Use case: Sometimes you want to create a package based on an XPath query. The CQ5 package manager cannot create a package based on XPath.
Solution:
You can use the following package to achieve this:
FOR CQ5.3 and CQ5.4
FOR CQ5.5
FOR CQ5.6 (Also fixes some other issues)
FOR CQ6
The above package might not work for AEM 6 onward because of this feature. You might have to disable POST from the Felix console for the CSRF token. Add it back after running this tool.
1) Download and install the package using the package manager.
2) Go to <host>:<port>/apps/tools/components/createPackage/run.html
3) Enter your XPath query as the xpath value.
4) You can also add comma-separated exclude paths that you don't want to add to the package.
5) Click on Create config package.
6) Now download the package; it is also saved under /etc/packages/CQSupportTool.
For example, if you have to create a package of all ACLs to migrate from one CQ instance to another, you can use the XPath query //element(*,rep:ACL) for the package.
Please note that this package is for test purposes only. Feel free to modify it based on your needs.
Known issue: Exception when "/" root is given (I will fix that as soon as I get some time).
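The sketch below is an added example, not the code shipped in the package above. It shows the same idea offline: build the JCR XPath query for a base path (with "/" or empty meaning the whole repository), apply a comma-separated exclude list on whole path segments, and emit a FileVault filter.xml. The function names and sample paths are constructed for illustration, and base path segments are assumed to be plain names that need no ISO 9075 encoding.

```python
import posixpath
from xml.sax.saxutils import quoteattr

def build_xpath(base_path, node_type="rep:ACL"):
    """JCR XPath for node_type under base_path; '' or '/' means the whole repository."""
    base = base_path.strip().strip("/")
    root = "/jcr:root" + ("/" + base if base else "")
    return f"{root}//element(*,{node_type})"

def parse_excludes(raw):
    """Split the comma-separated exclude value, tolerating spaces and empty items."""
    return [posixpath.normpath(p.strip()) for p in raw.split(",") if p.strip()]

def is_excluded(path, excludes):
    # Match whole path segments so '/etc' does not also exclude '/etcetera'.
    return any(path == ex or path.startswith(ex.rstrip("/") + "/") for ex in excludes)

def build_filter_xml(paths, exclude_field=""):
    """Return a FileVault filter.xml with one <filter root> per surviving path."""
    excludes = parse_excludes(exclude_field)
    roots = sorted({p for p in paths if not is_excluded(p, excludes)})
    lines = ['<?xml version="1.0" encoding="UTF-8"?>',
             '<workspaceFilter version="1.0">']
    lines += [f"    <filter root={quoteattr(r)}/>" for r in roots]
    lines.append("</workspaceFilter>")
    return "\n".join(lines)

# Constructed sample: rep:policy node paths such as an ACL query could return.
SAMPLE_PATHS = [
    "/content/dam/rep:policy",
    "/etc/workflow/models/rep:policy",
    "/etcetera/rep:policy",
    "/home/groups/w/workflow-users/rep:policy",
    "/libs/rep:policy",
]

if __name__ == "__main__":
    print(build_xpath("/content"))
    print(build_filter_xml(SAMPLE_PATHS, "/etc, /libs, /home"))
```

Reviewing the generated filter roots before installing the package shows exactly which access-control nodes will be touched on the target instance.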

Hi Yogesh,
We are trying to use this tool for migrating ACLs.
But we are unable to migrate them.
We gave the below parameters for migration:
Base Path: Empty
XPath query: //element(*,rep:ACE)
Package name: Permissions
Exclude path: Empty
Can you please help us with this issue?
Do you have any other solution/approach for migrating ACLs to another CQ instance?

wasim,
What message do you see when you click on create package? Do you see all ACLs getting included in the package filter definition? You would see something like "allow" "allow0" in the filter path definition. Also try Base path as "/"

Hi Yogesh,
When I give the base path as "/", it throws an error.
But when I give an empty base path, it generates a package and shows me a text like this:
/home/users/s/scott.b.reynolds@dodgit.com/rep:policy/allow
/home/users/a/aparker@geometrixx.info/rep:policy/allow
/home/users/l/larry.a.spiller@pookmail.com/rep:policy/allow
/home/groups/w/workflow-users/rep:policy/allow
/home/users/i/iris.r.mccoy@mailinator.com/rep:policy/allow
/home/rep:policy/allow
/home/users/l/leslie.d.dufault@trashymail.com/rep:policy/allow
/home/users/l/luz.a.smith@dodgit.com/rep:policy/allow
/home/users/j/jdoe@geometrixx.info/rep:policy/allow
/home/users/w/william.a.plunkett@mailinator.com/rep:policy/allow
/tmp/rep:policy/allow
/etc/reports/wfinstances/rep:policy/allow
/etc/workflow/models/rep:policy/deny
/etc/workflow/models/rep:policy/allow
/home/groups/w/workflow-editors/rep:policy/allow
/home/groups/a/administrators/rep:policy/deny
/home/users/l/leonard.a.duncan@mailinator.com/rep:policy/allow
But when I install this package (i.e. acl.zip) I see the following message:
Importing content...
saving approx 0 nodes...
Package imported.
and when I check permissions on any user, as expected the ACLs are not there.

Can you provide more information?
What version of CQ and CRX, and is there any Hotfix installed? Also, are you trying to import permissions from author to author or author to publish? Make sure that you have the users/groups already present before you do this.

We are using CQ 5.4. I was trying to move ACLs from author to author and I don't think we have any hotfixes installed as of now. Yes, the users and groups were already present when I moved ACLs from one instance to another.
Do we need to install any hotfixes for migrating ACLs? If yes, can you provide the link?

Yogesh any update ????

Wasim,
I just checked. I guess it is not working with the latest Hotfix in CRX2.2. I will check what is going on and will update. Stay tuned.
Yogesh

Wasim,
I have modified the code and added an option for AC handling. Select Override for AC handling and let me know if that works for you.
Yogesh

Hi Yogesh,
Can we specify a specific base path? Because when we give empty, it collects rep:acl for the complete server. Can't we restrict it to a specific path?

Sorry for the late reply. But you can. You can find the code attached in the above package and change it based on your need. Let me know if you need help with that.
Yogesh

This is great. One question - if you create (or deploy) the package on Author, how do you replicate that to Publish?
Using the "Replicate" feature, or "Activate" feature in Tools does replicate the package, however permissions will not be deployed on the Publish server.
The only way to do it is to manually deploy the package directly to the publish server, and install using the "merge" option.
Is there a better way?

Tim,
Can you check [1] and [2] if that helps,
[1] http://www.wemblog.com/2012/04/how-to-change-package-install-behavior.html
[2] http://www.wemblog.com/2013/01/how-to-publish-code-component-in-cq.html
Yogesh

Thanks, yes [1] looks good. Will test.

Thanks - just tested. When I replicated the package, the permissions did not appear. Upon logging into the Publish server, install with option merge, and they did appear.

Hi Yogesh,
Nice component! However it seems that the Exclude Path only uses the first argument in the list, and ignores the rest. I tried:
/etc, /libs, /home
and it leaves out the /etc tree, but still includes /libs and /home.
But yeah - very nice work!
K

Thanks for pointing out this bug. I will look into it as soon as I get some time.

Hi Yogesh,
Your Xpath package works perfectly fine. Thanks for creating this tool.
However, the known Issue Exception when "/" root is given.
For creating rep:policy nodes for / (root), it should be entered as /jcr:root
For BasePath, if a rep:policy nodes package is to be created for /content, then
in basepath it should be entered as /jcr:root/content. Likewise for other paths.

Thanks for the feedback Varun. Will look into this soon.
Yogesh

Hi Yogesh,
Thanks so much for the tool... just one note: I was trying to package up DAM rep:policy nodes and couldn't get filters to add to the package until I tried with no leading slash, so /content/dam doesn't work as the path filter, you have to do it like content/dam with no leading slash. I know there is another bug that causes a problem if you try just "/". That's what clued me into trying without the leading slash after a couple of failed attempts. Just wanted to document this here for others that use your tool. Also this was the 5.3 version of the project.
Thanks Again,
Adam Yocum

Thank you very much for the feedback. I will try to resolve this issue as soon as I get some time.

Does this work for 5.6?

Yes. The 5.5 version should work for CQ5.6 as well. Let me know if it does not.
Yogesh

Can I export users and groups from 5.4 and import them in 5.6.1?

This is really helpful. Thank you.

Hi Yogesh,
Would you like to put this package on GitHub so that it's possible to fork it and improve it in case needed?
Cheers
Davide

I need to migrate only the ACLs of the anonymous user from fresh AEM 5.6 instances (author and publish) to old AEM 5.6 instances (ACLs got modified).
What should be the parameters (e.g., XPath query etc.) to create the ACL package?

I tried with the below XPath query and 'overwrite' as AC handling behavior,
//element(*,rep:ACE)[jcr:contains(.,'anonymous')]
But when I tried to install the package on the same instance (after changing the ACL of 'anonymous') it threw the below error.
A /etc/creativecloud/rep:policy
Error during processing:
....
com.day.jcr.vault.packaging.PackageException: javax.jcr.nodetype.ConstraintViolationException: Unable to perform operation. Node is protected.
.....
How to solve this issue?

Hi Yogesh,
I'm using AEM 5.6.1 and CRX 2.4.30. I've created around 10 groups and added permissions to them. Later I installed the package you have provided.
I gave the below parameters while creating the package:
Base Path: Empty
XPath query: //element(*,rep:ACE)
Package name: XYZ
Exclude path: Empty
AC Handling behavior: overwrite
When I tried to install the package, it threw the below exception:
Caused by: javax.jcr.nodetype.ConstraintViolationException: Unable to perform operation. Node is protected.
at org.apache.jackrabbit.core.ItemValidator.checkCondition(ItemValidator.java:276)
at org.apache.jackrabbit.core.ItemValidator.checkRemove(ItemValidator.java:254)
at org.apache.jackrabbit.core.ItemRemoveOperation.perform(ItemRemoveOperation.java:63)
at org.apache.jackrabbit.core.session.SessionState.perform(SessionState.java:216)
at org.apache.jackrabbit.core.ItemImpl.perform(ItemImpl.java:91)
at org.apache.jackrabbit.core.ItemImpl.remove(ItemImpl.java:322)
at com.day.jcr.vault.fs.io.Importer.commit(Importer.java:863)
at com.day.jcr.vault.fs.io.Importer.commit(Importer.java:781)
at com.day.jcr.vault.fs.io.Importer.commit(Importer.java:818)
at com.day.jcr.vault.fs.io.Importer.commit(Importer.java:818)
at com.day.jcr.vault.fs.io.Importer.commit(Importer.java:818)
at com.day.jcr.vault.fs.io.Importer.commit(Importer.java:818)
at com.day.jcr.vault.fs.io.Importer.run(Importer.java:424)
at com.day.jcr.vault.packaging.impl.ZipVaultPackage.extract(ZipVaultPackage.java:360)
Am I missing anything?

Why do you have ACE instead of ACL?

Same here... on 5.6 we see "Unable to perform operation. Node is protected." during installation of the package.
com.day.jcr.vault.packaging.PackageException: javax.jcr.nodetype.ConstraintViolationException: Unable to perform operation. Node is protected.
at com.day.jcr.vault.packaging.impl.ZipVaultPackage.extract(ZipVaultPackage.java:365)
at com.day.jcr.vault.packaging.impl.JcrPackageImpl.extract(JcrPackageImpl.java:368)
at com.day.jcr.vault.packaging.impl.JcrPackageImpl.install(JcrPackageImpl.java:336)
at com.day.crx.packaging.impl.J2EEPackageManager.consoleInstall(J2EEPackageManager.java:327)
at com.day.crx.packaging.impl.J2EEPackageManager.doPost(J2EEPackageManager.java:173)
at com.day.crx.packaging.impl.PackageManagerServlet.doPost(PackageManagerServlet.java:144)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)

Created a new package that is tested for CQ5.6.1. Also make sure that you are trying to create the package as admin.

I am getting the below errors:
Installing content (dry run)
Error during processing:
java.lang.IllegalStateException: Package not valid.
at com.day.jcr.vault.packaging.impl.ZipVaultPackage.prepareExtract(ZipVaultPackage.java:293)
at com.day.jcr.vault.packaging.impl.JcrPackageImpl.extract(JcrPackageImpl.java:348)
at com.day.jcr.vault.packaging.impl.JcrPackageImpl.install(JcrPackageImpl.java:332)
at com.day.crx.packaging.impl.J2EEPackageManager.consoleDryRun(J2EEPackageManager.java:304)
at com.day.crx.packaging.impl.J2EEPackageManager.doPost(J2EEPackageManager.java:146)
at com.day.crx.packaging.impl.PackageManagerServlet.doPost(PackageManagerServlet.java:73)
at com.day.crx.j2ee.CRXHttpServlet.doPost(CRXHttpServlet.java:127)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
at com.day.crx.j2ee.CRXHttpServlet.service(CRXHttpServlet.java:94)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
at com.day.j2ee.servletengine.ServletRuntimeEnvironment.service(ServletRuntimeEnvironment.java:228)
at com.day.j2ee.servletengine.RequestDispatcherImpl.doFilter(RequestDispatcherImpl.java:315)
at com.day.j2ee.servletengine.RequestDispatcherImpl.service(RequestDispatcherImpl.java:334)
at com.day.j2ee.servletengine.RequestDispatcherImpl.service(RequestDispatcherImpl.java:378)
at com.day.j2ee.servletengine.ServletHandlerImpl.execute(ServletHandlerImpl.java:315)
at com.day.j2ee.servletengine.DefaultThreadPool$DequeueThread.run(DefaultThreadPool.java:134)
at java.lang.Thread.run(Thread.java:636)
Error: Package not valid.

Have you created the package using the tool above?
Yogesh

Any update on the / bug - I just executed against 5.6.1 and saw some weird message (didn't put any path in so assumes root?) - but the package seemed to get created fine - maybe I did not experience the exception, or it has been fixed?
Thanks,
B

I have fixed the empty path issue.
Yogesh

http://adobe-consulting-services.github.io/acs-aem-commons/features/acl-packager.html

Is the package available for AEM 6.0?

Hello Sunil,
The same package should work for AEM6 onward. However, you have to remove the POST action from the CSRF check from the Felix console for the CSRF service. After you run this, please add the POST service back (as this could lead to a security issue). I will try to fix this problem in code (which is essentially using the CQ version of jquery to post) to fix this issue permanently.
Yogesh

Hello Yogesh, thanks for such a super awesome blog. Such a social service man. Keep it up.
On the related topic, I'm struggling with a bad ACL implementation. Can you please suggest?
The user has been given folder-level permissions. I pulled up 205 nodes. I want to start clean. I deleted the user. When I add the user back, all permissions are inherited back again. Since we use SAML authentication, I must use the same userid.
1. Is there an easy way to clean this up?
2. If I delete '.../rep:policy/allow0', '.../rep:policy/deny213' etc. via crx/de, will that cause problems for other users & groups?
I read on docs.adobe.com that folder-level permissions should not be given to a user. But the damage is done. I'm cleaning up.
AEM: 5.6
Thank you

Hello,
To clean up ACLs you can simply write a query to find all permissions and remove them. You can use an XPath like content///element(*,rep:ACL) to find all nodes and then, using pageManagerAPI, remove them. Please do not run the query for the whole repo; that can delete some ACLs that you need. Note that removing an ACL will not remove the user or group. Let me know if you need an example of how to write a tool that will update or remove data from the repo.
Yogesh

It's not working on AEM6.1. I am able to export the users and groups but not the permissions. When I install on a new instance, all the user permissions are empty. Could you please help me?

Hi Yogesh,
Does this utility work on AEM 6.1 too? I noticed an entry from Shekhar above, but have a similar query so checking ...