Documentation

Distribution Queue blocked with AccessDeniedException

Last update: Mon Jun 17 2024 00:00:00 GMT+0000 (Coordinated Universal Time)

When attempting to replicate Page content, XF, or other resources using Quick Publish, Manage Publication, or Replicate, the Distribution Queue on the Author becomes blocked. You can verify this by checking the publish Distribution Queue from the Distribution UI (AEM > Tools > Deployment > Distribution). Follow the steps provided in this document to resolve the issue.

Description description

Environment

  • Experience Manager
  • Experience Manager as a cloud service

Issues/Symptoms

When trying to replicate some Page content (or XF and other kind of resources) using the “Quick Publish”, “Manage Publication” or “Replicate”, the Distribution Queue on Author gets Blocked.

This can be observed by checking the publish Distribution Queue from the Distribution UI (AEM - Tools - Deployment - Distribution):






Selecting the Golden Publisher queue (entry in bold from the list), more details are given and in particular the involved  PATH  (there can be multiple elements here):





Looking into the  Logs  tab will show the following corresponding error:

2023/03/08 12:11:26:238 - INFO - Request accepted with distribution package PackageMessage(pubSlingId=a1133c97-6809-411e-a435-4eea0ecbe889, reqType=ADD, pkgId=dstrpck-1678277486031-63159f4b-c577-4079-8741-d41660597d20, pkgType=journal_filevault, pkgLength=6330, pubAgentName=publish, userId=replication-service, paths=[ /content/wknd/fr] , deepPaths=[ ] ) at offset=158705

2023/03/08 12:11:27:459 - WARN - Message: Failed attempt (0/infinite) to import the distribution package PackageMessage(pubSlingId=a1133c97-6809-411e-a435-4eea0ecbe889, reqType=ADD, pkgId=dstrpck-1678277486031-63159f4b-c577-4079-8741-d41660597d20, pkgType=journal_filevault, pkgLength=6330, pubAgentName=publish, userId=replication-service, paths=[ /content/wknd/fr] , deepPaths=[ ] ) at offset=158705 because of ‘javax.jcr.AccessDeniedException: OakAccess0000: Access denied’, the importer will retry later,

Stacktrace: org.apache.sling.distribution.common.DistributionException: javax.jcr.AccessDeniedException: OakAccess0000: Access denied

[]




You need to Clear Queue (or remove that item) to unblock the queue.

Resolution resolution

Despite the error being  javax.jcr.AccessDeniedException, there is possibly no relation with the ACL / permissions for the distribution service users, though this should be considered if the following scenario does not apply to your case.

Diagnostics

The above error can occur in some situation, when the replicated content does have a specific configuration related to the special  jcr:lockIsDeep  property.

In order to confirm the diagnostic, you will have to inspect each of the mentioned path  with any of the following tool that you can access/is applicable:

  1. CRX/DE for DEV instances
  2. the Repository Browser
  3. creating a content package in the Package Manager (this option is also part of the resolution)

Then you need to check the  jcr:content  node for each path found in the Distribution Queue UI, and verify if:

  • It does  have a  jcr:lockIsDeep=“(Boolean)true”  property
  • It does not  have a  jcr:lockOwner="xxx"  property
  • ( it does not have a  mix:lockable  value in the  jcr:mixinTypes)

If this is the case, then the issue is confirmed, since the  jcr:lockIsDeep  property should not be present alone. This property should always be set conjointly with the  jcr:lockOwner  when  Locking  a page.

It is not possible to only set the jcr:lockIsDeep  property, even by using the JCR API, so the root cause explaining this situation is mostly by having installed a corrupted content package with that single property.

Resolution

To fix the content the only solution is to install a package in your Author that has the correct properties set on the corresponding node.

You can either create that package from another instance having the corresponding content or if you only have this content on the impacted instance then you can follow these instructions:

  1. Generate a package on the broken instance for the faulty page
  2. Download the package
  3. Extract the  .content.xml  for the page/jcr:content
  4. Manually remove the line with the  jcr:lockIsDeep
  5. Update your package with the new/fixed .content.xml
  6. Re-upload and install the modified package

Check the page properties again, and successfully test the replication/distribution.

recommendation-more-help
3d58f420-19b5-47a0-a122-5c9dab55ec7f