grouper-dev - [grouper-dev] RE: Bad Membership Finder Utility .... Was: ( [grouper-users] Composite group problems)
Subject: Grouper Developers Forum
- From: "Hyzer, Chris" <>
- To: "Black, Carey M." <>, "" <>
- Subject: [grouper-dev] RE: Bad Membership Finder Utility .... Was: ( [grouper-users] Composite group problems)
- Date: Mon, 23 Oct 2017 05:15:39 +0000
The problem is the queries to find bad memberships can be very costly and disruptive. My DBAs have yelled at me about it. Maybe a targeted change log consumer to check only affected groups could be a good idea. We can think about it after 2.4 is released… Otherwise getting to 2.3 and letting the daemon run nightly should be sufficient as a stopgap…

Thanks
Chris

From: [mailto:] On Behalf Of Black, Carey M.

Shilen ( et. al.),

I suspect that this condition is barely understood about the inner workings of the system by most deployers and/or users.

Giving the AM ( Access Management ) team control over the promptness of the “fully effective By” window would be a very powerful tool/control that Grouper could assert. ( Or at least knowledge of when the changes are fully verified/effective in Grouper.)

I remember reading about the Bad Membership Finder Utility and thinking: “What??!?!? Why?? Can that not be done on any membership change? So that the “invalid state” for the composites is avoided altogether?”

Then I wandered off to other things, and have only bumped into the thought a few times since. (and every time decided “I don’t have time to think about it right now.” And wandered off again.)

Well here are some more thoughts on the implementation details:

I think I see some of the complexities here, but I doubt that I see all of them.

The graph of dependencies for all of the composite groups seems knowable. (Possibly changing as a result of the change too.) When any one of those dependencies is changed (for a given subject/group) it seems possible to walk/correct the affected parts of the graphs. ( in line, or at least triggering an event to config/fix as needed.)

And since circular membership loops are possible it gets a bit more well…. Interesting…. to know where to start and stop some of these things too. :^/ Which is why the process is run repeatedly till it does not make changes. (Inferring that the dependency graph may not be used to optimize the path of changes, or the solution may not be done in a way that “pushes multiple peer changes” in a “top down” kind of flow.)

You alluded to a possible race condition in the system too. ( in the thread below. ) So apparently the backend does not do “locking” in a way to deal with overlapping dependency tree changes in a full ACID compliance way. ( no doubt complicated by the “circular membership loops” ) Likely trying to avoid DB thread deadlocks… ok… but…. Maybe, in some cases, that blocking would actually be desired by the users/system?

So, in this non-blocking model, with an attempt to not “thrash the system” and make every save take minutes, I could see the idea of stacking up a queue (change log consumer?) to process these checks/corrections in a timely ( a few minutes, < 2 ? , < 5 ? ) manner.

But maybe that “acceptable delay” should be a property of the composite and/or the groups that are involved? I could imagine some cases where you always want:

- change in “this special group” to be 100% completed “NOW”. ( Global Exclude groups, or just “important” Exclude groups, etc… And maybe even in some “include groups” too.)
- While other groups may be ok to be “loosely consistent”. ( “Provision that group in the next hour and no harm done.” )

Especially when in the context of Access Control Policies and/or Provisioning/DE provisioning. So maybe membership changes also need to force (queue/call) Prov/DeProv processes too?

I doubt all of that would be easy to do. ( In fact, I think most of it would be fairly hard to implement without potentially causing other issues.)

But does the core idea of making this “loosely consistent model tunable by the users” make sense to anyone else?

--
Carey Matthew

From: [] On Behalf Of Shilen Patel

That could have happened if you have composites that are factors of other composites. There may be other reasons too though. FWIW, the daemon in 2.3 is designed to take that into account and runs multiple times until all the issues are corrected.

- Shilen

Sent from my Verizon, Samsung Galaxy smartphone

-------- Original message --------
From: Dave Churchley <>
Date: 10/20/17 10:12 AM (GMT-05:00)
To: Shilen Patel <>
Cc:
Subject: RE: [grouper-users] Composite group problems

Yes, that makes sense. I’ve now scheduled the Bad Membership Finder Utility to run each morning, just after the Grouper loader groups are populated.

One more question, if you don’t mind, do you know why it took four goes to fix all the bad memberships this morning? Each time I ran it, it fixed the majority that it had found, but not all of them.

Thanks

From: [] On Behalf Of Shilen Patel

OK cool. The scenario you described is a similar situation where you probably have two threads running at the same time that deleted and added the user from/to the groups under Group B. The thread that deleted the user from the group under B would have thought the user wasn't an effective member of B anymore and would have deleted the user from A. Meanwhile the thread that added the user to the group under B would have seen that the user is already in A (since the other transaction may not have committed yet) and therefore wouldn't have done anything else. Does that at least explain the issue?

We created the bad membership daemon in 2.3 because of this issue but we may need to handle it better.

Thanks!

- Shilen

Sent from my Verizon, Samsung Galaxy smartphone

-------- Original message --------
From: Dave Churchley <>
Date: 10/20/17 1:28 AM (GMT-08:00)
To: Shilen Patel <>
Cc:
Subject: RE: [grouper-users] Composite group problems

Thanks again Shilen

The Bad Membership Finder Utility cleaned up 118 bad memberships this morning. (I had to run it four times though until it found no membership errors.) I’m sure this utility will be useful to us!

I don’t know if you’re able to explain why the composite group memberships go wrong as in the example below?

Thanks

From: [] On Behalf Of Dave Churchley

Thanks Shilen, I'll take a look at that in the morning.

For at least one of the problem groups, however, this is definitely not the issue. Group A is made up of Group B complement Group C. Person X was in B and not C and so he rightly appeared in A. Two days ago he dropped out of A but he remained in B and not in C. Those groups' memberships hadn't changed. We did notice that Group B was built from several Grouper loader groups and Person X had moved from one of them into another, but this meant that he was still a member of B. I hope I've managed to explain that!

Thanks
Dave

From: Shilen Patel <>

If both factors in the composite are being updated at about the same time for the same subject, then a membership may be missed. For example, if Group A is an intersection of Group B and Group C and you add the same person to B and C at almost the same time, then due to the way the database transactions work, the composite membership may not be added to Group A. Does that seem like the problem you’re having?
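
The race Shilen describes (Group A as the intersection of B and C, with the same person added to both at almost the same time) and the repeated clean-up runs, shown as an added example that is not part of the thread and is not Grouper code. It is a constructed Python model; group D, subject "x", the snapshot reads and the evaluation at the start of each pass are assumptions made for illustration.

```python
# Constructed model, not Grouper code: group D, subject "x", the snapshot
# reads and the pass order are assumptions made for this illustration.
COMPOSITES = {"A": ("intersection", "B", "C"),   # the example from the thread
              "D": ("complement", "A", "E")}     # hypothetical: composite built on A

def evaluate(members, name):
    """Membership a composite should have, given its factors' current members."""
    kind, left, right = COMPOSITES[name]
    if kind == "intersection":
        return members[left] & members[right]
    return members[left] - members[right]        # complement

def racing_adds(members, subject="x"):
    """Two transactions add the subject to B and C; neither sees the other's write."""
    snapshot = {g: set(m) for g, m in members.items()}
    for factor in ("B", "C"):
        view = {g: set(m) for g, m in snapshot.items()}  # state before either commit
        view[factor].add(subject)
        if subject in evaluate(view, "A"):               # false in both transactions
            members["A"].add(subject)
        members[factor].add(subject)                     # commit the direct membership

def fix_pass(members):
    """One clean-up run: compare stored composites with their factors, repair, count."""
    expected = {name: evaluate(members, name) for name in COMPOSITES}  # read first
    fixed = 0
    for name, want in expected.items():
        fixed += len(want ^ members[name])
        members[name] = want
    return fixed

def run_until_clean(members, max_passes=10):
    """Repeat the clean-up until a pass changes nothing; return fixes per pass."""
    counts = []
    for _ in range(max_passes):
        counts.append(fix_pass(members))
        if counts[-1] == 0:
            break
    return counts

def demo():
    members = {g: set() for g in "ABCDE"}
    racing_adds(members)
    missed = evaluate(members, "A") - members["A"]   # in B and C, absent from A
    return missed, run_until_clean(members), members

if __name__ == "__main__":
    print(demo())
```

In this model the second pass is needed because D is computed from A as it stood before A was repaired, which is the composites-of-composites case mentioned in the thread.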