oak.api.CommitFailedException: OakAccessControl0013: Duplicate ACE '/content/cq:tags/rep:policy/allow7' found in policy
        at org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlValidator.accessViolation(AccessControlValidator.java:309)
        at org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlValidator.checkValidPolicy(AccessControlValidator.java:210)
        at org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlValidator.checkValidTree(AccessControlValidator.java:162)
        at org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlValidator.childNodeChanged(AccessControlValidator.java:140)
        at org.apache.jackrabbit.oak.spi.commit.VisibleValidator.childNodeChanged(VisibleValidator.java:113)
        at org.apache.jackrabbit.oak.spi.commit.VisibleValidator.childNodeChanged(VisibleValidator.java:30)
        at org.apache.jackrabbit.oak.spi.commit.CompositeEditor.childNodeChanged(CompositeEditor.java:121)
        at org.apache.jackrabbit.oak.spi.commit.EditorDiff.childNodeChanged(EditorDiff.java:142)
        at org.apache.jackrabbit.oak.segment.MapRecord.compare(MapRecord.java:444)
        at org.apache.jackrabbit.oak.segment.SegmentNodeState.compareAgainstBaseState(SegmentNodeState.java:651)
        at org.apache.jackrabbit.oak.spi.commit.EditorDiff.childNodeChanged(EditorDiff.java:147)
        at org.apache.jackrabbit.oak.segment.MapRecord$4.childNodeChanged(MapRecord.java:471)
        at org.apache.jackrabbit.oak.segment.MapRecord.compare(MapRecord.java:517)
        at org.apache.jackrabbit.oak.segment.MapRecord.compare(MapRecord.java:462)
        at org.apache.jackrabbit.oak.segment.SegmentNodeState.compareAgainstBaseState(SegmentNodeState.java:651)
        at org.apache.jackrabbit.oak.spi.commit.EditorDiff.childNodeChanged(EditorDiff.java:147)
        at org.apache.jackrabbit.oak.segment.MapRecord.compare(MapRecord.java:517)
        at org.apache.jackrabbit.oak.segment.SegmentNodeState.compareAgainstBaseState(SegmentNodeState.java:651)
        at org.apache.jackrabbit.oak.spi.commit.EditorDiff.process(EditorDiff.java:51)
        at org.apache.jackrabbit.oak.spi.commit.EditorHook.processCommit(EditorHook.java:54)
        at org.apache.jackrabbit.oak.spi.commit.CompositeHook.processCommit(CompositeHook.java:60)
        at org.apache.jackrabbit.oak.segment.scheduler.Commit.apply(Commit.java:99)
        at org.apache.jackrabbit.oak.segment.scheduler.LockBasedScheduler.execute(LockBasedScheduler.java:299)
        at org.apache.jackrabbit.oak.segment.scheduler.LockBasedScheduler.schedule(LockBasedScheduler.java:270)
        at org.apache.jackrabbit.oak.segment.SegmentNodeStore.merge(SegmentNodeStore.java:211)
        at org.apache.jackrabbit.oak.core.MutableRoot.commit(MutableRoot.java:251)
        at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.commit(SessionDelegate.java:346)
        at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.save(SessionDelegate.java:493)
        ... 60 common frames omitted

I still have no clue how it's possible to create this.

I see 2 possible options on how it was created, but I haven't investigated further:

this is created after doing a partial sidegrade using crx2oak without importing users and/or groups
this is created by running the purgeAllAuthorizablesFromConfiguration() and/or apply() methods from the Netcentric Access Control Tool JMX bean

Does anyone know a way to remove this duplicate ACE?

Thanks!

Vijayalakshmi_S · 9/16/20

Hi @wimsymons,

As you have done migration of subtree using crx2oak, can you check if there is a duplicate entry in old repository as well?

Also share the instance version from which you migrated to 6.5.6

wimsymons · 9/16/20

Just checked. There is no duplicate entry in the old repository. We migrated content from 6.4.4.0.

Vijayalakshmi_S · 9/16/20

Hi @wimsymons,

Can you try the below options

Try removing from Access Control Editor (console from /crx/explorer/index.jsp) - Should be same behavior but just a try.
Access /useradmin - search for your group "fragment-everyone" -> Permissions Tab -> remove the read access on cq:tags path and save -> Observe ACL list in /content/cq:tags and see if entry is removed/amended (This approach is to amend the permission for the problematic group on respective path from useradmin console)
- If success, then give the desired permissions to the group for respective path from same /useradmin console.

wimsymons · 9/16/20

I did some more research. ACTool can't handle the duplicates, but if I remove the duplicate using CRX/DE before running ACTool it works fine. I can remove the duplicate ACL. After that ACTool has no more issues either. If I bump into the problem again I will try the Access Control Editor.

wimsymons · 9/17/20

Error?

Adobe Experience Manager Sites & More

How to fix OakAccessControl0013: Duplicate ACE

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe