Expand my Community achievements bar.

Dive into Adobe Summit 2024! Explore curated list of AEM sessions & labs, register, connect with experts, ask questions, engage, and share insights. Don't miss the excitement.
SOLVED

RepoInit Configuration is not able to set ACL: read permission of a system user in AEM As a Cloud Service

Avatar

Level 1

Hi,

 

I am having one config "org.apache.sling.jcr.repoinit.RepositoryInitializer" and in that I am trying to set 

"set ACL for test-user \r\nallow jcr:read on /libs/dam/content". While deploying the changes in local, it gets deployed easily, but when I deploy this config with my codebase in AEM AACS Server,  it says

[Apache Sling Repository Startup Thread #1] com.adobe.granite.repository.impl.SlingRepositoryManager Exception in a SlingRepositoryInitializer, SlingRepository service registration aborted java.lang.RuntimeException: Failed to set ACL (java.lang.UnsupportedOperationException: This builder is read-only.) AclLine ALLOW {paths=[/libs/dam/content], privileges=[jcr:read]} at org.apache.sling.jcr.repoinit.impl.AclVisitor.setAcl(AclVisitor.java:64) [org.apache.sling.jcr.repoinit:1.1.28] at org.apache.sling.jcr.repoinit.impl.AclVisitor.visitSetAclPrincipal(AclVisitor.java:85) [org.apache.sling.jcr.repoinit:1.1.28]

 

By seeing the below document, it feels like it should work because I am expecting it to set this permission at deployment time.

Screenshot 2021-04-15 at 10.55.23 AM.png

 

Kindly help on this.

Topics

Topics help categorize Community content and increase your ability to discover relevant content.

1 Accepted Solution

Avatar

Correct answer by
Community Advisor

Hi @shivanigarg111,

 

How are you getting the session of the JCR? Did you try the system/service user? I feel that the error is because of the lack of user permissions on the repository.

 

Can you share your code snippet?

 

Thanks,

Kiran Vedantam.

View solution in original post

3 Replies

Avatar

Correct answer by
Community Advisor

Hi @shivanigarg111,

 

How are you getting the session of the JCR? Did you try the system/service user? I feel that the error is because of the lack of user permissions on the repository.

 

Can you share your code snippet?

 

Thanks,

Kiran Vedantam.

Avatar

Level 1

HI @Kiran_Vedantam, In the code, I am using system user to fetch the session names "test-user", the issue is not the code, The issue is while cloud manager deploy my codebase with the repoinit config, it fails at deploy to dev step and says I can't set read access to /libs hierarchy. Ideally AEM says I can do that at the time of deployment, but not at the runtime

Avatar

Employee

You can't change anything under /libs. Full stop.

 

Immutability is enforced via a Composite Nodestore [1],

/apps is a mounted nodestore

/libs is another mounted nodestore that you can think of as a read-only 'golden master'

 

Your repo init scripts can do anything under /apps

But you won't be able to do anything under /libs -- you'll encounter runtime errors during the buildImage step of your pipeline and it will ultimately fail.

 

[1] -- https://jackrabbit.apache.org/oak/docs/nodestore/compositens.html