Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
BedrockMission!

Learn more

View all

Sign in to view all badges

How to fix OakAccessControl0013: Duplicate ACE

wimsymons
Level 4
Level 4

Hi all,

I hit this roadblock today. 🙁

I have a duplicate ACE on /content/cq:tags and there seems to be no way to remove it.

Here is a screenshot from CRX/DE:

Schermafbeelding 2020-09-15 om 09.04.25.png

I'm running AEM 6.5.6.0.

When I click the red (-) icon on either one of the duplicate ACL to remove it, I get the following error:

 

Caused by: org.apache.jackrabbit.oak.api.CommitFailedException: OakAccessControl0013: Duplicate ACE '/content/cq:tags/rep:policy/allow7' found in policy
        at org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlValidator.accessViolation(AccessControlValidator.java:309)
        at org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlValidator.checkValidPolicy(AccessControlValidator.java:210)
        at org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlValidator.checkValidTree(AccessControlValidator.java:162)
        at org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlValidator.childNodeChanged(AccessControlValidator.java:140)
        at org.apache.jackrabbit.oak.spi.commit.VisibleValidator.childNodeChanged(VisibleValidator.java:113)
        at org.apache.jackrabbit.oak.spi.commit.VisibleValidator.childNodeChanged(VisibleValidator.java:30)
        at org.apache.jackrabbit.oak.spi.commit.CompositeEditor.childNodeChanged(CompositeEditor.java:121)
        at org.apache.jackrabbit.oak.spi.commit.EditorDiff.childNodeChanged(EditorDiff.java:142)
        at org.apache.jackrabbit.oak.segment.MapRecord.compare(MapRecord.java:444)
        at org.apache.jackrabbit.oak.segment.SegmentNodeState.compareAgainstBaseState(SegmentNodeState.java:651)
        at org.apache.jackrabbit.oak.spi.commit.EditorDiff.childNodeChanged(EditorDiff.java:147)
        at org.apache.jackrabbit.oak.segment.MapRecord$4.childNodeChanged(MapRecord.java:471)
        at org.apache.jackrabbit.oak.segment.MapRecord.compare(MapRecord.java:517)
        at org.apache.jackrabbit.oak.segment.MapRecord.compare(MapRecord.java:462)
        at org.apache.jackrabbit.oak.segment.SegmentNodeState.compareAgainstBaseState(SegmentNodeState.java:651)
        at org.apache.jackrabbit.oak.spi.commit.EditorDiff.childNodeChanged(EditorDiff.java:147)
        at org.apache.jackrabbit.oak.segment.MapRecord.compare(MapRecord.java:517)
        at org.apache.jackrabbit.oak.segment.SegmentNodeState.compareAgainstBaseState(SegmentNodeState.java:651)
        at org.apache.jackrabbit.oak.spi.commit.EditorDiff.process(EditorDiff.java:51)
        at org.apache.jackrabbit.oak.spi.commit.EditorHook.processCommit(EditorHook.java:54)
        at org.apache.jackrabbit.oak.spi.commit.CompositeHook.processCommit(CompositeHook.java:60)
        at org.apache.jackrabbit.oak.segment.scheduler.Commit.apply(Commit.java:99)
        at org.apache.jackrabbit.oak.segment.scheduler.LockBasedScheduler.execute(LockBasedScheduler.java:299)
        at org.apache.jackrabbit.oak.segment.scheduler.LockBasedScheduler.schedule(LockBasedScheduler.java:270)
        at org.apache.jackrabbit.oak.segment.SegmentNodeStore.merge(SegmentNodeStore.java:211)
        at org.apache.jackrabbit.oak.core.MutableRoot.commit(MutableRoot.java:251)
        at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.commit(SessionDelegate.java:346)
        at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.save(SessionDelegate.java:493)
        ... 60 common frames omitted

 

I still have no clue how it's possible to create this.

I see 2 possible options on how it was created, but I haven't investigated further:

Does anyone know a way to remove this duplicate ACE?

Thanks!

5 Replies
Vijayalakshmi_S
Community Advisor
Community Advisor

Hi @wimsymons,

As you have done migration of subtree using crx2oak, can you check if there is a duplicate entry in old repository as well?

Also share the instance version from which you migrated to 6.5.6

wimsymons
Level 4
Level 4
Just checked. There is no duplicate entry in the old repository. We migrated content from 6.4.4.0.
Vijayalakshmi_S
Community Advisor
Community Advisor

Hi @wimsymons,

Can you try the below options

  • Try removing from Access Control Editor (console from /crx/explorer/index.jsp) - Should be same behavior but just a try.
  • Access /useradmin - search for your group "fragment-everyone" -> Permissions Tab -> remove the read access on cq:tags path and save -> Observe ACL list in /content/cq:tags and see if entry is removed/amended (This approach is to amend the permission for the problematic group on respective path from useradmin console)
    • If success, then give the desired permissions to the group for respective path from same /useradmin console. 
wimsymons
Level 4
Level 4
I did some more research. ACTool can't handle the duplicates, but if I remove the duplicate using CRX/DE before running ACTool it works fine. I can remove the duplicate ACL. After that ACTool has no more issues either. If I bump into the problem again I will try the Access Control Editor.