Problem :
Business wants to move whole legacy CQ application to new AEM 6.0/ AEM 6.1. There are different types of migration from legacy to new AEM version and it all depends on what is version of legacy application. If it is below than CQ5.6 then there might be lot of effort to make things work. Assets & static data can be moved easily but moving components & bundles might be a big hurdle.
Business wants to move whole legacy CQ application to new AEM 6.0/ AEM 6.1. There are different types of migration from legacy to new AEM version and it all depends on what is version of legacy application. If it is below than CQ5.6 then there might be lot of effort to make things work. Assets & static data can be moved easily but moving components & bundles might be a big hurdle.
However, we are here to talk about how do we move users to new AEM instance without any manual effort. When we proceed migrating users & their groups, first thing comes to our mind is that let's create a package of all the users & their groups and install it in another instance. This seems pretty right approach and convincing as well. To be fair, AEM package manager module is build for such things (Importing/Exporting content & AEM stuff).
But when you try to install a package which contains users & groups info of legacy system, it throws a big exception and leave you with no hope. Let's see exception first..
com.day.jcr.vault.packaging.PackageException: org.apache.jackrabbit.vault.packaging.PackageException: javax.jcr.nodetype.ConstraintViolationException: OakConstraint0025: Authorizable property rep:authorizableId may not be removed.
|----------------------------------------Big LOG------------------------------------------------------
| ----------------------------------------------------------------------------------------
at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:865)
at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:667)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
at java.lang.Thread.run(Unknown Source)
Caused by: org.apache.jackrabbit.vault.packaging.PackageException: javax.jcr.nodetype.ConstraintViolationException: OakConstraint0025: Authorizable property
Caused by: org.apache.jackrabbit.oak.api.CommitFailedException: OakConstraint0025: Authorizable property rep:authorizableId may not be removed.
|----------------------------------------Big LOG------------------------------------------------------
| ----------------------------------------------------------------------------------------
at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:865)
at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:235)
at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:82)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:667)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:52)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:608)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:543)
at java.lang.Thread.run(Unknown Source)
Caused by: org.apache.jackrabbit.vault.packaging.PackageException: javax.jcr.nodetype.ConstraintViolationException: OakConstraint0025: Authorizable property
Caused by: org.apache.jackrabbit.oak.api.CommitFailedException: OakConstraint0025: Authorizable property rep:authorizableId may not be removed.
woooo damn it Packaging. What to do now?. Creating all the users & their groups in another system?. Not a good idea. you can't simply do that. if we can, what about their passwords?.
So what next?
So what next?
Solution:
Well, Many of us as AEM developers are agreed that Package manager is the right tool for moving content (Even taking backup of content). Though it does not work efficiently moving large content and assets. There are multiple open source solutions. For instance, "GRABBIT" is one of the best and fastest tool to transfer content from one system to another.
Anyway, Let's get back to our problem in hand. In this case, Package manager throws big exception and exception does not provide a clue here.
But if you look closely, it seems, package manager is not able to override the admin accounts. Actually, CRX is not allowing admin users to be overridden. In a way, it is right doing so. My personal opinion is that CRX is not allowing admin users to be overridden because admin has all the privileges and AEM stores permissions information in a different way. It maintains "rep:policy" nodes to keep privileges and can't be overridden just like that.
But if you look closely, it seems, package manager is not able to override the admin accounts. Actually, CRX is not allowing admin users to be overridden. In a way, it is right doing so. My personal opinion is that CRX is not allowing admin users to be overridden because admin has all the privileges and AEM stores permissions information in a different way. It maintains "rep:policy" nodes to keep privileges and can't be overridden just like that.
FYI
Package manager does help when you want to move users & groups privileges from one instance to another. which is a different case.
Package manager does help when you want to move users & groups privileges from one instance to another. which is a different case.
In order to solve above problem, we still going to use package manager. So, follow below steps:
- Create a package and put all the users & their groups.
Exclude few users & groups : - admin & administrative anonymous (not necessary but good to keep it exclude )
- If same user & group found in both environment, delete from AEM6 instance before installing 5.6 user package. You should ignore admin & anonymous here too.
Install it. - To verify your accounts, login with any of your group. Also you can verify logged-in user's privileges.
Note :
This solution is tested and proven in one of our application. However, if you still find any issue, leave a comment, will try to help you.
----
Jitendra
Java & AEM Developer
Jitendra
Java & AEM Developer
