cf-mgmt returns this error during the update-space-users command:
error: got errors processing update space users [Error syncing users for org Org1, space Test, role developer: adding ldap users: User my-ldap-user with origin SAML: cfclient error (CF-UnprocessableEntity|10008): User 'my-ldap-user' already has 'space_developer' role in space 'Test'. ]
This was observed when using SAML configuration with LDAP group lookups.
cf-mgmt throws this error when its cache holds duplicate references for a given LDAP user that have different distinguished names but the same value for the "userNameAttribute" key. For example, if "userNameAttribute" maps to the UserID attribute below, the two entries have the same UserID but a different Distinguished Name (DN):
{
DN:first.last
UserID:username1
Email:[email protected]
}
{
DN:CN=first.last,OU=User Accounts,DC=mydomain,DC=COM
UserID:username1
Email:[email protected]
}
When cf-mgmt iterates over these two users for a given space, it applies the role for the first user "username1" and removes it from its role assignment cache. When it reaches the second user with the same UserID "username1", it attempts to apply the role to the same space again, and the Cloud Controller returns an error indicating the role is already assigned.
Scenario 1
This might happen if you have manually added the user DN "first.last" to spaceConfig.yml ("ldap_users: [first.last, other.name, more.names]") without realizing that the same user will also be found in one of the groups defined by "ldap_group: [group1, group2, group3]". This creates a duplicate user reference in cf-mgmt.
Scenario 2
Another possible reason is that cf-mgmt is run through a pipeline where the spaceConfig.yml files of multiple jobs are configured with the same user in the same organization and space. For example, Job1 updates the spaceConfig.yml of org/space Org1/Test:
org: Org1
space: Test
space-developer:
  ldap_users:
  - my-ldap-user
Job2 is meant to update Org2 but mistakenly uses the same content as shown above. If the pipeline runs Job1 and Job2 sequentially and Job2 executes first, this issue is hit when Job1 executes later. The operator might think it is an issue with cf-mgmt.
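The following pre-flight check is an added example and not part of cf-mgmt or of this article. It reproduces, with constructed LDAP entries and job configurations, both causes described above: it resolves the ldap_users and ldap_group references of a space the way the article describes, groups the results by the userNameAttribute (assumed here to be UserID), replays the role sync so the "already has role" outcome is visible, and scans several pipeline job configs for the same (org, space, role, user) assignment. The role keys and the in-memory directory lookup are simplifications assumed for the example.

```python
# Added example (not cf-mgmt code). Detects duplicate LDAP user references
# before cf-mgmt update-space-users is run. All directory data is constructed.
from collections import defaultdict

USER_NAME_ATTRIBUTE = "UserID"  # assumed value of cf-mgmt's userNameAttribute

# Constructed LDAP snapshot: two entries with different DNs but the same UserID.
LDAP_ENTRIES = [
    {"DN": "first.last", "UserID": "username1",
     "Email": "first.last@example.invalid"},  # placeholder address
    {"DN": "CN=first.last,OU=User Accounts,DC=mydomain,DC=COM",
     "UserID": "username1", "Email": "first.last@example.invalid"},
    {"DN": "CN=other.name,OU=User Accounts,DC=mydomain,DC=COM",
     "UserID": "username2", "Email": "other.name@example.invalid"},
]

# Constructed group membership keyed by group name.
LDAP_GROUPS = {
    "group1": [
        "CN=first.last,OU=User Accounts,DC=mydomain,DC=COM",
        "CN=other.name,OU=User Accounts,DC=mydomain,DC=COM",
    ],
}

SPACE_ROLES = ("space-developer", "space-manager", "space-auditor")  # assumed keys


def lookup_by_dn(dn):
    """Return the LDAP entry for a DN, or None if the directory has no such entry."""
    return next((e for e in LDAP_ENTRIES if e["DN"] == dn), None)


def resolve_space_users(ldap_users, ldap_groups):
    """Gather every user reference for a space (direct DNs plus group members),
    without de-duplication, mirroring the order cf-mgmt processes them."""
    refs = []
    for dn in ldap_users:
        entry = lookup_by_dn(dn)
        if entry is not None:
            refs.append(entry)
    for group in ldap_groups:
        for dn in LDAP_GROUPS.get(group, []):
            entry = lookup_by_dn(dn)
            if entry is not None:
                refs.append(entry)
    return refs


def find_duplicate_user_ids(refs):
    """Scenario 1: map user id -> list of DNs when one id is referenced more than once."""
    by_id = defaultdict(list)
    for entry in refs:
        by_id[entry[USER_NAME_ATTRIBUTE]].append(entry["DN"])
    return {uid: dns for uid, dns in by_id.items() if len(dns) > 1}


def simulate_role_sync(refs, role="space_developer"):
    """Replay the behaviour the article describes: the first reference assigns the
    role, a second reference with the same user id is rejected as already assigned."""
    assigned = set()
    errors = []
    for entry in refs:
        uid = entry[USER_NAME_ATTRIBUTE]
        if uid in assigned:
            errors.append(f"User '{uid}' already has '{role}' role")
        else:
            assigned.add(uid)
    return sorted(assigned), errors


def find_duplicate_job_assignments(jobs):
    """Scenario 2: same (org, space, role, user) configured by more than one job."""
    seen = defaultdict(list)
    for job_name, cfg in jobs.items():
        for role in SPACE_ROLES:
            for user in cfg.get(role, {}).get("ldap_users", []):
                seen[(cfg["org"], cfg["space"], role, user)].append(job_name)
    return {key: names for key, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    # Scenario 1: first.last listed directly and also a member of group1.
    refs = resolve_space_users(["first.last"], ["group1"])
    print("duplicate ids:", find_duplicate_user_ids(refs))
    print("sync result:", simulate_role_sync(refs))
    # Scenario 2: two pipeline jobs carrying the same spaceConfig.yml content.
    jobs = {
        "Job1": {"org": "Org1", "space": "Test",
                 "space-developer": {"ldap_users": ["my-ldap-user"]}},
        "Job2": {"org": "Org1", "space": "Test",
                 "space-developer": {"ldap_users": ["my-ldap-user"]}},
    }
    print("duplicate job assignments:", find_duplicate_job_assignments(jobs))
```

Running the check before each pipeline job makes the cause visible as a configuration problem (which DNs collapse onto one user id, or which jobs overlap) instead of surfacing later as a CF-UnprocessableEntity error from the Cloud Controller.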
Resolution for Scenario 1
Remove the duplicate reference to "first.last" from spaceConfig.yml.
Before
"ldap_users: [first.last, other.name, more.names]"
After
"ldap_users: [other.name, more.names]"
Resolution for Scenario 2
Review the spaceConfig.yml file of every pipeline job and remove any duplicate configurations, so that no two jobs assign the same user to the same role in the same org and space.