Open Promathia opened 1 month ago
Colleagues, does anyone have any ideas on the issue description above?
@Promathia Have you tried the approach as outlined in https://github.com/Netcentric/accesscontroltool/discussions/694#discussioncomment-9057384 / attached zip https://github.com/Netcentric/accesscontroltool/files/14917287/link-ims-groups-with-actool-example.zip ?
You state the error `Member IMS en-editors does not exist and cannot be added as external member to group en-editors` is the problem during the image build. If you put the link group in a folder à la `ims-link-group.author.dev`, it will only be executed during the second run (as the runmode `dev` is not set during image build).
Hi @ghenzler , thank you so much for addressing this, I'll try it today, seems like it should work, although I have a couple of doubts. But anyway, I'll try and let you know.
Regards, Ivan
Hello colleagues! @ghenzler, as you suggested I put my configs into a run-mode folder, as follows (we have the same configs for all 3 envs):
After deploy to AEMaaCS I see the following picture (no configs were applied):
The startup_hook error message looks like this:
So it seems like, due to the runmode presence, the image build phase was skipped. But in my initial message I stated that both phases produce errors. And this happens only when I add the 'members' config for some groups. The project has a couple of custom admin tools and therefore some groups have ACE configurations under /apps.... And on startup it cannot write to immutable areas of the repo... (this is my assumption)
Could you please give any feedback? Maybe this was already given a thought or discussed? I appreciate your help very much!
Regards, Ivan
Prehistory:
AEMaaCS - latest version. AC Tool - latest version. In general AC Tool works fine and installs groups to AEMaaCS in 2 phases (as per docs).
Context (group names changed due to NDA):
We have a business group config in AC Tool .yaml script (for example):
This group has ACLs for some paths under '/content/...', '/conf/...' and '/etc/...'.
For that group we have one in Adobe IMS: 'IMS en-editors'. After "Apache Jackrabbit Oak Default Sync Handler" syncs groups to the AEMaaCS Author service, we link those 2 groups together (for ACL inheritance), so 'IMS en-editors' is made a member of 'en-editors'. Note: 'IMS en-editors' was not added to AC Tool. But it definitely exists on the AEMaaCS Author service before the next build.
When we change something in the AC Tool .yaml scripts, it recreates the groups (since the hash changed) and upon group recreation the linking above is missed ('IMS en-editors' is not a member of 'en-editors' any more).
So to mitigate this we tried to add the 'IMS en-editors' group to the 'members' property of 'en-editors' in the .yaml script. As per documentation:
Updated group config example looks like this after the change:
Problem description:
Once 'members: IMS en-editors' is added to the config, AC Tool fails on both steps with the following errors:
Step startup_hook_imagebuild:
Step startuphook:
Once I delete the 'members: IMS en-editors' property from the .yaml config, AC Tool successfully installs scripts in 2 phases again.
Question:
Can you please suggest, how can we maintain the linkage of the IMS and AEM groups while using AC Tool ('IMS en-editors' is a member of 'en-editors')?
Some ideas and notes:
Looking into the code I could not find why it is not working; 'member' processing is pretty much straightforward.
My assumption is that during the 'startup_hook_image_build' phase the composite node store is not connected, and the users/groups cannot be seen at all, but still I cannot understand why the 'startup_hook' phase fails with an error as if it tries to write under apps/libs.
Just to prove the 'IMS en-editors' group's existence: if I run a simple groovy, it finds the group as expected and everything seems to be ok.

![image](https://github.com/Netcentric/accesscontroltool/assets/16146208/820f4670-fc4f-4648-b10b-37faf97870a4)
Regards, Ivan