wttech / apm
AEM Permission Management (APM) is an AEM based, cloud compatible tool focused on streamlining the permission configuration.
License: Apache License 2.0
Yet another implemented, but undocumented endpoint: /bin/cqsm/list
Internal ticket reference: CQSM-220
I'd like to have a main run.cqsm script, but each subscript could also be run separately, e.g. for testing.
run.cqsm:
DEFINE market 'en'
IMPORT market.cqsm
DEFINE market 'pl'
IMPORT market.cqsm
market.cqsm:
IMPORT definitions.cqsm ONCE
CREATE USER my_user ${user_path}/${market}
# ...
but the IMPORT path ONCE is not available. Still, redefining variables is nice, but if definitions.cqsm has some other rules that shouldn't be run again, that ONCE will prevent some errors and improve performance.
This issue is about a workaround which can be handled in another way: #34 (which I also invented, but nah, still not implemented).
STRICT glob means that it matches the given path only.
MODIFY gives two permissions: for the given path and for the glob /jcr:content.
The question is what the following action should result in:
ALLOW /content STRICT [ MODIFY ]
BEGIN MACRO content_market('lang_code', 'permissions')
# Allow reading the site root path
DENY ${content_path} [READ]
ALLOW ${content_path} STRICT [READ]
ALLOW ${content_path} /jcr:content [READ]
ALLOW ${content_path} /jcr:primaryType [READ]
# Allow reading the site channel root path
DENY ${content_path}/default [READ]
ALLOW ${content_path}/default STRICT [READ]
ALLOW ${content_path}/default /jcr:content [READ]
ALLOW ${content_path}/default /jcr:primaryType [READ]
# Grant the requested permissions on the language root (closing brace and argument name fixed to match the macro signature)
ALLOW ${content_path}/default/${lang_code} ${permissions}
END MACRO
Then just:
USE MACRO content_market('en_US', [ALL])
USE MACRO content_market('pl_PL', [READ])
Macro argument names are quoted intentionally to be able to inject other variables there.
APM will provide many built-in macros, for instance for filtered workflows to be launched by the author:
BEGIN MACRO workflows_only_at('path')
ADD TO GROUP 'workflow-users'
DENY /etc/workflow/models /* [READ]
ALLOW /etc/workflow/models/${path} [READ]
END MACRO
USE MACRO workflows_only_at('my-site')
The difference between cqsm-2.0.0 and cqsm-2.0.0-aem61 is not documented anywhere. It seems the first one is for the newest AEM (6.2 at the time of writing) and the second one is for AEM 6.1 only.
Can we introduce a consistent naming convention, please? Lack of a suffix everywhere will introduce confusion upon the next AEM release.
It is very common for projects to reuse scripts with different parameter values. Add the possibility to pass arguments in the INCLUDE action.
Main script:
DEFINE name 'foo'
DEFINE pass 'p@$$'
RUN create-user.cqsm
Script create-user.cqsm:
CREATE USER $name $pass
Main script:
RUN create-user.cqsm name=['foo'] pass='p@$$'
Script create-user.cqsm:
REQUIRE [name, pass] # throws error when name or pass is not defined
CREATE USER $name $pass
Additional requirements:
Hi,
Is there a possible way with this tool to export the user groups that are currently available in the project?
Thanks in advance.
Currently, when a CQSM script is run, it overrides permissions applied by CUGs. As a result, you must "resynchronise" CUGs after each run of CQSM.
It would be nice if there were an option to tell CQSM to resynchronise CUGs after running a script. A script to resynchronize CUGs has already been created: synchronise_CUGs.txt
Change tool name from Security Management to Permission Management.
We have a config for the Delegating Servlet from ACS Commons that is mapping wcm/core/components/designer to acs-commons/components/utilities/designer.
Because /apps/cqsm/core/renderers/cqsmRenderer inherits from cqsm/core/renderers/base, and this in turn inherits from wcm/core/components/designer, the Delegating Servlet was mapping the cqsmRenderer to acs-commons/components/utilities/designer, which was causing the tool to break. This relationship is really weird and probably could be removed.
On trusty images oraclejdk7 is no longer supported. This is why we are getting Travis failures.
We could remove it from the .travis.yml file or switch to openjdk7.
Also, maybe the precise image would work with Oracle Java, but this would require more work on the Travis configuration.
/bin/cqsm/history was implemented some time ago, but stays completely undocumented.
Internal ticket reference: CQSM-226
Currently, the permission store lookup is performed using ResourceResolver. In fact, this could be achieved easily while staying on the JCR API.
Instead of:
CREATE USER xx
FOR USER xx
SET PROPERTY profile/givenName 'XX'
why not just:
CREATE USER xx THEN
SET PROPERTY profile/givenName 'XX'
It will help to create scripts that can be launched multiple times.
Currently, when we are using the REMOVE USER ... command, no permissions are cleaned, so old script operations may have an impact and we are not sure if our script is complete.
Business background:
AEM publisher ACLs differ from the author's. Sometimes different publisher instances have different ACLs (Solr indexers). The purpose of the instance is reflected in instance run modes.
Enhancement:
The idea is to auto-run scripts when specified run modes are present.
The feature will introduce a new property on the script content: cqsm:allowedRunModes.
This property would work only when the script is run in auto-run mode, provided that this property will be effective only when set together with cqsm:executionMode. It doesn't matter if it will be scheduled, run on startup or when modified.
Few examples:
It would be nice to have an option to run/dry run all scripts.
To introduce such functionality there should be a possibility to change the order of scripts in a custom way (some arrows to move a script on the list + some buttons to sort, i.e. alphabetically).
executionSummary and executionSummaryJson are the same thing; the only difference is that the first one is an evaluated version of the latter.
[
  {
    "author": "admin",
    "executionSummary": [
      {
        "actionName": "CreateAuthorizable",
        "command": "CREATE USER abcd-dev-author IF NOT EXISTS",
        "messages": [
          {
            "text": "User with id: abcd-dev-author created",
            "type": "info"
          }
        ],
        "parameters": "abcd-dev-author",
        "status": "SUCCESS"
      },
      {
        "actionName": "ForAuthorizable",
        "command": "FOR USER abcd-dev-author",
        "messages": [
          {
            "text": "User with id: abcd-dev-author set as current authorizable",
            "type": "info"
          }
        ],
        "parameters": "abcd-dev-author",
        "status": "SUCCESS"
      }
    ],
    "executionSummaryJson": "[\n {\n \"actionName\": \"CreateAuthorizable\",\n \"command\": \"CREATE USER abcd-dev-author IF NOT EXISTS\",\n \"parameters\": \"abcd-dev-author\",\n \"messages\": [\n {\n \"text\": \"User with id: abcd-dev-author created\",\n \"type\": \"info\"\n }\n ],\n \"status\": \"SUCCESS\"\n },\n {\n \"actionName\": \"ForAuthorizable\",\n \"command\": \"FOR USER abcd-dev-author\",\n \"parameters\": \"abcd-dev-author\",\n \"messages\": [\n {\n \"text\": \"User with id: abcd-dev-author set as current authorizable\",\n \"type\": \"info\"\n }\n ],\n \"status\": \"SUCCESS\"\n }\n]",
    "executionTime": "Sep 12, 2016 8:49:06 PM",
    "executor": "admin",
    "fileName": "abcd-demo-dev-users.cqsm",
    "filePath": "/etc/cqsm/history/jcr:content/cqsmHistory/abcd-demo-dev-users.cqsm/script",
    "instanceHostname": "abcd-vagrant.local",
    "instanceType": "author",
    "path": "/etc/cqsm/history/jcr:content/cqsmHistory/abcd-demo-dev-users.cqsm",
    "uploadTime": "Sep 12, 2016 8:43:18 PM"
  }
]
Provide a mechanism which will allow executing a block of statements only if the user is created for the first time.
For example, in our script we have users with an initial password (after first login they are forced to change it):
CREATE USER my@user ${users_path} IF NOT EXISTS
FOR USER my@user
SET-PROPERTY profile/givenName Name
SET-PROPERTY profile/familyName LastName
SET-PROPERTY profile/email my@user
SET PASSWORD initial-password
ADD TO GROUP site-viewers
ADD TO GROUP super-authors
If this script is executed after the user has modified his details (password etc.), then we would reset them to the initial ones.
We would need something like this:
IF USER NOT EXISTS my@user ${users_path}
CREATE USER my@user ${users_path}
SET-PROPERTY profile/givenName Name
SET-PROPERTY profile/familyName LastName
SET-PROPERTY profile/email my@user
SET PASSWORD initial-password
FOR USER my@user
ADD TO GROUP site-viewers
ADD TO GROUP super-authors
ADD TO GROUP admin
Actual
Following error present on author and publish:
20.07.2017 11:22:57.634 ERROR [qtp1008368614-286635] org.apache.felix.metatype Missing element AD in element OCD : bundle://549.1:0/OSGI-INF/metatype/com.cognifide.cq.cqsm.core.jobs.JobResultsCache.xml
20.07.2017 11:22:57.638 ERROR [qtp1008368614-286635] org.apache.felix.metatype Missing element AD in element OCD : bundle://553.0:0/OSGI-INF/metatype/com.cognifide.cq.atm.monitor.FailureLogListener.xml
20.07.2017 11:22:57.638 ERROR [qtp1008368614-286635] org.apache.felix.metatype Missing element AD in element OCD : bundle://553.0:0/OSGI-INF/metatype/com.cognifide.cq.atm.monitor.MonitorDispatcherService.xml
Expected
No "Missing element AD in element OCD" errors.
Just noticed that the Run on author action doesn't update the Last run on author column. The entire /etc/cqsm/import.html needs to be refreshed to see that.
For most cases it is probably not a problem to have a particular version of CQ Actions installed with APM, but in our project we have our own CQ Actions installed, and we cannot update the version currently.
The proposed solution is to make APM generate two packages: one as it is currently, and another with the CQ Actions bundles embedded inside the APM bundle, and CQ Actions removed from the install folder of the APM package.
Expected:
When publish instances are stopped, running uploaded script with "Run on publish" should end up with error: publish unavailable or similar.
Actual:
"Run on publish" with no active publish server ends up with success.
Is an error expected when I run DRY RUN?
Child members can only be removed from groups.
Generally, some parts of scripts are reused and parametrized with some definitions from the parent script. But when they are executed separately... an error is caused because of the lack of defined definitions. For testing/dev purposes it would be nice to have the possibility to test sub-scripts by just implementing "DEFINE ... IF NOT EXISTS" (define the value only if it was not defined previously).
Upfront explanation:
*.cqsm files and saves them in the JCR repository under /etc/cqsm/import/jcr:content/cqsmImport and /etc/cqsm/import/jcr:content/cqsmInclude.
The APM execution date displayed on http://localhost:4502/etc/cqsm/import.html comes from a JCR property that's stored directly under the given script as cqsm:executionLast. Upon application update, APM scripts get replaced and this property is gone. Eventually, even though the given script was executed and hasn't changed in the new app, /etc/cqsm/import.html will show that this script was never executed, which is not true. If the script has changed then this is absolutely expected.
At the same time there's a full history under /etc/cqsm/history/jcr:content, which I rely on at the moment in my Chef cookbook to verify if a script has or hasn't been run yet.
All in all, execution history is stored in 2 places: directly under the given script as well as under /etc/cqsm/history/jcr:content. Is this really a reasonable approach?
This is not a big deal, but affects user experience and can lead to misleading conclusions sometimes.
Possible considerations and solutions:
/etc/cqsm/import/jcr:content/cqsmImport and /etc/cqsm/import/jcr:content/cqsmInclude. The MERGE filter should be used instead (to avoid unwanted removal of the cqsm:executionLast property from scripts).
cqsm:executionLast property: it doesn't really mean that the information about the last execution on /etc/cqsm/import.html will be accurate, as the content of a given script can change with an application upgrade.
If the Created at date is newer than cqsm:executionLast (please note that it may happen if the MERGE filter was used in my application package), the given script should be considered as not yet executed (in other words, cqsm:executionLast should get removed). This is not ideal, as the create/update date of a given node doesn't really mean that something has been updated in a script.
Internal ticket reference: CQSM-245
Propose the output structure and implement a servlet listing all execution history.
Extension bundles can add new features to the parser. The script manager could trigger a preprocess event before every command is parsed.
When using APM on AEM 6.3 the following error appears in the logs:
org.apache.sling.api.resource.LoginException: Bundle com.cognifide.cq.cqsm is NOT whitelisted
Since version 6.3 of AEM, all bundles that use the administrative resource resolver have to be whitelisted in the Apache Sling Login Admin Whitelist OSGi configuration.
There are two possible ways to fix this issue. One is to whitelist the APM bundle by providing the following OSGi configuration: org.apache.sling.jcr.base.internal.LoginAdminWhitelist.fragment
The other one is to replace the administrative resource resolver with a service resource resolver. But first it should be determined if this solution is possible.
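As an added illustration of the second option (example code, not APM's own), the sketch below obtains a service resource resolver bound to a system user instead of an administrative one, which removes the need for a whitelist entry and limits the bundle to that user's rights. The subservice name, system user name and class name are assumed placeholders; the bundle symbolic name is the one from the error above.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;

import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

// Added example, not APM's own code: reads the script store through a service
// resource resolver instead of the administrative one, so the bundle needs no
// Login Admin Whitelist entry and runs with only the rights of its system user.
@Component(service = ScriptStoreReader.class)
public class ScriptStoreReader {

    // Assumed subservice name. It must be mapped to a system user, e.g. via an
    // OSGi config with PID
    // org.apache.sling.serviceusermapping.impl.ServiceUserMapperImpl.amended:
    //   user.mapping=["com.cognifide.cq.cqsm:apm-service=apm-system-user"]
    // where apm-system-user (placeholder) is granted read access only where needed.
    private static final String SUBSERVICE = "apm-service";

    @Reference
    private ResourceResolverFactory resolverFactory;

    // Returns the child node names under storePath (e.g. the script nodes under
    // /etc/cqsm/import/jcr:content/cqsmImport), or an empty list when the path
    // is absent or not readable by the service user.
    public List<String> listScripts(String storePath) throws LoginException {
        Map<String, Object> authInfo =
                Collections.singletonMap(ResourceResolverFactory.SUBSERVICE, SUBSERVICE);
        // try-with-resources closes the resolver; a LoginException here points at
        // a missing or misconfigured service user mapping, not at the whitelist
        try (ResourceResolver resolver = resolverFactory.getServiceResourceResolver(authInfo)) {
            List<String> names = new ArrayList<>();
            Resource store = resolver.getResource(storePath);
            if (store == null) { return names; }
            for (Resource child : store.getChildren()) {
                names.add(child.getName());
            }
            return names;
        }
    }
}
```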
Not sure if that's a bug or an improvement, but it'd be nice to see a non-200 response if an error occurred during a CQSM script run. There's a way to verify if such a case actually happened, as the response body contains JSON with all required data.
Upload a script on Author, use the 'Run on publish' button.
Expected:
Import page 'Recently executed at' column should state last publish run date,
Actual:
Import page 'Recently executed at' column states that script was never run.
Note that the History for that run is created properly. (This is a problem on the script node level itself.)
Instead of one type of event listener, we should extend our API and implement 3 types of listeners:
During script execution from the /etc/cqsm/import.html console, hundreds of HTTP requests get sent to /bin/cqsm/run-background?id=<DATE>/<ID>. For the sake of example, please take a look at these screenshots:
During 45 seconds of execution 972 requests were made. Sounds like way more than we need. It'd be great if we could reduce the frequency and/or introduce some sort of a back-off approach (to not overload the AEM instance with redundant HTTP traffic).
Based on [~michal_zietek]'s suggestion, we should hide, or display as a tree or something, related scripts on the imported scripts list. Some partial scripts are always invalid because they are included from other scripts.
Two new tags were created 26 days ago (https://github.com/Cognifide/APM/releases), which indicates a final release, but none of them contains the corresponding CRX package. Could you please include them?
The only way to get that package is to build from source, which is an inconvenience for anyone that'd like to use APM.
APM enables user to run script on publish instance via Run on publish button. Is it possible to verify if given script has been already executed there?