Issues Caused by Orphaned User Roles
Article ID: 115407
Updated On:
Products
CA API Gateway
Issue/Introduction
- When a user exists in the rbac_assignment table, while the user no longer exists, it will generate a Null Pointer Exception:
2018-08-27T20:49:12.710+0500 SEVERE 59 com.l7tech.server.util.ManagedTimerTask: Uncaught exception in background task 'java.lang.NullPointerException'.
java.lang.NullPointerException
at com.l7tech.server.logon.SSMLogonService.checkLogonInfos(Unknown Source)...
java.lang.NullPointerException
at com.l7tech.server.logon.SSMLogonService.checkLogonInfos(Unknown Source)...
- It could also cause delays and errors when roles are being managed through policy manager.
- Non existent users should be removed from the rbac_assignment table to fix the issue.
Environment
This issue is mostly observed when an upgrade from SSG 7.x to 8.x has been performed.
Cause
- Issue is caused by non existent users having roles assigned to them the rbac_assignment table.
Resolution
- goid in ssg.internal_user uniquely identifies a user, and maps to identity_id in ssg.rbac_assignment, to define access rights for that specific user.
- You can get a list of current users and groups from internal_user and internal_group tables, and compare it to users/groups listed in rbac_assignment table to find orphan ones, and proceed to remove those. Please note that identity_id in rbac_assignment table ~ goid in internla_user and internal_group tables.
# mysql
mysql use ssg;
mysql> select hex(goid),name from internal_user;
mysql> select hex(goid),hex(provider_goid),hex(role_goid),identity_id,entity_type from rbac_assignment where entity_type="User";
mysql> select hex(goid),name from internal_group;
mysql> select hex(goid),hex(provider_goid),hex(role_goid),identity_id,entity_type from rbac_assignment where entity_type="Group";
# service ssg stop
# mysqldump --all-databases > ~/all_databases_`date '+%Y%m%d_%T'`.sql
# mysql
mysql> use ssg;
mysql> delete from rbac_assignment where identity_id = 'nnnnnnnn';
mysql> quit
# service ssg start
mysql use ssg;
mysql> select hex(goid),name from internal_user;
mysql> select hex(goid),hex(provider_goid),hex(role_goid),identity_id,entity_type from rbac_assignment where entity_type="User";
mysql> select hex(goid),name from internal_group;
mysql> select hex(goid),hex(provider_goid),hex(role_goid),identity_id,entity_type from rbac_assignment where entity_type="Group";
# service ssg stop
# mysqldump --all-databases > ~/all_databases_`date '+%Y%m%d_%T'`.sql
# mysql
mysql> use ssg;
mysql> delete from rbac_assignment where identity_id = 'nnnnnnnn';
mysql> quit
# service ssg start
Additional Information
- If this is case of upgrade from SSG 7.x, you should also look for, and remove legacy upgrade tasks:
# mysql
mysql> delete from ssg.cluster_properties where propkey='upgrade.task.800003';
mysql> delete from ssg.cluster_properties where propkey='upgrade.task.800004';
mysql> exit
mysql> delete from ssg.cluster_properties where propkey='upgrade.task.800003';
mysql> delete from ssg.cluster_properties where propkey='upgrade.task.800004';
mysql> exit
Feedback
Yes
No
Powered by
