Netcentric / accesscontroltool

Rights and roles management for AEM made easy
Eclipse Public License 1.0

AEMaaCS deployment fails when upgrading to latest version accesscontroltool-content-package-3.0.4.zip #626

Closed subsul8 closed 2 years ago

subsul8 commented 2 years ago

Upgraded from version 2.5.5 to 3.0.4 and the deployment fails in AEMaaCS. Observed the logs below in Cloud Manager.

00:16:51.316 [main] INFO  install.mutable.content - cURL - request successful
[2022/02/15 00:16:51] [ info] [input chunk] skip ingesting data with 0 bytes
00:16:51.316 [main] INFO  install.mutable.content - Blocked queue error trace: 
 java.lang.Throwable: Failed attempt (2/infinite) to import the distribution package PackageMessage(pubSlingId=dba48ea3-8392-40c6-9056-bb16aa0fdd27, reqType=ADD, pkgId=dstrpck-1644884195357-bc0c1aae-ae20-49fb-8403-8cd08c2304a8, pkgType=journal_filevault, pkgLength=14622, pubAgentName=publish, userId=replication-service, paths=[/etc/packages/Netcentric/accesscontroltool-content-package-3.0.4.zip], deepPaths=[]) at offset=3997460 because of 'Error trying to extract package at path /etc/packages/Netcentric/accesscontroltool-content-package-3.0.4.zip because of 'Failed to import /rep:repoPolicy (org.xml.sax.SAXException: javax.jcr.AccessDeniedException: Access denied.
javax.jcr.AccessDeniedException: Access denied.)'', the importer will retry later
    at org.apache.sling.distribution.journal.queue.impl.QueueErrors.toThrowable(QueueErrors.java:67)
    at org.apache.sling.distribution.journal.queue.impl.QueueErrors.handleEvent(QueueErrors.java:62)
    at org.apache.felix.eventadmin.impl.handler.EventHandlerProxy.sendEvent(EventHandlerProxy.java:431)
    at org.apache.felix.eventadmin.impl.tasks.HandlerTask.runWithoutDenylistTiming(HandlerTask.java:82)
    at org.apache.felix.eventadmin.impl.tasks.SyncDeliverTasks.execute(SyncDeliverTasks.java:107)
    at org.apache.felix.eventadmin.impl.tasks.AsyncDeliverTasks$TaskExecuter.run(AsyncDeliverTasks.java:167)
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
    at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.base/java.lang.Thread.run(Unknown Source)
Caused by: java.lang.Throwable: org.apache.sling.distribution.common.DistributionException: Error trying to extract package at path /etc/packages/Netcentric/accesscontroltool-content-package-3.0.4.zip because of 'Failed to import /rep:repoPolicy (org.xml.sax.SAXException: javax.jcr.AccessDeniedException: Access denied.
javax.jcr.AccessDeniedException: Access denied.)'
    at org.apache.sling.distribution.journal.bookkeeper.ContentPackageExtractor.handlePath(ContentPackageExtractor.java:87)
    at org.apache.sling.distribution.journal.bookkeeper.ContentPackageExtractor.handle(ContentPackageExtractor.java:70)
    at org.apache.sling.distribution.journal.bookkeeper.PackageHandler.installAddPackage(PackageHandler.java:79)
    at org.apache.sling.distribution.journal.bookkeeper.PackageHandler.apply(PackageHandler.java:61)
    at org.apache.sling.distribution.journal.bookkeeper.BookKeeper.importPackage(BookKeeper.java:154)
    at org.apache.sling.distribution.journal.impl.subscriber.DistributionSubscriber.processQueueItem(DistributionSubscriber.java:371)
    at org.apache.sling.distribution.journal.impl.subscriber.DistributionSubscriber.fetchAndProcessQueueItem(DistributionSubscriber.java:327)
    at org.apache.sling.distribution.journal.impl.subscriber.DistributionSubscriber.processQueue(DistributionSubscriber.java:306)
    at java.base/java.lang.Thread.run(Unknown Source)
Caused by: org.apache.jackrabbit.vault.packaging.PackageException: Failed to import /rep:repoPolicy (org.xml.sax.SAXException: javax.jcr.AccessDeniedException: Access denied.
javax.jcr.AccessDeniedException: Access denied.)
    at org.apache.sling.distribution.journal.bookkeeper.ContentPackageExtractor.failed(ContentPackageExtractor.java:126)
    at org.apache.sling.distribution.journal.bookkeeper.ContentPackageExtractor.installPackage(ContentPackageExtractor.java:109)
    at org.apache.sling.distribution.journal.bookkeeper.ContentPackageExtractor.handlePath(ContentPackageExtractor.java:81)
    ... 8 more
Caused by: org.apache.jackrabbit.vault.packaging.PackageException: Errors during import.
    at org.apache.jackrabbit.vault.packaging.impl.ZipVaultPackage.extract(ZipVaultPackage.java:248)
    at org.apache.jackrabbit.vault.packaging.impl.JcrPackageImpl.extract(JcrPackageImpl.java:401)
    at org.apache.jackrabbit.vault.packaging.impl.JcrPackageImpl.extract(JcrPackageImpl.java:360)
    at org.apache.jackrabbit.vault.packaging.impl.JcrPackageImpl.extract(JcrPackageImpl.java:346)
    at org.apache.sling.distribution.journal.bookkeeper.ContentPackageExtractor.installPackage(ContentPackageExtractor.java:118)
    at org.apache.sling.distribution.journal.bookkeeper.ContentPackageExtractor.installPackage(ContentPackageExtractor.java:106)
    ... 9 more

Dependencies used:

            <dependency>
                <groupId>biz.netcentric.cq.tools.accesscontroltool</groupId>
                <artifactId>accesscontroltool-package</artifactId>
                <type>content-package</type>
                <version>${netcentric.accesscontroltool.version}</version>
            </dependency>
            <dependency>
                <groupId>biz.netcentric.cq.tools.accesscontroltool</groupId>
                <artifactId>accesscontroltool-oakindex-package</artifactId>
                <type>zip</type>
                <version>${netcentric.accesscontroltool.version}</version>
            </dependency>

subsul8 commented 2 years ago

Works fine with version 3.0.2 though.

arungm20 commented 2 years ago

I do have the same issue. Any fixes expected? However, re-triggering the build would work, as the bundle starts in the backend and on the next build it would apply the required permissions.

kwin commented 2 years ago

The error mentioned above, "Failed to import /rep:repoPolicy (org.xml.sax.SAXException: javax.jcr.AccessDeniedException: Access denied.", is not related to the ACTool at all. It happens during regular replication of a content package. The stack trace above does not mention any ACTool class. Please observe the limitations of the underlying service user for packages which are supposed to be installed on publish outlined at https://github.com/Netcentric/aem-cloud-validator#prevent-using-certain-paths-in-mutable-content-packages
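
The triage step described in the last comment can be scripted. The following is an added example, not part of the thread or of the ACTool project: it pulls the rejected repository path and innermost exception out of a Java stack trace and lists which components own the frames. The sample log is a constructed, shortened copy of the trace quoted above, and the `biz.netcentric.` prefix is an assumption derived from the Maven groupId shown in the issue.

```python
import re
from collections import Counter

# Constructed sample: shortened from the trace quoted in this issue.
SAMPLE_LOG = """\
java.lang.Throwable: Failed attempt (2/infinite) to import the distribution package because of 'Failed to import /rep:repoPolicy (org.xml.sax.SAXException: javax.jcr.AccessDeniedException: Access denied.
javax.jcr.AccessDeniedException: Access denied.)'', the importer will retry later
    at org.apache.sling.distribution.journal.queue.impl.QueueErrors.toThrowable(QueueErrors.java:67)
    at org.apache.felix.eventadmin.impl.handler.EventHandlerProxy.sendEvent(EventHandlerProxy.java:431)
    at java.base/java.lang.Thread.run(Unknown Source)
Caused by: org.apache.jackrabbit.vault.packaging.PackageException: Failed to import /rep:repoPolicy (org.xml.sax.SAXException: javax.jcr.AccessDeniedException: Access denied.
javax.jcr.AccessDeniedException: Access denied.)
    at org.apache.sling.distribution.journal.bookkeeper.ContentPackageExtractor.failed(ContentPackageExtractor.java:126)
    ... 8 more
Caused by: org.apache.jackrabbit.vault.packaging.PackageException: Errors during import.
    at org.apache.jackrabbit.vault.packaging.impl.ZipVaultPackage.extract(ZipVaultPackage.java:248)
"""

# "at [module/]fully.qualified.Class.method(" -> captures the class name.
FRAME = re.compile(r"^[ \t]+at (?:[\w.]+/)?([\w.$]+)\.[\w$<>]+\(", re.M)
# "Failed to import <path> (<exception chain>" -> path and the rest of the line.
FAILED = re.compile(r"Failed to import (\S+) \(([^\n]*)")


def triage(log, suspect_prefix):
    """Summarise a trace: failing path, root exception, frame owners."""
    classes = FRAME.findall(log)
    path = cause = None
    match = FAILED.search(log)
    if match:
        path = match.group(1)
        # The chain reads "Outer: Inner: message"; keep the innermost exception.
        chain = [p for p in match.group(2).split(": ") if p.endswith("Exception")]
        cause = chain[-1] if chain else None
    return {
        "path": path,
        "cause": cause,
        # Group frames by the first three package segments.
        "components": Counter(".".join(c.split(".")[:3]) for c in classes),
        # Frames owned by the suspected component (empty list = not involved).
        "suspect_frames": [c for c in classes if c.startswith(suspect_prefix)],
    }


if __name__ == "__main__":
    # Assumption: ACTool classes live under the groupId's "biz.netcentric." namespace.
    print(triage(SAMPLE_LOG, "biz.netcentric."))
```

An empty `suspect_frames` list together with `cause` set to `javax.jcr.AccessDeniedException` points at the permissions of the importing service user rather than at the suspected component.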