Netcentric / accesscontroltool

Rights and roles management for AEM made easy
Eclipse Public License 1.0

[AEMaaCS] Issue with isMemberOf property #693

Closed nikolay-v-atanasov closed 3 months ago

nikolay-v-atanasov commented 3 months ago

Hi all,

We have an issue with AC Tool on AEMaaCS. The issue is weird because we have the same scripts and same configurations for all AEM Cloud environments, but we only have the problem on PROD, i.e. the groups are created properly on AEM DEV and STAGE environments but they are broken on PROD.

The problem is that we create several external IMS user groups by AC Tool, and for these groups, we specify that Group A isMemberOf Group B. For example we specify that: SKD-FLEETCARCONFIGURATOR.FLEETCCDOC-HQ-PUBLISHER is member of these three groups:

However, the FLEETCCDOC-HQ-PUBLISHER group is not created as a member of the groups above. Here is the code snippet

  - SKD-FLEETCARCONFIGURATOR.FLEETCCDOC-HQ-PUBLISHER:
      - name: SKD-FLEETCARCONFIGURATOR.FLEETCCDOC-HQ-PUBLISHER
        externalId: "SKD-FLEETCARCONFIGURATOR.FLEETCCDOC-HQ-PUBLISHER;ims"
        isMemberOf: SKD-FLEETCARCONFIGURATOR.FLEETCCDOC-CMS-HQ-PUBLISHER,SKD-FLEETCARCONFIGURATOR.FLEETCCDOC-DAM-HQ-PUBLISHER,SKD-FLEETCARCONFIGURATOR.FLEETCCDOC-GLOBAL-USERS
        path: /home/groups/fleet

The script is attached: new_fleet.yaml.txt

Additionally, we create a similar user group FLEETCARCONFIGURATOR.FLEETCCDOC-HQ-PUBLISHER (no SKD prefix) and everything is good for this group, i.e. the group is included as a member of the listed groups.

  - FLEETCARCONFIGURATOR.FLEETCCDOC-HQ-PUBLISHER:
      - name: FLEETCARCONFIGURATOR.FLEETCCDOC-HQ-PUBLISHER
        path: /home/groups/fleet
        isMemberOf: FLEETCARCONFIGURATOR.FLEETCCDOC-CMS-HQ-PUBLISHER,FLEETCARCONFIGURATOR.FLEETCCDOC-DAM-HQ-PUBLISHER,FLEETCARCONFIGURATOR.FLEETCCDOC-GLOBAL-USERS

We have just one AC Tool configuration for PROD in config.author.prod folder. The PID of the service is biz.netcentric.cq.tools.actool.impl.AcInstallationServiceImpl.cfg.json

  {
    "configurationRootPaths": [
      "/apps/xxx/actoolconfig",
      "/apps/xxx/actoolconfig_ims"
    ]
  }

I appreciate any advice and suggestion about the issue.

Thank you in advance, Nikolay

otarsko commented 3 months ago

Hi @nikolay-v-atanasov what does AC Tool log say? I assume the execution on Production is successful? Maybe you can share the verbose log?

Additionally, we create a similar user group FLEETCARCONFIGURATOR.FLEETCCDOC-HQ-PUBLISHER (no SKD prefix) and everything is good for this group, i.e. the group is included as a member of the listed groups.

Was it being created as part of the same yaml definition you shared? (Asking because I don't see it there.)

nikolay-v-atanasov commented 3 months ago

Hi,

I don't see errors in the verbose log. The log is attached: ac_tool_verbole.log

The FLEETCARCONFIGURATOR.FLEETCCDOC-HQ-PUBLISHER (no SKD prefix) is created in another script file. The definition is here: new_fleet.yaml.txt

I attached two screenshots of SKD and non-SKD groups so we can see that non-SKD groups are created successfully:

[Screenshot 2024-04-04 at 16 22 33] [Screenshot 2024-04-04 at 16 22 48]

nikolay-v-atanasov commented 3 months ago

I dumped the AC Tool, and I see that for non-SKD groups, we have

  - STARGATE.STARGATE-EN-IE-IMPORTER:
      - name: 
        isMemberOf: STARGATE.STARGATE-GLOBAL-WORKFLOW-USERS,STARGATE.STARGATE-GLOBAL-WORKFLOW-REQUESTERS
        path: /home/groups/stargate/importers

and some of the comma-separated strings are converted to lists:

  - FLEETCARCONFIGURATOR.FLEETCCDOC-CZ-EDITOR:
      - name: 
        isMemberOf: 
          - FLEETCARCONFIGURATOR.FLEETCCDOC-CS-CZ-CMS-EDITOR
          - FLEETCARCONFIGURATOR.FLEETCCDOC-EN-CZ-CMS-EDITOR
          - FLEETCARCONFIGURATOR.FLEETCCDOC-GLOBAL-USERS
          - FLEETCARCONFIGURATOR.FLEETCCDOC-CS-CZ-DAM-EDITOR
          - FLEETCARCONFIGURATOR.FLEETCCDOC-EN-CZ-DAM-EDITOR

Do we have a limitation of the length of isMemberOf property in characters? Do we have any other limitation that affects converting isMemberOf property to YAML list?

Thank you Nikolay

kwin commented 3 months ago

This doesn't seem to be like an issue in the tool itself (as it happens only on PROD), can you therefore please rather use https://github.com/Netcentric/accesscontroltool/discussions. This is reserved for tracking of bugs/features. Thanks.

nikolay-v-atanasov commented 3 months ago

The tool doesn't work as expected. This can be an environment-specific issue, can't it?