i have an big content package to import within CQ and some nodes are owned by users.
Every time when i try to import the package as admin, i get an error that the node is protected. So i have to impersonate as this user and remove the ownership to continue the import process.
Is there an easy way to take ownership / remove the protection as admin user for a whole tree?
Regards
Patrick
When you install the package through the Package Manager [1] interface, you should be able to tell CQ how to handle access controls. I think if you set the AC Handling option to Ignore, then the permissions that come with the package will not be applied.
[1] http://dev.day.com/docs/en/crx/current/how_to/package_manager.html#Using%20the%20Package%20Manager
Hope this helps!
Related
Halp! I am writing an internal macOS app for our IT staff to perform some org-specific tasks, and am also adding some shortcuts for simple, but common tasks that they do. One of those tasks is to rename a user when migrating between domains. This app has a Privileged Helper available (via SMjobBless) to perform most of the tasks. However, it appears that this helper tool, despite its privileged execution context, is unable to rename a user's home directory.
My first attempt at implementing this specific task in the helper was to run a short shell script via Process() (a technique used successfully for dozens of other tasks in this helper).
let script = """
set -e
mv '\(homeDirPath)' /Users/\(toUsername)
dscl . -change /Users/\(fromUsername) NFSHomeDirectory '\(homeDirPath)' '/Users/\(toUsername)'
dscl . -change /Users/\(fromUsername) RecordName \(fromUsername) \(toUsername)
"""
I get the following output on stderr (/Users/newname verified to not exist):
mv: rename /Users/oldname to /Users/newname: Operation not permitted
Trying this as a non-root user gives a different error: mv: rename /Users/oldname to /Users/newname: Permission denied
Okay, weird. Add whoami to the top of the script to double check the user context: root. Well... interesting. Wth, I can do this just fine via sudo in my user session.
Then I try using FileManager thinking there might be some SIP interference or sandboxing for child processes of a launchdaemon (despite not finding any docs that say this), but I still get an error - but more verbose this time:
Error: “oldname” couldn’t be moved because you don’t have permission to access “Users”.
I've tried searching for documentation for whatever restriction I am up against, but I'm at a loss. The directory doesn't appear to be under SIP's protection, and I can't find any docs for daemon sandboxing outside of the app store (the parent app does not have the App Sandbox capability enabled). Can anyone point me in the right direction?
Update: It doesn't appear to be affected by 10.14's Privacy Protection. Adding the helper to "Full Disk Access" doesn't resolve. Perhaps I am adding the helper incorrectly: had to change the build target to 10.14 (which will be a problem), then dragged the helper binary from within the App bundle into the list. I cannot add it from /Library/PrivilegedHelperTools/ - it is greyed out as an option to add.
Update 2: Correction, it does appear to be FDA related. iTerm was in the FDA list. Removing it causes it to throw Operation not permitted, then adding it back resolves. So I'm now chasing down how to properly add the helper to the FDA list.
Okay, it's confirmed - Mojave's Privacy Protections apply even to privileged tools. The solution was to make the helper binary executable by all so it can be allowed to be added to the Full Disk Access table.
Hopefully, this helps someone in the future who is initially puzzled by what they're seeing.
Here's to hoping that Apple adds a standardized, easier method for the user to grant this access to helpers.
I am currently working on with a solution that would be able to clone/copy/backup my existing rep:policy. 'Cause when we do some jobs it accidentally removed. I am trying to apply this kind of fix, but am failing to. It says it is an invalid path.
javax.jcr.security.AccessControlException: OakAccessControl0006: Isolated policy node. Parent is not of type [rep:AccessControllable]
final Workspace ws = session.getWorkspace();
ws.copy("/etc/commerce/products/abccompany/TvPackChannelMap/rep:policy","/tmp/nxt/TvPackChannelMap/rep:policy");
Are there other ways that I can be able to take the rep:policy thru code?
You need to make sure that your job does not touch the permissions or the rep:policy, this is the best way forward for you.
The exception could be because of /etc/commerce/products/abccompany/TvPackChannelMap/rep:policy does not exist or the user whose session you are using does not have read access to the node.
Make sure the path is correct, copy paste it to your CRX/DE to make sure it exists.
I have tried to use your code to copy a rep:policy from one node to another, works fine. But I would not* recommend copying permissions that way. The best practice is to use the Access Control Management API for all things permissions.
You can check, install and use the access control tool from netcentric. It offers a jmx interface for exporting AC entries and maybe also some APIs you could use to implement your custom solution.
The Other approach is to retrieve the ACL permissions through the query language.
For example, SELECT * FROM [rep:ACL] or SELECT * FROM [rep:ACE] where [rep:principalName] is not null should give you the results.
For more information, I would recommend you to check the ACS commons ACL Packager Implementation which is available on GitHub.
Reference Link - https://github.com/Adobe-Consulting-Services/acs-aem-commons/blob/master/bundle/src/main/java/com/adobe/acs/commons/packaging/impl/ACLPackagerServletImpl.java
This is the scenario (CQ5.6). Let's say there is the following node /content/geometrixx/articles, with articles inside of it. In author instance I create a package as a backup of that node. Then I deactivate article1 inside of articles, if I try to access the page I get a 404 page, that is fine. However if I build the backup package again and then replicate it, the deactivated page (article1) is available, that is, I do not get the 404 but instead the article.
