Bug 1151230
| Summary: | Validation is not invoked when changing existing partition manager configuration in IDM subsystem | ||
|---|---|---|---|
| Product: | [JBoss] JBoss Enterprise Application Platform 6 | Reporter: | FIlip Bogyai <fbogyai> |
| Component: | PicketLink | Assignee: | Pedro Igor <psilva> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Jitka Kozana <jkudrnac> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.4.0 | CC: | anmiller, bdawidow, jkudrnac, kkhan, psilva |
| Target Milestone: | DR7 | ||
| Target Release: | EAP 6.4.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-08-19 12:42:02 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Kabir Khan <kabir.khan> updated the status of jira EAP6-182 to Resolved Kabir Khan <kabir.khan> updated the status of jira EAP6-182 to Reopened Kabir Khan <kabir.khan> updated the status of jira EAP6-182 to Resolved Ondrej Lukas <olukas> updated the status of jira EAP6-182 to Reopened Verification failed in EAP 6.4.0.DR6. Correctly fixed, so that validation prevents: -removing last supported-type from identity-store -removing last identity-store from identity-configuration -removing last identity-configuration from partiton-manager But there are still scenarios which allows invalid configuration. When partition manager is already configured, for example user can: -add second identity configuration without any idetity store -add second identity-store without supported-types -add LDAPPasswordHandler to file-store or jpa-store -remove last mapping from ldap-store There should be performed validation as it is while adding whole new partition manager. This requires using CLI batch, so that final configuration is correct against xml schema. Without this validation user can change the configuration to incorrect state, so that after reload it leads to Exception during server boot. Validations were added.
Some other validations are only going to happen during a service restart, as a result of a server load or if you execute commands in CLI with the {allow-resource-service-restart=true} operation header.
It is not feasible to replicate all validations done by PicketLink in the subsystem, but only those related with the structure and consistency of the configuration.
For instance, the validation for LDAPPasswordHandler was not added. That is something users must be aware of.
Verified in EAP 6.4.0.DR7. Validations of the structure and consistency of subsystem are now correctly implemented. Other validations e.g: logical requirements of configuration are not needed, unless these requirements will be stated in documentation. Rostislav Svoboda <rsvoboda> updated the status of jira EAP6-182 to Resolved Pedro Igor <pigor.craveiro> updated the status of jira WFLY-3978 to Resolved |
When user is changing existing partition manager configuration in IDM subsystem through CLI, the validation of new configuration is not invoked and output from CLI command is: "outcome" => "success", "response-headers" => { "operation-requires-reload" => true, "process-state" => "reload-required" } After server restart the partition manager cannot be started, because of wrong configuration. The validation should be perform, so that user cannot change configuration to incorrect state. Correct validation of partiton manager configuration is only invoked on adding whole new partition manager through CLI batch. Examples of operations that should be forbidden on existing partition manager configuration: -remove last supported-type so that identity-store don't have at least one -remove last one identity-store from identity-configuration -remove last one identity-configuration from partiton-manager -add LDAPPasswordHandler to file-store or jpa-store -add second identity-store without supported-types and many other commands that change the configuration to incorrect state.