SOLVED

Netcentric AC tool giving error on AEMaaCS -Exception in AceServiceImpl: {} java.lang.UnsupportedOperationException: This builder is read-only.

Level 2
Hi, I need expert advice on the issue below in AEMaaCS (#aemaacs_onboarding) with the Netcentric AC Tool [1] (<domain-port>/mnt/overlay/netcentric/actool/content/overview.html/actool): in the local cloud SDK, I am able to successfully create the groups and permissions using the Netcentric tool plugin.
But when deploying the same ACL YAML file on Cloud, I get the error below in the AC Tool [1]:
11:36:35.721: *** Applying AC Tool Configuration...
11:36:35.721: Running with v3.0.2 on instance id 4e7c0244-e576-426c-b9f2-8462ba526b3b with restricted paths: [/bin, /conf, /content, /etc, /home, /system, /tmp, /var, ^/$, ^$]
11:36:35.764: Using YAML parser with ConfigurationAdmin Plugin placeholder support
11:36:35.764: Using configuration file /apps/<client-project>/acl/setup.yaml
11:37:34.967: Loaded configuration in 59.2sec
11:37:42.385: Retrieved existing ACLs from repository in 7.4sec
11:37:42.385: *** Starting installation of 1616 authorizables from configuration...
11:37:47.457: Prefetched 1871 authorizables in 5.1sec
11:38:24.915: Prefetched 5822 memberships in 37.5sec
11:38:32.211: Created 15 authorizables (moved 0 authorizables)
11:38:32.211: Finished installation of authorizables without errors in 49.8sec
11:38:36.889: ERROR: Could not process yaml files / e=java.lang.UnsupportedOperationException: This builder is read-only.
Execution time: 0 ms
Success: false

*ERROR* POST /mnt/overlay/netcentric/actool/content/overview/content/items/actoolpanel HTTP/1.1] biz.netcentric.cq.tools.actool.impl.AcInstallationServiceImpl Exception in AceServiceImpl: {}
java.lang.UnsupportedOperationException: This builder is read-only.
at org.apache.jackrabbit.oak.spi.state.ReadOnlyBuilder.unsupported(ReadOnlyBuilder.java:44) [org.apache.jackrabbit.oak-store-spi:1.40.0.T20220110121513-be5e04f]
at org.apache.jackrabbit.oak.spi.state.ReadOnlyBuilder.remove(ReadOnlyBuilder.java:110) [org.apache.jackrabbit.oak-store-spi:1.40.0.T20220110121513-be5e04f]
at org.apache.jackrabbit.oak.core.SecureNodeBuilder.remove(SecureNodeBuilder.java:166) [org.apache.jackrabbit.oak-core:1.40.0.T20220110121513-be5e04f]
at org.apache.jackrabbit.oak.plugins.tree.impl.AbstractMutableTree.remove(AbstractMutableTree.java:51) [org.apache.jackrabbit.oak-core:1.40.0.T20220110121513-be5e04f]
at org.apache.jackrabbit.oak.core.MutableTree.remove(MutableTree.java:184) [org.apache.jackrabbit.oak-core:1.40.0.T20220110121513-be5e04f]
at org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlManagerImpl.removePolicy(AccessControlManagerImpl.java:322) [org.apache.jackrabbit.oak-core:1.40.0.T20220110121513-be5e04f]
at org.apache.jackrabbit.oak.security.authorization.composite.CompositeAccessControlManager.removePolicy(CompositeAccessControlManager.java:127) [org.apache.jackrabbit.oak-core:1.40.0.T20220110121513-be5e04f]
at org.apache.jackrabbit.oak.jcr.delegate.AccessControlManagerDelegator$9.performVoid(AccessControlManagerDelegator.java:135) [org.apache.jackrabbit.oak-jcr:1.40.0.T20220110121513-be5e04f]
at org.apache.jackrabbit.oak.jcr.delegate.SessionDelegate.performVoid(SessionDelegate.java:275) [org.apache.jackrabbit.oak-jcr:1.40.0.T20220110121513-be5e04f]
at org.apache.jackrabbit.oak.jcr.delegate.AccessControlManagerDelegator.removePolicy(AccessControlManagerDelegator.java:132) [org.apache.jackrabbit.oak-jcr:1.40.0.T20220110121513-be5e04f]
at org.apache.jackrabbit.oak.jcr.delegate.JackrabbitAccessControlManagerDelegator.removePolicy(JackrabbitAccessControlManagerDelegator.java:175) [org.apache.jackrabbit.oak-jcr:1.40.0.T20220110121513-be5e04f]
at biz.netcentric.cq.tools.actool.helper.AccessControlUtils.deleteAllEntriesForPrincipalsFromACL(AccessControlUtils.java:196) [biz.netcentric.cq.tools.accesscontroltool.bundle:3.0.2]
at biz.netcentric.cq.tools.actool.impl.AcInstallationServiceImpl.removeAcesForPathsNotInConfig(AcInstallationServiceImpl.java:348) [biz.netcentric.cq.tools.accesscontroltool.bundle:3.0.2]
at biz.netcentric.cq.tools.actool.impl.AcInstallationServiceImpl.installAces(AcInstallationServiceImpl.java:462) [biz.netcentric.cq.tools.accesscontroltool.bundle:3.0.2]
at biz.netcentric.cq.tools.actool.impl.AcInstallationServiceImpl.installAcConfiguration(AcInstallationServiceImpl.java:330) [biz.netcentric.cq.tools.accesscontroltool.bundle:3.0.2]
at biz.netcentric.cq.tools.actool.impl.AcInstallationServiceImpl.installMergedConfigurations(AcInstallationServiceImpl.java:642) [biz.netcentric.cq.tools.accesscontroltool.bundle:3.0.2]
at biz.netcentric.cq.tools.actool.impl.AcInstallationServiceImpl.installConfigurationFiles(AcInstallationServiceImpl.java:289) [biz.netcentric.cq.tools.accesscontroltool.bundle:3.0.2]
at biz.netcentric.cq.tools.actool.impl.AcInstallationServiceImpl.apply(AcInstallationServiceImpl.java:217) [biz.netcentric.cq.tools.accesscontroltool.bundle:3.0.2]
at biz.netcentric.cq.tools.actool.ui.AcToolUiService.doPost(AcToolUiService.java:79) [biz.netcentric.cq.tools.accesscontroltool.bundle:3.0.2]
at biz.netcentric.cq.tools.actool.ui.AcToolTouchUiServlet.doPost(AcToolTouchUiServlet.java:67) [biz.netcentric.cq.tools.accesscontroltool.bundle:3.0.2] 

 

 

1 Accepted Solution

Correct answer by
Employee Advisor

You are trying at runtime to modify ACLs in the immutable parts of the repository; /libs and /apps are not writeable in AEM CS during runtime.

Check your scripts if you want to set ACLs in these areas, and convert them into repoinit statements.

3 Replies

Level 2

There is another thread where a similar issue was observed using repoinit.

Is it the only solution to move from Netcentric to repoinit?

The client YAML has more than 1 lakh permissions and groups created, and contains ~400 configs related to /apps and /libs only, with read-only permissions.

Employee Advisor

Yep, you have to migrate them, because /libs and /apps are read-only during runtime (and that is a limitation you cannot avoid). 

I think that it is a valid feature request on the AC Tool side to dump all rules affecting /libs or /apps as repoinit statements.
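
One way to pull the /apps and /libs rules out of an AC Tool configuration and emit them as repoinit `set ACL` statements, as the replies above suggest. This is an added example, not part of the thread and not AC Tool or Adobe code. It assumes the YAML has already been parsed into Python lists and maps in the `ace_config` layout, maps only the `read` action to `jcr:read`, and returns every entry it cannot convert safely (other actions, `repGlob`/`restrictions`) for manual conversion; the group names and paths in the sample are constructed.

```python
# Added example, not AC Tool code. Assumption: `config` is the AC Tool YAML
# after parsing with a YAML loader: ace_config -> principal -> list of ACE maps.
IMMUTABLE_ROOTS = ("/apps", "/libs")        # read-only at runtime on AEMaaCS
ACTION_TO_PRIVILEGE = {"read": "jcr:read"}  # other actions are flagged, not guessed
def is_immutable(path):
    """True for /apps, /libs and descendants, but not e.g. /apps-legacy."""
    return any(path == r or path.startswith(r + "/") for r in IMMUTABLE_ROOTS)

def split_csv(value):
    return [v.strip() for v in (value or "").split(",") if v.strip()]

def to_repoinit(config):
    """Return (repoinit_text, needs_review) for ACEs under immutable paths."""
    blocks, needs_review = [], []
    for section in config:
        for entry in section.get("ace_config") or []:
            for principal, aces in entry.items():
                lines = []
                for ace in aces or []:
                    path = ace.get("path", "")
                    if not is_immutable(path):
                        continue  # writable path: stays in the AC Tool YAML
                    actions = split_csv(ace.get("actions"))
                    privs = split_csv(ace.get("privileges"))
                    privs += [ACTION_TO_PRIVILEGE[a] for a in actions if a in ACTION_TO_PRIVILEGE]
                    privs = list(dict.fromkeys(privs))  # de-duplicate, keep order
                    convertible = (privs and ace.get("permission") in ("allow", "deny")
                                   and all(a in ACTION_TO_PRIVILEGE for a in actions)
                                   and "repGlob" not in ace and "restrictions" not in ace)
                    if not convertible:
                        needs_review.append((principal, path))  # convert by hand
                        continue
                    lines.append(f"    {ace['permission']} {','.join(privs)} on {path}")
                if lines:
                    blocks.append("\n".join([f"set ACL for {principal}", *lines, "end"]))
    return "\n\n".join(blocks), needs_review
# Constructed sample input (hypothetical group names and paths).
SAMPLE = [{"ace_config": [
    {"content-authors": [
        {"path": "/apps/myproject/components", "permission": "allow", "actions": "read"},
        {"path": "/libs/cq/core", "permission": "allow", "privileges": "jcr:read", "repGlob": "/content/*"},
    ]},
    {"template-editors": [
        {"path": "/apps/myproject/templates", "permission": "allow", "actions": "modify"},
        {"path": "/apps-legacy", "permission": "allow", "privileges": "jcr:read"},
    ]},
]}]
if __name__ == "__main__":
    print(*to_repoinit(SAMPLE), sep="\nneeds manual review: ")
```

Entries returned in `needs_review` are deliberately not converted: a restriction or a multi-privilege action dropped in translation would grant broader access than the original rule.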