Bug 754693 - delete a role which is linked to an LDAP group is failing with a database constraint
delete a role which is linked to an LDAP group is failing with a database con...
Product: RHQ Project
Classification: Other
Component: Database (Show other bugs)
All All
unspecified Severity unspecified (vote)
: ---
: RHQ 4.3.0
Assigned To: Simeon Pinder
Mike Foley
: Reopened
Depends On:
Blocks: 738209 jon30-sprint10/rhq43-sprint10 812193
  Show dependency treegraph
Reported: 2011-11-17 06:56 EST by Tom Fonteyne
Modified: 2013-08-31 06:16 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-08-31 06:16:26 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Tom Fonteyne 2011-11-17 06:56:08 EST
Description of problem:

I am logged in as "rhqadmin" and when deleting a role which is linked to an LDAP group, I'm getting the following error: You do not have permission to remove selected role(s). The following is logged in rhq-server-log4j.log file:

WARN  [org.hibernate.util.JDBCExceptionReporter] SQL Error: 2292, SQLState: 23000
WARN  [org.hibernate.util.JDBCExceptionReporter] SQL Error: 2292, SQLState: 23000
ERROR [org.hibernate.util.JDBCExceptionReporter] ORA-02292: integrity constraint (JONDBUSR.SYS_C0013011) violated - child record found
ERROR [org.hibernate.event.def.AbstractFlushingEventListener] Could not synchronize database state with session
org.hibernate.exception.ConstraintViolationException: Could not execute JDBC batch update

Version-Release number of selected component (if applicable):

JON 2.4.1

How reproducible: always

Steps to Reproduce:
1. In the LDAP server, create a group and a user belonging to this group
2. setup JON to use LDAP authentication, and add the needed group filter to find said group.
3. In JON, create a role, and assign the LDAP group to it
4. Login with the user, and register in JON as normal.
5. You can now see an entry in RHQ_SUBJECT_ROLE_LDAP_MAP
6. Delete the role now
Actual results:
Step 6 fails with above error + Exception

Expected results:
That the role is deleted

Additional info:

workaround is:

Start with removing the LDAP group(s) from the role you wish to delete.
Now use this SQL to find the role id:

SELECT * FROM rhq_role_ldap_group WHERE ldap_group_name LIKE 'the group you want';

Next delete from the join table, where (for example) 12345 is the role_id you got from the aboev select:


Lastly remove the role as normal

An alternative solution is to delete all the users belonging to this role; followed by normally removing the role.
Comment 1 Simeon Pinder 2011-12-09 18:11:08 EST
This is fixed with commit 0753aae5cab0 to master. 

For some reason hibernate was not loading the external LDAP Groups correctly.  Fix was to explicitly load the lazy references before updating on a remove.

Moving this to ON_QA.
Comment 2 Sunil Kondkar 2011-12-12 04:21:33 EST
Verified in latest master build#827 (Version: 4.3.0-SNAPSHOT Build Number: 0753aae)

Followed the steps and verified that the role which is linked to an LDAP group is deleted successfully. No errors are observed in server log.

marking as verified.
Comment 3 Mike Foley 2012-02-07 14:23:41 EST
<removing erroneous comment> Putting this bug back to VERIFIED since its only been fixed in master currently
Comment 4 Heiko W. Rupp 2013-08-31 06:16:26 EDT
Bulk close of old bugs in VERIFIED state.

Note You need to log in before you can comment on or make changes to this bug.