resourceResolver.commit() , works on Author server , throws "Access denied" on Publish server

RobertBailey201 31-07-2018

Hi All,

I have a Java component bean which creates a child resource and then calls resourceResolver.commit().

It is working fine on the 6.3 Author server.

But on the 6.3 Publish server it is throwing the following exception:-

org.apache.sling.api.resource.PersistenceException: Unable to commit changes to session.

Caused by: org.apache.jackrabbit.oak.api.CommitFailedException: OakAccess0000: Access denied

    at org.apache.jackrabbit.oak.security.authorization.permission.PermissionValidator.checkPermissions(PermissionValidator.java:210) [org.apache.jackrabbit.oak-core:1.8.2]

Does anyone know how I can investigate / resolve this?

Thank you for your time.

Accepted Solutions (1)

Accepted Solutions (1)

RobertBailey201 01-08-2018

THANK YOU ALL!!     

Got there eventually using the steps below to create a System User , and then "map" System User with OSGi bundle :-

1.1.  Goto http://localhost:4542/crx/explorer/index.jsp

1.2.  Login as admin

1.3.  Click "User Administration"

1.4.  Click "Create SYSTEM User"

1.5.  Input UserID  (for example "content-writer")

1.6.  Click green tick to create System User

Repeat above process for Publish server (http://localhost:4543/crx/explorer/index.jsp)

2.1.  Goto http://localhost:4542/system/console/configMgr

2.2.  Search for "Apache Sling Service User Mapper Service"

2.3.  Click icon to "Edit the configuration values"

2.4.  Click plus ('+') button to add Service Mappings

2.5.  Input new Service Mappings  (for example "org.apache.sling.models.impl=content-writer"  or  "org.apache.sling.models.impl:content-writer=content-writer")

Repeat above process for Publish server (http://localhost:4543/system/console/configMgr)

After completing above steps , it should be possible to getServiceResourceResolver() using the following Java code :-

    final Map<String, Object> param = new HashMap<>();

    param.put(ResourceResolverFactory.SUBSERVICE, "content-writer");

    final ResourceResolver rr = resourceResolverFactory.getServiceResourceResolver(param);

Answers (11)

Answers (11)

smacdonald2008 01-08-2018

Follow this doc - it shows you all that you need to do. As shown in the Doc:

1 - you need to create a system user.

2 - you need to give correct permissions - for testing grant all permissions by clicking top row.

3- Use Sling Mapping Service to map system user and specify the OSGi symbolic name.

Arun_Patidar
MVP
01-08-2018

Hi,

It seems, you get this wrong.

You need to create a new system user which will be act as a service user.

Service Users in AEM

Then you need to map that user and sub-service with bundle.

Service Users in AEM

Thanks

Arun

edubey 31-07-2018

that is fine but are you using end user session, if yes they should have write permission.

else, use service user will correct permission to perform this operation.

RobertBailey201 01-08-2018

Thank you for your replies.  I have tried running the following Java code , to get a ServiceResourceResolver , for EVERY User listed in http://localhost:4502/useradmin :-

    private void getServiceResourceResolverForUser(final String user)

    {

        try

        {

            final Map<String, Object> param = new HashMap<>();

            param.put(ResourceResolverFactory.SUBSERVICE, user);

            final ResourceResolver rr = resourceResolverFactory.getServiceResourceResolver(param);

            log("SUCCESS: " + rr.toString());

        }

        catch (Exception e)

        {

            log("FAIL: " + e.getMessage());

        }

    }

In every case , I am getting an error saying "Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service"  (see log below).

How can I "enable" a User so that I can get a ServiceResourceResolver for that User ?

Thank you for your time.

