-
Type:
Bug
-
Status: Resolved
-
Priority:
Major
-
Resolution: Won't Fix
-
Affects Version/s: None
-
Component/s: Streams
-
Tags:
-
Upgrade notes:
-
Team:PLATFORM
-
Sprint:nxplatform #85, nxplatform #86
-
Story Points:3
When a doc ACP is corrupted the computation terminate.
updateReadAcls: Terminate computation due to previous failure
java.lang.ClassCastException: org.nuxeo.ecm.core.storage.State cannot be cast to java.util.List
at org.nuxeo.ecm.core.storage.dbs.DBSTransactionState.getReadACL(DBSTransactionState.java:716) ~[nuxeo-core-storage-dbs-10.10-HF66.jar:?]
at org.nuxeo.ecm.core.storage.dbs.DBSTransactionState.updateDocumentReadAclsNoCache(DBSTransactionState.java:690) ~[nuxeo-core-storage-dbs-10.10-HF66.jar:?]
at org.nuxeo.ecm.core.storage.dbs.DBSTransactionState.lambda$updateReadACLs$3(DBSTransactionState.java:662) ~[nuxeo-core-storage-dbs-10.10-HF66.jar:?]
at java.lang.Iterable.forEach(Iterable.java:75) ~[?:1.8.0_342]
at org.nuxeo.ecm.core.storage.dbs.DBSTransactionState.updateReadACLs(DBSTransactionState.java:662) ~[nuxeo-core-storage-dbs-10.10-HF66.jar:?]
at org.nuxeo.ecm.core.storage.dbs.DBSSession.updateReadACLs(DBSSession.java:1316) ~[nuxeo-core-storage-dbs-10.10-HF66.jar:?]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_342]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_342]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_342]
at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_342]
at org.nuxeo.ecm.core.storage.dbs.DBSRepositoryBase$DBSSessionInvoker.invoke(DBSRepositoryBase.java:542) ~[nuxeo-core-storage-dbs-10.10-HF66.jar:?]
at com.sun.proxy.$Proxy85.updateReadACLs(Unknown Source) ~[?:?]
at org.nuxeo.ecm.core.api.AbstractSession.updateReadACLs(AbstractSession.java:618) ~[nuxeo-core-10.10-HF66.jar:?]
at org.nuxeo.ecm.core.storage.dbs.action.UpdateReadAclsAction$UpdateReadAclsComputation.compute(UpdateReadAclsAction.java:62) ~[nuxeo-core-storage-dbs-10.10-HF66.jar:?]
at
Indeed we don't want to continue when an ACP is corrupted:
either we ignore the ACP and we might give access to children documents to unauthorized users,
either we block all ACP which is not what was intended.
It is better to fix the corrupted ACP instead of updating all code path that could access such document,
corrupted ACP being exceptional and limited (the cause of corruption is a fixed bug).
Here is the procedure:
Using Mongo shell, search for documents with a defined ecm:acp without an acl element:
rs0:PRIMARY> db.default.find({"$and" : [{"ecm:acp.acl" : null}, {"ecm:acp":{"$exists": true}}]}, {"ecm:id":1, "ecm:primaryType":1, "dc:title":1, "ecm:racl":1, "ecm:acp":1}) { "_id" : ObjectId("64425b86c2d0ac26d1195e48"), "dc:title" : "azer", "ecm:primaryType" : "Workspace", "ecm:id" : "9413e2b3-26b0-41ef-a17f-eb5d5609f110", "ecm:racl" : [ "Administrator", "members" ], "ecm:acp" : "foo" }
The above ecm:acp is a string which is invalid, a valid ACP should be a list of ACL like:
"ecm:acp": [ { "name": "local", "acl": [ { "creator": "Administrator", "perm": "Read", "grant": true, "user": "members" } ] } ]
Decide to remove or fix the corrupted ACP.
Here an example to remove all invalid ACP:
db.default.update({"$and" : [{"ecm:acp.acl" : null}, {"ecm:acp":{"$exists": true}}]}, {"$unset":{"ecm:acp": ""}}, {"multi":true})
Note that after updating documents in MongoDB, all Nuxeo nodes need to be restarted.
