  1. Grouper
  2. GRP-2056

PSPNG references PIT tables, not changelog for group attributes during delete group events.


Details

    • Bug
    • Status: In Progress
    • Major
    • Resolution: Unresolved
    • 2.3.0, 2.4.0
    • None
    • API, provisioning
    • None
    • tier/grouper:2.3.0-a109-u47-w12-p21

    Description

      groupSearchAttributes defaults to "cn,gidNumber,samAccountName,objectclass", so it seems to be a reasonable assumption that a singleGroupSearch that utilizes group attributes mapped to those values (e.g. 'cn=${group.name}', gidNumber=${group.idIndex}, etc.) should return a group.

      In cases where a provisioner uses an attribute that is not ${group.name} or ${group.extension} as a single group search parameter, issues arise during Group deletions.

      When a provisioned group is deleted, the provisioner logs an error:

      2019-03-11 10:29:00,074: [DefaultQuartzScheduler_Worker-6] ERROR Provisioner.evaluateJexlExpression(665) - - Jexl Expression SingleGroupSearchFilter '(&(objectclass=group)(gidNumber=${group.idIndex}))' could not be evaluated for subject 'null/null' and group 'uncg:apps:AAA_test:BravoGroupID(PIT)/null' which used variableMap '{extension=BravoGroupID, pitGroup=edu.internet2.middleware.grouper.pit.PITGroup@8ab224e1, displayName=uncg:apps:AAA_test:BravoGroupID, provisionerName=pspng_personBushyLdap, groupSearchBaseDn=ou=groups,dc=devauth,dc=uncg,dc=edu, groupAttributes={}, displayExtension=BravoGroupID, userSearchBaseDn=ou=accounts,dc=devauth,dc=uncg,dc=edu, provisionerType=LdapGroupProvisioner, groupCreationBaseDn=ou=groups,dc=devauth,dc=uncg,dc=edu, utils=edu.internet2.middleware.grouper.pspng.PspJexlUtils@4898a89b, stemAttributes={}, name=uncg:apps:AAA_test:BravoGroupID}'
      edu.internet2.middleware.grouper.exception.ExpressionLanguageMissingVariableException: variable 'group.idIndex' is not defined in script: 'group.idIndex'

      The provisioner is looking in the PIT tables for group.idIndex. It will always come back as NULL since the group has already been deleted.

      This creates a constraint that only search filters using the group name can be used to delete groups during incremental changelog events.

       

      Attachments

        1. groupCreateAndDelete.log
          79 kB
          Jeffrey Williams (uncg.edu)
        2. grouper-loader-pspng_example.properties
          2 kB
          jfwillia
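
An added example for triaging this error in a loader log (not part of the original report and not Grouper or PSPNG code): it pairs each "Jexl Expression ... could not be evaluated" line with the exception line that follows it and reports the affected group, whether it was resolved from PIT, and the missing variable. The function name and record fields are assumptions, and the sample is the log excerpt from the description with the variableMap shortened.

```python
import re

# Constructed sample: the two log lines quoted in the issue description,
# with the variableMap shortened to four of its keys.
SAMPLE_LOG = """\
2019-03-11 10:29:00,074: [DefaultQuartzScheduler_Worker-6] ERROR Provisioner.evaluateJexlExpression(665) - - Jexl Expression SingleGroupSearchFilter '(&(objectclass=group)(gidNumber=${group.idIndex}))' could not be evaluated for subject 'null/null' and group 'uncg:apps:AAA_test:BravoGroupID(PIT)/null' which used variableMap '{extension=BravoGroupID, pitGroup=edu.internet2.middleware.grouper.pit.PITGroup@8ab224e1, groupAttributes={}, name=uncg:apps:AAA_test:BravoGroupID}'
edu.internet2.middleware.grouper.exception.ExpressionLanguageMissingVariableException: variable 'group.idIndex' is not defined in script: 'group.idIndex'
"""

ERROR_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+): .*?ERROR .*?"
    r"Jexl Expression (?P<expr>\S+) '(?P<filter>.*?)' could not be evaluated "
    r"for subject '.*?' and group '(?P<group>.*?)' "
    r"which used variableMap '\{(?P<vars>.*)\}'")
MISSING_RE = re.compile(
    r"ExpressionLanguageMissingVariableException: variable '(?P<var>[^']+)'")
# Keys of the logged map: a key starts the map or follows ", ".
# Assumes nested maps are empty ("{}"), as they are in the issue's log line.
KEY_RE = re.compile(r"(?:^|, )(\w+)=")
PIT_SUFFIX = "(PIT)"


def find_failed_evaluations(log_text):
    """Return one record per Jexl evaluation error found in log_text."""
    records = []
    for line in log_text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            name = m.group("group").partition("/")[0]
            from_pit = name.endswith(PIT_SUFFIX)
            records.append({
                "timestamp": m.group("ts"),
                "expression": m.group("expr"),
                "filter": m.group("filter"),
                "group": name[:-len(PIT_SUFFIX)] if from_pit else name,
                "from_pit": from_pit,
                "map_keys": sorted(KEY_RE.findall(m.group("vars"))),
                "missing": None,
            })
            continue
        m = MISSING_RE.search(line)
        if m and records and records[-1]["missing"] is None:
            # The exception line follows the ERROR line it belongs to.
            records[-1]["missing"] = m.group("var")
    return records
```

Records with `from_pit` set to true and a non-empty `missing` value identify the groups whose delete events hit the condition described in this issue.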

        Activity

          People

            bert.beelindgren@at.internet2.edu Bert Bee-Lindgren
            jeffrey.williams@at.internet2.edu Jeffrey Williams (uncg.edu)
            mchyzer