______

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service account-manager

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service activity-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service activitypurgesrv

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service admin

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service analytics-content-updater-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service analytcsservice

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service anonymous

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service assetlinksharesemce

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service assetusagetrackeruser

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service audit-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service authentication-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service campaign-cloudservice

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service campaign-reader

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service campaign-remote

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service canvaspage-actlvate-setvice

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service canvaspage-delete-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service cavery

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service cdn-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service clientibs-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service commerce-backend-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service commerce-frontend-semce

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service commerce-orders-seneice

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service communities-ad-manager

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service communities-analytics-admin

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service communities-enablement-property-writer

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service communities-index-admin

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service communities-srp-config-reader

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service communities-tag-admin

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service communities-ugc-writer

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service communities-user-admin

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service communities-utility-reader

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service communities-workflow-launcher

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service compat-codeupgrade-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service components-search-seneice

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service contentsync-setv•ce

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service cryptoservice

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service cog-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service dam-activitmriter•setvice

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service dam-asseteventmonitor•service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service dam-formitemseditor-senvice

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service dam-replication-sevice

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service dam-teammgr-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service dam-update-seneice

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service design-cache-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service device-identification-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service dtmsetvice

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service dynamic-media-replication

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service dynamic-media-replication-filter

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service dynamicmedia-config-setvice

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service fd-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service fontconfig-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service foundation-forms-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service foundation-forms-store-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service hierarchymodification-listener-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service history-listener-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service idsjobprocessor

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service imccoy

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service index-admin

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service installerservice

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service ksaner

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service language-manager-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service launch-event-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service launch-promote-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service linkstorage-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service media-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service monitoringScripts

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service msm-semce

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service namespace-mg mt-senvice

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service nlp-reader

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service notification-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service oauthsenrice

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service offloading-agentmanager

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service offloading-jobcloner

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service offloading-semce

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service omnisearch-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service packagelist-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service page-name-validator-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service pageexporterservice

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service personalization-seneice

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service polling-impatter-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service primary-resource-search-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service projects-seneice

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service recs-de[eted-products listener service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service reference-adjustment-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service reference-processing-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service replication-receiver

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service replication-semce

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service repasitcy-change-listener-semce

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service repasitcy-reader-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service resourcecollectlonservice

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service s7dam-config-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service scene7-asset-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service scene7-config-sennce

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service scheduled-expatter-segvice

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service searchpromote-semce

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service securiti/ userpropetties-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service sling-context-aware-config-web-console

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service sling-discovery

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service sling-event

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service sling-118n

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service sling-installer-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service sling-jcr•mstall

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service sling-mapping

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service sling-readall

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service sling-rewriter

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service sling-scripting

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service sling-tenant

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service sling-xss

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service snapshotsenvice

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service social-enablement replication-user

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service social-enablement-tmp-manager

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service spellchecker-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service se-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service statistics-seneice

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service tag-garbage-collection-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service tag-validation-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service targetservice

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service taskmanagement-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service translation-config-setvice

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service translation-job-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service undo-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service varmstrong

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service version-manager-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service version-purge-serwce

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service wcm-workflow-setvice

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service webdavbkpsetvice

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service websetvice-suppatt replication

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service websetvice-suppatt-setvcellbfinder

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service willie.melton@dodglt.com

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service workflow-pacess-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service workflow-repo-reader-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service workflow-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service workflow-user-service

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service wurfl-loader-semce

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service youtube-authenticator-user

FAIL: Cannot derive user name for bundle org.apache.sling.models.impl [489] and sub service zachammitchell@spambob.com

Jitendra_S_Toma 31-07-2018

Yeah. That is how you get resourceResolver from Request object in Sightly POJO. You need to get resource resolver with a specific user who has some level of access on the publish environment.

Reference

You can get more info on this post.

How to get admin session from Repository

FYI

Publish user must have limited access.

RobertBailey201 31-07-2018

Hi,

Thanks for your replies.

The ResourceResolver is injected using the following :-

    @Inject

    private ResourceResolver resourceResolver;

Jitendra_S_Toma 31-07-2018

Hi,

it works in author because in the author you always log in with the user who has correct access to modify/read the content. And I believe you are getting resourceResolver object from the Request object. In author, Request object gets the correct user. However, In the publish environment, Request object will have an anonymous user. And you know, the anonymous user will not have access to update the content of your pages.

The solution is that we should try with the user who can enough access in publish too. if no user exists then you need to create in publishing too.

I hope this helps.

Arun_Patidar
MVP
31-07-2018

Hi,

How you are getting resourceResolver?

The user should have permission to persist all the pending changes.

Can you check users permisisons?

Thanks

Arun