754693 – delete a role which is linked to an LDAP group is failing with a database constraint

Bug 754693 - delete a role which is linked to an LDAP group is failing with a database constraint

Summary: delete a role which is linked to an LDAP group is failing with a database con...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	RHQ Project
Classification:	Other
Component:	Database
Sub Component:
Version:	3.0.1
Hardware:	All
OS:	All
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Target Release:	RHQ 4.3.0
Assignee:	Simeon Pinder
QA Contact:	Mike Foley
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	738209 jon30-sprint10, rhq43-sprint10 812193
TreeView+	depends on / blocked

Reported:	2011-11-17 11:56 UTC by Tom Fonteyne
Modified:	2018-11-27 21:13 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-08-31 10:16:26 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	754696	0	medium	CLOSED	Creating a role linked to an LDAP group will not link existing users	2021-02-22 00:41:40 UTC

Internal Links: 754696

Description Tom Fonteyne 2011-11-17 11:56:08 UTC

Description of problem:

I am logged in as "rhqadmin" and when deleting a role which is linked to an LDAP group, I'm getting the following error: You do not have permission to remove selected role(s). The following is logged in rhq-server-log4j.log file:

...
WARN [org.hibernate.util.JDBCExceptionReporter] SQL Error: 2292, SQLState: 23000
WARN [org.hibernate.util.JDBCExceptionReporter] SQL Error: 2292, SQLState: 23000
ERROR [org.hibernate.util.JDBCExceptionReporter] ORA-02292: integrity constraint (JONDBUSR.SYS_C0013011) violated - child record found
ERROR [org.hibernate.event.def.AbstractFlushingEventListener] Could not synchronize database state with session
org.hibernate.exception.ConstraintViolationException: Could not execute JDBC batch update

Version-Release number of selected component (if applicable):

JON 2.4.1

How reproducible: always

Steps to Reproduce:
1. In the LDAP server, create a group and a user belonging to this group
2. setup JON to use LDAP authentication, and add the needed group filter to find said group.
3. In JON, create a role, and assign the LDAP group to it
4. Login with the user, and register in JON as normal.
5. You can now see an entry in RHQ_SUBJECT_ROLE_LDAP_MAP
6. Delete the role now

Actual results:
Step 6 fails with above error + Exception

Expected results:
That the role is deleted

Additional info:

workaround is:

Start with removing the LDAP group(s) from the role you wish to delete.
Now use this SQL to find the role id:

SELECT * FROM rhq_role_ldap_group WHERE ldap_group_name LIKE 'the group you want';

Next delete from the join table, where (for example) 12345 is the role_id you got from the aboev select:

DELETE FROM RHQ_SUBJECT_ROLE_LDAP_MAP WHERE role_id=12345;

Lastly remove the role as normal

An alternative solution is to delete all the users belonging to this role; followed by normally removing the role.

Comment 1 Simeon Pinder 2011-12-09 23:11:08 UTC

This is fixed with commit 0753aae5cab0 to master. 

For some reason hibernate was not loading the external LDAP Groups correctly.  Fix was to explicitly load the lazy references before updating on a remove.

Moving this to ON_QA.

Comment 2 Sunil Kondkar 2011-12-12 09:21:33 UTC

Verified in latest master build#827 (Version: 4.3.0-SNAPSHOT Build Number: 0753aae)

Followed the steps and verified that the role which is linked to an LDAP group is deleted successfully. No errors are observed in server log.

marking as verified.

Comment 3 Mike Foley 2012-02-07 19:23:41 UTC

<removing erroneous comment> Putting this bug back to VERIFIED since its only been fixed in master currently

Comment 4 Heiko W. Rupp 2013-08-31 10:16:26 UTC

Bulk close of old bugs in VERIFIED state.

Note You need to log in before you can comment on or make changes to this bug.