Bug 1151230 - Validation is not invoked when changing existing partition manager configuration in IDM subsystem
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: PicketLink
Version: 6.4.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: DR7
: EAP 6.4.0
Assignee: Pedro Igor
QA Contact: Jitka Kozana
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2014-10-09 20:17 UTC by FIlip Bogyai
Modified: 2019-08-19 12:42 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-19 12:42:02 UTC
Type: Bug
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Bugzilla | 1155634 | 0 | unspecified | CLOSED | Write-attribute and undefine-attribute operations failed to complete in IDM subsystem | 2021-02-22 00:41:40 UTC
Red Hat Issue Tracker | EAP6-182 | 0 | Major | Ready for QA | Transition PicketLink subsystems from tech preview to production support | 2016-01-04 10:02:54 UTC
Red Hat Issue Tracker | WFLY-3978 | 0 | Major | Resolved | PicketLink Subsystem EAP 6.4 Issues | 2016-03-17 08:36:17 UTC

Internal Links: 1155634

Description FIlip Bogyai 2014-10-09 20:17:23 UTC
When a user changes an existing partition manager configuration in the IDM subsystem through CLI, the validation of the new configuration is not invoked and the output from the CLI command is:

    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }

After server restart the partition manager cannot be started, because of the wrong configuration. The validation should be performed, so that the user cannot change the configuration to an incorrect state. Correct validation of the partition manager configuration is only invoked on adding a whole new partition manager through CLI batch.

Examples of operations that should be forbidden on existing partition manager configuration:

-remove last supported-type so that identity-store doesn't have at least one
-remove last one identity-store from identity-configuration
-remove last one identity-configuration from partition-manager
-add LDAPPasswordHandler to file-store or jpa-store
-add second identity-store without supported-types

and many other commands that change the configuration to incorrect state.

Comment 1 JBoss JIRA Server 2014-10-14 13:01:28 UTC
Kabir Khan <kabir.khan> updated the status of jira EAP6-182 to Resolved

Comment 2 JBoss JIRA Server 2014-10-14 13:26:55 UTC
Kabir Khan <kabir.khan> updated the status of jira EAP6-182 to Reopened

Comment 3 Pedro Igor 2014-10-17 15:34:52 UTC
https://github.com/jbossas/jboss-eap/pull/1810

Comment 4 JBoss JIRA Server 2014-10-17 18:38:42 UTC
Kabir Khan <kabir.khan> updated the status of jira EAP6-182 to Resolved

Comment 5 JBoss JIRA Server 2014-10-22 09:08:13 UTC
Ondrej Lukas <olukas> updated the status of jira EAP6-182 to Reopened

Comment 6 FIlip Bogyai 2014-10-22 13:09:21 UTC
Verification failed in EAP 6.4.0.DR6. 

Correctly fixed, so that validation prevents: 
-removing last supported-type from identity-store
-removing last identity-store from identity-configuration
-removing last identity-configuration from partition-manager

But there are still scenarios which allow invalid configuration. When a partition manager is already configured, for example the user can:

-add second identity configuration without any identity store
-add second identity-store without supported-types
-add LDAPPasswordHandler to file-store or jpa-store
-remove last mapping from ldap-store

Validation should be performed as it is when adding a whole new partition manager. This requires using CLI batch, so that the final configuration is correct against the xml schema. Without this validation the user can change the configuration to an incorrect state, so that after reload it leads to an Exception during server boot.

Comment 7 Pedro Igor 2014-10-23 16:07:15 UTC
https://github.com/jbossas/jboss-eap/pull/1838

Comment 8 Pedro Igor 2014-10-23 16:10:10 UTC
Validations were added.

Some other validations are only going to happen during a service restart, as a result of a server load or if you execute commands in CLI with the {allow-resource-service-restart=true} operation header.

It is not feasible to replicate all validations done by PicketLink in the subsystem, but only those related with the structure and consistency of the configuration.

For instance, the validation for LDAPPasswordHandler was not added. That is something users must be aware of.
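
The structural rules named in Comments 6 and 8, written as an added pre-flight check that is not part of the original report or of PicketLink's code: each change is applied to a copy of the configuration and kept only if the whole result validates. The dictionary layout, key names such as `mappings` and `credential-handlers`, and the sample values are constructed for illustration and do not reproduce the subsystem's management model.

```python
import copy

STORE_KINDS = ("file-store", "jpa-store", "ldap-store")

def validate(pm):
    """Return the structural problems found in one partition-manager dict."""
    problems = []
    configs = pm.get("identity-configuration", {})
    if not configs:
        problems.append("partition-manager: no identity-configuration")
    for cname, cfg in configs.items():
        stores = [(k, cfg[k]) for k in STORE_KINDS if k in cfg]
        if not stores:
            problems.append(f"{cname}: no identity-store")
        for kind, store in stores:
            where = f"{cname}/{kind}"
            if not store.get("supported-types"):
                problems.append(f"{where}: no supported-type")
            if kind == "ldap-store" and not store.get("mappings"):
                problems.append(f"{where}: no mapping")
            # Comment 8: the subsystem does not check this one, so do it here.
            handlers = store.get("credential-handlers", [])
            if kind != "ldap-store" and "LDAPPasswordHandler" in handlers:
                problems.append(f"{where}: LDAPPasswordHandler on non-LDAP store")
    return problems

def apply_checked(pm, change):
    """Apply `change` to a copy; return (resulting config, problems)."""
    candidate = copy.deepcopy(pm)
    change(candidate)
    problems = validate(candidate)
    return (pm, problems) if problems else (candidate, [])

# Constructed sample: one configuration with one valid file-store.
SAMPLE = {"identity-configuration": {"cfg1": {"file-store": {
    "supported-types": ["IdentityType"], "credential-handlers": []}}}}

def drop_last_type(pm):
    pm["identity-configuration"]["cfg1"]["file-store"]["supported-types"].clear()

def add_empty_config(pm):
    pm["identity-configuration"]["cfg2"] = {}

def add_ldap_handler(pm):
    store = pm["identity-configuration"]["cfg1"]["file-store"]
    store["credential-handlers"].append("LDAPPasswordHandler")

def add_valid_ldap_store(pm):
    pm["identity-configuration"]["cfg1"]["ldap-store"] = {
        "supported-types": ["IdentityType"], "mappings": ["Agent"]}
```

Validating the resulting state rather than the single operation is what catches edits that each look harmless but leave the configuration unable to start after reload.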

Comment 9 FIlip Bogyai 2014-11-03 14:00:45 UTC
Verified in EAP 6.4.0.DR7. Validations of the structure and consistency of the subsystem are now correctly implemented. Other validations, e.g. logical requirements of configuration, are not needed, unless these requirements will be stated in documentation.

Comment 10 JBoss JIRA Server 2014-11-05 07:05:42 UTC
Rostislav Svoboda <rsvoboda> updated the status of jira EAP6-182 to Resolved

Comment 13 JBoss JIRA Server 2016-03-17 08:36:18 UTC
Pedro Igor <pigor.craveiro> updated the status of jira WFLY-3978 to Resolved

