Merge 9019eaf into c430980

CHANGELOG.md

@@ -14,6 +14,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com)
 
 ### Fixed
 - #2529 - Unable to find an implementation for interface acscommons.io.jsonwebtoken.io.Serializer using java.util.ServiceLoader
+- #2341 - ACS Commons fails to deploy to AEM as a Cloud Service due to inclusion of /var nodes
 
 ## 4.11.2 - 2021-01-05
 

ui.apps/src/main/content/jcr_root/apps/acs-commons/config.author/org.apache.sling.jcr.repoinit.RepositoryInitializer-replication-status.config

@@ -0,0 +1,8 @@
+scripts=[
+"# these users and ACLs are only necessary on author
+create service user acs-commons-package-replication-status-event-service with path system/acs-commons
+set ACL for acs-commons-package-replication-status-event-service
+    allow jcr:read,rep:write,jcr:readAccessControl,jcr:modifyAccessControl on /
+end
+"
+]

ui.apps/src/main/content/jcr_root/apps/acs-commons/config.author/org.apache.sling.jcr.repoinit.RepositoryInitializer-varworkflow-acls.config

@@ -0,0 +1,17 @@
+scripts=[
+"# these users and ACLs are only necessary on author
+create service user acs-commons-workflow-remover-service with path system/acs-commons
+# the path may not yet exist in AEMaaCS as it is created lazily
+create path /var/workflow/instances(sling:Folder)
+set ACL for acs-commons-workflow-remover-service
+    allow jcr:read, rep:write on /var/workflow/instances
+end
+
+create service user acs-commons-workflowpackagemanager-service with path system/acs-commons
+# the path may not yet exist in AEMaaCS as it is created lazily
+create path /var/workflow/packages(sling:Folder)
+set ACL for acs-commons-workflowpackagemanager-service
+    allow jcr:read on /var/workflow/packages
+end
+"
+]

ui.apps/src/main/content/jcr_root/apps/acs-commons/config.publish/org.apache.sling.jcr.repoinit.RepositoryInitializer-distribution.config

@@ -0,0 +1,11 @@
+scripts=[
+"# extend rights for installing the ui.content package containing /var nodes with AEMaaCS (https://helpx.adobe.com/in/experience-manager/kb/cm/cloudmanager-deploy-fails-due-to-sling-distribution-aem.html)
+create path /var/acs-commons(nt:folder)
+
+# AEM classic does not know this system user, but creating it below system/acs-commons shouldn't do any harm
+create service user sling-distribution-importer with path system/acs-commons
+set ACL for sling-distribution-importer
+    allow jcr:read, rep:write, jcr:versionManagement, jcr:modifyAccessControl, jcr:readAccessControl, jcr:lockManagement on /var/acs-commons
+end
+"
+]

ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-ensure-oakindex.config

@@ -0,0 +1,8 @@
+scripts=[
+"
+create service user acs-commons-ensure-oak-index-service with path system/acs-commons
+set ACL for acs-commons-ensure-oak-index-service
+    allow jcr:read,rep:write,rep:indexDefinitionManagement on /oak:index
+end
+"
+]

ui.apps/src/main/content/jcr_root/apps/acs-commons/config/org.apache.sling.jcr.repoinit.RepositoryInitializer-root-acls.config

@@ -0,0 +1,18 @@
+scripts=[
+"
+create service user acs-commons-dispatcher-flush-service with path system/acs-commons
+set ACL for acs-commons-dispatcher-flush-service
+    allow jcr:read,crx:replicate,jcr:removeNode on /
+end
+
+create service user acs-commons-ensure-service-user-service with path system/acs-commons
+set ACL for acs-commons-ensure-service-user-service
+    allow jcr:read,rep:write,jcr:readAccessControl,jcr:modifyAccessControl on /
+end
+
+create service user acs-commons-on-deploy-scripts-service with path system/acs-commons
+set ACL for acs-commons-on-deploy-scripts-service
+    allow jcr:read on /
+end
+"
+]

