SOLVED

Service user and mapping


Level 2

Hello,

I followed the instruction https://helpx.adobe.com/experience-manager/6-3/sites/administering/using/security-service-users.html to create a service user and a mapping.

To create a user I performed the following steps:

- created a user just like the site specifies there: http://server:port/crx/explorer/index.jsp

as I want the user to be created during bundle content installation:

- created a .config.xml file under /<content_dir>/src/main/content/jcr_root/home/users/system/<jcr:uuid from the created user in previous step> with the content specified in the example in the instruction

- added a filter instruction to /<content_dir>/src/main/content/META_INF/vault/filter.xml -> <filter root="/home/users/system" mode="merge"/>

- removed the user from jcr.

During bundle installation in AEM the following error occurred:

Request failed: org.apache.jackrabbit.vault.packaging.PackageException: javax.jcr.nodetype.ConstraintViolationException: OakConstraint0001: /home/users/system[[rep:AuthorizableFolder, rep:AccessControllable]]: No matching definition found for child node q1_hkN-Qns4jK_Lt9ri_ with effective type [nt:folder] (500)

As to adding an amendment to ServiceUserMapper configuration,

- I've placed a file named org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended-<service_user_name>-factory.xml

in /<bundle_dir>/src/main/resources/SLING-INF/content/

with the following content:

<?xml version="1.0" encoding="UTF-8"?>
<jcr:root xmlns:sling="http://sling.apache.org/jcr/sling/1.0"
   xmlns:jcr="http://www.jcp.org/jcr/1.0"
   jcr:primaryType="sling:OsgiConfig"
   user.mapping="[<package_path>=<service_user_name>]" />

and I've performed the 3rd step of the instruction exactly as it's specified there, however the configuration does not seem to take place. I've checked that by looking at path /libs/system/config in jcr and checking as specified in 4th step of the instruction.

Have you encountered the same or a similar problem, or might you know the solution to this one?


9 Replies


Level 10

Could you please explain your use case? Why would you want to create a "service user" programmatically at run time?

Per my knowledge, it requires admin credentials/session to create service user. How do you plan to get the "admin" session in your code and then make sure that you apply the configuration to the respective use case at run time?


Level 2

I wanted to use a service user as a means to access certain JCR paths that a logged-in user may not have access to.


Level 10

That's a valid use case. Just create the user as mentioned in the article and assign permissions to specific paths via /useradmin and in the usermapper configuration, grant either read or write or both permissions (based on your use case) to the user against the bundle. Now, that system user can be utilized by that service bundle and would have read/write access to specific paths. All of this is done statically one time before you deploy your code bundle.

In your source code/bundle, you'd simply use this service user to perform some action.

I got confused with your statement - "as I want the user to be created during bundle content installation"


Level 4

The jcr:primaryType of q1_hkN-Qns4jK_Lt9ri_ node must be rep:SystemUser in the xml file


Level 2

Actually, I want the user to be defined in a package, so that when it is uploaded to AEM and installed, the user is installed as well. So user creation through /useradmin is not what I want to do.

That's the content of .config.xml (so there's already rep:SystemUser):

<?xml version="1.0" encoding="UTF-8"?>
<jcr:root xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:rep="internal"
   jcr:primaryType="rep:SystemUser"
   jcr:uuid="55a85283-a5cc-34f8-9049-6b252037b538"
   rep:principalName="testSysUser"
   rep:authorizableId="testSysUser"/>


Level 2

I've managed to figure out the first issue by simply renaming the '.config.xml' file to '.content.xml' - small issue.

Now I'm working on the 2nd issue.


Employee Advisor

Rename org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended-<service_user_name>-factory.xml to org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended-<service_user_name>.xml.

Also, it is not required to use the name of the service as the name (as <service_user_name>), but it's just good practice.


Correct answer by
Level 2

It finally worked, even without renaming it.

What I've done is just placed the file in content package in catalogue: <...>/jcr_root/apps/<app>/config/ which resulted in putting the file into the same location in JCR and initialization of an instance of the factory defined in there.

Looks like just correct jcr:primaryType was enough to make the functionality work.
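
A pre-deployment check for the two packaging mistakes resolved in this thread, as an added example that is not code from any poster or from AEM. The function name `lint_package`, the bundle name `com.example.core`, the sub-service `reader` and the app folder `myapp` are assumptions, and mapping entries are assumed to have the simple `bundle[:subservice]=user` form.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

JCR = "{http://www.jcp.org/jcr/1.0}"
MAPPER = "org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended"

def lint_package(files):
    """files maps a path inside the project to its XML text; returns findings."""
    findings, users, mapped = [], set(), set()
    for path, text in files.items():
        p, root = PurePosixPath(path), ET.fromstring(text)
        ptype = root.get(JCR + "primaryType")
        if "jcr_root/home/users/system/" in path:
            # In the thread, '.config.xml' left the folder typed as nt:folder.
            if p.name != ".content.xml":
                findings.append(f"{path}: rename to .content.xml")
            elif ptype != "rep:SystemUser":
                findings.append(f"{path}: jcr:primaryType must be rep:SystemUser")
            else:
                # The page's XML declares xmlns:rep="internal".
                users.add(root.get("{internal}authorizableId"))
        elif p.name.startswith(MAPPER):
            if ptype != "sling:OsgiConfig":
                findings.append(f"{path}: jcr:primaryType must be sling:OsgiConfig")
            # Accept config and run-mode folders such as config.author.
            if "jcr_root/apps/" not in path or p.parent.name.split(".")[0] != "config":
                findings.append(f"{path}: move under jcr_root/apps/<app>/config/")
            for entry in root.get("user.mapping", "").strip("[]").split(","):
                if "=" in entry:
                    mapped.add(entry.rsplit("=", 1)[1].strip())
    for user in sorted(mapped - users):
        findings.append(f"mapping targets '{user}', not defined in this package")
    return findings

# Constructed sample files (bundle, app and user names are placeholders).
USER = ('<jcr:root xmlns:jcr="http://www.jcp.org/jcr/1.0" xmlns:rep="internal" '
        'jcr:primaryType="rep:SystemUser" rep:principalName="testSysUser" '
        'rep:authorizableId="testSysUser"/>')
CONF = ('<jcr:root xmlns:sling="http://sling.apache.org/jcr/sling/1.0" '
        'xmlns:jcr="http://www.jcp.org/jcr/1.0" jcr:primaryType="sling:OsgiConfig" '
        'user.mapping="[com.example.core:reader=testSysUser]"/>')
NAME = MAPPER + "-testSysUser-factory.xml"
AS_ASKED = {"jcr_root/home/users/system/q1/.config.xml": USER,
            "src/main/resources/SLING-INF/content/" + NAME: CONF}
AS_SOLVED = {"jcr_root/home/users/system/q1/.content.xml": USER,
             "jcr_root/apps/myapp/config/" + NAME: CONF}

if __name__ == "__main__":
    for name, pkg in (("as asked", AS_ASKED), ("as solved", AS_SOLVED)):
        print(name, lint_package(pkg) or "ok")
```

A mapping that targets a user missing from the package is reported as well, since the mapping is only useful once that system user exists and has ACLs on the paths the bundle needs.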