Issues Caused by Orphaned User Roles

Article ID: 115407

Updated On:

Products

STARTER PACK-7, CA Rapid App Security, CA API Gateway

Issue/Introduction

  • When the rbac_assignment table still contains a role assignment for a user that no longer exists, a NullPointerException is generated:
2018-08-27T20:49:12.710+0500 SEVERE 59 com.l7tech.server.util.ManagedTimerTask: Uncaught exception in background task 'java.lang.NullPointerException'.
java.lang.NullPointerException
at com.l7tech.server.logon.SSMLogonService.checkLogonInfos(Unknown Source)...
  • It can also cause delays and errors when roles are managed through Policy Manager.
  • Nonexistent users should be removed from the rbac_assignment table to fix the issue.

Environment

This issue is mostly observed when an upgrade from SSG 7.x to 8.x has been performed.

Cause

- The issue is caused by nonexistent users that still have roles assigned to them in the rbac_assignment table.

Resolution

  • The goid column in ssg.internal_user uniquely identifies a user and maps to identity_id in ssg.rbac_assignment, which defines the access rights for that specific user.
  • Get the list of current users and groups from the internal_user and internal_group tables and compare it with the users and groups listed in the rbac_assignment table to find orphaned entries, then remove them. Note that identity_id in the rbac_assignment table corresponds to goid in the internal_user and internal_group tables.
# mysql
mysql> use ssg;
mysql> select hex(goid),name from internal_user;
mysql> select hex(goid),hex(provider_goid),hex(role_goid),identity_id,entity_type from rbac_assignment where entity_type="User";
mysql> select hex(goid),name from internal_group;
mysql> select hex(goid),hex(provider_goid),hex(role_goid),identity_id,entity_type from rbac_assignment where entity_type="Group";

# service ssg stop
# mysqldump --all-databases > ~/all_databases_`date '+%Y%m%d_%T'`.sql
# mysql
mysql> use ssg;
mysql> delete from rbac_assignment where identity_id = 'nnnnnnnn';
mysql> quit
# service ssg start
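
The manual comparison of the user/group lists against rbac_assignment can also be done in one read-only query. This is an added example, not part of the original article or the product's tooling. It assumes identity_id stores the hexadecimal text of the goid, as the hex(goid) and identity_id columns selected above suggest, and it uses only the tables and columns named in this article.

```sql
-- Added example (read-only): list role assignments whose identity_id has no
-- matching row in internal_user / internal_group. Nothing is deleted here.
-- Assumption: identity_id holds the hex text of the goid; LOWER() on both
-- sides makes the comparison independent of letter case.
USE ssg;

SELECT 'User'               AS entity_type,
       HEX(a.goid)          AS assignment_goid,
       HEX(a.provider_goid) AS provider_goid,
       HEX(a.role_goid)     AS role_goid,
       a.identity_id
FROM rbac_assignment AS a
LEFT JOIN internal_user AS u
       ON LOWER(HEX(u.goid)) = LOWER(a.identity_id)
WHERE a.entity_type = 'User'
  AND u.goid IS NULL            -- no internal user with this goid

UNION ALL

SELECT 'Group',
       HEX(a.goid),
       HEX(a.provider_goid),
       HEX(a.role_goid),
       a.identity_id
FROM rbac_assignment AS a
LEFT JOIN internal_group AS g
       ON LOWER(HEX(g.goid)) = LOWER(a.identity_id)
WHERE a.entity_type = 'Group'
  AND g.goid IS NULL            -- no internal group with this goid

ORDER BY entity_type, identity_id;

-- Caveat: internal_user and internal_group only hold identities of the
-- internal provider. A row whose provider_goid points at another identity
-- provider will also be listed, so check provider_goid before treating a
-- row as orphaned and deleting it with the statement shown above.
```

Run it before stopping the service and taking the backup, and keep the output alongside the mysqldump file as a record of which assignments were removed.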

Additional Information

  • If this is a case of an upgrade from SSG 7.x, you should also look for and remove legacy upgrade tasks:
# mysql
mysql> delete from ssg.cluster_properties where propkey='upgrade.task.800003';
mysql> delete from ssg.cluster_properties where propkey='upgrade.task.800004';
mysql> exit