[ 
https://issues.apache.org/jira/browse/SLING-10134?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17282565#comment-17282565
 ] 

Angela Schreiber commented on SLING-10134:
------------------------------------------

[~Henry Kuijpers], I agree with your analysis. When iterating over the entries 
of an access control list, all entries that have a matching principal-name 
should be removed based on the repo-init statements above. IMHO this is a bug.

> Deleting ACEs for users that don't exist is impossible
> ------------------------------------------------------
>
>                 Key: SLING-10134
>                 URL: https://issues.apache.org/jira/browse/SLING-10134
>             Project: Sling
>          Issue Type: New Feature
>          Components: Repoinit
>    Affects Versions: Repoinit JCR 1.1.30
>            Reporter: Henry Kuijpers
>            Priority: Major
>
> We're looking into using Sling Repo Init to clean up old permissions that 
> have been left behind in our instances over time. We used the following 
> syntax: 
> delete service user sv-read-apps-website-components
> set ACL for sv-read-apps-website-components
>  remove * on /apps/website/components 
> end 
> We get the following error:
> 09.02.2021 21:57:38.961 *ERROR* [CM Event Dispatcher (Fire ConfigurationEvent: pid=org.apache.sling.jcr.repoinit.RepositoryInitializer.25c1f862-75bd-4cd9-9ca1-b612f8752544)] com.adobe.granite.repository.impl.SlingRepositoryManager Exception in a SlingRepositoryInitializer: RepositoryInitializerFactory, references=[], scripts=2
> java.lang.RuntimeException: Failed to set ACL (java.lang.IllegalStateException: Authorizable not found:sv-read-apps-website-components) AclLine REMOVE_ALL {paths=[/apps/website/components]}
>     at org.apache.sling.jcr.repoinit.impl.AclVisitor.setAcl(AclVisitor.java:63) [org.apache.sling.jcr.repoinit:1.1.8]
>     at org.apache.sling.jcr.repoinit.impl.AclVisitor.visitSetAclPrincipal(AclVisitor.java:84) [org.apache.sling.jcr.repoinit:1.1.8]
>     at org.apache.sling.repoinit.parser.operations.SetAclPrincipals.accept(SetAclPrincipals.java:53) [org.apache.sling.repoinit.parser:1.2.2]
>     ....
> I think it's fine that the authorizable is not found: It doesn't have to 
> exist, in order to be able to remove ACEs, which is exactly what we are 
> trying to achieve: remove left behind ACEs for our deleted service users.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
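
The behaviour discussed in this thread, removing entries by principal name without resolving the authorizable, can be sketched with the standard JCR access control API. This is an added example, not code from Sling Repoinit or from either participant; the class name `StaleAceCleanup` and method `removeEntriesByPrincipalName` are hypothetical, and the caller is assumed to hold an admin session and to call `session.save()` afterwards.

```java
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;

/** Hypothetical helper (not part of Sling): cleans up ACEs left behind by deleted users. */
public final class StaleAceCleanup {

    private StaleAceCleanup() {
    }

    /**
     * Removes every ACE bound at {@code path} whose principal name equals
     * {@code principalName}. The name is compared as a plain string and is never
     * looked up through the UserManager, so the user does not have to exist.
     *
     * @return the number of entries removed (0 if nothing matched)
     */
    public static int removeEntriesByPrincipalName(Session session, String path,
            String principalName) throws RepositoryException {
        AccessControlManager acm = session.getAccessControlManager();
        int removed = 0;
        // getPolicies() returns only the policies bound directly at this path.
        for (AccessControlPolicy policy : acm.getPolicies(path)) {
            if (!(policy instanceof AccessControlList)) {
                continue; // not an entry-based policy
            }
            AccessControlList acl = (AccessControlList) policy;
            boolean changed = false;
            // getAccessControlEntries() returns an array, so removing while iterating is safe.
            for (AccessControlEntry ace : acl.getAccessControlEntries()) {
                if (principalName.equals(ace.getPrincipal().getName())) {
                    acl.removeAccessControlEntry(ace);
                    removed++;
                    changed = true;
                }
            }
            if (changed) {
                acm.setPolicy(path, acl); // write the trimmed list back
            }
        }
        return removed; // transient until the caller invokes session.save()
    }
}
```

A return value of 0 for a principal that is expected to have stale entries is worth logging, since it means the permissions live at a different path than the one cleaned.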
