Bug 754693

Summary: delete a role which is linked to an LDAP group is failing with a database constraint
Product: [Other] RHQ Project Reporter: Tom Fonteyne <tfonteyn>
Component: DatabaseAssignee: Simeon Pinder <spinder>
Status: CLOSED CURRENTRELEASE QA Contact: Mike Foley <mfoley>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 3.0.1CC: hrupp, skondkar, spinder
Target Milestone: ---Keywords: Reopened
Target Release: RHQ 4.3.0   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-08-31 10:16:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 738209, 760116, 812193    

Description Tom Fonteyne 2011-11-17 11:56:08 UTC
Description of problem:

I am logged in as "rhqadmin" and when deleting a role which is linked to an LDAP group, I'm getting the following error: You do not have permission to remove selected role(s). The following is logged in rhq-server-log4j.log file:

 ...
WARN  [org.hibernate.util.JDBCExceptionReporter] SQL Error: 2292, SQLState: 23000
WARN  [org.hibernate.util.JDBCExceptionReporter] SQL Error: 2292, SQLState: 23000
ERROR [org.hibernate.util.JDBCExceptionReporter] ORA-02292: integrity constraint (JONDBUSR.SYS_C0013011) violated - child record found
ERROR [org.hibernate.event.def.AbstractFlushingEventListener] Could not synchronize database state with session
org.hibernate.exception.ConstraintViolationException: Could not execute JDBC batch update

Version-Release number of selected component (if applicable):

JON 2.4.1

How reproducible: always


Steps to Reproduce:
1. In the LDAP server, create a group and a user belonging to this group
2. setup JON to use LDAP authentication, and add the needed group filter to find said group.
3. In JON, create a role, and assign the LDAP group to it
4. Login with the user, and register in JON as normal.
5. You can now see an entry in RHQ_SUBJECT_ROLE_LDAP_MAP
6. Delete the role now
  
Actual results:
Step 6 fails with above error + Exception

Expected results:
That the role is deleted

Additional info:

workaround is:

Start with removing the LDAP group(s) from the role you wish to delete.
Now use this SQL to find the role id:

SELECT * FROM rhq_role_ldap_group WHERE ldap_group_name LIKE 'the group you want';

Next delete from the join table, where (for example) 12345 is the role_id you got from the aboev select:

DELETE FROM RHQ_SUBJECT_ROLE_LDAP_MAP WHERE role_id=12345;

Lastly remove the role as normal

An alternative solution is to delete all the users belonging to this role; followed by normally removing the role.

Comment 1 Simeon Pinder 2011-12-09 23:11:08 UTC
This is fixed with commit 0753aae5cab0 to master. 

For some reason hibernate was not loading the external LDAP Groups correctly.  Fix was to explicitly load the lazy references before updating on a remove.

Moving this to ON_QA.

Comment 2 Sunil Kondkar 2011-12-12 09:21:33 UTC
Verified in latest master build#827 (Version: 4.3.0-SNAPSHOT Build Number: 0753aae)

Followed the steps and verified that the role which is linked to an LDAP group is deleted successfully. No errors are observed in server log.

marking as verified.

Comment 3 Mike Foley 2012-02-07 19:23:41 UTC
<removing erroneous comment> Putting this bug back to VERIFIED since its only been fixed in master currently

Comment 4 Heiko W. Rupp 2013-08-31 10:16:26 UTC
Bulk close of old bugs in VERIFIED state.