ui.content/pom.xml

@@ -109,66 +109,6 @@
                                 <denyAllDeletes>true</denyAllDeletes>
                             </config>
                         </check>
-                        <!-- check that rep:policy nodes are actually created by the package -->
-                        <check>
-                            <name>check-expected-policy-paths</name>
-                            <template>basic/expectPaths</template>
-                            <config>
-                                <severity>minor</severity>
-                                <expectedPaths>
-                                    <path>/oak:index/rep:policy</path>
-                                    <path>/conf/rep:policy</path>
-                                    <path>/content/rep:policy</path>
-                                    <path>/content/dam/rep:policy</path>
-                                    <path>/etc/rep:policy</path>
-                                    <path>/etc/acs-commons/bulk-workflow-manager/rep:policy</path>
-                                    <path>/etc/acs-commons/notifications/rep:policy</path>
-                                    <path>/etc/acs-commons/redirect-maps/rep:policy</path>
-                                    <path>/etc/cloudservices/dtm/rep:policy</path>
-                                    <path>/etc/cloudservices/sharethis/rep:policy</path>
-                                    <path>/etc/cloudservices/typekit/rep:policy</path>
-                                    <path>/etc/notification/email/rep:policy</path>
-                                    <path>/etc/workflow/instances/rep:policy</path>
-                                    <path>/home/groups/rep:policy</path>
-                                    <path>/home/users/rep:policy</path>
-                                    <path>/var/workflow/instances/rep:policy</path>
-                                    <path>/var/acs-commons/rep:policy</path>
-                                    <path>/var/acs-commons/httpcache/rep:policy</path>
-                                    <path>/var/acs-commons/mcp/rep:policy</path>
-                                    <path>/var/acs-commons/on-deploy-scripts-status/rep:policy</path>
-                                </expectedPaths>
-                            </config>
-                        </check>
-                        <check>
-                            <name>verify-acls-on-root</name>
-                            <template>basic/expectAces</template>
-                            <!-- since the root rep:policy node will obviously exist regardless, we should be more
-                            specific for these acl entries -->
-                            <config>
-                                <expectedAces>
-                                    <expectedAce>
-                                        principal=acs-commons-ensure-oak-index-service
-                                        ;type=allow;path=/;privileges=jcr:read,rep:write,rep:indexDefinitionManagement
-                                    </expectedAce>
-                                    <expectedAce>
-                                        principal=acs-commons-dispatcher-flush-service
-                                        ;type=allow;path=/;privileges=jcr:read,crx:replicate,jcr:removeNode
-                                    </expectedAce>
-                                    <expectedAce>
-                                        principal=acs-commons-package-replication-status-event-service
-                                        ;type=allow;path=/;privileges=jcr:read,rep:write,jcr:readAccessControl,jcr:modifyAccessControl
-                                    </expectedAce>
-                                    <expectedAce>
-                                        principal=acs-commons-ensure-service-user-service
-                                        ;type=allow;path=/;privileges=jcr:read,rep:write,jcr:readAccessControl,jcr:modifyAccessControl
-                                    </expectedAce>
-                                    <expectedAce>
-                                        principal=acs-commons-on-deploy-scripts-service
-                                        ;type=allow;path=/;privileges=jcr:read
-                                    </expectedAce>
-                                </expectedAces>
-                            </config>
-                        </check>
                     </checks>
 
                     <!-- assume that we are installing into an instance where utility pages and configs have already

ui.content/src/main/content/META-INF/vault/filter.xml

@@ -89,8 +89,6 @@
     <filter root="/home/groups/rep:policy"/>
     <filter root="/home/users/rep:policy"/>
     <filter root="/home/users/system/acs-commons"/>
-    <filter root="/oak:index/rep:policy"/>
-    <filter root="/rep:policy"/>
     <filter root="/var/acs-commons">
         <include pattern="/var/acs-commons/rep:policy"/>
         <include pattern="/var/acs-commons/jcr:content"/>
@@ -103,6 +101,4 @@
         <include pattern="/var/acs-commons/on-deploy-scripts-status"/>
         <include pattern="/var/acs-commons/mcp"/>
     </filter>
-    <filter root="/var/workflow/instances/rep:policy"/>
-    <filter root="/var/workflow/packages/rep:policy"/>
 </workspaceFilter>