Is there a way to replicate a package while preserving deactivated pages? That is, how I avoid re-activation?
Replicating package means that you are replicating every thing available in Package. Which means publish environment will have deactivated pages also. There are several ways to handle it, like:
Simplest way is to add a check in template (as first rule) to see if Env==publish && requested resource ==not activated, if so, return 404 page.
Another way is to create a script to delete all deactivated pages, and run this script on publish after page activation.
Add exclude filters in your package to exclude such pages.
I would recommend to use #1 as this is one time change and will be future proof.
should use treeactivation: http://localhost:4502/etc/replication/treeactivation.html, much safer (since you have 3 options: Only Modified, Only Activated and Ignore Deactivated)
Sometime someone want to change inside something crx directly on environment.
Often it is a cause of unworking state of environment. And often enough hard to find the cause of the problem. And I think it is will be helpful if cq5 crx will have audit log. something like this.
12.12.12 21:03 /etc/blueprints/geometrixx was removed [rollout]
...
maybe CQ5 has something like this already?
Assuming these changes to the repositories are made using crxde lite[/crx/de/index.jsp] or content explorer [/crx/explorer/browser/index.jsp] , there is an indirect way to find out who did it.
The data can be fetched by looking into two different logs request.log and audit.log [these files can be found at \crx-quickstart\logs folder ]
The modifications to nodes are POST requests. These are logged in request.log , the path of the request will only show the interface used or to root node. If you search the time stamp of the POST in audit.log you can find which user did a GET request.
This is not direct way, nor will it tell more of the changes except for which user read the node at the time of the POST .
In researching this scenario, all I could find was a suggestion that you contact Microstrategy, send them your metadata DB and ask them for the password.
This CAN'T be the only way.
Is there no way to simply reset the password in some fashion? Looking at the DSSMDUSRACCT table in the metadata DB, this appears to hold (at first glance anyway) a hashed/encrypted password, but I don't believe this is correct, as every entry for every account is the same in the PASSWD field.
Can someone suggest an alternative beyond sending a database to Microstrategy?
There isn't any alternative. We ended up in similar scenario and had Microstrategy reset the password. Password is not easily recoverable from Medadata since it is secured.
I'm not sure how many projects you have in your metadata or if you have access to another user that may have all privileges; but another option would be to create a new database, use MSTR configuration wizard to populate metadata tables, then duplicate the project across project sources into the new metadata that was just created. The Administrator user in this new metadata will have a blank password. If this is not an option then I recommend to open a support ticket (as others have suggested).
One of the things which one can try is to see any command manager script or system manager workflow. Every MicroStrategy environment may have atleast one of the above two things running in their environment. If you check the file, you may see the password for the administrator user. But in case if there is none of these being used then contacting MicroStrategy support would be the right thing to do.
Thanks,
Nikhil.
Benedict's right, there's no way they would keep passwords in plaintext in the metadata. You'll have to send it to them in a support ticket. It can take quite a few days, but they get the job done.
as soon as you get it reset use object manager, create a configuration object package for the administrator account and anytime you forget it, just redeploy the package to reset it.
You could try using the MicroStrategy Object Manager to copy the Administrator user from another project source/server to this environment.
This should do the trick if you have at least one other user with the right administrative privileges.
The other day I wanted to login to one of our applications. However, I forgot my username and password. I tried using the forgot password wizard but had no luck.
The steps I am about to walkthrough will work with most web applications with average logon security measures. It may not work with MicroStrategy, but should work if the input password is not externally verified.
So this is how I got access:
First I logged into my database manager -If you don't have access to
this... run a scan for 'password' on your server root. For Linux I
write sudo grep 'password' -roni or try: db_pass, dbpass,
database_password, etc as other search terms... The -roni will apply various filtering and
options to the search... aka line number, file name and etc. After
getting some results... find a likely file and open it to see if you
have your database details in there.
Login to your database manager. Find the table associated with your account. (This will usually have the name X_users If the password isn't hashed, just take it and login with it... if it is hashed... copy the hashed value to your clipboard.
Change the directory to your chosen applications root.
Run the scan with the search term 'password' or 'md5(' ...this will hopefully bring up a login controller file.
Edit the line within the function that takes your login input. Change the value 'md5($#####)' with '$#####', (aka removing the md5hashing of your input).
Reload the login page. Now, enter your username and hashed password copied from the database and login.
If done correctly you should now be logged into your web app.
Change the password of the account. Now go back to the login controller file and undo the chnages.
This might not be applicable with your app in question, but it's worth a shot! ....and if it isn't appropriate for your scenario... it could still be very helpful for someone else with a similar problem and different application. I just thought there's a small chance it may help someone who's locked out of one of their web applications. Rather than having to reinstall and lose data.
I'd be happy for you to improve on this or give some feedback.